base.txt | issue50.txt | |
---|---|---|
Skipping to change at page 2, line 37: | ||
5.3.2 Nonce Option . . . . . . . . . . . . . . . . . 20 | 5.3.2 Nonce Option . . . . . . . . . . . . . . . . . 20 | |
5.3.3 Processing rules for senders . . . . . . . . . 21 | 5.3.3 Processing rules for senders . . . . . . . . . 21 | |
5.3.4 Processing rules for receivers . . . . . . . . 21 | 5.3.4 Processing rules for receivers . . . . . . . . 21 | |
6. Authorization Delegation Discovery . . . . . . . . . . . . . 24 | 6. Authorization Delegation Discovery . . . . . . . . . . . . . 24 | |
6.1 Certificate Format . . . . . . . . . . . . . . . . . .24 | 6.1 Certificate Format . . . . . . . . . . . . . . . . . .24 | |
6.1.1 Router Authorization Certificate Profile . . . 24 | 6.1.1 Router Authorization Certificate Profile . . . 24 | |
6.2 Certificate Transport . . . . . . . . . . . . . . . .27 | 6.2 Certificate Transport . . . . . . . . . . . . . . . .27 | |
6.2.1 Delegation Chain Solicitation Message Format . 27 | 6.2.1 Delegation Chain Solicitation Message Format . 27 | |
6.2.2 Delegation Chain Advertisement Message Format 29 | 6.2.2 Delegation Chain Advertisement Message Format 29 | |
6.2.3 Trust Anchor Option . . . . . . . . . . . . . 31 | 6.2.3 Trust Anchor Option . . . . . . . . . . . . . 31 | |
6.2.4 Certificate Option . . . . . . . . . . . . . . 32 | 6.2.4 Certificate Option . . . . . . . . . . . . . . 33 | |
6.2.5 Processing Rules for Routers . . . . . . . . . 33 | 6.2.5 Processing Rules for Routers . . . . . . . . . 33 | |
6.2.6 Processing Rules for Hosts . . . . . . . . . . 34 | 6.2.6 Processing Rules for Hosts . . . . . . . . . . 34 | |
7. Addressing . . . . . . . . . . . . . . . . . . . . . . . . . 36 | 7. Addressing . . . . . . . . . . . . . . . . . . . . . . . . . 37 | |
7.1 CGA Addresses . . . . . . . . . . . . . . . . . . . .36 | 7.1 CGA Addresses . . . . . . . . . . . . . . . . . . . .37 | |
7.2 Redirect Addresses . . . . . . . . . . . . . . . . . .36 | 7.2 Redirect Addresses . . . . . . . . . . . . . . . . . .37 | |
7.3 Advertised Prefixes . . . . . . . . . . . . . . . . .36 | 7.3 Advertised Prefixes . . . . . . . . . . . . . . . . .37 | |
7.4 Limitations . . . . . . . . . . . . . . . . . . . . .37 | 7.4 Limitations . . . . . . . . . . . . . . . . . . . . .38 | |
8. Transition Issues . . . . . . . . . . . . . . . . . . . . . 38 | 8. Transition Issues . . . . . . . . . . . . . . . . . . . . . 39 | |
9. Security Considerations . . . . . . . . . . . . . . . . . . 40 | 9. Security Considerations . . . . . . . . . . . . . . . . . . 41 | |
9.1 Threats to the Local Link Not Covered by SEND . . . .40 | 9.1 Threats to the Local Link Not Covered by SEND . . . .41 | |
9.2 How SEND Counters Threats to NDP . . . . . . . . . . .40 | 9.2 How SEND Counters Threats to NDP . . . . . . . . . . .41 | |
9.2.1 Neighbor Solicitation/Advertisement Spoofing . 41 | 9.2.1 Neighbor Solicitation/Advertisement Spoofing . 42 | |
9.2.2 Neighbor Unreachability Detection Failure . . 41 | 9.2.2 Neighbor Unreachability Detection Failure . . 42 | |
9.2.3 Duplicate Address Detection DoS Attack . . . . 41 | 9.2.3 Duplicate Address Detection DoS Attack . . . . 42 | |
9.2.4 Router Solicitation and Advertisement Attacks 42 | 9.2.4 Router Solicitation and Advertisement Attacks 43 | |
9.2.5 Replay Attacks . . . . . . . . . . . . . . . . 42 | 9.2.5 Replay Attacks . . . . . . . . . . . . . . . . 43 | |
9.2.6 Neighbor Discovery DoS Attack . . . . . . . . 43 | 9.2.6 Neighbor Discovery DoS Attack . . . . . . . . 44 | |
9.3 Attacks against SEND Itself . . . . . . . . . . . . .43 | 9.3 Attacks against SEND Itself . . . . . . . . . . . . .44 | |
10. Protocol Constants . . . . . . . . . . . . . . . . . . . . . 45 | 10. Protocol Constants . . . . . . . . . . . . . . . . . . . . . 46 | |
11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 46 | 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . 47 | |
Normative References . . . . . . . . . . . . . . . . . . . . 47 | Normative References . . . . . . . . . . . . . . . . . . . . 48 | |
Informative References . . . . . . . . . . . . . . . . . . . 49 | Informative References . . . . . . . . . . . . . . . . . . . 50 | |
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 50 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 51 | |
A. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 51 | A. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 52 | |
B. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 52 | B. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 53 | |
C. Cache Management . . . . . . . . . . . . . . . . . . . . . . 53 | C. Cache Management . . . . . . . . . . . . . . . . . . . . . . 54 | |
Intellectual Property and Copyright Statements . . . . . . . 54 | Intellectual Property and Copyright Statements . . . . . . . 55 | |
1. Introduction | 1. Introduction | |
IPv6 defines the Neighbor Discovery Protocol (NDP) in RFCs 2461 [7] | IPv6 defines the Neighbor Discovery Protocol (NDP) in RFCs 2461 [7] | |
and 2462 [8]. Nodes on the same link use NDP to discover each | and 2462 [8]. Nodes on the same link use NDP to discover each | |
other's presence, to determine each other's link-layer addresses, to | other's presence, to determine each other's link-layer addresses, to | |
find routers, and to maintain reachability information about the | find routers, and to maintain reachability information about the | |
paths to active neighbors. NDP is used both by hosts and routers. | paths to active neighbors. NDP is used both by hosts and routers. | |
Its functions include Neighbor Discovery (ND), Router Discovery (RD), | Its functions include Neighbor Discovery (ND), Router Discovery (RD), | |
Address Autoconfiguration, Address Resolution, Neighbor | Address Autoconfiguration, Address Resolution, Neighbor | |
Skipping to change at page 26, line 49: | ||
Certificate 3: | Certificate 3: | |
Issuer: isp_foo.com | Issuer: isp_foo.com | |
Validity: Jan 1, 2004 through Dec 31, 2004 | Validity: Jan 1, 2004 through Dec 31, 2004 | |
Subject: router_x.isp_foo.com | Subject: router_x.isp_foo.com | |
Extensions: | Extensions: | |
IP address delegation extension: | IP address delegation extension: | |
Prefixes R1, ..., Rk | Prefixes R1, ..., Rk | |
... possibly other extensions ... | ... possibly other extensions ... | |
... other certificate parameters ... | ... other certificate parameters ... | |
When processing the three certificates, the usual RFC 3280 | When procesing the three certificates, the usual RFC 3280 [10] | |
certificate path validation is performed, for instance by checking | certificate path validation is performed. Note, however, that at the | |
for revoked certificates. In addition, the IP addresses in the | time a node is checking certificates received in a DCA from a router, | |
delegation extension must be subsumed by the IP addresses in the | it typically does not have a connection to the Internet yet, and so | |
delegation extension in the issuer's certificate. So in this | it is not possible to perform an on-line Certificate Revocation List | |
example, R1, ..., Rs must be subsumed by Q1,...,Qr, and Q1,...,Qr | (CRL) check if such a check is necessary. Until such a check is | |
must be subsumed by P1,...,Pk. If the certificate chain is valid, | performed, acceptance of the certificate MUST be considered | |
then router_foo.isp_foo_example.com is authorized to route the | provisional, and the node MUST perform a check as soon as it has | |
prefixes R1,...,Rs. | established a connection with the Internet through the router. If | |
the router has been compromised, it could interfere with the CRL | ||
check. Should performance of the CRL check be disrupted or should | ||
the check fail, the node SHOULD immediately stop using the router as | ||
a default and use another router on the link instead. | ||
In addition, the IP addresses in the delegation extension must be | ||
subsumed by the IP addresses in the delegation extension in the | ||
issuer's certificate. So in this example, R1, ..., Rs must be | ||
subsumed by Q1,...,Qr, and Q1,...,Qr must be subsumed by P1,...,Pk. | ||
If the certificate chain is valid, then | ||
router_foo.isp_foo_example.com is authorized to route the prefixes | ||
R1,...,Rs. | ||
6.2 Certificate Transport | 6.2 Certificate Transport | |
The Delegation Chain Solicitation (DCS) message is sent by a host | The Delegation Chain Solicitation (DCS) message is sent by a host | |
when it wishes to request a certificate chain between a router and | when it wishes to request a certificate chain between a router and | |
the one of the host's trust anchors. The Delegation Chain | the one of the host's trust anchors. The Delegation Chain | |
Advertisement (DCA) message is sent as an answer to the DCS message. | Advertisement (DCA) message is sent as an answer to the DCS message. | |
These messages are separate from the rest of Neighbor and Router | These messages are separate from the rest of Neighbor and Router | |
Discovery, in order to reduce the effect of the potentially | Discovery, in order to reduce the effect of the potentially | |
voluminous certificate chain information on other messages. | voluminous certificate chain information on other messages. | |
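Review bot: the new paragraph in the right column makes revocation checking conditional on "if such a check is necessary" without saying who decides that (local policy, the trust anchor, or the certificate's CRL distribution point), so an implementer cannot tell whether a DCA-supplied chain with no on-line check ever becomes more than provisional; state the condition explicitly. The "node SHOULD immediately stop using the router as a default and use another router on the link instead" sentence also gives no guidance for the case where every router on the link fails or disrupts the check, which is exactly the situation a compromised or spoofed router set would produce, so say whether the node falls back to treating the link as having no trusted router. Minor points in the same region: "procesing" in the new text is misspelled; and the example is internally inconsistent in both columns, since Certificate 3 names the subject "router_x.isp_foo.com" with prefixes "R1, ..., Rk" while the following paragraph concludes that "router_foo.isp_foo_example.com is authorized to route the prefixes R1,...,Rs", so one of the two should be aligned with the other.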
End of changes. | ||
This html diff was produced by rfcdiff v0.42, available from http://www.levkowetz.com/ietf/tools/rfcdiff/ |