>    Messages that do not pass all the above tests MUST be silently
>    discarded.  The receiver MAY also otherwise silently discard packets,
>    e.g., as a response to an apparent CPU exhausting DoS attack.

the MUST seems too strong. I.e., if the sender includes a signature I
don't have a key for, I have to drop the packet? Can't I run ND in
insecure mode? Later, text implies yes.

Actually my confusion may stem from:

>    A message containing a Signature option MUST be checked as follows:

What messages? I assumed ND in general, but maybe this is only for a
RS/NS? Please clarify.

--------

James Kempf: We'll add a qualification as to what messages containing
the signature option must be checked.

Regarding accepting packets where the signature/CGA does not verify,
SEND is a security protocol and if a signature or CGA doesn't check
and the host is configured to just accept secured messages, then one
must assume that the preconditions for accepting the message as secure
aren't met (and therefore the protocol isn't met), and therefore the
message should be discarded. A host can take a risk in accepting such
a packet and consider it unsecured if the host has been configured to
accept unsecured packets, of course, so we could put in a
qualification something like this;

   Messages that do not pass all the above tests MUST be silently
   discarded if the host has been configured to only accept secure ND
   messages. The messages MAY be accepted it the host has been
   configured to accept both secure and insecure messages, but MUST be
   treated as an insecure message.

--------

Thomas Narten: This seems fine.

--------

Arkko: Make more explicit what messages rules in spec apply. Redirect,
NS/NA, RS/RA. Also text in contridiction with mixed mode, need to
specify. If you are configured to only accept secure, agreed text on
Web page.

Action Item: Proposed text.

--------

--------