All right Tony, then I assume we want to have the fe80::/64 prefix present in the certificate when proxying of link local addresses is required (e.g., RFC 4389, RFC 5213). Do you think we have to include additional text in the draft to reflect that? If yes, any suggestion?
--julien

Tony Cheneau wrote:
>
> Laganier, Julien wrote:
> > As to specifying that the proxy ND is always authorized to proxy for
> > addresses in the fe80::/64 prefix vs. inclusion in the certificate of
> > either a list of node's link local addresses that the proxy ND is
> > authorized to proxy, or of the whole fe80::/64 prefix, I have no strong
> > opinion and would like to ask the WG participant what is their
> > preference there?
>
> I would prefer a "prefix or inclusion in the certificate" based solution, as
> I think there is some scenario where you may want to proxy global
> addresses and not the Link-Local ones at all.
>
> I haven't read RFC 3775 recently. Please correct me if I'm wrong, but,
> I think, RFC 3775 (section 10.4.1) allows this kind of behavior:
> " In order to do this, when a node begins serving as the home agent it
> MUST multicast onto the home link a Neighbor Advertisement message
> [12] on behalf of the mobile node. For the home address specified in
> the Binding Update, the home agent sends a Neighbor Advertisement
> message [12] to the all-nodes multicast address on the home link to
> advertise the home agent's own link-layer address for this IP address
> on behalf of the mobile node. If the Link-Layer Address
> Compatibility (L) flag has been specified in the Binding Update, the
> home agent MUST do the same for the link-local address of the mobile
> node."
> I assume that if the flag is turned off, you do not defend the
> Link-Local addresses. The Home Agent does not need to act as a secure
> proxy ND for this address either. Meaning you can disallow the secure
> proxy ND on the fe80::/64 prefix/address and lessen the effect of a
> compromised secure proxy ND.
>
> Regards,
> Tony

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
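As an added illustration (not code from the thread or from the draft), here is a small Python model of the two options under discussion: a proxy implicitly authorised for fe80::/64 versus one authorised only for the prefixes its certificate lists, combined with the RFC 3775 L-flag rule Tony quotes. The certificate contents and addresses are constructed, and the draft's real certificate encoding is not modelled.

```python
import ipaddress

# The link-local prefix the thread debates granting implicitly.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def parse_authorized_prefixes(prefixes):
    """Parse the prefixes a proxy certificate authorises (constructed input;
    the draft's actual certificate format is not modelled here)."""
    return [ipaddress.IPv6Network(p) for p in prefixes]


def proxy_authorized(authorized, target, implicit_link_local):
    """Decide whether a Neighbor Advertisement proxied for `target` is
    authorised. implicit_link_local=True models option A of the thread
    (fe80::/64 always allowed); False models option B (certificate only)."""
    addr = ipaddress.IPv6Address(target)
    if implicit_link_local and addr in LINK_LOCAL:
        return True
    return any(addr in net for net in authorized)


def home_agent_targets(home_address, link_local_address, l_flag):
    """Addresses a MIPv6 home agent defends for a mobile node (RFC 3775,
    section 10.4.1): the home address always, the link-local address only
    when the Binding Update carried the L flag."""
    targets = [home_address]
    if l_flag:
        targets.append(link_local_address)
    return targets


def audit(authorized, targets, implicit_link_local):
    """Map each proxied target to its authorisation decision, for review."""
    return {t: proxy_authorized(authorized, t, implicit_link_local) for t in targets}


if __name__ == "__main__":
    # Constructed certificate: only the home link's global prefix is listed.
    cert = parse_authorized_prefixes(["2001:db8:1::/64"])
    # Targets a proxy might answer for; fe80::10 was never granted by the certificate.
    targets = home_agent_targets("2001:db8:1::10", "fe80::10", l_flag=True)
    print("implicit fe80::/64:", audit(cert, targets, implicit_link_local=True))
    print("certificate only:  ", audit(cert, targets, implicit_link_local=False))
```

Under option B the second line rejects the link-local target, which is the reduced blast radius for a compromised proxy that Tony describes.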
