Skip to main content

SEcure Neighbor Discovery (SEND)
draft-ietf-send-ndopt-06

Revision differences

Document history

Date Rev. By Action
2012-08-22
06 (System) post-migration administrative database adjustment to the Yes position for Thomas Narten
2012-08-22
06 (System) post-migration administrative database adjustment to the No Objection position for Steven Bellovin
2012-08-22
06 (System) post-migration administrative database adjustment to the No Objection position for Ted Hardie
2012-08-22
06 (System) post-migration administrative database adjustment to the No Objection position for Russ Housley
2004-10-07
(System) Posted related IPR disclosure: Ericsson's Statement about IPR claimed in draft-ietf-send-cga-06.txt and draft-ietf-send-ndopt-06.txt
2004-08-11
06 Amy Vezza State Changes to RFC Ed Queue from Approved-announcement sent by Amy Vezza
2004-08-10
06 Amy Vezza IESG state changed to Approved-announcement sent
2004-08-10
06 Amy Vezza IESG has approved the document
2004-08-10
06 Amy Vezza Closed "Approve" ballot
2004-08-10
06 Margaret Cullen State Changes to Approved-announcement to be sent from IESG Evaluation::AD Followup by Margaret Wasserman
2004-08-10
06 Thomas Narten [Ballot Position Update] Position for Thomas Narten has been changed to Yes from Discuss by Thomas Narten
2004-08-09
06 Russ Housley [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley
2004-08-08
06 Margaret Cullen Sent reminder to Thomas and Russ.  Latest version should address all discuss comments.
2004-07-23
06 Steven Bellovin [Ballot Position Update] Position for Steve Bellovin has been changed to No Objection from Discuss by Steve Bellovin
2004-07-19
06 (System) Sub state has been changed to AD Follow up from New Id Needed
2004-07-19
06 (System) New version available: draft-ietf-send-ndopt-06.txt
2004-06-14
06 Ted Hardie
[Ballot comment]
Removed DISCUSS as Steve's was a superset of the issues I raised.  To
make coordination a bit easier, he will hold the DISCUSS …
[Ballot comment]
Removed DISCUSS as Steve's was a superset of the issues I raised.  To
make coordination a bit easier, he will hold the DISCUSS token on this.
2004-06-14
06 Ted Hardie [Ballot Position Update] Position for Ted Hardie has been changed to No Objection from Discuss by Ted Hardie
2004-06-11
06 Thomas Narten
[Ballot comment]
Editorial (more or less):


>      4.  The 32-bit ICMP header.

Would be better to make clear exactly what part of the …
[Ballot comment]
Editorial (more or less):


>      4.  The 32-bit ICMP header.

Would be better to make clear exactly what part of the header you are
referring to. ICMP has more than a 32 bit header in some cases. Also,
see below comment.

>    o  For the purpose of constructing a signature, the following data
>      items are concatenated:
>
>
>      *  The 128-bit CGA Type Tag.

This is a repetition  of what was given just a page earlier. Can we
just have one definition/algorith (and make sure it is clear?)


>    o  The receiver MUST ignore any options the come after the first
>      Signature option.

s/the come/that come/


>    Messages that do not pass all the above tests MUST be silently
>    discarded.  The receiver MAY also otherwise silently discard packets,
>    e.g., as a response to an apparent CPU exhausting DoS attack.

the MUST seems too strong. I.e., if the sender includes a signature I
don't have a key for, I have to drop the packet? Can't I run ND in
insecure mode? Later, text implies yes.

Actually my confusion may stem from:

>    A message containing a Signature option MUST be checked as follows:

What messages? I assumed ND in general, but maybe this is only for a
RS/NS? Please clarify.



> 5.2.3 Configuration
>
>
>    All nodes that support the reception of the Signature options MUST be
>    configured with the following information for each separate NDP
>    message type:

must "allow the following information to be configured" (or some such,
i.e, make clear that a config interface needs to be provided).

> 5.2.4 Performance Considerations
>
>
>    The construction and verification of this option is computationally
>    expensive. In the NDP context, however, the hosts typically have the
>    need to perform only a few signature operations as they enter a link,
>    and a few operations as they find a new on-link peer with which to
>    communicate.

What about NUD? these operations can potentially be reinvoked once per
minute...

>    If a message has both Nonce and Timestamp options, the Nonce option
>    SHOULD precede the Timestamp option in the message.

