On 7/31/13 11:11 AM, Linda Dunbar wrote:

> However, when SEND is used, Access (or Aggregation) switches might not
> possess knowledge of the attached hosts (VMs)' private keys.
>
> Are there any concerns/feedback for giving the following recommendation
> in our draft? Any preferences?
>
> 1) state that SARP is not recommended when SEND is deployed;
>
> 2) recommend using RFC6496 (Secure Proxy ND Support for SEND).

I think it would be awkward to use RFC 6496 in this context since it requires that the host create a special certificate authorizing the switches to respond on their behalf. (That makes sense in cases like Mobile IP home agents where there is a pre-established relationship between the host and the home agent.) Note that there would be some additional deployment issues as well, since all the hosts on the link would need to be able to do the RFC 6496 validation - not just the normal SeND validation.

My take is that *if* we want to have the approach where a host's IP address should map to somebody else's MAC address, then I think the simplest (and secure) approach would be to have the host (somehow) find out the MAC address to use, and then have the hosts send the NAs themselves.

   Erik

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
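Erik's suggestion above is that the host, which alone holds its SEND private key, originates the Neighbor Advertisement and simply puts the switch's MAC in the Target Link-layer Address option. The following is an added example, not code from the thread or from the SARP draft: it builds such an unsolicited NA (RFC 4861 section 4.4) for the host's own address with a TLLA pointing at a proxy, computes the ICMPv6 checksum over the IPv6 pseudo-header, and parses it back with the option-length checks a receiver needs. The addresses and MACs are constructed documentation values (2001:db8::/32, 00:00:5e:00:53:xx); the SEND options themselves (CGA, Timestamp, Nonce, RSA Signature from RFC 3971) are not built here, only the message they would be appended to.

```python
"""Unsolicited IPv6 Neighbor Advertisement whose Target Link-layer Address
option names a proxy's MAC rather than the sender's own (added example)."""
import ipaddress
import struct

ICMPV6_NA = 136              # Neighbor Advertisement type (RFC 4861 section 4.4)
OPT_TARGET_LLADDR = 2        # Target Link-layer Address option (RFC 4861 section 4.6.1)
NEXT_HEADER_ICMPV6 = 58
FLAG_ROUTER, FLAG_SOLICITED, FLAG_OVERRIDE = 0x80, 0x40, 0x20

# Constructed sample values (documentation prefix / documentation MAC range).
VM_ADDR = ipaddress.IPv6Address("2001:db8::10")     # the VM's own address
ALL_NODES_ADDR = ipaddress.IPv6Address("ff02::1")   # link-local all-nodes multicast
VM_MAC = "00:00:5e:00:53:aa"                        # the VM's real NIC
SWITCH_MAC = "00:00:5e:00:53:01"                    # aggregation switch acting as proxy


def _ones_complement_sum(data: bytes) -> int:
    """Fold a byte string into a 16-bit one's-complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def icmpv6_checksum(src, dst, payload: bytes) -> int:
    """ICMPv6 checksum over the IPv6 pseudo-header plus the ICMPv6 message
    (RFC 8200 section 8.1); the checksum field in payload must be zero."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(payload), NEXT_HEADER_ICMPV6)
    return (~_ones_complement_sum(pseudo + payload)) & 0xFFFF


def build_na(src, dst, target, tlla_mac: str, override: bool = True) -> bytes:
    """Build an unsolicited NA for `target` advertising `tlla_mac`.
    R=0 (the host is not a router), S=0 (unsolicited), O as requested.
    Under SEND the host would append its CGA/Timestamp/Nonce/RSA Signature
    options after the TLLA option and sign with its own key; a switch that
    lacks that key cannot produce this message on the host's behalf."""
    flags = FLAG_OVERRIDE if override else 0
    header = struct.pack("!BBHB3x16s", ICMPV6_NA, 0, 0, flags, target.packed)
    mac = bytes.fromhex(tlla_mac.replace(":", ""))
    option = struct.pack("!BB6s", OPT_TARGET_LLADDR, 1, mac)   # length 1 = 8 octets
    msg = header + option
    csum = icmpv6_checksum(src, dst, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_na(src, dst, packet: bytes) -> dict:
    """Validate an NA and return its target, TLLA and flags.
    Raises ValueError on a bad checksum or malformed options (RFC 4861
    section 4.6 requires discarding a packet with a zero-length option)."""
    if len(packet) < 24:
        raise ValueError("truncated Neighbor Advertisement")
    typ, code, csum, flags, target = struct.unpack("!BBHB3x16s", packet[:24])
    if typ != ICMPV6_NA or code != 0:
        raise ValueError("not a Neighbor Advertisement")
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]
    if icmpv6_checksum(src, dst, zeroed) != csum:
        raise ValueError("bad ICMPv6 checksum")
    tlla = None
    off = 24
    while off < len(packet):
        if len(packet) - off < 2:
            raise ValueError("truncated ND option header")
        otype, olen = packet[off], packet[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")
        end = off + 8 * olen
        if end > len(packet):
            raise ValueError("ND option overruns packet")
        if otype == OPT_TARGET_LLADDR and olen == 1:
            tlla = ":".join("%02x" % b for b in packet[off + 2:off + 8])
        off = end   # unknown options are skipped, as RFC 4861 requires
    return {
        "target": str(ipaddress.IPv6Address(target)),
        "tlla": tlla,
        "override": bool(flags & FLAG_OVERRIDE),
        "solicited": bool(flags & FLAG_SOLICITED),
    }


def demo() -> dict:
    """The VM advertises its own address but the switch's MAC, so neighbours
    send its traffic to the proxy; the NA is nonetheless sent by the VM."""
    pkt = build_na(VM_ADDR, ALL_NODES_ADDR, VM_ADDR, SWITCH_MAC)
    info = parse_na(VM_ADDR, ALL_NODES_ADDR, pkt)
    info["sender_mac"] = VM_MAC   # differs from info["tlla"] by design
    return info


if __name__ == "__main__":
    print(demo())
```

The receiver side here does nothing SEND-specific; under SEND it would additionally verify the CGA and RSA Signature options against the target address, which is exactly the validation every host on the link already performs, so no RFC 6496 proxy certificate is needed.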
