On behalf of the SEND DT, I'd like to get
a clarification to the current ND design from
those who were around back when RFC2461 and
RFC2462 were written.

Specifically, we'd like to know the exact
reasons why RFC2461 uses separate source/target link
layer address options instead of relying on the
actual source link layer addresses used in the
link layer frame?  Furthermore, why are the actual
link layer addresses used in the link layer frame
completely ignored, and not checked to match with
the options?

Is this just a layering question, an attempt to
avoid layer violations?  Or were there other
goals behind it, like allowing proxy ND?

The reason why I am asking this is that the current
situation makes security design tricky.  That is,
the Secure ND part of SEND (as opposed to Secure RD)
is all about creating a secure binding between an IP
address and a link layer address.

The WG decided to pursue the idea of using public
key based AH to secure the NA (and NS) messages.
That requires that the hosts learn the public keys
of the other hosts on the local link.  Basically,
there are two known methods for distributing the
public keys:  Using certificates and relying on
a (local) CA, or using Cryptographically Generated
Addresses (CGA).

Now, for zero-config operation, we would like to
use the CGA ideas.  Furthermore, there is a possible
attack against link local addresses, and that attack
can be partially dwarfed if we bind both the link
layer address and the public key to the IP address
in CGA.

Under the current design, the CGA processing at the
AH layer becomes very tricky, if we attempt to include
the link layer address into the CGA process.

--Pekka Nikander
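The binding the post is after, as an added illustration that is not part of the original message and not the CGA construction SEND later standardised (RFC 3972): a hypothetical, simplified scheme in which the interface identifier is derived from a hash over a modifier, the prefix, the host's public key and its link-layer address, so that an NA claiming that address can be checked against both the link-layer address option and the source address actually carried in the frame. The key bytes, MACs and modifier are constructed sample values, the public-key AH signature check is left out, and the hash layout is an assumption made for the example.

```python
import hashlib
import ipaddress

# Constructed sample values (not from the original post): a stand-in for
# the host's public key, a fixed modifier, and two link-layer addresses.
PREFIX = "fe80::/64"
HOST_PUBKEY = b"host-public-key-bytes-for-demo"
HOST_MAC = bytes.fromhex("001122334455")
ATTACKER_MAC = bytes.fromhex("66778899aabb")
MODIFIER = bytes(16)  # a real scheme would randomise this 128-bit value


def derive_iid(prefix8: bytes, pubkey: bytes, mac: bytes, modifier: bytes) -> bytes:
    """Hypothetical binding (assumption, not RFC 3972): the 64-bit interface
    identifier is the first 64 bits of
        SHA-256(modifier || prefix || public key || link-layer address)
    with the u and g bits of the first byte cleared, as for modified EUI-64."""
    digest = hashlib.sha256(modifier + prefix8 + pubkey + mac).digest()
    iid = bytearray(digest[:8])
    iid[0] &= 0xFC
    return bytes(iid)


def make_cga(prefix: str, pubkey: bytes, mac: bytes, modifier: bytes) -> str:
    """Build an IPv6 address whose IID is bound to both the key and the MAC."""
    prefix8 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    return str(ipaddress.IPv6Address(prefix8 + derive_iid(prefix8, pubkey, mac, modifier)))


def verify_binding(addr: str, pubkey: bytes, mac_option: bytes,
                   mac_frame: bytes, modifier: bytes) -> tuple[bool, str]:
    """Check an NA/NS for `addr` that carries `mac_option` in its link-layer
    address option, arrived in a frame with source address `mac_frame`, and
    was (by assumption) signed with `pubkey`.

    Two checks, neither of which RFC 2461 performs today:
      1. the link-layer address option must equal the frame's source address;
      2. the IID of `addr` must be the hash of (modifier, prefix, pubkey, MAC).
    The AH signature over the message is assumed to have been verified already."""
    if mac_option != mac_frame:
        return False, "link-layer address option does not match frame source address"
    packed = ipaddress.IPv6Address(addr).packed
    expected_iid = derive_iid(packed[:8], pubkey, mac_option, modifier)
    if packed[8:] != expected_iid:
        return False, "address is not bound to this public key and link-layer address"
    return True, "ok"


def run_demo() -> dict:
    """Legitimate NA, an NA whose option and frame MAC disagree, and an NA in
    which an attacker claims the host's address with its own MAC."""
    addr = make_cga(PREFIX, HOST_PUBKEY, HOST_MAC, MODIFIER)
    return {
        "address": addr,
        "legit": verify_binding(addr, HOST_PUBKEY, HOST_MAC, HOST_MAC, MODIFIER),
        "option_frame_mismatch": verify_binding(addr, HOST_PUBKEY, HOST_MAC, ATTACKER_MAC, MODIFIER),
        "spoofed_mac": verify_binding(addr, HOST_PUBKEY, ATTACKER_MAC, ATTACKER_MAC, MODIFIER),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The second check is the part that, under the current option-based design, has to be done at the AH layer with knowledge of the link layer: the verifier needs the MAC from the option (or the frame) before it can recompute the hash, which is exactly the layering difficulty the message points at.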



--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
