SEND Protocol Issue List

The following table lists all resolved and open design issues around the Secure Neighbor Discovery protocol. The latest version of the draft itself is available here and the full list of diffs is here.

The SEND mailing list archives are here.

No  Status       Slogan                                               Solution
------------------------------------------------------------------------------------------------

100 Open         Brett Pentland's review                             ?

(Draft -06 submitted)

99  Solved       English review                                       James went through the draft (diff)
98  Solved       Timestamp format reference missing                   It's the Unix style (diff)
97  Solved       Exponential backoff would be better?                 Use exponential backoff (diff)
96  Solved       Greg's insecure NA problem                           Add a rule about NUD in insecure mode (diff)
95  Solved       Russ' adjustments (IESG/Housley)                     Fix them (diff)
94  Solved       Editorial issues (IESG/Alvestrand)                   Fix them (diff)
93  Solved       Editorial issues (IESG/Bellovin)                     Fix them (diff)
92  Solved       Editorial issues (IESG/Narten)                       Fix them (diff)
91  Solved       Editorial issues (IESG/Housley)                      Fix them (diff)
90  Solved       Redirect and uncertified prefixes (IESG/Narten)      Reword (diff)
89  Solved       Autoconfig runs & new CGA generation (IESG/Narten)   Delete text (diff)
88  Solved       MAY/SHOULD and incorrect timestamp (IESG/Narten)     SHOULD for better interoperability (diff)
87  Solved       Timestamp and Nonce check order (IESG/Narten)        Delete order requirement (diff)
86  Solved       NUD and performance text (IESG/Narten)               Fix text so it takes NUD into account too (diff)
85  Solved       Where does the Sig option apply? (IESG/Narten)       All ND messages (diff)
84  Solved       Fragmentation scheme details (IESG/Narten)           Add chain length to messages (diff)
83  Solved       Nonces and multicast RAs (IESG/Narten)               Do not use nonce in multicast RAs (diff)
82  Solved       MinSec variable necessary? (IESG/Narten)             Not necessary, delete it (diff)
81  Solved       MUST/MAY for CGA Option in NS/NA (IESG/Narten)       May turn SEND and CGA off even if supports SEND (diff)
80  Solved       Algorithm id needed (IESG/Housley)                   It's already there, but do a rename and add text (diff)
79  Solved       NTP attack discussion to sec. cons. (IESG/Bellovin)  Add it (diff)
78  Solved       Default value of SEND/insecure ND (IESG/Bellovin)    Say that default = both (diff)
77  Solved       Why not store certs upon recv? (IESG/Bellovin)       Necessary for DoS protection, keyword away (diff)
76  Solved       Deployment model (IESG/Housley and Hardie)           Add text on non-RIR and mobile deployment models (diff)
75  Solved       Authorization model (IESG/Bellovin)                  Clarify text + allow id certs? (diff)

74  Solved       Make wired/unwired applicability more clear (Bound)  Applicability of SEND added (diff)
73  Solved       Reference 13 not up to date (Bound)                  Fix it (diff)
72  Solved       Make SEND/non-SEND applicability clearer (Bound)     Clarified as a part of issues 78, 81, and 92

(Draft 05 published solving all known issues)

71  Rejected     Wrong modifier length in text                        True, but text removed due to issue #70
70  Solved 05    Upgrade path for algorithms                          Pass CGA parameters as opaque data (diff)
68  Solved 05    Reopening the pad length etc issues                  Keep pad length for trust anchor (diff)
69  Solved 05    SEND triggers and deployment model                   Section 8 OK, add switching to non-SEND routers (diff)
67  Solved 05    Reopening the SEND vs ND response model issue        Add a note on missing nonce (diff)

(Draft 04 published solving all WGLC issues)

49  Solved 04    Deprecate RFC 2461 IPsec (Kempf)                     Modifs in 2461bis (diff)
50  Solved 04    CRL check when not connected yet (Kempf)             Delay it (diff)
51  Solved 04    Editorial comments (Kempf)                           Fix as proposed (diff)
52  Solved 04    SEND vs. ND response model (Savola)                  Add note (diff)
53  Solved 04    FQDN i18n issues (Savola)                            Use IDNs (diff)
54  Solved 04    Other substantial issues (Savola)                    Fix as proposed, more or less (diff)
55  Solved 04    Semi-editorial issues (Savola)                       Fix as proposed (diff)
56  Solved 04    Editorial issues (Aura)                              Fix as proposed (diff)
57  Solved 04    CGA/Sig option & discard inconsistency (Aura)        Fix as proposed (diff)
58  Solved 04    Discarding uncertified prefixes (Aura)               Allow uncertified (diff)
59  Solved 04    Key length upper limit inconsistency (Aura)          Align to cga (diff)
60  Solved 04    Why require Sig option to be last (Aura)             Just ignore the rest (diff)
61  Solved 04    CGA flag per node or per prefix? (Aura)              Include note (diff)
62  Solved 04    RDlast vulnerability (Aura)                          Last bullet changed (diff and another diff)
63  Solved 04    Section 6.2 requirements too vague (Aura)            Simplify text (diff)
64  Solved 04    Delete text about AH verification (Aura)             Delete AH text (diff)
65  Solved 04    What is a "firm" address? (Savola)                   Non-unspecified address (diff)
66  Solved 04    Length field clarification needed (Savola)           Clarify text (diff)

