Hi Julien,
> All right Tony, then I assume we want to have the fe80::/64 prefix present in
> the certificate when proxying of link local addresses is required (e.g., RFC
> 4389, RFC 5213). Do you think we have to include additional text in the draft
> to reflect that? If yes, any suggestion?
I think some text may be needed to clarify the issue (which is new and
related to the Secure ND proxy).
Maybe a new section, right after 6.2, named "Handling of Link-Local
Addresses". Containing:
"Secure Neighbor Discovery [RFC3971] relies on certificates to
prove that routers are authorized to announce a certain prefix.
However, Neighbor Discovery [RFC4861] states that routers do not
announce the Link-Local prefix (fe80::/64). Hence, it is unusual for a
SEND certificate to hold an X.509 IP address extension that authorizes
the fe80::/64 prefix. Some scenarios ([RFC4389], [RFC5213], etc.) impose
that the Secure ND proxy provides proxying function for the Link-Local
address of a node. When Secure ND proxy functionality on a Link-Local
address is required, either the address or the Link-Local prefix MUST
be explicitly authorized in the router's certificate."
What do you think of it?
Regards,
Tony
_______________________________________________
CGA-EXT mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/cga-ext
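
The check the proposed section text implies, sketched as an added example (not part of the original message or of the draft): decode the address prefixes from a certificate's RFC 3779 IP address extension and decide whether a proxy may act for a given target address. The function names and sample values are hypothetical; it assumes the addressPrefix BIT STRING content octets have already been extracted from the certificate, ignores address ranges, and reads "explicitly authorized" as an exact fe80::/64 or /128 entry.

```python
import ipaddress

# fe80::/64, the link-local prefix named in the proposed text.
LINK_LOCAL = ipaddress.IPv6Network("fe80::/64")

def decode_prefix(bitstring):
    """Decode the content octets of an RFC 3779 addressPrefix BIT STRING (IPv6).

    First octet = number of unused bits in the last octet; the rest is the prefix.
    """
    if not bitstring:
        raise ValueError("empty BIT STRING")
    unused, body = bitstring[0], bitstring[1:]
    if unused > 7 or len(body) > 16 or (unused and not body):
        raise ValueError("malformed IPv6 prefix")
    if unused and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero")
    prefix_len = len(body) * 8 - unused
    packed = body + b"\x00" * (16 - len(body))
    return ipaddress.IPv6Network((packed, prefix_len))

def may_proxy(target, cert_prefixes):
    """Return True if the certificate prefixes authorize proxying for target."""
    addr = ipaddress.IPv6Address(target)
    nets = [decode_prefix(p) for p in cert_prefixes]
    if addr.is_link_local:
        # Assumption: "explicitly authorized" means the certificate lists
        # fe80::/64 itself or the exact /128 of the proxied address.
        explicit = (LINK_LOCAL, ipaddress.IPv6Network((addr.packed, 128)))
        return any(n in explicit and addr in n for n in nets)
    # Non-link-local targets: ordinary containment in an authorized prefix.
    return any(addr in n for n in nets)

# Constructed sample values (BIT STRING content octets), not taken from any real certificate.
GLOBAL = bytes.fromhex("0020010db8")             # 2001:db8::/32
LL_PREFIX = bytes.fromhex("00fe80000000000000")  # fe80::/64
LL_HOST = b"\x00" + ipaddress.IPv6Address("fe80::1").packed  # fe80::1/128
LL_WIDE = bytes.fromhex("06fe80")                # fe80::/10 (6 unused bits)

if __name__ == "__main__":
    for name, prefixes in [("global only", [GLOBAL]),
                           ("global + fe80::/64", [GLOBAL, LL_PREFIX]),
                           ("fe80::1/128 only", [LL_HOST])]:
        print(name, "->", may_proxy("fe80::1", prefixes))
```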