Securing IPv6 Neighbor Discovery Using Address Based Keys (ABKs)

Document Type: Expired Internet-Draft (individual)
Expired & archived
Last updated: 2003-05-07
Replaces: draft-kempf-secure-nd
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.

When an IPv6 node receives a Router Advertisement, how does it know that the node which sent the advertisement is authorized to announce that it routes the prefix? When an IPv6 node receives a Neighbor Advertisement message, how does it know that the node sending the message is, in fact, authorized to claim the binding? The answer is that, in the absence of a preconfigured IPsec security association among the nodes on the link and the routers, it doesn't. In this draft, a lightweight protocol is described for securing the signaling involved in IPv6 Neighbor Discovery. The protocol allows a node receiving a Router Advertisement or a Neighbor Advertisement to have confidence that the message was authorized by the legitimate owner of the address or prefix being advertised, without requiring a preconfigured IPsec security association. A certain degree of infrastructural support is required, but no more than is currently common for public access IP networks. The protocol is based on some results in identity based cryptosystems that allow a publicly known identifier to function as a public key.


(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)