Why? What value does this have (and its only a SHOULD, so receivers
can't count on it...). This seems useless.

>    TIMESTAMP_DRIFT (see Section 11.

missing closing paren.

>    o  If the timestamp is NOT within the boundaries but the message is a
>      Neighbor Solicitation message which should be answered by the
>      receiver, the receiver MAY respond to the message.  However, if it
>

Seems like MAY -> SHOULD for better interoperability.

>      In the FQDN case the Name field is an "IDN-unaware domain name

s/case/case,/

>    Nodes that use stateless address autoconfiguration SHOULD generate a
>    new CGA and a CGA Parameters data structure as specified in Section 4
>    of [13] each time they run the autoconfiguration procedure.

I hope this isn't what it sounds like it does... Why can't one
continue to reuse the same one one had earlier? That seems like a
performance win. (And networks come and go rather frequently
sometimes, e.g., in the wireless case...)

>    If the Target Address and Destination Address fields in the ICMP
>    Redirect message are equal, then this message is used to inform hosts
>    that a destination is in fact a neighbor.  In this case the receiver
>    MUST verify that the given address falls within the range defined by
>    the router's certificate.  Redirect messages failing this check MUST
>    be silently discarded.

Note: this seems to contradict what Section 7.3 says, which allows
uncertified prefixes to be accepted.

>    Note that RFC 2461 rules prevent a host from accepting a Redirect
>    message from a router that is not its default router. This prevents
>    an attacker from tricking a node into redirecting traffic when the
>    attacker is not the default router.

nit: the rules in 2461 say one only accepts a redirect from the router
a host is using to reach the destination mentioned in the
redirect. That is slightly different.

>    This specification does not address the protection of NDP packets for
>    nodes that are configured with a static address (e.g., PREFIX::1).
>    Future certificate chain-based authorization specifications are
>    needed for such nodes.

Or addresses configured under normal stateless addrconfig...

>    SEND nodes MUST send only secured messages.  Plain (non-SEND)
>    Neighbor Discovery nodes will obviously send only insecure messages.
>    Per RFC 2461 [7], such nodes will ignore the unknown options and will
>    treat secured messages in the same way as they treat insecure ones.
>    Secured and insecure nodes share the same network resources, such as
>    prefixes and address spaces.

Wording odd. What is a "SEND node"? One that implements this spec?
That's too strong. It should be an operational choice whether to use
SEND or not, if it is implemented.

>      flag on entries indicating whether the entry issecured. Received

s/issecured/is secured/
2004-06-11
06 Thomas Narten
[Ballot discuss]
> 5.1.1 Processing Rules for Senders
>
>
>    The CGA option MUST be present in all Neighbor Solicitation and
>    …
[Ballot discuss]
> 5.1.1 Processing Rules for Senders
>
>
>    The CGA option MUST be present in all Neighbor Solicitation and
>    Advertisement messages, and MUST be present in Router Solicitation
>    messages unless they are sent with the unspecified source address.
>    The CGA option MAY be present in other messages.

MUST? so it's not an option to implement the spec, but then not
actually use a feature? That seems wrong; i.e., end user should be
able to disable or choose not  to use.

>    minSec

Why require this if it is not used? How can including this facilitate
experimentation? I don't understand the need to include this here.

>    All solicited advertisements MUST include a Nonce, copied from the
>    received solicitation.  Note that routers may decide to send a
>    multicast advertisement to all nodes instead of a response to a
>    specific host. In such case the router MAY still include the nonce
>    value for the host that triggered the multicast advertisement.
>    Omitting the nonce value may, however, cause the host to ignore the
>    router's advertisement, unless the clocks in these nodes are
>    sufficiently synchronized so that timestamps can be relied on.

But if a multicast RA includes the nonce, won't the other nodes ignore
it, defeating the purpose of having a multicast RA?

>    o  Advertisements sent to a unicast destination address with the
>      Signature option but without a Nonce option MUST be silently
>      discarded.
>

This may break an assumption in ND. Namely, that one can send
unsolicited unicast RAs or NAs. This is currently legal in ND, but
would no longer be above. Is this restriction necessary?

>      implementation decision. However, typical policies may prefer
>      existing entries over new ones, CGAs with a large Sec value over
>      smaller Sec values, and so on.  The issue is briefly discussed in
>      Appendix C.

not much guidance for Sec value; I don't really understand what this
is to be used for.

