Secure NEighbor Discovery (SEND) over OMNI Interfaces
draft-templin-omni-send-03

Document Type Active Internet-Draft (individual)
Author Fred Templin 
Last updated 2021-01-22
Network Working Group                                    F. Templin, Ed.
Internet-Draft                              Boeing Research & Technology
Updates: RFC3971 (if approved)                          January 22, 2021
Intended status: Standards Track
Expires: July 26, 2021

         Secure NEighbor Discovery (SEND) over OMNI Interfaces
                       draft-templin-omni-send-03

Abstract

   The Overlay Multilink Network Interface (OMNI) specification can be
   used by nodes on public Internetworks when a suitable security
   service is provided to authenticate IPv6 Neighbor Discovery (IPv6 ND)
   control messages.  The basic OMNI security service for transmission
   of IPv6 ND messages over public Internetworks uses a Hashed Message
   Authentication Code (HMAC) based on a shared secret.  This document
   specifies use of the Secure NEighbor Discovery (SEND) protocol over
   OMNI interfaces, which can provide a more flexible and robust service.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on July 26, 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Templin                   Expires July 26, 2021                 [Page 1]
Internet-Draft                  OMNI SEND                   January 2021

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  SEND Over OMNI Interfaces . . . . . . . . . . . . . . . . . .   3
     3.1.  Processing Rules for Senders  . . . . . . . . . . . . . .   4
     3.2.  Processing Rules for Receivers  . . . . . . . . . . . . .   5
   4.  SEND/CGA Updates  . . . . . . . . . . . . . . . . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   9
   Appendix A.  Using Host Identity Tags (HITs) with OMNI/SEND . . .   9
   Appendix B.  Using HIP-based Authentication Instead of SEND/CGA .  10
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   The Overlay Multilink Network Interface (OMNI) specification
   [I-D.templin-6man-omni-interface] can be used by nodes on public
   Internetworks when a suitable security service is provided to
   authenticate IPv6 Neighbor Discovery (IPv6 ND) control messages
   [RFC4861][RFC8200].  The basic OMNI security service for transmission
   of IPv6 ND messages over public Internetworks uses a Hashed Message
   Authentication Code (HMAC) based on a shared secret.  This document
   specifies use of the Secure NEighbor Discovery (SEND) protocol over
   OMNI interfaces, which can provide a more flexible and robust service.

   The HMAC-based security service may be adequate when all OMNI access
   routers can be provisioned with a shared secret for all potential
   clients.  However, the service may not be scalable and/or agile
   enough for all environments, e.g., when the population of clients
   grows and/or changes dynamically.  Moreover, it is client-server
   oriented, and may be too cumbersome for general-purpose use between
   opportunistic neighbor pairs.
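
   The shared-secret HMAC service described above is what SEND replaces:
   SEND's Cryptographically Generated Addresses [RFC3972] bind an IPv6
   address to a public key, so a receiver can check the binding from the
   message contents alone, with no pre-shared secret.  The following is an
   added example, not code from this draft or from any OMNI implementation,
   of RFC 3972 CGA generation and verification; the public key bytes and
   the 2001:db8::/64 prefix are constructed for illustration.

```python
# Added example, not code from the draft: RFC 3972 CGA generation and
# verification.  PUBKEY stands in for a DER-encoded SubjectPublicKeyInfo
# (constructed bytes; only their value matters to the hash).
import hashlib
import ipaddress

PUBKEY = b"constructed-public-key-bytes-for-this-example"  # constructed
PREFIX = ipaddress.IPv6Network("2001:db8::/64")            # documentation prefix

def _hash1(modifier, prefix8, count, pubkey):
    # Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters structure
    # (Modifier || Subnet Prefix || Collision Count || Public Key).
    return hashlib.sha1(modifier + prefix8 + bytes([count]) + pubkey).digest()[:8]

def _hash2(modifier, pubkey):
    # Hash2: leftmost 112 bits of SHA-1 over Modifier || nine zero octets || Public Key
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def generate_cga(prefix, pubkey, sec, modifier=0, count=0):
    """Return (address, modifier) binding pubkey into a CGA under prefix."""
    prefix8 = prefix.network_address.packed[:8]
    # Hash extension: Sec (0..7) requires Hash2 to begin with 16*Sec zero bits;
    # the generator searches for a modifier that satisfies this.
    while True:
        mod = modifier.to_bytes(16, "big")
        if _hash2(mod, pubkey)[:2 * sec] == bytes(2 * sec):
            break
        modifier += 1
    iid = bytearray(_hash1(mod, prefix8, count, pubkey))
    iid[0] = (iid[0] & 0x1F) | (sec << 5)  # Sec in the three leftmost bits
    iid[0] &= 0xFC                          # u and g bits (6 and 7) cleared
    return ipaddress.IPv6Address(prefix8 + bytes(iid)), modifier

def verify_cga(addr, modifier, count, pubkey):
    """Receiver-side check: does addr really belong to the holder of pubkey?"""
    packed = addr.packed
    prefix8, iid = packed[:8], packed[8:]
    if count > 2:                # RFC 3972 allows collision counts 0, 1, 2 only
        return False
    sec = iid[0] >> 5            # Sec is carried in the address itself
    mod = modifier.to_bytes(16, "big")
    h1 = _hash1(mod, prefix8, count, pubkey)
    # Compare Hash1 with the IID, ignoring Sec (bits 0-2) and u/g (bits 6-7)
    if h1[1:] != iid[1:] or (h1[0] & 0x1C) != (iid[0] & 0x1C):
        return False
    return _hash2(mod, pubkey)[:2 * sec] == bytes(2 * sec)
```

   In a real SEND deployment the modifier, collision count and public key
   travel in the CGA option of the IPv6 ND message, and the RSA Signature
   option then proves possession of the corresponding private key.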

   The Secure NEighbor Discovery (SEND) protocol [RFC3971] and
   Cryptographically Generated Addresses (CGA) [RFC3972] were designed
   to provide authentication services for IPv6 ND messaging over links
   of all varieties, including wireless.  SEND requires that the CGA