datatracker.ietf.org

SEcure Neighbor Discovery (SEND)
RFC 3971

Document type: RFC - Proposed Standard (March 2005; Errata)
Document stream: IETF
Last updated: 2013-03-02

IETF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 3971 (Proposed Standard)
Responsible AD: Margaret Wasserman
Send notices to: Pekka.Nikander@nomadiclab.com, kempf@docomolabs-usa.com

Network Working Group                                      J. Arkko, Ed.
Request for Comments: 3971                                      Ericsson
Category: Standards Track                                       J. Kempf
                                          DoCoMo Communications Labs USA
                                                                 B. Zill
                                                               Microsoft
                                                             P. Nikander
                                                                Ericsson
                                                              March 2005

                    SEcure Neighbor Discovery (SEND)

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover
   other nodes on the link, to determine their link-layer addresses, to
   find routers, and to maintain reachability information about the
   paths to active neighbors.  If not secured, NDP is vulnerable to
   various attacks.  This document specifies security mechanisms for
   NDP.  Unlike those in the original NDP specifications, these
   mechanisms do not use IPsec.

Arkko, et al.               Standards Track                     [Page 1]
RFC 3971               SEcure Neighbor Discovery              March 2005

Table of Contents

   1.  Introduction. . . . . . . . . . . . . . . . . . . . . . . . .   3
       1.1.  Specification of Requirements . . . . . . . . . . . . .   4
   2.  Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . .   4
   3.  Neighbor and Router Discovery Overview. . . . . . . . . . . .   6
   4.  Secure Neighbor Discovery Overview. . . . . . . . . . . . . .   8
   5.  Neighbor Discovery Protocol Options . . . . . . . . . . . . .   9
       5.1.  CGA Option. . . . . . . . . . . . . . . . . . . . . . .  10
             5.1.1.  Processing Rules for Senders. . . . . . . . . .  11
             5.1.2.  Processing Rules for Receivers. . . . . . . . .  12
             5.1.3.  Configuration . . . . . . . . . . . . . . . . .  13
       5.2.  RSA Signature Option. . . . . . . . . . . . . . . . . .  14
             5.2.1.  Processing Rules for Senders. . . . . . . . . .  16
             5.2.2.  Processing Rules for Receivers. . . . . . . . .  16
             5.2.3.  Configuration . . . . . . . . . . . . . . . . .  17
             5.2.4.  Performance Considerations. . . . . . . . . . .  18
       5.3.  Timestamp and Nonce Options . . . . . . . . . . . . . .  19
             5.3.1.  Timestamp Option. . . . . . . . . . . . . . . .  19
             5.3.2.  Nonce Option. . . . . . . . . . . . . . . . . .  20
             5.3.3.  Processing Rules for Senders. . . . . . . . . .  21
             5.3.4.  Processing Rules for Receivers. . . . . . . . .  21
   6.  Authorization Delegation Discovery. . . . . . . . . . . . . .  24
       6.1.  Authorization Model . . . . . . . . . . . . . . . . . .  24
       6.2.  Deployment Model. . . . . . . . . . . . . . . . . . . .  25
       6.3.  Certificate Format. . . . . . . . . . . . . . . . . . .  26
             6.3.1.  Router Authorization Certificate Profile. . . .  26
             6.3.2.  Suitability of Standard Identity Certificates .  29
       6.4.  Certificate Transport . . . . . . . . . . . . . . . . .  29
             6.4.1.  Certification Path Solicitation Message Format.  30
             6.4.2.  Certification Path Advertisement Message Format  32
             6.4.3.  Trust Anchor Option . . . . . . . . . . . . . .  34
             6.4.4.  Certificate Option. . . . . . . . . . . . . . .  36
             6.4.5.  Processing Rules for Routers. . . . . . . . . .  37
             6.4.6.  Processing Rules for Hosts. . . . . . . . . . .  38
       6.5.  Configuration . . . . . . . . . . . . . . . . . . . . .  39
   7.  Addressing. . . . . . . . . . . . . . . . . . . . . . . . . .  40
       7.1.  CGAs. . . . . . . . . . . . . . . . . . . . . . . . . .  40
       7.2.  Redirect Addresses. . . . . . . . . . . . . . . . . . .  40
       7.3.  Advertised Subnet Prefixes. . . . . . . . . . . . . . .  40
       7.4.  Limitations . . . . . . . . . . . . . . . . . . . . . .  41
   8.  Transition Issues . . . . . . . . . . . . . . . . . . . . . .  42
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  44
       9.1.  Threats to the Local Link Not Covered by SEND . . . . .  44
       9.2.  How SEND Counters Threats to NDP. . . . . . . . . . . .  45

[include full document text]