SEND Protocol Issue List
The following table lists all resolved and open design issues around the Secure Neighbor Discovery protocol. The latest version of the draft itself is available here and the full list of diffs here.
The SEND mailing list archives are here.

No | Status | Slogan | Solution
------------------------------------------------------------------------------------------------
100 | Open | Brett Pentland's review | ?
(Draft -06 submitted)
99 | Solved | English review | James went through the draft (diff)
98 | Solved | Timestamp format reference missing | It's the Unix style (diff)
97 | Solved | Exponential backoff would be better? | Use exponential backoff (diff)
96 | Solved | Greg's insecure NA problem | Add a rule about NUD in insecure mode (diff)
95 | Solved | Russ' adjustments (IESG/Housley) | Fix them (diff)
94 | Solved | Editorial issues (IESG/Alvestrand) | Fix them (diff)
93 | Solved | Editorial issues (IESG/Bellovin) | Fix them (diff)
92 | Solved | Editorial issues (IESG/Narten) | Fix them (diff)
91 | Solved | Editorial issues (IESG/Housley) | Fix them (diff)
90 | Solved | Redirect and uncertified prefixes (IESG/Narten) | Reword (diff)
89 | Solved | Autoconfig runs & new CGA generation (IESG/Narten) | Delete text (diff)
88 | Solved | MAY/SHOULD and incorrect timestamp (IESG/Narten) | SHOULD for better interoperability (diff)
87 | Solved | Timestamp and Nonce check order (IESG/Narten) | Delete order requirement (diff)
86 | Solved | NUD and performance text (IESG/Narten) | Fix text so it takes NUD into account too (diff)
85 | Solved | Where does the Sig option apply? (IESG/Narten) | All ND messages (diff)
84 | Solved | Fragmentation scheme details (IESG/Narten) | Add chain length to messages (diff)
83 | Solved | Nonces and multicast RAs (IESG/Narten) | Do not use nonce in multicast RAs (diff)
82 | Solved | MinSec variable necessary? (IESG/Narten) | Not necessary, delete it (diff)
81 | Solved | MUST/MAY for CGA Option in NS/NA (IESG/Narten) | May turn SEND and CGA off even if supports SEND (diff)
80 | Solved | Algorithm id needed (IESG/Housley) | It's already there, but do a rename and add text (diff)
79 | Solved | NTP attack discussion to sec. cons. (IESG/Bellovin) | Add it (diff)
78 | Solved | Default value of SEND/insecure ND (IESG/Bellovin) | Say that default = both (diff)
77 | Solved | Why not store certs upon recv? (IESG/Bellovin) | Necessary for DoS protection, keyword away (diff)
76 | Solved | Deployment model (IESG/Housley and Hardie) | Add text on non-RIR and mobile deployment models (diff)
75 | Solved | Authorization model (IESG/Bellovin) | Clarify text + allow id certs? (diff)
74 | Solved | Make wired/unwired applicability more clear (Bound) | Applicability of SEND added (diff)
73 | Solved | Reference 13 not up to date (Bound) | Fix it (diff)
72 | Solved | Make SEND/non-SEND applicability clearer (Bound) | Clarified as a part of issues 78, 81, and 92
(Draft 05 published solving all known issues)
71 | Rejected | Wrong modifier length in text | True, but text removed due to issue #70
70 | Solved 05 | Upgrade path for algorithms | Pass CGA parameters as opaque data (diff)
68 | Solved 05 | Reopening the pad length etc issues | Keep pad length for trust anchor (diff)
69 | Solved 05 | SEND triggers and deployment model | Section 8 OK, add switching to non-SEND routers (diff)
67 | Solved 05 | Reopening the SEND vs ND response model issue | Add a note on missing nonce (diff)
(Draft 04 published solving all WGLC issues)
49 | Solved 04 | Deprecate RFC 2461 IPsec (Kempf) | Modifs in 2461bis (diff)
50 | Solved 04 | CRL check when not connected yet (Kempf) | Delay it (diff)
51 | Solved 04 | Editorial comments (Kempf) | Fix as proposed (diff)
52 | Solved 04 | SEND vs. ND response model (Savola) | Add note (diff)
53 | Solved 04 | FQDN i18n issues (Savola) | Use IDNs (diff)
54 | Solved 04 | Other substantial issues (Savola) | Fix as proposed, more or less (diff)
55 | Solved 04 | Semi-editorial issues (Savola) | Fix as proposed (diff)
56 | Solved 04 | Editorial issues (Aura) | Fix as proposed (diff)
57 | Solved 04 | CGA/Sig option & discard inconsistency (Aura) | Fix as proposed (diff)
58 | Solved 04 | Discarding uncertified prefixes (Aura) | Allow uncertified (diff)
59 | Solved 04 | Key length upper limit inconsistency (Aura) | Align to cga (diff)
60 | Solved 04 | Why require Sig option to be last (Aura) | Just ignore the rest (diff)
61 | Solved 04 | CGA flag per node or per prefix? (Aura) | Include note (diff)
62 | Solved 04 | RDlast vulnerability (Aura) | Last bullet changed (diff and another diff)
63 | Solved 04 | Section 6.2 requirements too vague (Aura) | Simplify text (diff)
64 | Solved 04 | Delete text about AH verification (Aura) | Delete AH text (diff)