>          A single advertisement MUST be broken into separately sent
>          components if there is more than one Certificate option, in
>          order to avoid excessive fragmentation at the IP layer.  Unlike
>          the fragmentation at the IP layer, individual components of an
>          advertisement may be stored and used before all the components
>          have arrived; this makes them slightly more reliable and less
>          prone to Denial-of-Service attacks.

Seems wrong. the sender should definitely fragment as necessary, but
the protocol should not require it if two Certificate options could
fit in a single message. some link types have large MTUs. Hmm, maybe
this is to keep the algorithms simple. That might be OK.

>      Component
>
>
>          A 16-bit unsigned integer field, used for informing the
>          receiver which certificate is being sent, and how many are
>          still left to be sent in the whole chain.

I don't see how the receiver can learn (definitively) how many
certificates there are in a reply. the protocol seems to assume the
first response will not get lost, and the component value indicates
the number of messages. This seems unrobust. Given that there are
reserved/unused fields, why not just include the total number in all
messages? (And for that matter, would it be useful to allow a request
to indicate which component needs to be retransmitted? This would
help remove systematic failures, which is one of  the reasons IP
fragmentation is problematic.
2004-06-11
06 Thomas Narten [Ballot Position Update] Position for Thomas Narten has been changed to Discuss from Undefined by Thomas Narten
2004-06-11
06 Thomas Narten [Ballot Position Update] New position, Undefined, has been recorded for Thomas Narten by Thomas Narten
2004-06-11
06 (System) Removed from agenda for telechat - 2004-06-10
2004-06-10
06 Amy Vezza State Changes to IESG Evaluation::Revised ID Needed from IESG Evaluation by Amy Vezza
2004-06-10
06 Steven Bellovin
[Ballot discuss]
I'm very concerned that the authorization model used by the authors is incorrect.  Several of the following comments, including the most serious ones, …
[Ballot discuss]
I'm very concerned that the authorization model used by the authors is incorrect.  Several of the following comments, including the most serious ones, are based on that belief.

Section 4 says "A host and a router must have at least one common trust anchor before the host can adopt the router as its default router."  I don't know what it means to "have ... a common trust anchor", but the relationships are different.  The host must believe that the chain of authorizations, from the anchor to the router, identifies a node that is *authorized* to route packets for this link.  That has nothing to do with whether or not the host in some way trusts the anchor for other purposes.  To give a concrete example, since router certificates are tied to the addressing structure they're presumably rooted at an RIR.  That will be true of virutally all router certificates describing public address space, including the routers belonging to EvilHackerDudes.example.org.  The fact that I'll trust the certificates from routers for MyCompany.example.com doesn't mean that I'll trust the evil ones.  While trust anchors may suffice, the spec must mandate some sort of user (or configuration) interface to describe a full chain of authorized certificates.  In some situations, these may not be address certificates.  A user sitting in a public hot spot may be willing to trust the owner of the hotspot -- say, via a standard commercial identity certificate, of the type used today on the Web -- without regard to the particular addresses being advertised or assigned.

5.2.2: Clarify that options after the signature option MUST always be ignored (or the packet dropped); in this context, it's ambiguous if such options are only dropped for purposes of signature verification.

5.2.4 says that the IPv6 header is covered by the signature.  5.2.1 says that the ICMPv6 header is covered, as well as the source and destination addresses.  Which is it?

5.3.4.2: A 1-hour DELTA value seems amazingly high.  Kerberos uses 5 minutes.

6.2.1: Per my comments on Section 4, I'm not convinced that a trust anchor is useful.

6.2.6: Why does it say that "hosts SHOULD NOT store certificates" under certain conditions?  Certificates are self-validating.  Ones that aren't part of a chain may be useless, and it may be advantageous under certain conditions to discard them, but strongly advising their discard seems wrong -- if you have the storage (and a good search algorithm), possessing them is useful because it can avoid the need to solicit or receive them later.

8: The spec says that nodes SHOULD have an option to restrict them to secure NDP messages only.  What is the default value for this option?

