Francis Dupont writes and Jari Arkko responds:

> - 6.7 Processing Rules for Hosts (comment)
>
> o IP Source Address is a unicast address. Note that routers may use
> multiple addresses, so this address is not sufficient for the unique
> identification of routers.
>
> => RA sources are always link-local for this reason. Should we enforce
> routers to use only link-local source for DCAs?

Yes, thanks for noting this.

> - same (comment)
>
> Secure Router and Neighbor Advertisements MUST use a source
> address that satisfies the security properties outlined in Section
>
> => don't forget that RAs are sent from a link-local address.

Yes.

-----------

James Kempf:

RFC 2461 requires that RAs be sent with a Link Local address. Issue 21 is whether the same restriction should be put on DCA.

Proposed solution: yes.

-----------

Jari Arkko:

Agreed.

-----------

Greg Daley:

I've got some odd ideas for wanting to do DCA from off-network, but understand that in general on-link only is best.

Is there any effective difference between requiring link-local and requiring a TTL of 255 (with LL or global)?

-----------

James Kempf:

TTL of 255 and dropping any received packet with a TTL less than that will effectively limit to on link. Link local addresses are an additional mechanism for that, and having DCA use them is consistent with RFC 2461, which is why it is being recommended.

In general, I'm not sure it is advisable to do DCA from off-link. There is an issue with fragmentation. Certs tend to be large, and if they are sent using UDP multihop, they can get fragmented and dropped by routers that don't handle fragmentation properly, which typically isn't a problem with a single link. This problem occurs frequently with IKE, for example, and the IPsec WG has yet to face up to how to handle it.

The design team discussed whether to put in a mechanism to handle fragmentation or certificate compression, but it would make DCA much more complicated, and it is not clear at this point whether the extra complication is necessary if the off-link uses result from only 10% of the cases. If they are more like 50%, we can put in fragmentation support later.

-----------

Greg Daley:

I think consistency is valid, considering that we're aiming at interworking with existing ND solutions (although this is a new message). I'd prefer that there's really only one mechanism required to ensure link-only reach of the DCA, though, if it is sufficient. Guaranteeing this with hop count 255 may be so. Whether the address is link-local seems to be less relevant for that purpose.

> In general, I'm not sure it is advisable to do DCA from off-link. There is
> an issue with fragmentation. Certs tend to be large, and if they are sent
> using UDP multihop, they can get fragmented and dropped by routers that
> don't handle fragmentation properly, which typically isn't a problem with a
> single link. This problem occurs frequently with IKE, for example, and the
> IPsec WG has yet to face up to how to handle it. The design team discussed
> whether to put in a mechanism to handle fragmentation or certificate
> compression, but it would make DCA much more complicated, and it is not
> clear at this point whether the extra complication is necessary, if the off
> link uses result from only 10% of the cases. If they are more like 50%, we
> can put in fragmentation support later.

Thanks. It's nice to know some additional issues here. I must admit that I haven't looked at the draft recently, though, and was unaware that we were talking about using UDP (although the same is likely to apply to other datagram-oriented communications).

Certainly, we don't want to overcomplicate DCA or SEND. I'm not going to propose any odd ideas like this until the RFC comes out, and I still think the odd ideas would work.

-----------

Jari Arkko:

I think we are doing more than just ensuring the packets don't go out of the link. We are also trying to design the protocol so that it deviates from IPv6 as little as possible. So, while technically not really so useful, the link-local rule is there just to follow the other RD messaging model of the router.

-----------

James Kempf:

There was some technical discussion about this, but consensus seems to be that having the SEND document specify Link Local to be consistent with RFC 2461 is appropriate.
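The two receiver-side rules debated in this thread (accept only hop limit 255, versus hop limit 255 plus a link-local source), written out as an added example that is not part of the thread or of the SEND draft. It assumes the RA ICMPv6 type 134 from RFC 2461; the thread gives no type number for DCA, so the set of message types to check is a parameter, and all packets are constructed inline.

```python
import ipaddress
import struct

ICMPV6 = 58                      # IPv6 Next Header value for ICMPv6
ND_ROUTER_ADVERTISEMENT = 134    # ICMPv6 type of a Router Advertisement (RFC 2461)
# Fixed IPv6 header: ver/tc/flow, payload length, next header, hop limit, src, dst
IPV6_HDR = struct.Struct("!IHBB16s16s")

def build_packet(src, dst, hop_limit, icmp_type):
    """Constructed test packet: IPv6 header plus a minimal 8-byte ICMPv6 header."""
    body = struct.pack("!BBHI", icmp_type, 0, 0, 0)   # type, code, checksum, reserved
    hdr = IPV6_HDR.pack(6 << 28, len(body), ICMPV6, hop_limit,
                        ipaddress.IPv6Address(src).packed,
                        ipaddress.IPv6Address(dst).packed)
    return hdr + body

def parse_packet(packet):
    """Return hop limit, source and ICMPv6 type, or None if not an IPv6/ICMPv6 packet."""
    if len(packet) < IPV6_HDR.size + 4:
        return None
    vtf, _plen, next_hdr, hop_limit, src, _dst = IPV6_HDR.unpack_from(packet)
    if vtf >> 28 != 6 or next_hdr != ICMPV6:
        return None
    return {"hop_limit": hop_limit,
            "src": ipaddress.IPv6Address(src),
            "icmp_type": packet[IPV6_HDR.size]}

def evaluate_on_link_rules(packet, nd_types=(ND_ROUTER_ADVERTISEMENT,)):
    """Apply both candidate rules; None if the packet is not an ND type of interest."""
    pkt = parse_packet(packet)
    if pkt is None or pkt["icmp_type"] not in nd_types:
        return None
    hop_ok = pkt["hop_limit"] == 255          # any router hop would have decremented it
    return {"hop_limit_only": hop_ok,
            "hop_limit_and_link_local": hop_ok and pkt["src"].is_link_local}  # fe80::/10

# Constructed samples: on-link RA, on-link RA from a global source, RA that crossed a router
SAMPLES = {
    "link-local source, hop limit 255": build_packet("fe80::1", "ff02::1", 255, ND_ROUTER_ADVERTISEMENT),
    "global source, hop limit 255": build_packet("2001:db8::1", "ff02::1", 255, ND_ROUTER_ADVERTISEMENT),
    "link-local source, hop limit 254": build_packet("fe80::1", "ff02::1", 254, ND_ROUTER_ADVERTISEMENT),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {evaluate_on_link_rules(pkt)}")
```

The second sample is the case Greg Daley asks about: a hop-limit-only check accepts it, while the RFC 2461-style link-local requirement rejects it.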