Pekka Savola wrote:

It is an odd "SHOULD" in that it doesn't add a requirement on implementors of
ND, but instead states a requirement on some potential other protocol which
uses proxy NAs.
But I do think that MIPv6 is an example of this. Even with multiple Home Agents
on the same home link, MIPv6 ensures that only one home agent performs proxy ND
for a given home address.


Even more reason to remove it from here, unless it has been implemented (I haven't seen it for sure -- doing it robustly is pretty difficult).

As I said above, I think the MIPv6 RFC is the "implementation" in this case. But it does make sense to clarify that the text is about a requirement on other protocols which use proxy ND.



Leaving the first paragraph as is, since it is basically explaining the term,
and adding something before the second paragraph that "Neighbor Discovery
allows a router to load balance traffic towards itself if the router has
multiple MAC addresses by ..."


This does not address the point because Neighbor Discovery allows a _host_ to load balance incoming traffic as well?

Sorry, I can't understand how your comment relates to mine.
We can make the text be more clear that the first paragraph explains/defines the term, and the above addition to the second paragraph. Wouldn't that work?



Can't SeND nodes choose to ignore redirects that aren't protected by SeND?


Sure. I was just referring to this editorially, that "unauthenticated" is often an overloaded term, referring to IPsec AH..

But here the fact that it doesn't specify how it is authenticated is a feature; if there is a new ND authentication scheme we want this to apply there as well.


And I don't think the anti-spam folks mean IPsec AH when they say "authenticated email" :-)


What's the bug? If there are no on-link prefixes advertised, then the host will
send all packets to a default router. So if an attacker sends RAs with a zero
valid lifetime for all the prefixes and a zero default router lifetime for all
the routers, and advertises itself as a default router, then all packets will
be sent to that spoofed router. So I think the text is correct.


That approach is correct, but because the "two hour rule" applies to the on-link prefixes, it's not "immediately".

That is apparently a commonly held misunderstanding. The 2 hour rule applies to stateless address autoconfiguration only. (It is only in RFC 2462, not in 2461.)


   Erik



--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
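The disagreement above turns on which host data structures a Router Advertisement touches and which of them the two hour rule protects. The following simulation is an added example, not code from the thread or from any ND implementation: it models a host's Prefix List and Default Router List per RFC 2461 section 6.3.4, and the valid lifetime of a stateless-autoconfigured address per RFC 2462 section 5.5.3 e), then replays the scenario Erik describes. The link-local addresses (fe80::1, fe80::bad), the prefix 2001:db8:1::/64, the interface identifier and all lifetimes are constructed sample data; the authenticated case follows the RFC 4862 clarification (an authenticated RA may set the advertised lifetime directly).

```python
"""Simulate an RFC 2461/2462 host's reaction to Router Advertisements.

Added example, not from the mailing-list thread.  All addresses, prefixes
and lifetimes below are made-up sample data.
"""
import ipaddress
from dataclasses import dataclass, field

TWO_HOURS = 2 * 60 * 60  # RFC 2462 sec. 5.5.3 e), the "two hour rule"


@dataclass
class PrefixInfo:
    prefix: ipaddress.IPv6Network
    valid_lifetime: int      # seconds; 0 means "withdraw"
    on_link: bool = True     # L flag
    autonomous: bool = True  # A flag


@dataclass
class RouterAdvertisement:
    src: ipaddress.IPv6Address   # link-local source of the RA
    router_lifetime: int         # seconds; 0 = sender is not a default router
    prefixes: list = field(default_factory=list)
    authenticated: bool = False  # e.g. SeND/IPsec; only matters for the 2h rule


@dataclass
class Host:
    prefix_list: dict = field(default_factory=dict)      # prefix -> lifetime left
    default_routers: dict = field(default_factory=dict)  # router -> lifetime left
    addresses: dict = field(default_factory=dict)        # autoconf addr -> valid left
    iid: int = 0x0211_22ff_fe33_4455                     # constructed interface ID

    def receive_ra(self, ra):
        # Default Router List (RFC 2461 sec. 6.3.4): a zero Router Lifetime
        # times the entry out immediately; there is no grace period.
        if ra.router_lifetime == 0:
            self.default_routers.pop(ra.src, None)
        else:
            self.default_routers[ra.src] = ra.router_lifetime
        for pio in ra.prefixes:
            if pio.on_link:
                # Prefix List (RFC 2461 sec. 6.3.4): zero lifetime => immediate
                # removal.  The two hour rule does NOT apply here.
                if pio.valid_lifetime == 0:
                    self.prefix_list.pop(pio.prefix, None)
                else:
                    self.prefix_list[pio.prefix] = pio.valid_lifetime
            if pio.autonomous:
                self._update_address(pio, ra.authenticated)

    def _update_address(self, pio, authenticated):
        addr = ipaddress.IPv6Address(int(pio.prefix.network_address) | self.iid)
        remaining = self.addresses.get(addr)
        if remaining is None:
            if pio.valid_lifetime != 0:  # RFC 2462 sec. 5.5.3 d): form the address
                self.addresses[addr] = pio.valid_lifetime
            return
        # RFC 2462 sec. 5.5.3 e): only here does the two hour rule apply.
        if pio.valid_lifetime > TWO_HOURS or pio.valid_lifetime > remaining:
            self.addresses[addr] = pio.valid_lifetime
        elif authenticated:
            self.addresses[addr] = pio.valid_lifetime  # RFC 4862 reading
        elif remaining <= TWO_HOURS:
            pass  # ignore the (possibly hostile) shorter lifetime
        else:
            self.addresses[addr] = TWO_HOURS  # clamp, never drop to zero

    def next_hop(self, dst):
        """RFC 2461 sec. 5.2: on-link if a Prefix List entry covers dst,
        otherwise the first default router (None if the list is empty)."""
        dst = ipaddress.IPv6Address(dst)
        if any(dst in p for p in self.prefix_list):
            return "on-link"
        return next(iter(self.default_routers), None)


def simulate_ra_spoof():
    """Replay the thread's scenario: legitimate RA, then an attacker spoofing
    the real router to withdraw prefix and router, then advertising itself."""
    host = Host()
    real_router = ipaddress.IPv6Address("fe80::1")
    attacker = ipaddress.IPv6Address("fe80::bad")
    prefix = ipaddress.IPv6Network("2001:db8:1::/64")
    neighbour = "2001:db8:1::5"  # a host on the same link

    host.receive_ra(RouterAdvertisement(real_router, 1800,
                                        [PrefixInfo(prefix, 30 * 86400)]))
    before = host.next_hop(neighbour)
    # Spoofed as the real router: zero prefix lifetime, zero router lifetime.
    host.receive_ra(RouterAdvertisement(real_router, 0, [PrefixInfo(prefix, 0)]))
    # Attacker becomes the only default router.
    host.receive_ra(RouterAdvertisement(attacker, 1800))
    after = host.next_hop(neighbour)
    addr = next(iter(host.addresses))
    return {
        "next_hop_before": before,                 # "on-link"
        "next_hop_after": str(after),              # "fe80::bad"
        "prefix_list_after": [str(p) for p in host.prefix_list],  # []
        "address_valid_lifetime_after": host.addresses[addr],     # 7200
    }


if __name__ == "__main__":
    for k, v in simulate_ra_spoof().items():
        print(f"{k}: {v}")
```

The run shows both sides of the exchange: the on-link prefix and the real default router disappear on the first spoofed RA, so traffic for an on-link neighbour is immediately redirected to the attacker; the autoconfigured address, by contrast, is only clamped to two hours and keeps working. A SeND-capable host that rejects unauthenticated RAs would never reach `receive_ra` for the spoofed packets at all.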