The Security Considerations section should discuss the effects of an NTP attack on router time values.  See
@inproceedings{Bishop-ntp,
        author = {Bishop, Matt},
        title = "A Security Analysis of the {NTP} Protocol",
        booktitle = {Sixth  Annual Computer Security Conference Proceedings},
        address = {Tucson, AZ},
        pages = {20--29},
        year = 1990,
        month = {December},
        url = {ftp://louie.udel.edu/pub/ntp/doc/security.ps.Z}
}
2004-06-10
06 Alex Zinin [Ballot Position Update] New position, No Objection, has been recorded for Alex Zinin by Alex Zinin
2004-06-10
06 Jon Peterson [Ballot Position Update] New position, No Objection, has been recorded for Jon Peterson by Jon Peterson
2004-06-10
06 Allison Mankin [Ballot Position Update] New position, No Objection, has been recorded for Allison Mankin by Allison Mankin
2004-06-10
06 Russ Housley
[Ballot comment]
RFC 3280 uses the term "certification path," not the term "certificate
  chain." Likewise, RFC 3280 uses the term "certification authority," not
  …
[Ballot comment]
RFC 3280 uses the term "certification path," not the term "certificate
  chain." Likewise, RFC 3280 uses the term "certification authority," not
  the term "certificate authority."  Please align with RFC 3280.

  Please change "PKCS#1 signature" to "PKCS#1 v1.5 signature"
  throughout the document.

  In at least two places the document talks about ASN.1, and in another
  place it talks about DER.  Normative references are needed.

  In the 2nd bullet of section 4, the document says:
  >
  > This specification also allows a node to use non-CGAs with
  > certificates to authorize their use.  However, the details of
  > such use are beyond the scope of this specification.
  >
  The point that this topic is out of scope ought to come much earlier in
  the document, preferably in the introduction.

  In section 5.2.2, the introduction of the "valid authorization delegation
  chain" has no foundation.  Please include a forward reference to section 6.

  In section 6.2, last paragraph: s/must be a subset/MUST be a subset/

  In section 6.2.3, the document says:
  >
  > When the Name Type field is set to 1, the Name field contains a
  > DER encoded X.501 certificate Name, represented and encoded
  > exactly as in the matching X.509v3 trust anchor certificate.
  >
  However, a trust anchor need not have a certificate.  It must have a
  X.501 name to be used in the issuer field of certificates that it issues,
  but the use of a self-signed certificate is not required.
2004-06-10
06 Russ Housley
[Ballot discuss]
The protocol supports a single digital signature algorithm.  Since
  no algorithm identifiers appear in any of the protocol data units,
  it …
[Ballot discuss]
The protocol supports a single digital signature algorithm.  Since
  no algorithm identifiers appear in any of the protocol data units,
  it is not possible to support others in the future.  While I think
  this is a poor design choice, I am not blocking the document on this
  point.  However, I do insist that this situation be explained in the
  document introduction.  I also insist that the name of the signature
  option be changed.  The name needs to reflect the signature algorithm
  so that it is clear that the mechanism to support other signature
  algorithms is the definition of a new option.

  Since the document only supports RSA PKCS#1 v1.5 signatures, section 6.2
  ought to discuss the processing of subjectPublicKeyInfo within the
  certificate to ensure that only RSA public keys are used to attempt the
  validation of signatures.

  In section 5.2, the document says:
  >
  > The Signature option allows public-key based signatures to be
  > attached to NDP messages. Configured trust anchors, CGAs, or both are
  > supported as the trusted root.
  >
  The term "trusted root" is not explained.  In fact, I do not think that
  the traditional use of the term applies here.  The public key that is
  used to verify the signature is not contained in a certificate when a
  CGA is employed.  The processing to validate a public key needs to be
  explained for each supported case.

  In section 5.2.3, I expected some information about the source of
  trust anchors.  When I show up at an IETF meeting, how will my
  laptop software learn the anchor for the IETF WLAN?  If this
  information is not going to be provided in this document, where can
  I find it?  One possible solution is to define a PKI that is rooted
  at IANA.  In this case, a single trust anchor is needed, so it can be
  built into every implementation.  However, there are several clues in
  the document that indicate that a more local scheme is envisioned.
2004-06-10
06 Russ Housley [Ballot Position Update] New position, Discuss, has been recorded for Russ Housley by Russ Housley
2004-06-10
06 David Kessens [Ballot Position Update] New position, No Objection, has been recorded for David Kessens by David Kessens
2004-06-10
06 Bert Wijnen [Ballot Position Update] New position, No Objection, has been recorded for Bert Wijnen by Bert Wijnen
2004-06-10
06 Harald Alvestrand
[Ballot comment]
Reviewed by Michael Patton, Gen-ART.

I believe this needs a respin for other reasons. But the number of language issues identified in Patton's …
[Ballot comment]
Reviewed by Michael Patton, Gen-ART.

