1Arkko, 57th IETF: SEND base protocol issue list
Issues in the SEND base documentdraft-ietf-send-ipsec-01.txt
http://www.piuha.net/~jarkko/publications/send/issues
57th IETF, Vienna
Jari Arkko, Ericsson Research NomadicLab
2Arkko, 57th IETF: SEND base protocol issue list
Issues for discussion here
• 07 - Cert-only ND protection not thought out• 14 - Is CGA-only RD protection useful?• 06 - Millisecond time granularity problematic• 08 - Certificate details
Only if AH is used:• 03 - Co-existence scheme flawed due to multicast?
3Arkko, 57th IETF: SEND base protocol issue list
07 - Certificate-only ND protection
• Complaint: certificate-only ND protection is “not thought out”– I think we generally agree, this part of the spec is not in as
good status as the rest.
• (What are the specific problems?)• Practical proposal: given the new IPR situation,
perhaps we should remove certificate-based ND protection completely and rely on CGA only– This would simplify the specification– Can still be added as an extension later
4Arkko, 57th IETF: SEND base protocol issue list
14 - Is CGA-only RD Protection Useful?
• Current draft allows CGA-only RD protection• CGA tells nothing about your right to be a router• Should it be removed?
• CGA allows to bind the selected default router to Redirects sent by it
• Other RD-protection might be possible to arrange via heuristics (e.g. the router appears to route)
• Practical proposal: simplify the draft and just keep the certificate-based RD protection
5Arkko, 57th IETF: SEND base protocol issue list
06 - Millisecond granularity
• Current timestamp granularity is one millisecond• Can not send two messages within one ms --
normally Ok, but can be problematic in some cases• Solutions:
– 1) Not an issue– 2) Allow reception within the same ms; note that getting the
same ND message twice is not an issue– 3) Increase allowed granularity to microsecond
6Arkko, 57th IETF: SEND base protocol issue list
14 - Certificate details
• Use PKCs instead of ACs for routers and define new options for prefixes?– Pro: Infrastructure for PKCs exists but does not exist for ACs– Contra: New extensions are needed– Certificate chain can not mirror prefix delegation, but not
sure how useful this would be
• Should DNs be used instead of FQDNs to identify trust roots?
7Arkko, 57th IETF: SEND base protocol issue list
03 - Co-existence scheme & multicast
• Nodes may run multicast on the link, exchange link-local addresses
• Since multicast does not use ND, such addresses may traverse from the secure side to the non-secure side
• Violates addressing RFC• Solutions:
– 1) In the ND-option approach, there are no “sides” and hence no problem
– 2) Something else, what?
Top Related