Hi, replying to myself for the records.
[email protected] (Arnaud Ebalard) writes: > I'd be interested by your (implementor) thoughts on the following if you > have some time. > > I thought SEND specification (RFC 3971) would support the following > scenario but in the end, it is unclear (I would say the spec is > contradictory on that aspect): > > A MIPv6 MN with partial support for SEND: it supports only the > certificate-based part of the spec and knows nothing about CGA. It is > configured with trust anchors and supports sending RS with Timestamp > and Nonce option. It would allow it to verify RA messages sent by > SEND-enabled routers. One possible interest of such a mode is for > securing the MIPv6 home link detection mechanism (see [1] for > rationale). > > In the specification, we have the following: > > Section 5.3.3: > > "If the node has been configured to use SEND, all advertisements sent > in reply to a solicitation MUST include a Nonce, copied from the > received solicitation. Note that routers may decide to send a > multicast advertisement to all nodes instead of a response to a > specific host. In such a case, the router MAY still include the nonce > value for the host that triggered the multicast > advertisement. (Omitting the nonce value may cause the host to ignore > the router's advertisement, unless the clocks in these nodes are > sufficiently synchronized so that timestamps function properly.)" > > > Section 8: > > o Unsolicited advertisements sent by a SEND node MUST be secured. > > o A SEND node MUST send a secured advertisement in response to a > secured solicitation. Advertisements sent in response to an > unsecured solicitation MUST be secured as well, but MUST NOT > contain the Nonce option. > > I may have missed something in the specification ... Here is what I initially missed in the specification: Section 5.1.1: If the node has been configured to use SEND, the CGA option [...] must be present in Router Solicitation messages unless they are sent with the unspecified source address. Section 5.1.2: Router Solicitations messages without the CGA option MUST also be treated as unsecured, unless the source address of the message is the unspecified address. So, in order for my MN to get a secured RA w/ a Nonce option from a SEND-enabled router on the link, it needs to send a RS with the Nonce option using the unspecified address as source for its message. Sending such a message is authorized (as per section 5.1.1) and the message will be considered secured (as per section 5.1.2. I should say it will not be considered unsecured) by the receiver. As per section 8, this will trigger the emission of a secured advertisement, which will include the nonce option found in the RS (as per section 5.3.3). Cheers, a+ _______________________________________________ CGA-EXT mailing list [email protected] https://www.ietf.org/mailman/listinfo/cga-ext
