Internet Engineering Task Force (IETF) R. Gagliano
Request for Comments: 6495 Cisco Systems
Updates: 3971 S. Krishnan
Category: Standards Track Ericsson
ISSN: 2070-1721 A. Kukec
Enterprise Architects
February 2012
Subject Key Identifier (SKI) SEcure Neighbor Discovery (SEND)
Name Type Fields
Abstract
SEcure Neighbor Discovery (SEND) defines the Name Type field in the
ICMPv6 Trust Anchor option. This document specifies new Name Type
fields based on certificate Subject Key Identifiers (SKIs).
Status of This Memo
This is an Internet Standards Track document.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Further information on
Internet Standards is available in Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc6495.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Gagliano, et al. Standards Track [Page 1]
RFC 6495 SEND Name Type Registry February 2012
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Requirements Notation . . . . . . . . . . . . . . . . . . . . . 2
3. Name Type Fields in the ICMPv6 TA Option Defined in This
Document . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Processing Rules for Routers . . . . . . . . . . . . . . . . . 4
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . . 4
6. Security Considerations . . . . . . . . . . . . . . . . . . . . 5
7. Normative References . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
SEcure Neighbor Discovery (SEND) [RFC3971] utilizes X.509v3
certificates that include the [RFC3779] extension for IPv6 addresses
to certify a router's authority over an IPv6 prefix for the NDP
(Neighbor Discovery Protocol). The Trust Anchor (TA) option in
Section 6.4.3 of [RFC3971] allows the identification of the Trust
Anchor selected by the host. In that same section, two name types
were defined: the DER Encoded X.501 Name and a Fully Qualified Domain
Name (FQDN).
In any Public Key Infrastructure, the subject name of a certificate
is only unique within each Certification Authority (CA).
Consequently, a new option to identify TAs across CAs is needed.
In [RFC6494], the certificate profile described in [RFC6487] is
adopted for SEND. In these documents, the Subject field in the
certificates is declared to be meaningless and the subjectAltName
field is not allowed. On the other hand, the Subject Key Identifier
(SKI) extension for the X.509 certificates is defined as mandatory
and non-critical.
This document specifies new Name Type fields in the SEND TA option
that allows the use of the SKI X.509 extension to identify TA X.509
certificates. This document also defines experimental and reserved
Name Types values.
Finally, this document updates [RFC3971] by changing the "Trust
Anchor option (Type 15) Name Type field" registration procedures from
Standards Action to Standards Action or IESG Approval [RFC5226].
2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Gagliano, et al. Standards Track [Page 2]
datatracker.ietf.org