Pasi Eronen: Please find below some comments about draft-ietf-send-ndopt-00.

o Section 6.5.1: "The parent certificates in the certificate chain MUST contain one or more X.509 IP address extensions, back up to the delegating authority (the Regional Address Registry or IANA) that delegated the original IP address space block."

I think it's much more likely that the trust anchor is something below, like ISP or company IT administrator.

------------------

Jari Arkko: I agree with you Pasi on this. I believe the current text assumes a perfect address ownership model for router's addresses. That is, the authorization should act as a guarantee that the router really has the addresses it is supposed to have, all the way up to IANA. I think it would be difficult to achieve, though maybe that happens in the future. I certainly hope so. But for now, I believe what we can achieve is a weaker guarantee: that the addresses are right as far as the organization that we trust is concerned -- not necessarily globally right.

Let's say I work for evil-network-mgmt.com. If their CA says that they own prefix P and it is for router R, then I trust that. Even if prefix P was perhaps stolen from poor-victim.com without consulting the RIRs or the IANA ;-)

Suggested text change:

The parent certificates in the certificate chain MUST contain one or more X.509 IP address extensions, back up to a trusted party (such as the user's ISP) that configured the original IP address space block for the router in question.
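The check the two messages above are arguing about, as an added illustration that is not part of the draft or of either message: a toy path validator that walks a router's certificate chain upward, requires every parent to carry an IP address extension, verifies RFC 3779-style subsumption of each certificate's blocks by its parent's blocks (including the "inherit" form), and stops at a locally configured trust anchor such as an ISP or enterprise CA rather than insisting on a path to an RIR or IANA. The `Cert` class, the certificate names and the prefixes are all constructed for this example; real certificates would be parsed from DER and the address-range form of RFC 3779 is omitted for brevity.

```python
"""Toy SEND-style certificate path validation over X.509 IP address blocks.

Constructed example: each Cert carries the RFC 3779 IP address blocks it is
authorised for. The chain is walked from the router's certificate up to a
locally trusted party, which is the relaxation proposed in the thread.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_network
from typing import List, Optional, Tuple, Union

Prefix = Union[IPv4Network, IPv6Network]


@dataclass
class Cert:
    subject: str
    issuer: str
    # None models a certificate with no IP address extension at all.
    ip_blocks: Optional[List[Prefix]] = None
    # RFC 3779 allows "inherit" in place of an explicit block list.
    inherit: bool = False


def _subsumed(child: Prefix, parent_blocks: List[Prefix]) -> bool:
    """True when `child` lies entirely inside one of `parent_blocks`."""
    return any(child.version == p.version and child.subnet_of(p)
               for p in parent_blocks)


def validate_chain(chain: List[Cert], trust_anchors: List[str],
                   router_prefix: Prefix) -> Tuple[bool, str]:
    """Validate `chain` ordered end entity first, trust anchor last.

    Returns (ok, reason). Checks:
      * issuer/subject linkage between adjacent certificates;
      * the topmost certificate names a locally trusted party;
      * every certificate carries an IP address extension (or inherits);
      * each certificate's blocks are subsumed by its parent's effective blocks;
      * the router's advertised prefix is covered by its own certificate.
    """
    if not chain:
        return False, "empty chain"
    top = chain[-1]
    if top.subject not in trust_anchors:
        return False, f"chain ends at untrusted party {top.subject}"
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return False, f"{lower.subject} was not issued by {upper.subject}"

    # Resolve effective blocks from the anchor downwards so that "inherit"
    # is expanded before the subsumption check at each step.
    effective: List[Optional[List[Prefix]]] = [None] * len(chain)
    for i in range(len(chain) - 1, -1, -1):
        cert = chain[i]
        if cert.inherit:
            if i == len(chain) - 1:
                return False, f"trust anchor {cert.subject} cannot inherit"
            effective[i] = effective[i + 1]
            continue
        if cert.ip_blocks is None:
            return False, f"{cert.subject} lacks the IP address extension"
        if i < len(chain) - 1:
            parent_blocks = effective[i + 1] or []
            for block in cert.ip_blocks:
                if not _subsumed(block, parent_blocks):
                    return False, (f"{block} in {cert.subject} is not subsumed "
                                   f"by {chain[i + 1].subject}")
        effective[i] = cert.ip_blocks

    if not _subsumed(router_prefix, effective[0] or []):
        return False, f"router prefix {router_prefix} not covered by {chain[0].subject}"
    return True, "ok"


# Constructed sample chain: ISP (local trust anchor) -> enterprise CA -> router.
ISP = Cert("isp.example", "isp.example", [ip_network("2001:db8::/32")])
CORP = Cert("corp.example", "isp.example", [ip_network("2001:db8:1::/48")])
ROUTER = Cert("router-r.corp.example", "corp.example",
              [ip_network("2001:db8:1:2::/64")])
ROUTER_PREFIX = ip_network("2001:db8:1:2::/64")

# A CA asserting a block its parent never delegated (the "stolen prefix" case).
CORP_STOLEN = Cert("corp.example", "isp.example", [ip_network("2001:db9::/48")])
# A CA that simply inherits the ISP's blocks.
CORP_INHERIT = Cert("corp.example", "isp.example", inherit=True)
# A CA with no IP address extension at all.
CORP_NO_EXT = Cert("corp.example", "isp.example")


def demo() -> dict:
    """Run the validator over the constructed chains and return the outcomes."""
    anchors = ["isp.example"]
    return {
        "good": validate_chain([ROUTER, CORP, ISP], anchors, ROUTER_PREFIX),
        "stolen": validate_chain([ROUTER, CORP_STOLEN, ISP], anchors, ROUTER_PREFIX),
        "inherit": validate_chain([ROUTER, CORP_INHERIT, ISP], anchors, ROUTER_PREFIX),
        "no_ext": validate_chain([ROUTER, CORP_NO_EXT, ISP], anchors, ROUTER_PREFIX),
        "untrusted": validate_chain([ROUTER, CORP, ISP], ["other.example"], ROUTER_PREFIX),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:10s} {'PASS' if ok else 'FAIL'}: {reason}")
```

The "stolen" case shows what the relaxed wording does and does not buy: a prefix that the trusted ISP never delegated is rejected because the subsumption check fails at the ISP's certificate, but the validator has no way to know whether the ISP itself was entitled to 2001:db8::/32; that is exactly the "right as far as the organization we trust is concerned" guarantee Jari describes.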