From 4bfd864f10b68b71482b35c818559068ef8d5797 Mon Sep 17 00:00:00 2001 From: Thomas Voss Date: Wed, 27 Nov 2024 20:54:24 +0100 Subject: doc: Add RFC documents --- doc/rfc/rfc3971.txt | 3139 +++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 3139 insertions(+) create mode 100644 doc/rfc/rfc3971.txt (limited to 'doc/rfc/rfc3971.txt') diff --git a/doc/rfc/rfc3971.txt b/doc/rfc/rfc3971.txt new file mode 100644 index 0000000..33595cb --- /dev/null +++ b/doc/rfc/rfc3971.txt @@ -0,0 +1,3139 @@ + + + + + + +Network Working Group J. Arkko, Ed. +Request for Comments: 3971 Ericsson +Category: Standards Track J. Kempf + DoCoMo Communications Labs USA + B. Zill + Microsoft + P. Nikander + Ericsson + March 2005 + + + SEcure Neighbor Discovery (SEND) + +Status of This Memo + + This document specifies an Internet standards track protocol for the + Internet community, and requests discussion and suggestions for + improvements. Please refer to the current edition of the "Internet + Official Protocol Standards" (STD 1) for the standardization state + and status of this protocol. Distribution of this memo is unlimited. + +Copyright Notice + + Copyright (C) The Internet Society (2005). + +Abstract + + IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover + other nodes on the link, to determine their link-layer addresses to + find routers, and to maintain reachability information about the + paths to active neighbors. If not secured, NDP is vulnerable to + various attacks. This document specifies security mechanisms for + NDP. Unlike those in the original NDP specifications, these + mechanisms do not use IPsec. + + + + + + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 1] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +Table of Contents + + 1. Introduction. . . . . . . . . . . . . . . . . . . . . . . . . 3 + 1.1. Specification of Requirements . . . . . . . . . . . . . 4 + 2. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 + 3. Neighbor and Router Discovery Overview. . . . . . . . . . . . 6 + 4. Secure Neighbor Discovery Overview. . . . . . . . . . . . . . 8 + 5. Neighbor Discovery Protocol Options . . . . . . . . . . . . . 9 + 5.1. CGA Option. . . . . . . . . . . . . . . . . . . . . . . 10 + 5.1.1. Processing Rules for Senders. . . . . . . . . . 11 + 5.1.2. Processing Rules for Receivers. . . . . . . . . 12 + 5.1.3. Configuration . . . . . . . . . . . . . . . . . 13 + 5.2. RSA Signature Option. . . . . . . . . . . . . . . . . . 14 + 5.2.1. Processing Rules for Senders. . . . . . . . . . 16 + 5.2.2. Processing Rules for Receivers. . . . . . . . . 16 + 5.2.3. Configuration . . . . . . . . . . . . . . . . . 17 + 5.2.4. Performance Considerations. . . . . . . . . . . 18 + 5.3. Timestamp and Nonce Options . . . . . . . . . . . . . . 19 + 5.3.1. Timestamp Option. . . . . . . . . . . . . . . . 19 + 5.3.2. Nonce Option. . . . . . . . . . . . . . . . . . 20 + 5.3.3. Processing Rules for Senders. . . . . . . . . . 21 + 5.3.4. Processing Rules for Receivers. . . . . . . . . 21 + 6. Authorization Delegation Discovery. . . . . . . . . . . . . . 24 + 6.1. Authorization Model . . . . . . . . . . . . . . . . . . 24 + 6.2. Deployment Model. . . . . . . . . . . . . . . . . . . . 25 + 6.3. Certificate Format. . . . . . . . . . . . . . . . . . . 26 + 6.3.1. Router Authorization Certificate Profile. . . . 26 + 6.3.2. Suitability of Standard Identity Certificates . 29 + 6.4. Certificate Transport . . . . . . . . . . . . . . . . . 29 + 6.4.1. Certification Path Solicitation Message Format. 30 + 6.4.2. Certification Path Advertisement Message Format 32 + 6.4.3. Trust Anchor Option . . . . . . . . . . . . . . 34 + 6.4.4. Certificate Option. . . . . . . . . . . . . . . 36 + 6.4.5. Processing Rules for Routers. . . . . . . . . . 37 + 6.4.6. Processing Rules for Hosts. . . . . . . . . . . 38 + 6.5. Configuration . . . . . . . . . . . . . . . . . . . . . 39 + 7. Addressing. . . . . . . . . . . . . . . . . . . . . . . . . . 40 + 7.1. CGAs. . . . . . . . . . . . . . . . . . . . . . . . . . 40 + 7.2. Redirect Addresses. . . . . . . . . . . . . . . . . . . 40 + 7.3. Advertised Subnet Prefixes. . . . . . . . . . . . . . . 40 + 7.4. Limitations . . . . . . . . . . . . . . . . . . . . . . 41 + 8. Transition Issues . . . . . . . . . . . . . . . . . . . . . . 42 + 9. Security Considerations . . . . . . . . . . . . . . . . . . . 44 + 9.1. Threats to the Local Link Not Covered by SEND . . . . . 44 + 9.2. How SEND Counters Threats to NDP. . . . . . . . . . . . 45 + 9.2.1. Neighbor Solicitation/Advertisement Spoofing. . 45 + 9.2.2. Neighbor Unreachability Detection Failure . . . 46 + 9.2.3. Duplicate Address Detection DoS Attack. . . . . 46 + + + +Arkko, et al. Standards Track [Page 2] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + 9.2.4. Router Solicitation and Advertisement Attacks . 46 + 9.2.5. Replay Attacks. . . . . . . . . . . . . . . . . 47 + 9.2.6. Neighbor Discovery DoS Attack . . . . . . . . . 48 + 9.3. Attacks against SEND Itself . . . . . . . . . . . . . . 