Re: [v6ops] Improving ND security

Ted Lemon <> Fri, 31 July 2020 17:40 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 4056A3A096D for <>; Fri, 31 Jul 2020 10:40:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 0BSCQ6yFlZHj for <>; Fri, 31 Jul 2020 10:40:46 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CEDDB3A08E6 for <>; Fri, 31 Jul 2020 10:40:45 -0700 (PDT)
Received: by with SMTP id c12so14529130qtn.9 for <>; Fri, 31 Jul 2020 10:40:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20150623; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=YtwQ5dx3S1BB8hOkvC6e+3D0wguaHTW4Zph+6fBMuZg=; b=hxbadQ/L6ditv9NrQxxbmlrtUV1mFUB2UsH1CK/55Q0Dfkidc6+a+ybsiGKJy7RC8L rgB+ZB8HHxrERd7E7pE+ackgXLNBv/dfPeS0WY8BRB96vOTzC0sM7eRm3LMnhAL9FYnL XaQraCTOafysamNIPS0Pf95FN+5BbTvdsztQv0K41Zb4jOuN5cebqsFoP9f79viDnVwt boP0rEKv+fm9Hk3sdl2sKEUpwRMx0qz3zaVHWoQMhuslTYLPel0Gs75sZqy8GyBudoay bES01b2uHuI684Kg9/ESzLO0SxJ80mASEL5mwoDsjs/3+FMqobZ92JdFCIQf1PnHbz6c MhYQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=YtwQ5dx3S1BB8hOkvC6e+3D0wguaHTW4Zph+6fBMuZg=; b=UgpqohV7QYjAo0o29kb5N2pfZHb1RaW2ZNAOVVZD+HYL8md8guLjYy9bqMJwaLdKlA GMU5RNcJ0C/tDnF1blmECj5qBrcBxDa4NGUUwTwy9/9szC9zudJqm0OgWZvHZfacgT83 KLyBhKjOeuoH+A78yi2b6zYOV+kikCb5850pkfj1ZpJyt7ECcaBmRFVlgSVQl4WVdTz4 v/JZpzZZYsMA+TRTPMdx+uzT02xhIFzMtPrpW6ILasUYuHdYfUlSZl94ppffIOMxfhIi Pi89s3GaqvNYVEouYwuCOYWkhDDCfye7zYIeHd/JDderkXtAOnYDuJYF/ViEjU0tyjII sgqA==
X-Gm-Message-State: AOAM531u4pb04L4qp9RtLJ9PeZBlnQBRu16KwpsHt3lwXk+dNKZ0xyxU hUIhJPKRFnyPpW2hm4e5cdMLrA==
X-Google-Smtp-Source: ABdhPJy1Ptz7qCBPwdUaQEPHUOA0NK0EQqPS9xse9AmjozXL/4UkfRz4eUh5aWJ6zNM48jHxCn2GYA==
X-Received: by 2002:ac8:1486:: with SMTP id l6mr4853530qtj.195.1596217244784; Fri, 31 Jul 2020 10:40:44 -0700 (PDT)
Received: from ?IPv6:2601:18b:300:36ee:1d5e:d83c:760:89f9? ([2601:18b:300:36ee:1d5e:d83c:760:89f9]) by with ESMTPSA id o17sm9092097qtr.13.2020. (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 31 Jul 2020 10:40:44 -0700 (PDT)
From: Ted Lemon <>
Message-Id: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_7951215C-D4FF-4301-B74D-C9BA0BA9FFB9"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.\))
Date: Fri, 31 Jul 2020 13:40:42 -0400
In-Reply-To: <>
Cc: "Pascal Thubert (pthubert)" <>, v6ops list <>, 6man <>
To: "Templin (US), Fred L" <>
References: <>
X-Mailer: Apple Mail (2.3608.
Archived-At: <>
Subject: Re: [v6ops] Improving ND security
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: v6ops discussion list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 31 Jul 2020 17:40:51 -0000

On Jul 31, 2020, at 1:35 PM, Templin (US), Fred L <> wrote:
> I think as long as the network has a way of associating the key pair with another piece
> of information that accompanies the IPv6 ND message then the network would be able
> to know when the mobile node is using its (single) authorized key. So, for example, if
> the IPv6 ND message included an identity for the MN (sort of like a DHCPv6 DUID), the
> network would know when the MN is using the correct key pair – right? (BTW, I am
> not saying to use DHCPv6 DUID – that is just one example of a MN identity…)

By “NM” I think you mean “Mobile Node?” That’s not really one of the use cases we’re talking about here. Or am I missing something?

In any case, you’re presuming some kind of trust establishment for non-router nodes, right? SEND only talks about trust establishment for routers. And, let’s be frank, doesn’t actually give us enough operational guidance that we would expect what _is_ said to be generally practicable.