I believe this needs a respin for other reasons. But the number of language issues identified in Patton's review is large enough that it should have a careful language review in the same respin.
So if there hadn't been other reasons to respin it, this might have been a (marginal) DISCUSS.
2004-06-10
06 Harald Alvestrand [Ballot Position Update] New position, No Objection, has been recorded for Harald Alvestrand by Harald Alvestrand
2004-06-10
06 Bill Fenner [Ballot Position Update] New position, No Objection, has been recorded for Bill Fenner by Bill Fenner
2004-06-09
06 Steven Bellovin
[Ballot comment]
Given that there are implementations of this spec, it would be nice to include an appendix giving typical packet lengths, especially for messages …
[Ballot comment]
Given that there are implementations of this spec, it would be nice to include an appendix giving typical packet lengths, especially for messages with certificates.
2004-06-09
06 Steven Bellovin
[Ballot discuss]
I'm very concerned that the authorization model used by the authors is incorrect.  Several of the following comments, including the most serious ones, …
[Ballot discuss]
I'm very concerned that the authorization model used by the authors is incorrect.  Several of the following comments, including the most serious ones, are based on that belief.

Section 4 says "A host and a router must have at least one common trust anchor before the host can adopt the router as its default router."  I don't know what it means to "have ... a common trust anchor", but the relationships are different.  The host must believe that the chain of authorizations, from the anchor to the router, identifies a node that is *authorized* to route packets for this link.  That has nothing to do with whether or not the host in some way trusts the anchor for other purposes.  To give a concrete example, since router certificates are tied to the addressing structure they're presumably rooted at an RIR.  That will be true of virutally all router certificates describing public address space, including the routers belonging to EvilHackerDudes.example.org.  The fact that I'll trust the certificates from routers for MyCompany.example.com doesn't mean that I'll trust the evil ones.  While trust anchors may suffice, the spec must mandate some sort of user (or configuration) interface to describe a full chain of authorized certificates.  In some situations, these may not be address certificates.  A user sitting in a public hot spot may be willing to trust the owner of the hotspot -- say, via a standard commercial identity certificate, of the type used today on the Web -- without regard to the particular addresses being advertised or assigned.

5.2.2: Clarify that options after the signature option MUST always be ignored (or the packet dropped); in this context, it's ambiguous if such options are only dropped for purposes of signature verification.

5.2.4 says that the IPv6 header is covered by the signature.  5.2.1 says that the ICMPv6 header is covered, as well as the source and destination addresses.  Which is it?

5.3.4.2: A 1-hour DELTA value seems amazingly high.  Kerberos uses 5 minutes.

6.2.1: Per my comments on Section 4, I'm not convinced that a trust anchor is useful.

6.2.6: Why does it say that "hosts SHOULD NOT store certificates" under certain conditions?  Certificates are self-validating.  Ones that aren't part of a chain may be useless, and it may be advantageous under certain conditions to discard them, but strongly advising their discard seems wrong -- if you have the storage (and a good search algorithm), possessing them is useful because it can avoid the need to solicit or receive them later.

8: The spec says that nodes SHOULD have an option to restrict them to secure NDP messages only.  What is the default value for this option?
2004-06-09
06 Steven Bellovin [Ballot Position Update] New position, Discuss, has been recorded for Steve Bellovin by Steve Bellovin
2004-06-08
06 Ted Hardie
[Ballot discuss]
I guess I have a fundamental design question.  The draft describes part of the
underlying logic in section 6.1 as:


  The certificate …
[Ballot discuss]
I guess I have a fundamental design question.  The draft describes part of the
underlying logic in section 6.1 as:


  The certificate chain of a router terminates in a Router
  Authorization Certificate that authorizes a specific IPv6 node to act
  as a router.  Because authorization chains are not a common practice
  in the Internet at the time this specification was written, the chain
  MUST consist of standard Public Key Certificates (PKC, in the sense
  of [19]).  The certificate chain MUST start from the identity of a
  trust anchor that is shared by the host and the router.  This allows
  the host to anchor trust for the router's public key in the trust
  anchor.  Note that there MAY be multiple certificates issued by a
  single trust anchor.

One of the common use cases for V6 is in mobile networks, where it
may be common for a terminal to operate in a network operated
by a provider to whom the user has no direct relationship.  Managing
the trust anchors in this instance looks to be a fairly hard problem.
The draft doesn't seem to address this part of the problem
directly, though there is a bit of text on how fast hand-off may enable
one router to pass data on the next router along.

