Hi,

Some quick comments:

I think it's valuable to work on limits to ensure that
existing mechanisms don't cause denial-of-service or
flooding.

Good network security mandates good network management for detecting
unauthorized devices on the network.


It would seem that the recommended mechanisms are capable
of detecting only devices that are accidentally unauthorized,
e.g., plugged to the wrong Ethernet connector. But it wouldn't
appear to be able to detect malicious unauthorized devices,
as those would likely not respond to such queries.

Also, given that IND is not widely implemented (according
to the draft), it would seem that whatever we do would have
limited success within a network that has nodes that predate
the suggested mandatory-to-implement requirement. So
some of the accidentally unauthorized nodes would also
be missed, if they are older.

This draft does not "add" that feature. The feature already exists.

(snip)

2) Requiring all nodes implement Inverse Neighbor Discovery with the addition of the response holdoff timer.

The feature exists. But an all-nodes mandatory implementation
requirement is additional functionality, and I'm not sure
there's justification for that yet - but I admit that I did not
follow the discussion in the last meeting about this, so
I may be missing something. One approach would be
to publish INDbis spec, but not make it mandatory for
everyone.

--Jari


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
