Hi Jean-Michel,

> > Another question that comes to my mind just now, and that may need
> > clarification in your document is:
> > Is your solution able to provide Secure Proxy ND for the fe80::/64
> > prefix? I mean, a router does not announce this prefix as it is not a
> > routable one. Then, there will be no CPS/CPA exchange for this prefix,
> > meaning no certificate exchange. What is the processing of a host
> > receiving an ND message toward a fe80::/64 address signed with a Proxy
> > Signature Option? How can he learn the certificate of the Secure
> > Proxy ND? This should be addressed as it is a use case of RFC 4389 (I
> > think).
> >
> > IMHO, securing ND Proxy for the fe80::/64 case is out of scope.
It is in scope and required for RFC 4389, as Tony pointed out; e.g., link-local addresses will be used by routers and will be present in RAs sent by routers, or in NS/NA when a node attempts address resolution for a router's link-local. These packets need to be proxied. However, the fe80::/64 prefix need not be present in the authorization certificates. The draft should simply specify (although it currently does not) that a proxy ND is always authorized to proxy addresses in the fe80::/64 prefix. That has to be fixed in the next revision of the draft.

--julien

_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
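An added example (not from the thread or the draft) of the receiver-side authorization check the reply describes: link-local proxied addresses are accepted without any certificate entry, everything else must fall inside a prefix carried in the proxy's authorization certificate. It assumes the Proxy Signature Option has already been verified and the certificate's prefixes extracted; the message dicts and prefixes are constructed for illustration.

```python
import ipaddress

# The thread's proposed rule: a Secure Proxy ND is always authorized for
# fe80::/64, since no router advertises it and no CPS/CPA exchange could
# ever deliver a certificate covering it.
IMPLICIT_PREFIX = ipaddress.IPv6Network("fe80::/64")

def authorized_to_proxy(cert_prefixes, proxied_address):
    """True if a proxy whose certificate lists cert_prefixes may act for
    proxied_address. Assumes the Proxy Signature Option already verified;
    only the address-authorization question is decided here."""
    addr = ipaddress.IPv6Address(proxied_address)
    if addr in IMPLICIT_PREFIX:
        return True  # link-local: no certificate entry required
    # strict=True: a prefix with host bits set is malformed and raises
    # rather than being silently widened.
    return any(addr in ipaddress.IPv6Network(p, strict=True) for p in cert_prefixes)

def proxied_address_of(msg):
    """The address the proxy speaks for: RA -> router's link-local source,
    NS/NA -> target. msg is a constructed dict, not a parsed packet."""
    if msg["type"] == "RA":
        return msg["src"]
    if msg["type"] in ("NS", "NA"):
        return msg["target"]
    raise ValueError(f"not a proxied ND message type: {msg['type']}")

def filter_proxied_nd(cert_prefixes, msgs):
    """Split PSO-signed messages into (accepted, rejected) by authorization."""
    accepted, rejected = [], []
    for msg in msgs:
        ok = authorized_to_proxy(cert_prefixes, proxied_address_of(msg))
        (accepted if ok else rejected).append(msg)
    return accepted, rejected

# Constructed sample: one certified prefix and four proxied messages.
CERT_PREFIXES = ["2001:db8:1::/64"]
SAMPLE = [
    {"type": "RA", "src": "fe80::1"},                    # router's link-local
    {"type": "NS", "src": "::", "target": "fe80::2"},    # resolving a link-local
    {"type": "NA", "src": "2001:db8:1::10", "target": "2001:db8:1::10"},
    {"type": "NA", "src": "2001:db8:9::10", "target": "2001:db8:9::10"},  # not certified
]

if __name__ == "__main__":
    ok, bad = filter_proxied_nd(CERT_PREFIXES, SAMPLE)
    print("accepted:", [proxied_address_of(m) for m in ok])
    print("rejected:", [proxied_address_of(m) for m in bad])
```

Note that the implicit rule is literally fe80::/64, as the thread states it, so an address such as fe80:1::1 is outside it and still needs a certified prefix.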