48 + 10. Protocol Values . . . . . . . . . . . . . . . . . . . . . . . 49 + 10.1. Constants . . . . . . . . . . . . . . . . . . . . . . . 49 + 10.2. Variables . . . . . . . . . . . . . . . . . . . . . . . 49 + 11. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49 + 12. References. . . . . . . . . . . . . . . . . . . . . . . . . . 50 + 12.1. Normative References. . . . . . . . . . . . . . . . . . 50 + 12.2. Informative References. . . . . . . . . . . . . . . . . 51 + Appendices. . . . . . . . . . . . . . . . . . . . . . . . . . . . 53 + A. Contributors and Acknowledgments. . . . . . . . . . . . 53 + B. Cache Management. . . . . . . . . . . . . . . . . . . . 53 + C. Message Size When Carrying Certificates . . . . . . . . 54 + Authors' Addresses. . . . . . . . . . . . . . . . . . . . . . . . 55 + Full Copyright Statements . . . . . . . . . . . . . . . . . . . . 56 + +1. Introduction + + IPv6 defines the Neighbor Discovery Protocol (NDP) in RFCs 2461 [4] + and 2462 [5]. Nodes on the same link use NDP to discover each + other's presence and link-layer addresses, to find routers, and to + maintain reachability information about the paths to active + neighbors. NDP is used by both hosts and routers. Its functions + include Neighbor Discovery (ND), Router Discovery (RD), Address + Autoconfiguration, Address Resolution, Neighbor Unreachability + Detection (NUD), Duplicate Address Detection (DAD), and Redirection. + + The original NDP specifications called for the use of IPsec to + protect NDP messages. However, the RFCs do not give detailed + instructions for using IPsec to do this. In this particular + application, IPsec can only be used with a manual configuration of + security associations, due to bootstrapping problems in using IKE + [19, 15]. Furthermore, the number of manually configured security + associations needed for protecting NDP can be very large [20], making + that approach impractical for most purposes. + + The SEND protocol is designed to counter the threats to NDP. These + threats are described in detail in [22]. SEND is applicable in + environments where physical security on the link is not assured (such + as over wireless) and attacks on NDP are a concern. + + This document is organized as follows. Sections 2 and 3 define some + terminology and present a brief review of NDP, respectively. Section + 4 describes the overall approach to securing NDP. This approach + involves the use of new NDP options to carry public key - based + signatures. A zero-configuration mechanism is used for showing + + + +Arkko, et al. Standards Track [Page 3] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + address ownership on individual nodes; routers are certified by a + trust anchor [7]. The formats, procedures, and cryptographic + mechanisms for the zero-configuration mechanism are described in a + related specification [11]. + + The required new NDP options are discussed in Section 5. Section 6 + describes the mechanism for distributing certification paths to + establish an authorization delegation chain to a trust anchor. + + Finally, Section 8 discusses the co-existence of secured and + unsecured NDP on the same link, and Section 9 discusses security + considerations for SEcure Neighbor Discovery (SEND). + + The use of identity certificates provisioned on end hosts for + authorizing address use is out of the scope for this document, as is + the security of NDP when the entity defending an address is not the + same as the entity claiming that address (also known as "proxy ND"). + These are extensions of SEND that may be treated in separate + documents, should the need arise. + +1.1. Specification of Requirements + + In this document, several words are used to signify the requirements + of the specification. These words are often capitalized. The key + words "MUST", "MUST NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", and + "MAY" are to be interpreted as described in [2]. + +2. Terms + + Authorization Delegation Discovery (ADD) + + A process through which SEND nodes can acquire a certification + path from a peer node to a trust anchor. + + Certificate Revocation List (CRL) + + In one method of certificate revocation, an authority periodically + issues a signed data structure called the Certificate Revocation + List. This is a time-stamped list identifying revoked + certificates, signed by the issuer, and made freely available in a + public repository. + + Certification Path Advertisement (CPA) + + The advertisement message used in the ADD process. + + + + + + +Arkko, et al. Standards Track [Page 4] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Certification Path Solicitation (CPS) + + The solicitation message used in the ADD process. + + Cryptographically Generated Address (CGA) + + A technique [11] whereby an IPv6 address of a node is + cryptographically generated by using a one-way hash function from + the node's public key and some other parameters. + + Distinguished Encoding