Secure NEighbor Discovery (SEND) over OMNI Interfaces
draft-templin-omni-send-03
Document Type: Active Internet-Draft (individual)
Author: Fred Templin
Last updated: 2021-01-22
Stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: I-D Exists
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)
Network Working Group F. Templin, Ed.
Internet-Draft Boeing Research & Technology
Updates: RFC3971 (if approved) January 22, 2021
Intended status: Standards Track
Expires: July 26, 2021
Secure NEighbor Discovery (SEND) over OMNI Interfaces
draft-templin-omni-send-03
Abstract
The Overlay Multilink Network Interface (OMNI) specification can be
used by nodes on public Internetworks when a suitable security
service is provided to authenticate IPv6 Neighbor Discovery (IPv6 ND)
control messages. The basic OMNI security service for transmission
of IPv6 ND messages over public Internetworks uses a Hashed Message
Authentication Code (HMAC) based on a shared secret. This document
specifies use of the Secure NEighbor Discovery (SEND) protocol over
OMNI interfaces, which can provide a more flexible and robust service.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 26, 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
Templin Expires July 26, 2021 [Page 1]
Internet-Draft OMNI SEND January 2021
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. SEND Over OMNI Interfaces . . . . . . . . . . . . . . . . . . 3
3.1. Processing Rules for Senders . . . . . . . . . . . . . . 4
3.2. Processing Rules for Receivers . . . . . . . . . . . . . 5
4. SEND/CGA Updates . . . . . . . . . . . . . . . . . . . . . . 5
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6. Security Considerations . . . . . . . . . . . . . . . . . . . 6
7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 7
8.1. Normative References . . . . . . . . . . . . . . . . . . 7
8.2. Informative References . . . . . . . . . . . . . . . . . 9
Appendix A. Using Host Identity Tags (HITs) with OMNI/SEND . . . 9
Appendix B. Using HIP-based Authentication Instead of SEND/CGA . 10
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
The Overlay Multilink Network Interface (OMNI) specification
[I-D.templin-6man-omni-interface] can be used by nodes on public
Internetworks when a suitable security service is provided to
authenticate IPv6 Neighbor Discovery (IPv6 ND) control messages
[RFC4861][RFC8200]. The basic OMNI security service for transmission
of IPv6 ND messages over public Internetworks uses a Hashed Message
Authentication Code (HMAC) based on a shared secret. This document
specifies use of the Secure NEighbor Discovery (SEND) protocol over
OMNI interfaces, which can provide a more flexible and robust service.
The HMAC-based security service may be adequate when all OMNI access
routers can be provisioned with a shared secret for all potential
clients. However, the service may not be scalable and/or agile
enough for all environments, e.g., when the population of clients
grows and/or changes dynamically. Moreover, it is client-server
oriented, and may be too cumbersome for general-purpose use between
opportunistic neighbor pairs.
The Secure NEighbor Discovery (SEND) protocol [RFC3971] and
Cryptographically Generated Addresses (CGA) [RFC3972] were designed
to provide authentication services for IPv6 ND messaging over links
of all varieties, including wireless. SEND requires that the CGA