One more thing I intend to add is explicit specification that the OSPFv3 packet
should be dropped if the Security Association isn't found or has expired. The
text is analogous to the original RFC 2328 Appendix D text. This will be added
to section 4.6.
***************
*** 976,981 ****
--- 976,986 ----
and the IPv6 header length is less than the amount necessary to
include an Authentication Trailer.
+ Locate the receiving interface's OSPFv3 SA using the SA ID in the
+ received AT. If the SA is not found, or if the SA is not valid for
+ reception (i.e., current time < KeyStartAccept or current time >=
+ KeyStopAccept), the OSPFv3 packet is dropped.
+
If the cryptographic sequence number in the AT is less than or equal
to the last sequence number in the last OSPFv3 packet of the same
OSPFv3 type successfully received from the neighbor, the OSPFv3
Although I would hope no one would complain about this since it was always
implied in section 3 (see excerpt below), please speak now if you have any
concerns.
o Security Association Identifier (SA ID)
This is a 16-bit unsigned integer used to uniquely identify an
OSPFv3 SA, as manually configured by the network operator.
The receiver determines the active SA by looking at the SA ID
field in the incoming protocol packet.
_______________________________________________
OSPF mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ospf
