On Fri, 24 Jul 2009 09:43:16 +0200, a...@natisbad.org (Arnaud Ebalard) wrote:
>> This all leads me to conclude that the node requirements doc should
>> not make SEND even a SHOULD. Ideally, somewhere between a MAY and
>> SHOULD. I'd love to see SEND implemented and deployed (so we can
>> figure out how well it works and fix any shortcomings), but I think it
>> is premature to recommend its implementation on all nodes.
>
> +1
>
> Some implementations have been done, which provided some feedback on the
> specification (padding in Signature Option, ...) but the main issue IMHO
> is the lack of feedback from a deployment standpoint (router load,
> certificates deployment and maintenance, ...).
>
> Even if some vendors have various levels of support for the protocol in
> their routers, there is no major client OS providing a good level of
> support for the protocol: not available yet in Windows or OS X,
> available in FreeBSD via the ports (DoCoMo implementation, no upstream
> maintainer), externally available for Debian, not available in Ubuntu or
> RedHat ...

IIRC, the DoCoMo implementation is basically a proof-of-concept-grade hack. It works with user-space packet filtering hooks, instead of being built into the real IPv6 neighbor discovery code.

SeND is theoretically not easy to deploy - you need to provision cryptography material on all nodes. That implementations are not even properly integrated into operating systems makes it worse. I somewhat expect that somewhat secure networks will use network-side filtering as is done for ARP instead, as it requires no host-side changes.

I don't think it deserves a "SHOULD" at this point.

-- 
Rémi Denis-Courmont

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------