Hi Tony,

2009/11/20 Tony Cheneau <[email protected]>:
> Hi Julien,
>
> Comments inline:
>
> On Thu, 19 Nov 2009, Laganier, Julien wrote:
>
>> Hi Tony,
>>
>> Thanks for reviewing the draft!
>>

<snip>

> Another question that comes to my mind just now, and that may need
> clarification in your document is:
> Is your solution able to provide Secure Proxy ND for the fe80::/64
> prefix? I mean, a router does not announce this prefix as it is not a
> routable one. Then, there will be no CPS/CPA exchange for this prefix,
> meaning no certificate exchange. What is the processing of a host
> receiving a ND message toward a fe80::/64 address signed with a Proxy
> Signature Option? How can he learn the certificate of the Secure Proxy
> ND? This should be addressed as it is a use case of RFC 4389 (I think).
>

IMHO, securing ND Proxy for the fe80::/64 case is out of scope. AFAIK (e.g. on FreeBSD, Debian), there is no proxied DAD process for fe80::/64-based addresses in a multilink scenario because a router is able to uniquely differentiate two nodes having the same Link Local address on two different links: that's why, when you want to ping one node using its Link Local address from a router, you also have to specify the interface of the router connected to the node.

Cheers.

JMC.

> Feel free to ask if I'm not clear enough and you need clarifications.
>
> Best regards,
> Tony
>
>
> _______________________________________________
> CGA-EXT mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/cga-ext
