Tony Cheneau wrote:
>
> Hi Julien,
>
> > All right Tony, then I assume we want to have the fe80::/64 prefix
> > present in the certificate when proxying of link local addresses is
> > required (e.g., RFC 4389, RFC 5213.) Do you think we have to include
> > additional text in the draft to reflect that? If yes, any suggestion?
>
> I think some text may be needed to clarify the issue (which is new and
> related to the Secure ND proxy).

Ok.

> Maybe a new section, right after 6.2, named "Handling of Link-Local
> Addresses". Containing:

Maybe rather "Proxying Link-Local Addresses"?

> "Secure Neighbor Discovery [RFC3971] relies on certificate to
> prove that routers are authorized to announce a certain prefix.
> However, Neighbor Discovery [RFC4861] states that router does not
> announce the Link-Local prefix (fe80::/64). Hence, it is unusual for a

s/unusual/not required/

> SEND certificate to hold a X.509 IP address extensions that authorizes
> the fe80::/64 prefix. Some scenario ([RFC4389], [RFC5213], etc) imposes
> that the Secure ND proxy provides proxying function for the Link-Local
> address of a node. When Secure ND proxy functionality on a Link-Local
> address is required, either the address or the Link-Local prefix MUST
> be explicitly authorized in routers certificate."
>
> What do you think of it?

Sounds good Tony, thanks for the text!

--julien
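
An added example, not part of the original message or of the draft: a check of the rule in the proposed text, that proxying a link-local address requires either that address or fe80::/64 among the IP address resources of the router certificate. The function names and the textual entry format (a prefix, or a `first-last` range) are assumptions; extracting the entries from a real X.509 certificate is not shown.

```python
import ipaddress

LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")


def parse_entry(entry):
    """Return (first, last) address for one certificate resource entry.

    Assumed text format: 'prefix/len' (a bare address means /128) or
    'first-last', mirroring the prefix and range forms of RFC 3779.
    """
    if "-" in entry:
        lo, hi = (ipaddress.IPv6Address(p.strip()) for p in entry.split("-", 1))
        if lo > hi:
            raise ValueError(f"inverted range: {entry}")
        return lo, hi
    net = ipaddress.IPv6Network(entry.strip(), strict=True)
    return net[0], net[-1]


def proxy_authorized(cert_entries, target):
    """True if the certificate resources cover the link-local target.

    Covers both cases in the proposed text: the single address is
    listed, or a prefix/range such as fe80::/64 contains it.
    """
    addr = ipaddress.IPv6Address(target)
    if addr not in LINK_LOCAL:
        raise ValueError(f"{target} is not a link-local address")
    return any(lo <= addr <= hi for lo, hi in map(parse_entry, cert_entries))


if __name__ == "__main__":
    # Constructed sample data: a router certificate that only authorizes
    # the prefix it announces, and two variants that also allow proxying.
    node = "fe80::211:22ff:fe33:4455"
    for entries in (
        ["2001:db8:1::/48"],
        ["2001:db8:1::/48", "fe80::/64"],
        ["2001:db8:1::/48", node],
    ):
        print(entries, "->", proxy_authorized(entries, node))
```
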
