Protocol Action: 'SEcure Neighbor Discovery (SEND)' to Proposed Standard

The IESG <iesg-secretary@ietf.org> Tue, 10 August 2004 21:43 UTC

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Message-Id: <E1BudyK-0000Yn-6S@megatron.ietf.org>
Date: Tue, 10 Aug 2004 17:15:52 -0400
Cc: send chair <Pekka.Nikander@nomadiclab.com>, send chair <kempf@docomolabs-usa.com>, send mailing list <ietf-send@standards.ericsson.net>, Internet Architecture Board <iab@iab.org>, RFC Editor <rfc-editor@rfc-editor.org>
Subject: Protocol Action: 'SEcure Neighbor Discovery (SEND)' to Proposed Standard

The IESG has approved the following document:

- 'SEcure Neighbor Discovery (SEND)'
   <draft-ietf-send-ndopt-06.txt> as a Proposed Standard

This document is the product of the Securing Neighbor Discovery Working
Group.

The IESG contact persons are Margaret Wasserman and Thomas Narten.

Technical Summary

IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover
other nodes on the link, to determine the link-layer addresses of
other nodes on the link, to find routers, and to maintain
reachability information about the paths to active neighbors.  If not
secured, NDP is vulnerable to various attacks.  This document
specifies security mechanisms for NDP.  Unlike the original NDP
specifications, these mechanisms do not make use of IPsec.
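The attacks alluded to above include a node on the link claiming an
address, or a neighbor's link-layer address, that it does not own. SEND
counters this by binding each address to a public key with a
Cryptographically Generated Address, the CGA technology referred to in
the Working Group Summary; the RSA Signature, Timestamp and Nonce options
and the router certification path are not shown here. The following
Python is an added example, not code from this announcement or from the
working group's Linux implementation. It carries out the CGA generation
and verification steps of RFC 3972 over a constructed subnet prefix and
placeholder key bytes that stand in for a DER-encoded public key, and
then shows that an attacker who knows the address but not the owner's
key cannot produce parameters that verify.

```python
import hashlib
import os
from typing import Optional

# Added example (not from the announcement): Cryptographically Generated
# Addresses as specified in RFC 3972, the address-ownership primitive that
# SEND builds on. All constants below are constructed for the demonstration.
SUBNET_PREFIX = bytes.fromhex("20010db800000001")  # 2001:db8:0:1::/64, constructed
# Stand-ins for a DER-encoded SubjectPublicKeyInfo; the hashes do not depend
# on the key's internal structure, so a real key pair is not needed here.
OWNER_PUBKEY = b"constructed-owner-public-key-not-real-der"
ATTACKER_PUBKEY = b"constructed-attacker-public-key-not-real-der"


def hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1 over the CGA Parameters data structure."""
    data = modifier + prefix + bytes([collision_count]) + pubkey
    return hashlib.sha1(data).digest()[:8]


def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1 over modifier || nine zero octets || key."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def hash2_ok(h2: bytes, sec: int) -> bool:
    """Hash extension check: the 16*Sec leftmost bits of Hash2 must be zero."""
    need = 16 * sec
    return need == 0 or int.from_bytes(h2, "big") >> (112 - need) == 0


def generate_cga(prefix: bytes, pubkey: bytes, sec: int,
                 modifier: Optional[bytes] = None):
    """Return (16-byte address, CGA parameters) for prefix/pubkey at level sec."""
    if modifier is None:
        modifier = os.urandom(16)
    # Search for a modifier satisfying the Hash2 condition. For Sec=1 this
    # costs about 2^16 SHA-1 computations, for Sec=2 about 2^32; the cost is
    # what makes brute-forcing a collision on a given address expensive.
    while not hash2_ok(hash2(modifier, pubkey), sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    collision_count = 0  # a real node increments this on a DAD collision (max 2)
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1F) | (sec << 5)  # bits 0-2 of the identifier carry Sec
    iid[0] &= 0xFC                          # bits 6 and 7 (u and g) are set to zero
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return prefix + bytes(iid), params


def verify_cga(address: bytes, params: dict) -> bool:
    """RFC 3972 verification of an address against the claimed CGA parameters."""
    if len(address) != 16 or params["collision_count"] > 2:
        return False
    prefix, iid = address[:8], address[8:]
    if params["prefix"] != prefix:
        return False
    h1 = hash1(params["modifier"], prefix, params["collision_count"], params["pubkey"])
    # Compare Hash1 with the identifier, ignoring bits 0-2 (Sec) and 6-7 (u/g).
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5
    return hash2_ok(hash2(params["modifier"], params["pubkey"]), sec)


def spoofing_attempt(address: bytes, victim_params: dict, attacker_pubkey: bytes) -> bool:
    """An attacker who sees the victim's address and public CGA parameters but
    holds a different key substitutes its own key; verification must fail."""
    forged = dict(victim_params, pubkey=attacker_pubkey)
    return verify_cga(address, forged)


if __name__ == "__main__":
    addr, params = generate_cga(SUBNET_PREFIX, OWNER_PUBKEY, sec=1, modifier=bytes(16))
    print("CGA:", addr.hex(), "verifies:", verify_cga(addr, params))
    print("attacker with another key verifies:",
          spoofing_attempt(addr, params, ATTACKER_PUBKEY))
```

In SEND the parameters are carried in the CGA option of the Neighbor
Discovery message, and the RSA Signature option proves that the sender
holds the private key matching the public key in those parameters;
verifying the CGA alone only establishes that the address was derived
from that key, so both checks are needed before a cache entry is
updated. A fixed modifier of sixteen zero octets is used above purely to
make the run deterministic; a real node starts from a random modifier.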

Working Group Summary

The only major issue in the WG about this document was that both
Microsoft and Ericsson declared that they had IPR on CGA technology.
This issue was resolved after license conditions agreeable to the
WG participants and suitable for public-domain software were posted by
the respective companies. Before this, the WG briefly investigated an
alternative that would have required hosts to be configured with
certificates, which might have resulted in deployment problems.

Another significant issue in the WG centered on the design of the
protocol and whether it should be based on IPsec AH or stand on its
own. After documenting the alternatives and comparing their pros and
cons, the consensus of the WG was to use an ND-options-based approach
instead of IPsec. The benefits of this were no impact on the IPsec
architecture and implementations, and a better ability to make security
decisions based on application state. This is important, for instance,
for the co-existence of SEND and insecure ND on the same link.

A minor issue involved how to represent the authorization for routers to
route a certain prefix. The WG originally favored attribute certificates,
but since the PKIX WG was planning on defining an identity certificate
extension for this purpose, the WG decided to go with the IP address
range extension in draft-ietf-pkix-x509-ipaddr-as-extn-03.txt. Note that
this creates a normative dependency on that draft, and it would be
helpful if that draft could advance as quickly as possible (or,
alternatively, if a way could be found to remove the normative
dependency), since there is a limited market window for SEND to achieve
widespread deployment, and having an officially published RFC is
important for implementors.

Protocol Quality

The basic protocol design has been implemented on Linux. That
implementation was used to fine-tune the design, and the results of the
fine-tuning went into the final draft.

This document was reviewed for the IESG by Margaret Wasserman.
