Dave Thaler wrote:

The fact that SEND doesn't yet support proxy ND is not specific to
this specification, it's something for SEND to solve.

The general case of proxy ND, which this specification uses, cannot provide any security against MiTM because by definition the proxy is a MiTM. Thus it is completely unreasonable to assume that SeND will solve this.


There are specific cases of proxy for which SeND can be extended, that have the property that there exists a security relationship between the host and the proxy. An example of this is a MIP home agent. In such a case one can extend SeND to allow for the mobile node to delegate its key (somehow) to the home agent.

But with ndproxy you both want things to be transparent to the hosts, and you want the ndproxy proxies to rewrite the ND packets. You can't do that and prevent other nodes (aka attackers) from forging ND packets.

Thus any secure solution in this space requires at least one of:
1. that the host be modified to have a secure relationship with the
   proxy
2. that the proxies do not modify the ND packets

Note that #2 can be done, but it requires that the proxies be able to receive packets addressed to any MAC address (just like bridges do).

This is very much analogous to Ralph's comments about DHCP.

So expecting SeND to provide security when by design you need MiTMs in the proxies isn't truth in advertising about this protocol.

   Erik

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
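The argument above (a SeND-signed ND message cannot be rewritten by a transparent proxy unless the host has delegated its key, option #1, while an unmodified forward, option #2, verifies fine) can be made concrete with a small model. The following is an added example, not code from the mailing-list thread or from any SeND implementation: it uses a toy textbook RSA over SHA-256 in place of SeND's real CGA/RSA Signature option encoding, and the addresses and MACs are constructed sample values. What it keeps from RFC 3971 is the essential property that the signature covers the IPv6 source and destination, the ICMPv6 header fields and every ND option that precedes the signature option, which is exactly what an ND proxy wants to change.

```python
"""Toy model of SeND's RSA Signature option passing through an ND proxy.

Constructed illustration, not the SeND wire format. The signature covers
src, dst, ICMPv6 type/code, the target address and all options before the
signature option, mirroring what RFC 3971's RSA Signature option protects.
The RSA below is textbook (no padding, deterministic seed) and exists only
so the example runs offline without third-party libraries.
"""
import hashlib
import random
from math import gcd

TARGET_LLADDR_OPTION = 2  # ND option type: Target Link-Layer Address


# --- toy RSA key generation (insecure, illustration only) ---------------
def _is_probable_prime(n, rng, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_keypair(bits=512, seed=0):
    """Return (public, private) as ((n, e), (n, d)); seeded for repeatability."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


# --- the part that models SeND: what the signature covers -----------------
def signed_fields(msg):
    """Bytes under the signature: addresses, ICMPv6 header, target, options."""
    parts = [msg["src"], msg["dst"], bytes([msg["type"], msg["code"]]), msg["target"]]
    for opt_type, value in msg["options"]:
        parts.append(bytes([opt_type]) + value)
    return b"".join(parts)


def _digest(msg):
    return int.from_bytes(hashlib.sha256(signed_fields(msg)).digest(), "big")


def sign_message(msg, priv):
    n, d = priv
    return pow(_digest(msg), d, n)


def verify_message(msg, pub):
    n, e = pub
    return msg["signature"] is not None and pow(msg["signature"], e, n) == _digest(msg)


def make_advertisement(src, dst, target, lladdr):
    """Neighbor Advertisement (ICMPv6 type 136) carrying a target link-layer option."""
    return {"src": src, "dst": dst, "type": 136, "code": 0, "target": target,
            "options": [(TARGET_LLADDR_OPTION, lladdr)], "signature": None}


def proxy_rewrite(msg, proxy_mac):
    """A transparent ND proxy substitutes its own MAC for the target's."""
    out = dict(msg)
    out["options"] = [(t, proxy_mac if t == TARGET_LLADDR_OPTION else v)
                      for t, v in msg["options"]]
    return out


def demo():
    pub, priv = generate_keypair()
    host_ip = bytes.fromhex("20010db8000000000000000000000001")   # constructed
    all_nodes = bytes.fromhex("ff020000000000000000000000000001")
    host_mac = bytes.fromhex("020000000001")                       # constructed
    proxy_mac = bytes.fromhex("020000000002")                      # constructed

    na = make_advertisement(host_ip, all_nodes, host_ip, host_mac)
    na["signature"] = sign_message(na, priv)
    results = {"original": verify_message(na, pub)}

    # Option #2 from the mail: proxy forwards the packet untouched.
    results["forwarded_unmodified"] = verify_message(dict(na), pub)

    # Transparent rewrite: the covered bytes changed, so the signature fails.
    rewritten = proxy_rewrite(na, proxy_mac)
    results["rewritten_by_proxy"] = verify_message(rewritten, pub)

    # Option #1 from the mail: the host has delegated its key to the proxy,
    # which can therefore re-sign the rewritten advertisement.
    rewritten["signature"] = sign_message(rewritten, priv)
    results["rewritten_and_resigned_with_delegated_key"] = verify_message(rewritten, pub)
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'valid' if ok else 'INVALID'}")
```

Running it prints `original: valid`, `forwarded_unmodified: valid`, `rewritten_by_proxy: INVALID` and `rewritten_and_resigned_with_delegated_key: valid`, which is the whole point of the mail in four lines: a proxy that must rewrite the link-layer option is, from the verifier's perspective, indistinguishable from any other node forging that option, and only a key relationship with the host (or not rewriting at all) gets you out of that.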
