Hi Greg, No need to go over there for comments. :-)
SEND allows the unspecified address to be used on RSs but the CGA option is not included, so, as a practical matter, the signature can't be either since the CGA option contains the key. A message sent with an unspecified address is not treated as insecure however, unlike other ND/RD messages without a CGA option and signature.

jak

----- Original Message -----
From: "Greg Daley" <[EMAIL PROTECTED]>
To: "Pekka Savola" <[EMAIL PROTECTED]>
Cc: "Nick 'Sharkey' Moore" <[EMAIL PROTECTED]>; "Erik Nordmark" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Thursday, June 03, 2004 6:21 AM
Subject: Re: optimistic dad comments

> Hi Pekka,
>
> Pekka Savola wrote:
> > On Wed, 2 Jun 2004, Erik Nordmark wrote:
> >
> >>>My concern with using the unspecified address comes from the
> >>>experience we had in MAGMA where we had to specify which source
> >>>address to use in the MLDv1 packets.
> >>
> >>RFC 3590 does allow the unspecified source for MLD messages during DAD,
> >>so the parallel for RS works quite fine.
> >
> > That must be allowed (more or less) for MLD because there is no choice
> > if there are MLD snoopers out there..
> >
>
> Indeed.
> Let IP devices beware...
>
> >>>Further, some might want to
> >>>perform some kind of filtering based on the link-local source address,
> >>>and using the unspecified address makes this impossible.
> >>
> >>What type of filtering do you have in mind?
> >>What problem would such filtering solve?
> >
> > I'm mainly thinking of xDSL systems where all the customers appear to
> > be on the same subnet (e.g. a shared IPv4 /19 prefix), but are
> > filtered so that they are actually separate from each other (sorry, I
> > can't describe it much better).
> >
> > I would also imagine that minimizing the use of the unspecified
> > address might make SEND-like mechanisms easier, because the
> > unspecified address does not belong to just one node, and you cannot
> > distinguish the different nodes using the unspecified address.
> >
>
> I think that the issue with SEND is credible, for router
> solicitations more than neighbour solicitations (since
> unspecified address solicitations are for DAD, and the
> CGA address is in the Target Address.
>
> Given that we were talking about RS here anyway, you may
> have a point that the unspecified address RS is unidentifiable,
> except by its signed public key (in the message).
>
> I think that ruling out RS entirely here would be premature
> though until we consult SEND WG...
>
> It's worth asking the question over there.
>
> Personally, I don't think unidentified and unspecified RS's
> are given significant power in any case, so there may be no need
> to identify them (rather, we need to make sure that
> no additional power goes to them).
>
> If SEND is in use, then certainly there is no CGA, but the
> message is still signed and sent from an address which is
> covered by the signature at the end of the packet.
>
> That public key did send the message, and if you know the public
> key (have seen it before and perhaps trust it), then you could
> even treat that differently to a device which you've never seen.
>
> [dhcp issues cut].
>
> Greg
>
> --------------------------------------------------------------------
> IETF IPv6 working group mailing list
> [EMAIL PROTECTED]
> Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
> --------------------------------------------------------------------
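The receive-side rule as jak states it in the reply above (an unspecified-source RS carries no CGA option, therefore no signature, and is nonetheless not flagged as insecure, while any other ND message lacking both options is handled as unsecured), written out as a small classifier. This is an added example, not code from the thread or from any SEND implementation; the message layout, the verdict names and the "signature fails to verify, so discard" branch are assumptions of the example, and the messages fed to it are constructed. It also shows Pekka's point that an unspecified source gives a filter nothing to key on.

```python
"""SEND-style triage of incoming Neighbor Discovery messages.

Constructed example: it encodes the rule stated in the reply above and
invents its own message structure. Verification of the signature itself
is assumed to be done elsewhere and is passed in as a flag.
"""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv6Address

UNSPECIFIED = IPv6Address("::")


class NDType(Enum):
    # ICMPv6 type numbers for the ND message types mentioned in the thread
    RS = 133
    RA = 134
    NS = 135
    NA = 136
    REDIRECT = 137


class Verdict(Enum):
    SECURED = "secured"                      # CGA option + verified signature
    UNSECURED = "unsecured"                  # process as if from a non-SEND node
    ALLOWED_ANONYMOUS = "allowed-anonymous"  # unspecified-source RS, no options, not flagged
    MALFORMED = "malformed"                  # signature without the CGA option holding its key
    DISCARD = "discard"                      # assumption: signature present but does not verify


@dataclass
class NDMessage:
    msg_type: NDType
    source: IPv6Address
    has_cga_option: bool = False
    has_rsa_signature: bool = False
    sig_verifies: bool = False  # result of an external verifier (assumed)


def classify(msg: NDMessage) -> Verdict:
    """Apply the rule from the reply: the unspecified-source RS is the one
    message that may lack CGA and signature without being treated as insecure."""
    if msg.has_rsa_signature and not msg.has_cga_option:
        # The CGA option carries the public key; without it the signature
        # cannot be checked at all, so the message is not merely unsecured.
        return Verdict.MALFORMED
    if msg.source == UNSPECIFIED and msg.msg_type is NDType.RS:
        # SEND allows this RS; it carries no CGA option and hence no
        # signature, and per the thread it is not treated as insecure.
        return Verdict.ALLOWED_ANONYMOUS
    if msg.has_cga_option and msg.has_rsa_signature:
        # Unspecified-source NS (DAD) lands here too: its CGA is the Target
        # Address, so it can and does carry both options.
        return Verdict.SECURED if msg.sig_verifies else Verdict.DISCARD
    return Verdict.UNSECURED


def filter_key(msg: NDMessage):
    """Key a per-sender filter would use. None for the unspecified source:
    it belongs to no single node, so nodes using it are indistinguishable."""
    if msg.source == UNSPECIFIED:
        return None
    return str(msg.source)


def demo() -> dict:
    """Run the classifier over a handful of constructed messages."""
    samples = {
        "rs_unspecified": NDMessage(NDType.RS, UNSPECIFIED),
        "rs_linklocal_plain": NDMessage(NDType.RS, IPv6Address("fe80::1")),
        "ns_dad_signed": NDMessage(NDType.NS, UNSPECIFIED, True, True, True),
        "na_sig_without_cga": NDMessage(NDType.NA, IPv6Address("fe80::2"), False, True, True),
        "ra_bad_signature": NDMessage(NDType.RA, IPv6Address("fe80::3"), True, True, False),
    }
    return {name: classify(m) for name, m in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} -> {verdict.value}")
```

The branch order matters: a signature with no CGA option is checked first because nothing on the wire lets the receiver verify it, and only then does the unspecified-source RS get its exemption, so that exemption never covers a message that merely claims to be signed.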