base.txt | issue42.txt | |
---|---|---|
Skipping to change at page 2, line 33: | ||
5.2.3 Configuration . . . . . . . . . . . . . . . .18 | 5.2.3 Configuration . . . . . . . . . . . . . . . .18 | |
5.3 Timestamp and Nonce options . . . . . . . . . . . . 19 | 5.3 Timestamp and Nonce options . . . . . . . . . . . . 19 | |
5.3.1 Timestamp Option . . . . . . . . . . . . . . .19 | 5.3.1 Timestamp Option . . . . . . . . . . . . . . .19 | |
5.3.2 Nonce Option . . . . . . . . . . . . . . . . .20 | 5.3.2 Nonce Option . . . . . . . . . . . . . . . . .20 | |
5.3.3 Processing rules for senders . . . . . . . . .21 | 5.3.3 Processing rules for senders . . . . . . . . .21 | |
5.3.4 Processing rules for receivers . . . . . . . .21 | 5.3.4 Processing rules for receivers . . . . . . . .21 | |
5.4 Proxy Neighbor Discovery . . . . . . . . . . . . . . 23 | 5.4 Proxy Neighbor Discovery . . . . . . . . . . . . . . 23 | |
6. Authorization Delegation Discovery . . . . . . . . . . . . 24 | 6. Authorization Delegation Discovery . . . . . . . . . . . . 24 | |
6.1 Certificate Format . . . . . . . . . . . . . . . . . 24 | 6.1 Certificate Format . . . . . . . . . . . . . . . . . 24 | |
6.1.1 Router Authorization Certificate Profile . . .24 | 6.1.1 Router Authorization Certificate Profile . . .24 | |
6.2 Certificate Transport . . . . . . . . . . . . . . . 25 | 6.2 Certificate Transport . . . . . . . . . . . . . . . 26 | |
6.2.1 Delegation Chain Solicitation Message Format .26 | 6.2.1 Delegation Chain Solicitation Message Format .27 | |
6.2.2 Delegation Chain Advertisement Message Format 28 | 6.2.2 Delegation Chain Advertisement Message Format 29 | |
6.2.3 Trust Anchor Option . . . . . . . . . . . . .30 | 6.2.3 Trust Anchor Option . . . . . . . . . . . . .31 | |
6.2.4 Certificate Option . . . . . . . . . . . . . .31 | 6.2.4 Certificate Option . . . . . . . . . . . . . .32 | |
6.2.5 Processing Rules for Routers . . . . . . . . .32 | 6.2.5 Processing Rules for Routers . . . . . . . . .33 | |
6.2.6 Processing Rules for Hosts . . . . . . . . . .33 | 6.2.6 Processing Rules for Hosts . . . . . . . . . .34 | |
7. Securing Neighbor Discovery with SEND . . . . . . . . . . 35 | 7. Securing Neighbor Discovery with SEND . . . . . . . . . . 36 | |
7.1 Neighbor Solicitation Messages . . . . . . . . . . . 35 | 7.1 Neighbor Solicitation Messages . . . . . . . . . . . 36 | |
7.1.1 Sending Secure Neighbor Solicitations . . . .35 | 7.1.1 Sending Secure Neighbor Solicitations . . . .36 | |
7.1.2 Receiving Secure Neighbor Solicitations . . .35 | 7.1.2 Receiving Secure Neighbor Solicitations . . .36 | |
7.2 Neighbor Advertisement Messages . . . . . . . . . . 35 | 7.2 Neighbor Advertisement Messages . . . . . . . . . . 36 | |
7.2.1 Sending Secure Neighbor Advertisements . . . .35 | 7.2.1 Sending Secure Neighbor Advertisements . . . .36 | |
7.2.2 Receiving Secure Neighbor Advertisements . . .36 | 7.2.2 Receiving Secure Neighbor Advertisements . . .37 | |
7.3 Other Requirements . . . . . . . . . . . . . . . . . 36 | 7.3 Other Requirements . . . . . . . . . . . . . . . . . 37 | |
8. Securing Router Discovery with SEND . . . . . . . . . . . 38 | 8. Securing Router Discovery with SEND . . . . . . . . . . . 39 | |
8.1 Router Solicitation Messages . . . . . . . . . . . . 38 | 8.1 Router Solicitation Messages . . . . . . . . . . . . 39 | |
8.1.1 Sending Secure Router Solicitations . . . . .38 | 8.1.1 Sending Secure Router Solicitations . . . . .39 | |
8.1.2 Receiving Secure Router Solicitations . . . .38 | 8.1.2 Receiving Secure Router Solicitations . . . .39 | |
8.2 Router Advertisement Messages . . . . . . . . . . . 38 | 8.2 Router Advertisement Messages . . . . . . . . . . . 39 | |
8.2.1 Sending Secure Router Advertisements . . . . .39 | 8.2.1 Sending Secure Router Advertisements . . . . .40 | |
8.2.2 Receiving Secure Router Advertisements . . . .39 | 8.2.2 Receiving Secure Router Advertisements . . . .40 | |
8.3 Redirect Messages . . . . . . . . . . . . . . . . . 39 | 8.3 Redirect Messages . . . . . . . . . . . . . . . . . 40 | |
8.3.1 Sending Redirects . . . . . . . . . . . . . .40 | 8.3.1 Sending Redirects . . . . . . . . . . . . . .41 | |
8.3.2 Receiving Redirects . . . . . . . . . . . . .40 | 8.3.2 Receiving Redirects . . . . . . . . . . . . .41 | |
8.4 Other Requirements . . . . . . . . . . . . . . . . . 40 | 8.4 Other Requirements . . . . . . . . . . . . . . . . . 41 | |
9. Co-Existence of SEND and non-SEND nodes . . . . . . . . . 42 | 9. Co-Existence of SEND and non-SEND nodes . . . . . . . . . 43 | |
10. Performance Considerations . . . . . . . . . . . . . . . . 44 | 10. Performance Considerations . . . . . . . . . . . . . . . . 45 | |
11. Security Considerations . . . . . . . . . . . . . . . . . 45 | 11. Security Considerations . . . . . . . . . . . . . . . . . 46 | |
11.1 Threats to the Local Link Not Covered by SEND . . . 45 | 11.1 Threats to the Local Link Not Covered by SEND . . . 46 | |
11.2 How SEND Counters Threats to Neighbor Discovery . . 46 | 11.2 How SEND Counters Threats to Neighbor Discovery . . 47 | |
11.2.1 Neighbor Solicitation/Advertisement Spoofing .46 | 11.2.1 Neighbor Solicitation/Advertisement Spoofing .47 | |
11.2.2 Neighbor Unreachability Detection Failure . .47 | 11.2.2 Neighbor Unreachability Detection Failure . .48 | |
11.2.3 Duplicate Address Detection DoS Attack . . . .47 | 11.2.3 Duplicate Address Detection DoS Attack . . . .48 | |
11.2.4 Router Solicitation and Advertisement Attacks 48 | 11.2.4 Router Solicitation and Advertisement Attacks 49 | |
11.2.5 Replay Attacks . . . . . . . . . . . . . . . .48 | 11.2.5 Replay Attacks . . . . . . . . . . . . . . . .49 | |
11.2.6 Neighbor Discovery DoS Attack . . . . . . . .48 | 11.2.6 Neighbor Discovery DoS Attack . . . . . . . .49 | |
11.3 Attacks against SEND Itself . . . . . . . . . . . . 49 | 11.3 Attacks against SEND Itself . . . . . . . . . . . . 50 | |
12. Protocol Constants . . . . . . . . . . . . . . . . . . . . 50 | 12. Protocol Constants . . . . . . . . . . . . . . . . . . . . 51 | |
13. IANA Considerations . . . . . . . . . . . . . . . . . . . 51 | 13. IANA Considerations . . . . . . . . . . . . . . . . . . . 52 | |
Normative References . . . . . . . . . . . . . . . . . . . 52 | Normative References . . . . . . . . . . . . . . . . . . . 53 | |
Informative References . . . . . . . . . . . . . . . . . . 53 | Informative References . . . . . . . . . . . . . . . . . . 54 | |
Authors' Addresses . . . . . . . . . . . . . . . . . . . . 54 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . 55 | |
A. Contributors . . . . . . . . . . . . . . . . . . . . . . . 55 | A. Contributors . . . . . . . . . . . . . . . . . . . . . . . 56 | |
B. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 56 | B. Acknowledgements . . . . . . . . . . . . . . . . . . . . . 57 | |
C. Cache Management . . . . . . . . . . . . . . . . . . . . . 57 | C. Cache Management . . . . . . . . . . . . . . . . . . . . . 58 | |
D. Comparison to AH-Based Approach . . . . . . . . . . . . . 58 | D. Comparison to AH-Based Approach . . . . . . . . . . . . . 59 | |
Intellectual Property and Copyright Statements . . . . . . 61 | Intellectual Property and Copyright Statements . . . . . . 62 | |
1. Introduction | 1. Introduction | |
IPv6 defines the Neighbor Discovery Protocol (NDP) in RFC 2461 [7]. | IPv6 defines the Neighbor Discovery Protocol (NDP) in RFC 2461 [7]. | |
Nodes on the same link use NDP to discover each other's presence, to | Nodes on the same link use NDP to discover each other's presence, to | |
determine each other's link-layer addresses, to find routers, and to | determine each other's link-layer addresses, to find routers, and to | |
maintain reachability information about the paths to active | maintain reachability information about the paths to active | |
neighbors. NDP is used both by hosts and routers. Its functions | neighbors. NDP is used both by hosts and routers. Its functions | |
include Neighbor Discovery (ND), Router Discovery (RD), Address | include Neighbor Discovery (ND), Router Discovery (RD), Address | |
Autoconfiguration, Address Resolution, Neighbor Unreachability | Autoconfiguration, Address Resolution, Neighbor Unreachability | |
Skipping to change at page 25, line 47: | ||
received through DCA messages. If any of the checks fail, the client | received through DCA messages. If any of the checks fail, the client | |
MUST NOT accept the certificate. | MUST NOT accept the certificate. | |
Since it is possible that some PKC certificates used with SEND do not | Since it is possible that some PKC certificates used with SEND do not | |
immediately contain the X.509 IP address extension element, an | immediately contain the X.509 IP address extension element, an | |
implementation MAY contain facilities that allow the prefix and range | implementation MAY contain facilities that allow the prefix and range | |
checks to be relaxed. However, any such configuration options SHOULD | checks to be relaxed. However, any such configuration options SHOULD | |
be off by default. That is, the system SHOULD have a default | be off by default. That is, the system SHOULD have a default | |
configuration that requires rigorous prefix and range checks. | configuration that requires rigorous prefix and range checks. | |
The following is an example of a certificate chain. Suppose that | |
isp_group.com is the trust anchor. The host has this certificate for | |
it: | |
Certificate 1: | ||
Issuer: isp_group.com | ||
Validity: Jan 1, 2004 through Dec 31, 2004 | ||
Subject: isp_group.com | ||
Extensions: | ||
IP address delegation extension: | ||
Prefixes: P1, ..., Pk | ||
... possibly other extensions ... | ||
... other certificate parameters ... | ||
The host then attaches to a link served by router_x.isp_foo.com, | |
and receives the following certificate chain: | |
Certificate 2: | ||
Issuer: isp_group.com | ||
Validity: Jan 1, 2004 through Dec 31, 2004 | ||
Subject: isp_foo.com | ||
Extensions: | ||
IP address delegation extension: | ||
Prefixes: Q1, ..., Qr | |
... possibly other extensions ... | ||
... other certificate parameters ... | ||
Certificate 3: | ||
Issuer: isp_foo.com | ||
Validity: Jan 1, 2004 through Dec 31, 2004 | ||
Subject: router_x.isp_foo.com | ||
Extensions: | ||
IP address delegation extension: | ||
Prefixes: R1, ..., Rs | |
... possibly other extensions ... | ||
... other certificate parameters ... | ||
When processing the three certificates, the usual RFC 3280 | |
certificate path validation is performed, including checking | |
for revoked certificates. In addition, the IP addresses in the | |
delegation extension must be subsumed by the IP addresses in the | |
delegation extension of the issuer's certificate. So in this | |
example, R1, ..., Rs must be subsumed by Q1, ..., Qr, and Q1, ..., Qr | |
must be subsumed by P1, ..., Pk. If the certificate chain is valid, | |
then router_x.isp_foo.com is authorized to route the | |
prefixes R1, ..., Rs. | |
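The subsumption rule above, as an added example that is not part of the draft: each certificate's delegated prefixes must lie inside its issuer's, and the prefix a router advertises must lie inside the router's own certificate. Certificate contents and the `Cert` type are constructed for illustration; RFC 3280 path validation (signatures, validity, revocation) is assumed to happen separately, and the `relax_missing_ext` flag stands in for the MAY-relax option, off by default.

```python
# Added example, not from the SEND draft: IP address delegation checks
# along a chain, anchor -> ISP -> router, as described in section 6.1.1.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cert:                      # constructed stand-in for a parsed PKC
    subject: str
    issuer: str
    prefixes: Optional[List[str]]  # None: no X.509 IP address extension


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def subsumed(child, parent):
    """True if every child prefix lies inside some parent prefix."""
    parent_nets = _nets(parent)
    return all(any(c.subnet_of(p) for p in parent_nets) for c in _nets(child))


def chain_authorizes(chain, advertised, relax_missing_ext=False):
    """chain[0] is the trust anchor, chain[-1] the router certificate.
    With relax_missing_ext False (the draft's SHOULD default), a certificate
    without the IP address extension fails the prefix check."""
    for parent, child in zip(chain, chain[1:]):
        if child.issuer != parent.subject:        # broken issuer linkage
            return False
        if child.prefixes is None or parent.prefixes is None:
            if not relax_missing_ext:
                return False
            continue
        if not subsumed(child.prefixes, parent.prefixes):
            return False
    leaf = chain[-1].prefixes
    if leaf is None:
        return relax_missing_ext
    return subsumed([advertised], leaf)            # router's RA prefix in R1..Rs


# Constructed chain mirroring the draft's example (P, Q, R prefix sets).
ANCHOR = Cert("isp_group.com", "isp_group.com", ["2001:db8::/32"])
ISP = Cert("isp_foo.com", "isp_group.com", ["2001:db8:1::/48"])
ROUTER = Cert("router_x.isp_foo.com", "isp_foo.com", ["2001:db8:1:a::/64"])
ROGUE = Cert("router_x.isp_foo.com", "isp_foo.com", ["2001:db8:2::/48"])

if __name__ == "__main__":
    print(chain_authorizes([ANCHOR, ISP, ROUTER], "2001:db8:1:a::/64"))  # True
    print(chain_authorizes([ANCHOR, ISP, ROGUE], "2001:db8:2::/48"))      # False
```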
6.2 Certificate Transport | 6.2 Certificate Transport | |
The Delegation Chain Solicitation (DCS) message is sent by a host | The Delegation Chain Solicitation (DCS) message is sent by a host | |
when it wishes to request a certificate chain between a router and | when it wishes to request a certificate chain between a router and | |
one of the host's trust anchors. The Delegation Chain | one of the host's trust anchors. The Delegation Chain | |
Advertisement (DCA) message is sent as an answer to the DCS message. | Advertisement (DCA) message is sent as an answer to the DCS message. | |
These messages are separate from the rest of Neighbor and Router | These messages are separate from the rest of Neighbor and Router | |
Discovery, in order to reduce the effect of the potentially | Discovery, in order to reduce the effect of the potentially | |
voluminous certificate chain information on other messages. | voluminous certificate chain information on other messages. | |
End of changes. | ||
This html diff was produced by rfcdiff v0.42, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |