
Securing Neighbor Discovery Proxy: Problem Statement
RFC 5909

Internet Engineering Task Force (IETF)                       J-M. Combes
Request for Comments: 5909                         France Telecom Orange
Category: Informational                                      S. Krishnan
ISSN: 2070-1721                                                 Ericsson
                                                                G. Daley
                                                       Netstar Logicalis
                                                               July 2010

          Securing Neighbor Discovery Proxy: Problem Statement

Abstract

   Neighbor Discovery Proxies are used to provide an address presence on
   a link for nodes that are no longer present on the link.  They allow
   a node to receive packets directed at its address by allowing another
   device to perform Neighbor Discovery operations on its behalf.

   Neighbor Discovery Proxy is used in Mobile IPv6 and related protocols
   to provide reachability from nodes on the home network when a Mobile
   Node is not at home, by allowing the Home Agent to act as proxy.  It
   is also used as a mechanism to allow a global prefix to span multiple
   links, where proxies act as relays for Neighbor Discovery messages.

   Neighbor Discovery Proxy currently cannot be secured using Secure
   Neighbor Discovery (SEND).  Today, SEND assumes that a node
   advertising an address is the address owner and in possession of
   appropriate public and private keys for that node.  This document
   describes how existing practice for proxy Neighbor Discovery relates
   to SEND.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc5909.

Combes, et al.                Informational                     [Page 1]
RFC 5909            SEND ND Proxy: Problem Statement           July 2010

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Scenarios  . . . . . . . . . . . . . . . . . . . . . . . . . .  4
     2.1.  IPv6 Mobile Nodes and Neighbor Discovery Proxy . . . . . .  4
     2.2.  IPv6 Fixed Nodes and Neighbor Discovery Proxy  . . . . . .  6
     2.3.  Bridge-Like ND Proxies . . . . . . . . . . . . . . . . . .  6
   3.  Proxy Neighbor Discovery and SEND  . . . . . . . . . . . . . .  9
     3.1.  CGA Signatures and Proxy Neighbor Discovery  . . . . . . .  9
     3.2.  Non-CGA Signatures and Proxy Neighbor Discovery  . . . . . 10
     3.3.  Securing Proxy DAD . . . . . . . . . . . . . . . . . . . . 11
     3.4.  Securing Router Advertisements . . . . . . . . . . . . . . 11
   4.  Potential Approaches to Securing Proxy ND  . . . . . . . . . . 12
     4.1.  Secured Proxy ND and Mobile IPv6 . . . . . . . . . . . . . 12
       4.1.1.  Mobile IPv6 and Router-Based Authorization . . . . . . 13
       4.1.2.  Mobile IPv6 and Per-Address Authorization  . . . . . . 13
       4.1.3.  Cryptographic-Based Solutions  . . . . . . . . . . . . 13
       4.1.4.  Solution Based on the 'Point-to-Point' Link Model  . . 14
     4.2.  Secured Proxy ND and Bridge-Like Proxies . . . . . . . . . 14
       4.2.1.  Authorization Delegation . . . . . . . . . . . . . . . 14
       4.2.2.  Unauthorized Routers and Proxies . . . . . . . . . . . 14
       4.2.3.  Multiple Proxy Spans . . . . . . . . . . . . . . . . . 15
       4.2.4.  Routing Infrastructure Delegation  . . . . . . . . . . 15
