Pasi Eronen and Valtteri Niemi write:

o Section 10: What about co-existence of nodes using CGA and those not
  using CGA?

o Section 10.1 (editorial/technical): If SEND nodes don't try to detect
  whether the same address is used by a non-SEND node, why are DAD
  Neighbor Solicitations sent to the normal solicited-node multicast
  address, too?

o Section 10.1 (technical): The spec says that "Hosts configured for
  SEND MUST use SEND for all of their addresses, including link local
  addresses." Are hosts allowed to use SEND on one link, and not use
  SEND on some other link?

o Section 10.1 (technical): "Secure Router and Neighbor Advertisements
  MUST use a source address that satisfies the security properties
  outlined in Section 9. Unless this address is link-local, it MUST
  belong to one of the advertised secure prefixes. Similarly, source
  addresses for insecure advertisements MUST belong to one of the
  advertised insecure prefixes, unless the address is link-local."

  This changes RFC 2461 requirements (the source address of Router
  Advertisements is always a link-local address). If this is
  intentional, document justifications.

-----------

Jari Arkko responds:

> o Section 10: What about co-existence of nodes using CGA and those
>   not using CGA?

Good question. This isn't currently discussed, I think. But isn't this
rather obvious? Nodes that have both certs and CGAs can interwork with
nodes that use only certs. And it also works in the reverse direction,
assuming we can set a policy which requires at least one of CGA or cert
to be used.

> o Section 10.1 (editorial/technical): If SEND nodes don't try to
>   detect whether the same address is used by a non-SEND node, why are
>   DAD Neighbor Solicitations sent to the normal solicited-node
>   multicast address, too?

To prevent the non-SEND nodes (in some cases) using the SEND node's
address. I believe this is discussed in the security considerations.

> o Section 10.1 (technical): The spec says that "Hosts configured for
>   SEND MUST use SEND for all of their addresses, including link local
>   addresses." Are hosts allowed to use SEND on one link, and not
>   use SEND on some other link?

I think I wrote that down somewhere, but now I can't find it. I think
the intention is to allow the SEND capability to be per link.

> o Section 10.1 (technical): "Secure Router and Neighbor
>   Advertisements MUST use a source address that satisfies the
>   security properties outlined in Section 9. Unless this address is
>   link-local, it MUST belong to one of the advertised secure
>   prefixes. Similarly, source addresses for insecure advertisements
>   MUST belong to one of the advertised insecure prefixes, unless the
>   address is link-local."
>
>   This changes RFC 2461 requirements (the source address of Router
>   Advertisements is always a link-local address). If this is
>   intentional, document justifications.

Yes. I believe this is an open issue which has been discussed before.
Solutions for this include two link-local prefixes, or switching to
draft-arkko-send-ndopt-00.txt.

-----------
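Two of the points above are easy to make concrete: the DAD Neighbor Solicitation goes to the solicited-node multicast group derived from the tentative address, so a non-SEND node that configured an address with the same low-order 24 bits is listening on that group and sees it; and the quoted source-address rule for advertisements is a simple membership test (link-local, or inside one of the advertised prefixes). The following Python is an added illustration written for this page, not code from the SEND drafts or from either author. The solicited-node derivation (ff02::1:ff00:0/104 plus the low 24 bits) and the fe80::/10 link-local range are taken from RFC 4291; the addresses and prefixes in the sample data are constructed.

```python
import ipaddress

# Constructed sample data for this example (not from the thread).
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")  # RFC 4291 link-local range


def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """Solicited-node multicast group for a unicast address (RFC 4291 2.7.1):
    ff02::1:ff00:0/104 with the low-order 24 bits of the address appended.
    A DAD Neighbor Solicitation for addr is sent to this group."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def dad_reaches(tentative: str, other_node_addr: str) -> bool:
    """True if a node holding other_node_addr is a member of the group the
    DAD NS for tentative is sent to, i.e. it will receive the solicitation
    whether or not it implements SEND. This is why sending DAD to the normal
    solicited-node group lets the SEND node notice a non-SEND claimant."""
    return solicited_node_multicast(tentative) == solicited_node_multicast(other_node_addr)


def advertisement_source_ok(src: str, advertised_prefixes) -> bool:
    """Membership test for the rule quoted in the review: the source address
    of an advertisement MUST be link-local, or else MUST belong to one of
    the prefixes the advertisement itself carries."""
    s = ipaddress.IPv6Address(src)
    if s in LINK_LOCAL:
        return True
    return any(s in ipaddress.IPv6Network(p, strict=False) for p in advertised_prefixes)


if __name__ == "__main__":
    # Constructed: a SEND host's tentative address and a non-SEND host whose
    # address differs only in the upper bits; both map to the same group.
    tentative = "2001:db8::1:2:3:4"
    legacy = "2001:db8:ffff::3:4"
    print("DAD NS group:", solicited_node_multicast(tentative))
    print("non-SEND node hears it:", dad_reaches(tentative, legacy))

    prefixes = ["2001:db8:1::/64"]
    for src in ("fe80::1", "2001:db8:1::1", "2001:db8:2::1"):
        print(src, "acceptable as RA source:", advertisement_source_ok(src, prefixes))
```

The `dad_reaches` check is what makes Jari's answer operational: a non-SEND node that has already taken the address is a member of the same solicited-node group and will answer the SEND node's DAD, which is the point of still sending it to the normal group. The third function only encodes the draft's MUST; it does not resolve the RFC 2461 conflict the reviewers raise, since a non-link-local source still fails the older requirement.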