65 | Solved 04 | What is a "firm" address? (Savola) | Non-unspecified address (diff)
66 | Solved 04 | Length field clarification needed (Savola) | Clarify text (diff)
(Draft 03 published and WGLC started)
48 | Solved 03 | The continuing saga of issue 44 and 47 | Add warning about other apps (diff)
(Draft 02 published by Jari, tentatively closing all issues, again)
47 | Solved 02 | Certs give routing, advertisement or both rights? | Routing (diff)
(Draft 01 published by Jari, tentatively closing all issues)
13 | Solved 01 | Other clarifications from Pasi and Valtteri | Fix as proposed by reviewers (diff)
17 | Solved 01 | Different functions of Redirect | Specify in Sect.3, no security issue (diff)
27 | Solved 01 | DCS and DCA semantics | Fix as proposed by Jon Wood (diff and additional diff)
28 | Solved 01 | Scope of DCS source address | Require link-local source (diff)
30 | Solved 01 | Change back the RSA-PKCS version number | Fix as proposed by Tuomas Aura (diff)
31 | Solved 01 | Source address selection wrt. SEND | Use CGA only, selection outside scope (diff)
32 | Rejected | Replace RSA with ECC | No (diff)
33 | Solved 01 | SEND and L2 security | Allow combination, not require it (diff and another diff)
34 | Solved 01 | Not all changes to 2461-2462 in Sects 7 and 8 | Merge 7 and 8 to 5 as a part of issue 38 (diff)
35 | Solved 01 | Pasi Eronen's review, editorial issues | Fix as proposed (diff)
36 | Solved 01 | Modifier field length vs. draft-ietf-send-cga | Align with CGA draft (diff)
37 | Solved 01 | RS and trust anchor | Trust anchor not required (diff)
38 | Solved 01 | Remove duplication & simplify document | Do it (diff)
39 | Solved 01 | Chains include CA cert too? | No (diff)
40 | Solved 01 | Order of options unclear in 5.1 | Remove 5.1 (diff)
41 | Solved 01 | Delegating authority = IANA or an ISP? | ISP (diff)
42 | Solved 01 | Cert chain example needed | Use the provided example (diff)
43 | Solved 01 | Hosts to check certified prefix against RAs? | Yes (diff)
44 | Solved 01 | Certs give routing, advertisement or both rights? | Both (diff)
45 | Solved 01 | Unsolicited NA text & mixed mode | Clarified text, required CGA option (diff)
46 | Solved 01 | Fuzzy factor needed for timestamps | Yes (diff)
(Draft 00 posted to the I-D directories by Pekka)
04 | Solved 00 | Editorial issues in draft-send-ipsec-01.txt | Fix as proposed by Dave Thaler
05 | Solved 00 | Clarifications and inconsistency fixes | Fix as proposed by Dave Thaler
07 | Solved 00 | Use of certs for ND (not RD) not thought out | Remove certs for ND
08 | Solved 00 | Certificate details review by Pasi and Valtteri | Use term "trust anchor" etc
11 | Solved 00 | Timestamp processing issues, nonce vs. timestamp | Solicited msgs first, always reply to NS/RS
16 | Solved 00 | Editorial issues from Francis Dupont | Fix as proposed by reviewers
19 | Solved 00 | Allow autoconfig even with non-CGA addrs e.g. ::1 | Allow
20 | Solved 00 | Francis Dupont's certificate issues | New text provided
22 | Solved 00 | Replay protection issue from Francis Dupont | As proposed by Pekka
26 | Solved 00 | Timestamp management | Solved through issues 11 and 22
29 | Solved 00 | DN vs FQDN | DN + optional FQDN
(Jari's intermediate version, not released)
01 | Solved 00a | Use IPsec or ND-layer security? | ND options
02 | Solved 00a | Does SEND need DAD? | Yes, keep oDAD work separate
03 | Solved 00a | Coexistence scheme is flawed due to multicast | Not relevant due to adopting draft-arkko-ndopt
06 | Solved 00a | Millisecond timestamps problematic | 1/64K granularity
09 | Solved 00a | IPsec details review by Pasi and Valtteri | Fix as proposed by reviewers
10 | Solved 00a | SA configuration details review | Allow multiple roots,
12 | Solved 00a | Transition mode issues, need two link local addrs? | Not relevant due to adopting draft-arkko-ndopt
14 | Solved 00a | Is CGA-only RD protection useful? | May use with certs, not without
15 | Solved 00a | IPR issues | Two statements published
18 | Solved 00a | Specify SEND and AAA interactions | Say that certs from AAA may be used, say that secure RD and ND may be used independently
21 | Solved 00a | RA source needs to be link-local | Yes
23 | Solved 00a | Specify more about MLD interactions | No more interactions with non-ipsec security
24 | Solved 00a | Does 802.1X help against issues not handled in SEND | Additional text proposed by James
25 | Solved 00a | Sign whole packet, in local link we can do this | Sign pseudopacket

Open means an open issue. Proposed means an issue for which a solution has been proposed, but it may not yet be fully agreed or at least not edited in. Solved means a solved and edited-in solution, with the draft number following. Rejected means an issue which was finally decided not to impact the specification.