On Aug 18, 2011, at 16:04 , Erik Nordmark wrote:
> 
> How would such sleep proxies interact with SeND?

Theoretically, not very securely.  This problem, if you ask me, is one of the 
major deficiencies in SEND.  It needs to be revised to support sleep proxies.  
(It's not just network sleep proxies that have trouble with SEND.  So do host 
sleep proxies.)

What I mean by "theoretically" is that, at present, I am aware of neither any 
sleep proxies that implement SEcure Neighbor Discovery [RFC 3971], nor any that 
employ a security protocol of any kind between the sleeping host and the sleep 
proxy to which it registers.  "Security is hard; let's go SHOPPING!"

In theory, assuming all hosts and their sleep proxies are using SEND (because 
non-SEND nodes are not admitted to the network, or at least they aren't trusted 
by any of the other nodes they find on the network), then sleep proxies will 
need to possess the RSA private keys for all the CGAs that their client hosts 
register with them, and when sleep proxies themselves go to sleep, they may 
need to transfer those credentials to the next sleep proxy in turn.

I suppose one might imagine improving SEND with express support for sleep 
proxies, but I'm guessing that the major users of SEND are people for whom the 
choice to trade energy efficiency for network security doesn't usually require 
very much thought.


--
james woodyatt <j...@apple.com>
member of technical staff, core os networking



--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
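
The CGA binding behind the key-sharing requirement described in the message above, as an added example that is not part of the original e-mail: the RFC 3972 Hash1 check at Sec=0, with constructed byte strings standing in for DER-encoded RSA public keys and a constructed prefix and modifier. A proxy that presents its own key for the sleeping host's address fails the check, so it has to present the host's key, and SEND's RSA signature must then come from the matching private key.

```python
import hashlib
import ipaddress

# RFC 3972: when comparing Hash1 with the interface identifier, the three
# leftmost bits (Sec) and bits 6 and 7 (u/g) are ignored.
ID_MASK = 0x1CFFFFFFFFFFFFFF

def hash1(modifier, prefix, collision_count, public_key):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters (no extension fields)."""
    params = modifier + prefix + bytes([collision_count]) + public_key
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")

def generate_cga(prefix, public_key, modifier):
    """Build a Sec=0 CGA: interface ID is Hash1 with Sec and u/g bits cleared."""
    iid = hash1(modifier, prefix, 0, public_key) & ID_MASK
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))

def verify_cga(address, modifier, prefix, collision_count, public_key):
    """Receiver-side check of claimed CGA Parameters against an address."""
    raw = ipaddress.IPv6Address(address).packed
    if collision_count not in (0, 1, 2) or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    if iid >> 61 != 0:
        return False  # Sec > 0 also needs the Hash2 check, not covered here
    h1 = hash1(modifier, prefix, collision_count, public_key)
    return (h1 & ID_MASK) == (iid & ID_MASK)

# Constructed sample values (assumptions, not real keys or addresses in use).
PREFIX = bytes.fromhex("20010db800000000")       # 2001:db8::/64
MODIFIER = bytes(range(16))
HOST_KEY = b"constructed-host-public-key-bytes"
PROXY_KEY = b"constructed-proxy-public-key-bytes"
HOST_ADDR = generate_cga(PREFIX, HOST_KEY, MODIFIER)

def proxy_outcomes():
    """What a neighbor concludes when the proxy answers for HOST_ADDR."""
    return {
        # Proxy presents its own key: the address does not hash to it.
        "own_key": verify_cga(HOST_ADDR, MODIFIER, PREFIX, 0, PROXY_KEY),
        # Proxy presents the host's key: CGA check passes, but the message
        # signature must now be made with the host's private key.
        "host_key": verify_cga(HOST_ADDR, MODIFIER, PREFIX, 0, HOST_KEY),
    }

if __name__ == "__main__":
    print(HOST_ADDR, proxy_outcomes())
```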