Have I missed something here in the way of context or text?
2004-06-08
06 Ted Hardie [Ballot Position Update] New position, Discuss, has been recorded for Ted Hardie by Ted Hardie
2004-05-24
06 Scott Hollenbeck [Ballot Position Update] New position, No Objection, has been recorded for Scott Hollenbeck by Scott Hollenbeck
2004-05-22
06 Margaret Cullen State Changes to IESG Evaluation from Waiting for Writeup by Margaret Wasserman
2004-05-22
06 Margaret Cullen Placed on agenda for telechat - 2004-06-10 by Margaret Wasserman
2004-05-22
06 Margaret Cullen [Ballot Position Update] New position, Yes, has been recorded for Margaret Wasserman
2004-05-22
06 Margaret Cullen Ballot has been issued by Margaret Wasserman
2004-05-22
06 Margaret Cullen Created "Approve" ballot
2004-05-22
06 Margaret Cullen Note field has been cleared by Margaret Wasserman
2004-05-17
06 (System) State has been changed to Waiting for Writeup from In Last Call by system
2004-05-10
06 Michelle Cotton
IANA Last Call Comments:
We understand the IANA Actions to be the following:

ICMPv6 type numbers for:

Delegation Chain Solicitation message
Delegation Chain Advertisement message …
IANA Last Call Comments:
We understand the IANA Actions to be the following:

ICMPv6 type numbers for:

Delegation Chain Solicitation message
Delegation Chain Advertisement message

in the following registry (informational range):


Neighbor Discovery Protocol Option assignments for:

CGA option
Signature option
Timestamp option
Nonce option
Trust Anchor option
Certificate option

in the "IPv6 NEIGHBOR DISCOVERY OPTION FORMATS"
registry at:
>

The IANA Considerations section says the following:

  "This document defines a new 128-bit value under the CGA Message Type
  [13] namespace, 0x086F CA5E 10B2 00C9 9C8C E001 6427 7C08."

This document is asking for an assignment in a registry that is created
by another document .  The IANA will not be
able to make this assignment until that document is approved to become
an RFC.  We are confirming that this is correct.

A new registry (name space) will be created for Name Type fileds
in the Trust Anchor option.  There are 2 values currently:

  1  DER Encoded X.501 Name
  2  FQDN

(New types allocated via Standards Action)

A new registry (name space) will be created for Cert Type fileds
in the Certification option.  There is 1 value currently:

  1  X.509v3 Certificate

(New types allocated via Standards Action)>
2004-05-03
06 Amy Vezza Last call sent
2004-05-03
06 Amy Vezza State Changes to In Last Call from Last Call Requested by Amy Vezza
2004-05-02
06 Margaret Cullen
Document submission questionnaire from James Kempf:

1) Have the chairs personally reviewed this version of the ID and do
  they believe this ID is …
Document submission questionnaire from James Kempf:

1) Have the chairs personally reviewed this version of the ID and do
  they believe this ID is sufficiently baked to forward to the IESG
  for publication?

James Kempf has reviewed the immediately previous verison, which went through WG Last Call in Feb., of the ID and he believes that it is sufficiently baked to forward to the IESG for publication. In addition, the design was implemented by at least one implementor, without any complications, though not specifically this draft.

2) Has the document had adequate review from both key WG members and
  key non-WG members? Do you have any concerns about the depth or
  breadth of the reviews that have been performed?

The draft has been carefully reviewed by several prominent members of the WG, including Tuomas Aura and Pekka Savola who submitted comments. Pasi Eronen reviewed the 04 draft and submitted detailed commments.

Charlie Kaufman, who is not a WG member, also reviewed the immediately previous version of draft during WG Last Call and had a few basic comments about the underlying motivation and architecture which James Kempf discussed with him and resolved to his apparent satisfaction.

3) Do you have concerns that the document needs more review from a
  particular (broader) perspective (e.g., security, operational
  complexity, someone familiar with AAA, etc.)?

James Kempf sent email the the WG chairs of the PKIX WG requesting a review of Section 6.1 for compliance with draft-ietf-pkix-x509-ipaddr-as-extn-03.txt, since the router certs in SEND use the address range extension in that draft, but received no response. That section should be reviewed by someone familiar with the PKIX address range extension prior to the draft being published.