Rules (DER) + + An encoding scheme for data values, defined in [12]. + + Duplicate Address Detection (DAD) + + A mechanism assuring that two IPv6 nodes on the same link are not + using the same address. + + Fully Qualified Domain Name (FQDN) + + A fully qualified domain name consists of a host and domain name, + including the top-level domain. + + Internationalized Domain Name (IDN) + + Internationalized Domain Names can be used to represent domain + names that contain characters outside the ASCII set. See RFC 3490 + [9]. + + Neighbor Discovery (ND) + + The Neighbor Discovery function of the Neighbor Discovery Protocol + (NDP). NDP contains functions besides ND. + + Neighbor Discovery Protocol (NDP) + + The IPv6 Neighbor Discovery Protocol [7, 8]. + + The Neighbor Discovery Protocol is a part of ICMPv6 [6]. + + Neighbor Unreachability Detection (NUD) + + A mechanism used for tracking the reachability of neighbors. + + + + + + + +Arkko, et al. Standards Track [Page 5] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Non-SEND node + + An IPv6 node that does not implement this specification but uses + only the Neighbor Discovery protocol defined in RFCs 2461 and + 2462, as updated, without security. + + Nonce + + An unpredictable random or pseudo-random number generated by a + node and used exactly once. In SEND, nonces are used to assure + that a particular advertisement is linked to the solicitation that + triggered it. + + Router Authorization Certificate + + An X.509v3 [7] public key certificate using the profile specified + in Section 6.3.1. + + SEND node + + An IPv6 node that implements this specification. + + Router Discovery (RD) + + Router Discovery allows the hosts to discover what routers exist + on the link, and what subnet prefixes are available. Router + Discovery is a part of the Neighbor Discovery Protocol. + + Trust Anchor + + Hosts are configured with a set of trust anchors to protect Router + Discovery. A trust anchor is an entity that the host trusts to + authorize routers to act as routers. A trust anchor configuration + consists of a public key and some associated parameters (see + Section 6.5 for a detailed explanation of these parameters). + +3. Neighbor and Router Discovery Overview + + The Neighbor Discovery Protocol has several functions. Many of these + are overloaded on a few central message types, such as the ICMPv6 + Neighbor Advertisement message. In this section, we review some of + these tasks and their effects in order to better understand how the + messages should be treated. This section is not normative, and if + this section and the original Neighbor Discovery RFCs are in + conflict, the original RFCs, as updated, take precedence. + + + + + + +Arkko, et al. Standards Track [Page 6] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + The main functions of NDP are as follows: + + o The Router Discovery function allows IPv6 hosts to discover the + local routers on an attached link. Router Discovery is described + in Section 6 of RFC 2461 [4]. The main purpose of Router + Discovery is to find neighboring routers willing to forward + packets on behalf of hosts. Subnet prefix discovery involves + determining which destinations are directly on a link; this + information is necessary in order to know whether a packet should + be sent to a router or directly to the destination node. + + o The Redirect function is used for automatically redirecting a host + to a better first-hop router, or to inform hosts that a + destination is in fact a neighbor (i.e., on-link). Redirect is + specified in Section 8 of RFC 2461 [4]. + + o Address Autoconfiguration is used for automatically assigning + addresses to a host [5]. This allows hosts to operate without + explicit configuration related to IP connectivity. The default + autoconfiguration mechanism is stateless. To create IP addresses, + hosts use any prefix information delivered to them during Router + Discovery and then test the newly formed addresses for uniqueness. + A stateful mechanism, DHCPv6 [18], provides additional + autoconfiguration features. + + o Duplicate Address Detection (DAD) is used for preventing address + collisions [5]: for instance, during Address Autoconfiguration. A + node that intends to assign a new address to one of its interfaces + first runs the DAD procedure to verify that no other node is using + the same address. As the rules forbid the use of an address until + it has been found unique, no higher layer traffic is possible + until this procedure has been completed. Thus, preventing attacks + against DAD can help ensure the availability of communications for + the node in question. + + o The Address Resolution function allows a node on the link to + resolve another node's IPv6 address to the corresponding link- + layer address. Address Resolution is defined in Section 7.2 of + RFC 2461 [4], and it is used for hosts and routers alike. Again, + no higher level traffic can proceed until the sender knows the + link