Hello,

In your IESG comments on draft-ietf-ipv6-rfc2462bis-07.txt, you said:

>  RFC 3756 says that IPsec really does not work for neighbor
>  discovery.  Even if it does work in some cases, there is not
>  enough detail in this document to say how to use it.  SEND
>  is the answer, of course.  However, this document cannot
>  have a normative reference to SEND because this document is
>  going for publication as Draft Standard.

>  My recommendation is to delete the text regarding the use of
>  IPsec and replace it with an Informative reference to SEND.
>  I think this is better than misleading the reader.

While I do not necessarily think the current text (with proper references)
will mislead the reader, I agree that simply referring to IPsec-AH is
almost meaningless in the context of secure address autoconfiguration.

So, I don't mind replacing the reference with a reference to the SEND
RFC.  And this is mostly just editorial work: the only references
to IPsec-AH in this document are the following:

      2.  If RemainingLifetime is less than or equal to 2 hours, ignore
          the Prefix Information option with regards to the valid
          lifetime, unless the Router Advertisement from which this
          option was obtained has been authenticated (e.g., via IP
          security [RFC2402]).  If the Router Advertisement was
          authenticated, the valid lifetime of the corresponding address
          should be set to the Valid Lifetime in the received option.
(Section 5.5.3 e-2)

   [...]  These attacks can be addressed by requiring
   that Neighbor Discovery packets be authenticated with IP security
   [RFC2402].
(Section 6 "SECURITY CONSIDERATIONS")

If we replace "IP security [RFC2402]" with "SEcure Neighbor Discovery
[RFC3971]", the work will be done without introducing oddity due to
the change of the reference.

The only possible problem is, as you pointed out, the down-reference
issue.  While I originally categorized the reference to RFC2402 as
normative, I actually think the reference could be informative, and
the change of the reference to SEND does not change the impression (as
long as the reference context is not changed from the above simple
ones).

What do others (in the wg) think?  Does anyone have an objection to
the following change?

1. change the references to RFC2402 (IPsec-AH) to references to
   RFC3971 (SEND), and
2. categorize the new reference as informative

                                        JINMEI, Tatuya
                                        Communication Platform Lab.
                                        Corporate R&D Center, Toshiba Corp.
                                        [EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
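The Section 5.5.3 e-2 text quoted above is one of three cases in the valid-lifetime rule of RFC 2462, and the "authenticated" condition is the only place where the choice of IPsec-AH versus SEND actually changes host behaviour. The following Python is an added illustration, not text from the draft or the mailing list: it implements the complete three-case rule (items 1 and 3, which the message does not quote, are taken from RFC 2462 Section 5.5.3 e) and shows why an unauthenticated, forged Router Advertisement can shorten an address's valid lifetime to no less than two hours, while an RA that the host has verified (e.g. with SEND) may set it to the advertised value. The function names, the `authenticated` flag and the sample lifetimes are assumptions made for this example.

```python
# Valid-lifetime handling for an autoconfigured address, following
# RFC 2462 Section 5.5.3 e) (added example; names and inputs are assumed).
#
# All lifetimes are in seconds. "remaining_lifetime" is the valid lifetime
# the address currently has left; "advertised_valid_lifetime" is the
# Valid Lifetime field of the Prefix Information option just received;
# "authenticated" is True only when the receiving host has verified the
# Router Advertisement (the draft says "e.g., via IP security [RFC2402]";
# the proposal in the message is to cite SEND [RFC3971] instead).

TWO_HOURS = 2 * 60 * 60  # the 7200-second floor from the RFC


def update_valid_lifetime(remaining_lifetime: int,
                          advertised_valid_lifetime: int,
                          authenticated: bool) -> int:
    """Return the address's new valid lifetime after processing one option."""
    # Case 1: a lifetime longer than 2 hours, or longer than what is left,
    # is always accepted (it can only extend the address, never revoke it).
    if (advertised_valid_lifetime > TWO_HOURS
            or advertised_valid_lifetime > remaining_lifetime):
        return advertised_valid_lifetime

    # Case 2: the quoted e-2 text. With 2 hours or less remaining, a short
    # advertised lifetime is ignored unless the RA was authenticated.
    if remaining_lifetime <= TWO_HOURS:
        return advertised_valid_lifetime if authenticated else remaining_lifetime

    # Case 3: otherwise clamp to 2 hours. This is the most a single
    # unauthenticated RA can ever shorten an address by.
    return TWO_HOURS


def apply_advertisements(initial_lifetime: int, options) -> int:
    """Apply a sequence of (advertised_valid_lifetime, authenticated) pairs."""
    lifetime = initial_lifetime
    for advertised, authenticated in options:
        lifetime = update_valid_lifetime(lifetime, advertised, authenticated)
    return lifetime


if __name__ == "__main__":
    # Constructed scenario: an address with a day of valid lifetime left
    # receives a Prefix Information option advertising a lifetime of 0.
    day = 24 * 60 * 60
    print("forged, unauthenticated RA:", update_valid_lifetime(day, 0, False))
    print("authenticated RA:          ", update_valid_lifetime(day, 0, True))
    # Two consecutive authenticated RAs do take the address all the way to 0:
    # the first clamps to 2 hours (case 3), the second is accepted (case 2).
    print("two authenticated RAs:     ",
          apply_advertisements(day, [(0, True), (0, True)]))
    # The same two RAs without authentication stop at the 2-hour floor.
    print("two unauthenticated RAs:   ",
          apply_advertisements(day, [(0, False), (0, False)]))
```

Note that the `authenticated` flag applies only in case 2: even a verified RA advertising a lifetime of 0 first brings an address with more than two hours left down to two hours, and only a subsequent verified RA can revoke it. That behaviour is unchanged by swapping the RFC2402 reference for RFC3971; what SEND changes is whether a host can ever set the flag at all, which is the substance of the point quoted from the IESG comment.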