 
4) Do you have any specific concerns/issues with this document that
  you believe the ADs and/or IESG should be aware of? For example,
  perhaps you are uncomfortable with certain parts of the document,
  or whether there really is a need for it, etc., but at the same
  time these issues have been discussed in the WG and the WG has
  indicated it wishes to advance the document anyway.

No.
 
5) How solid is the WG consensus behind this document?  Does it
  represent the strong concurrence of a few individuals, with others
  being silent, or does the WG as a whole understand and agree with
  it?

The WG concensus appears to be solidly behind the draft.

6) Has anyone threatened an appeal or otherwise indicated extreme
  discontent?  If so, please summarize what are they upset about.

No.
 
7) Have the chairs verified that the document adheres to _all_ of the
  ID nits?  (see http://www.ietf.org/ID-nits.html).

Yes.

8) For Standards Track and BCP documents, the IESG approval
  announcement includes a writeup section with the following
  sections:

  - Technical Summary

IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover
other nodes on the link, to determine the link-layer addresses of
other nodes on the link, to find routers, and to maintain
reachability information about the paths to active neighbors.  If not
secured, NDP is vulnerable to various attacks.  This document
specifies security mechanisms for NDP.  Unlike the original NDP
specifications, these mechanisms do not make use of IPsec.

  - Working Group Summary

The only major issue in the WG about this document was that both
Microsoft and Ericsson declared that they had IPR on CGA technology.
This issue was resolved after license conditions agreeable to the
WG participants and suited for public domain software were posted by
the respective companies. Before this, the WG briefly investigated an
alternative that would have required the configuration of hosts with
certificates, which might have resulted in deployment problems.

Another significant issue in the WG focused around the design of the
protocol and whether it should be based on IPsec AH or stand on its
own. After documenting the alternatives and comparing their pros and
cons, the consensus of the WG was to use an ND options based approach
instead of IPsec. The benefits of this were lack of impact on IPsec
architecture and implementations, and better ability to make security
decisions based on application state. This is important, for instance,
for co-existence of SEND and insecure ND on the same link.

A minor issue involved how to represent the authorization for routers to
route a certain prefix. The WG originally favored attribute certificates,
but since the PKIX WG was planning on defining an identity certificate
extension for this purpose, the WG decided to go with the IP address
range extension in draft-ietf-pkix-x509-ipaddr-as-extn-03.txt. Note that
this constructs a normative dependence on that draft, and it would be
helpful if we could get that draft to advance as quickly as possible
(or alterntively figure out a way to remove the normative dependence)
since there is a market window on how long before it becomes too late
for SEND to achieve widespread deployment, and having an officially
published RFC is important for implementors.

  - Protocol Quality

    - is the protocol already being implemented?

The basic protocol design has been implemented on Linux, though not specifically the details in this draft. That implementation was used to fine tune the design, and the results of the fine tuning went into the final draft.

    - have a significant number of vendors indicated they plan to
      implement the spec?

We have heard from at least one vendor that has expressed interest in the protocol.
 
    - are there any reviewers (during the end stages) that merit
      explicit mention as having done a thorough review that resulted
      in important changes or a conclusion that the document was fine
      (except for maybe some nits?)

Major reviewers are listed above. There were no major changes in the draft after 00, mostly just a matter of fixing fine points.
2004-05-02
06 Margaret Cullen State Changes to Last Call Requested from AD Evaluation by Margaret Wasserman
2004-05-02
06 Margaret Cullen Last Call was requested by Margaret Wasserman
2004-05-02
06 (System) Ballot writeup text was added
2004-05-02
06 (System) Last call text was added
2004-05-02
06 (System) Ballot approval text was added
2004-05-02
06 Margaret Cullen State Changes to AD Evaluation from Publication Requested by Margaret Wasserman
2004-05-02
06 Margaret Cullen [Note]: 'Requested expert review from Security ADs and Eric Rescorla.' added by Margaret Wasserman
2004-04-27
06 Dinara Suleymanova Draft Added by Dinara Suleymanova
2004-04-16
05 (System) New version available: draft-ietf-send-ndopt-05.txt
2004-02-17
04 (System) New version available: draft-ietf-send-ndopt-04.txt
2004-01-28
03 (System) New version available: draft-ietf-send-ndopt-03.txt
2004-01-20
01 (System) New version available: draft-ietf-send-ndopt-01.txt
2003-10-17
00 (System) New version available: draft-ietf-send-ndopt-00.txt