layer address of the destination node or the next hop router. + Note that the source link layer address on link layer frames is + not checked against the information learned through Address + Resolution. This allows for an easier addition of network + elements such as bridges and proxies and eases the stack + implementation requirements, as less information has to be passed + from layer to layer. + + + + +Arkko, et al. Standards Track [Page 7] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + o Neighbor Unreachability Detection (NUD) is used for tracking the + reachability of neighboring nodes, both hosts and routers. NUD is + defined in Section 7.3 of RFC 2461 [4]. NUD is security + sensitive, because an attacker could claim that reachability + exists when in fact it does not. + + The NDP messages follow the ICMPv6 message format. All NDP functions + are realized by using the Router Solicitation (RS), Router + Advertisement (RA), Neighbor Solicitation (NS), Neighbor + Advertisement (NA), and Redirect messages. An actual NDP message + includes an NDP message header, consisting of an ICMPv6 header and ND + message-specific data, and zero or more NDP options. The NDP message + options are formatted in the Type-Length-Value format. + + <------------NDP Message----------------> + *-------------------------------------------------------------* + | IPv6 Header | ICMPv6 | ND Message- | ND Message | + | Next Header = 58 | Header | specific | Options | + | (ICMPv6) | | data | | + *-------------------------------------------------------------* + <--NDP Message header--> + +4. Secure Neighbor Discovery Overview + + To secure the various functions in NDP, a set of new Neighbor + Discovery options is introduced. They are used to protect NDP + messages. This specification introduces these options, an + authorization delegation discovery process, an address ownership + proof mechanism, and requirements for the use of these components in + NDP. + + The components of the solution specified in this document are as + follows: + + o Certification paths, anchored on trusted parties, are expected to + certify the authority of routers. A host must be configured with + a trust anchor to which the router has a certification path before + the host can adopt the router as its default router. + Certification Path Solicitation and Advertisement messages are + used to discover a certification path to the trust anchor without + requiring the actual Router Discovery messages to carry lengthy + certification paths. The receipt of a protected Router + Advertisement message for which no certification path is available + triggers the authorization delegation discovery process. + + + + + + + +Arkko, et al. Standards Track [Page 8] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + o Cryptographically Generated Addresses are used to make sure that + the sender of a Neighbor Discovery message is the "owner" of the + claimed address. A public-private key pair is generated by all + nodes before they can claim an address. A new NDP option, the CGA + option, is used to carry the public key and associated parameters. + + This specification also allows a node to use non-CGAs with + certificates that authorize their use. However, the details of + such use are beyond the scope of this specification and are left + for future work. + + o A new NDP option, the RSA Signature option, is used to protect all + messages relating to Neighbor and Router discovery. + + Public key signatures protect the integrity of the messages and + authenticate the identity of their sender. The authority of a + public key is established either with the authorization delegation + process, by using certificates, or through the address ownership + proof mechanism, by using CGAs, or with both, depending on + configuration and the type of the message protected. + + Note: RSA is mandated because having multiple signature algorithms + would break compatibility between implementations or increase + implementation complexity by forcing the implementation of + multiple algorithms and the mechanism to select among them. A + second signature algorithm is only necessary as a recovery + mechanism, in case a flaw is found in RSA. If this happens, a + stronger signature algorithm can be selected, and SEND can be + revised. The relationship between the new algorithm and the RSA- + based SEND described in this document would be similar to that + between the RSA-based SEND and Neighbor Discovery without SEND. + Information signed with the stronger algorithm has precedence over + that signed with RSA, in the same way that RSA-signed information + now takes precedence over unsigned information. Implementations + of the current and revised specs would still be compatible. + + o In order to prevent replay attacks, two new Neighbor Discovery + options, Timestamp and Nonce, are introduced. Given that Neighbor + and Router Discovery messages are in some cases sent to multicast + addresses, the Timestamp option