(Draft 03 published and WGLC started)

48  Solved 03    The continuing saga of issue 44 and 47               Add warning about other apps (diff)

(Draft 02 published by Jari, tentatively closing all issues, again)

47  Solved 02    Certs give routing, advertisement or both rights?    Routing (diff)

(Draft 01 published by Jari, tentatively closing all issues)

13  Solved 01    Other clarifications from Pasi and Valtteri          Fix as proposed by reviewers (diff)
17  Solved 01    Different functions of Redirect                      Specify in Sect.3, no security issue (diff)
27  Solved 01    DCS and DCA semantics                                Fix as proposed by Jon Wood (diff and additional diff)
28  Solved 01    Scope of DCS source address                          Require link-local source (diff)
30  Solved 01    Change back the RSA-PKCS version number              Fix as proposed by Tuomas Aura (diff)
31  Solved 01    Source address selection wrt. SEND                   Use CGA only, selection outside scope (diff)
32  Rejected     Replace RSA with ECC                                 No (diff)
33  Solved 01    SEND and L2 security                                 Allow combination, not require it (diff and another diff)
34  Solved 01    Not all changes to 2461-2462 in Sects 7 and 8        Merge 7 and 8 to 5 as a part of issue 38 (diff)
35  Solved 01    Pasi Eronen's review, editorial issues               Fix as proposed (diff)
36  Solved 01    Modifier field length vs. draft-ietf-send-cga        Align with CGA draft (diff)
37  Solved 01    RS and trust anchor                                  Trust anchor not required (diff)
38  Solved 01    Remove duplication & simplify document               Do it (diff)
39  Solved 01    Chains include CA cert too?                          No (diff)
40  Solved 01    Order of options unclear in 5.1                      Remove 5.1 (diff)
41  Solved 01    Delegating authority = IANA or an ISP?               ISP (diff)
42  Solved 01    Cert chain example needed                            Use the provided example (diff)
43  Solved 01    Hosts to check certified prefix against RAs?         Yes (diff)
44  Solved 01    Certs give routing, advertisement or both rights?    Both (diff)
45  Solved 01    Unsolicited NA text & mixed mode                     Clarified text, required CGA option (diff)
46  Solved 01    Fuzzy factor needed for timestamps                   Yes (diff)

(Draft 00 posted to the I-D directories by Pekka)

04  Solved 00    Editorial issues in draft-send-ipsec-01.txt          Fix as proposed by Dave Thaler
05  Solved 00    Clarifications and inconsistency fixes               Fix as proposed by Dave Thaler
07  Solved 00    Use of certs for ND (not RD) not thought out         Remove certs for ND
08  Solved 00    Certificate details review by Pasi and Valtteri      Use term "trust anchor" etc
11  Solved 00    Timestamp processing issues, nonce vs. timestamp     Solicited msgs first, always reply to NS/RS
16  Solved 00    Editorial issues from Francis Dupont                 Fix as proposed by reviewers
19  Solved 00    Allow autoconfig even with non-CGA addrs e.g. ::1    Allow
20  Solved 00    Francis Dupont's certificate issues                  New text provided
22  Solved 00    Replay protection issue from Francis Dupont          As proposed by Pekka
26  Solved 00    Timestamp management                                 Solved through issues 11 and 22
29  Solved 00    DN vs FQDN                                           DN + optional FQDN

(Jari's intermediate version, not released)

01  Solved 00a   Use IPsec or ND-layer security?                      ND options
02  Solved 00a   Does SEND need DAD?                                  Yes, keep oDAD work separate
03  Solved 00a   Coexistence scheme is flawed due to multicast        Not relevant due to adopting draft-arkko-ndopt
06  Solved 00a   Millisecond timestamps problematic                   1/64K granularity
09  Solved 00a   IPsec details review by Pasi and Valtteri            Fix as proposed by reviewers
10  Solved 00a   SA configuration details review                      Allow multiple roots, 
12  Solved 00a   Transition mode issues, need two link local addrs?   Not relevant due to adopting draft-arkko-ndopt
14  Solved 00a   Is CGA-only RD protection useful?                    May use with certs, not without
15  Solved 00a   IPR issues                                           Two statements published
18  Solved 00a   Specify SEND and AAA interactions                    Say that certs from AAA may be used, say that secure RD and ND may be used independently
21  Solved 00a   RA source needs to be link-local                     Yes
23  Solved 00a   Specify more about MLD interactions                  No more interactions with non-ipsec security
24  Solved 00a   Does 802.1X help against issues not handled in SEND  Additional text proposed by James
25  Solved 00a   Sign whole packet, in local link we can do this      Sign pseudopacket

Open means an open issue. Proposed means an issue for which a solution has been proposed, but which may not yet be fully agreed or at least not edited in. Solved means a solved and edited-in solution, with the draft number following. Rejected means an issue which was finally decided not to impact the specification.