offers replay protection without + any previously established state or sequence numbers. When the + messages are used in solicitation-advertisement pairs, they are + protected with the Nonce option. + +5. Neighbor Discovery Protocol Options + + The options described in this section MUST be supported. + + + + +Arkko, et al. Standards Track [Page 9] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +5.1. CGA Option + + The CGA option allows the verification of the sender's CGA. The + format of the CGA option is described as follows: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Pad Length | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + . . + . CGA Parameters . + . . + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + . . + . Padding . + . . + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 11 + + Length + + The length of the option (including the Type, Length, Pad Length, + Reserved, CGA Parameters, and Padding fields) in units of 8 + octets. + + Pad Length + + The number of padding octets beyond the end of the CGA Parameters + field but within the length specified by the Length field. + Padding octets MUST be set to zero by senders and ignored by + receivers. + + Reserved + + An 8-bit field reserved for future use. The value MUST be + initialized to zero by the sender and MUST be ignored by the + receiver. + + + + + + +Arkko, et al. Standards Track [Page 10] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + CGA Parameters + + A variable-length field containing the CGA Parameters data + structure described in Section 4 of [11]. + + This specification requires that if both the CGA option and the + RSA Signature option are present, then the public key found from + the CGA Parameters field in the CGA option MUST be that referred + by the Key Hash field in the RSA Signature option. Packets + received with two different keys MUST be silently discarded. Note + that a future extension may provide a mechanism allowing the owner + of an address and the signer to be different parties. + + Padding + + A variable-length field making the option length a multiple of 8, + containing as many octets as specified in the Pad Length field. + +5.1.1. Processing Rules for Senders + + If the node has been configured to use SEND, the CGA option MUST be + present in all Neighbor Solicitation and Advertisement messages and + MUST be present in Router Solicitation messages unless they are sent + with the unspecified source address. The CGA option MAY be present + in other messages. + + A node sending a message using the CGA option MUST construct the + message as follows: + + The CGA Parameter field in the CGA option is filled according to + the rules presented above and in [11]. The public key in the + field is taken from the configuration used to generate the CGA, + typically from a data structure associated with the source + address. The address MUST be constructed as specified in Section + 4 of [11]. Depending on the type of the message, this address + appears in different places, as follows: + + Redirect + + The address MUST be the source address of the message. + + Neighbor Solicitation + + The address MUST be the Target Address for solicitations sent for + Duplicate Address Detection; otherwise it MUST be the source + address of the message. + + + + + +Arkko, et al. Standards Track [Page 11] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Neighbor Advertisement + + The address MUST be the source address of the message. + + Router Solicitation + + The address MUST be the source address of the message. Note that + the CGA option is not used when the source address is the + unspecified address. + + Router Advertisement + + The address MUST be the source address of the message. + +5.1.2. Processing Rules for Receivers + + Neighbor Solicitation and Advertisement messages without the CGA + option MUST be treated as unsecured (i.e., processed in the same way + as NDP messages sent by a non-SEND node). The processing of + unsecured messages is specified in Section 8. Note that SEND nodes + that do not attempt to interoperate with non-SEND nodes MAY simply + discard the unsecured messages. + + Router Solicitation messages without the CGA option MUST also be + treated as unsecured, unless the source address of the message is the + unspecified address. + + Redirect, Neighbor Solicitation, Neighbor Advertisement, Router + Solicitation, and Router Advertisement messages containing a CGA + option MUST be checked as follows: + + If the interface has been configured to use CGA, the receiving + node MUST verify the source address of the packet by using the + algorithm described in Section 5 of [11]. The inputs to the + algorithm are the claimed address, as defined in the previous + section, and the CGA Parameters field. + + If the CGA verification is successful, the recipient proceeds with + a more time-consuming cryptographic check of the signature. Note + that even if the CGA verification succeeds, no claims about the + validity of the use can be made until the signature has been + checked. + + A receiver that does not support CGA or has not specified its use for + a given interface can still verify packets by using trust anchors, + even if a CGA is used on a packet. In such a case, the CGA property + of the address is simply left unverified. + + + + +Arkko, et al. Standards Track [Page 12] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +5.1.3. Configuration + + All nodes that support the verification of the CGA option MUST record + the following configuration information: + + minbits + + The minimum acceptable key length for public keys used in the + generation of CGAs. The default SHOULD be 1024 bits. + Implementations MAY also set an upper limit for the amount of + computation needed when verifying packets that use these security + associations. The upper limit SHOULD be at least 2048 bits. Any + implementation should follow prudent cryptographic practice in + determining the appropriate key lengths. + + All nodes that support the sending of the CGA option MUST record the + following configuration information: + + CGA parameters + + Any information required to construct CGAs, as described in [11]. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 13] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +5.2. RSA Signature Option + + The RSA Signature option allows public key-based signatures to be + attached to NDP messages. The format of the RSA Signature option is + described in the following diagram: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + | Key Hash | + | | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + . . + . Digital Signature . + . . + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + . . + . Padding . + . . + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 12 + + Length + + The length of the option (including the Type, Length, Reserved, + Key Hash, Digital Signature, and Padding fields) in units of 8 + octets. + + Reserved + + A 16-bit field reserved for future use. The value MUST be + initialized to zero by the sender, and MUST be ignored by the + receiver. + + + + + + + +Arkko, et al. Standards Track [Page 14] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Key Hash + + A 128-bit field containing the most significant (leftmost) 128 + bits of a SHA-1 [14] hash of the public key used for constructing + the signature. The SHA-1 hash is taken over the presentation used + in the Public Key field of the CGA Parameters data structure + carried in the CGA option. Its purpose is to associate the + signature to a particular key known by the receiver. Such a key + can either be stored in the certificate cache of the receiver or + be received in the CGA option in the same message. + + Digital Signature + + A variable-length field containing a PKCS#1 v1.5 signature, + constructed by using the sender's private key over the following + sequence of octets: + + 1. The 128-bit CGA Message Type tag [11] value for SEND, 0x086F + CA5E 10B2 00C9 9C8C E001 6427 7C08. (The tag value has been + generated randomly by the editor of this specification.). + + 2. The 128-bit Source Address field from the IP header. + + 3. The 128-bit Destination Address field from the IP header. + + 4. The 8-bit Type, 8-bit Code, and 16-bit Checksum fields from the + ICMP header. + + 5. The NDP message header, starting from the octet after the ICMP + Checksum field and continuing up to but not including NDP + options. + + 6. All NDP options preceding the RSA Signature option. + + The signature value is computed with the RSASSA-PKCS1-v1_5 + algorithm and SHA-1 hash, as defined in [13]. + + This field starts after the Key Hash field. The length of the + Digital Signature field is determined by the length of the RSA + Signature option minus the length of the other fields (including + the variable length Pad field). + + Padding + + This variable-length field contains padding, as many bytes long as + remain after the end of the signature. + + + + + +Arkko, et al. Standards Track [Page 15] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +5.2.1. Processing Rules for Senders + + If the node has been configured to use SEND, Neighbor Solicitation, + Neighbor Advertisement, Router Advertisement, and Redirect messages + MUST contain the RSA Signature option. Router Solicitation messages + not sent with the unspecified source address MUST contain the RSA + Signature option. + + A node sending a message with the RSA Signature option MUST construct + the message as follows: + + o The message is constructed in its entirety, without the RSA + Signature option. + + o The RSA Signature option is added as the last option in the + message. + + o The data to be signed is constructed as explained in Section 5.2, + under the description of the Digital Signature field. + + o The message, in the form defined above, is signed by using the + configured private key, and the resulting PKCS#1 v1.5 signature is + put in the Digital Signature field. + +5.2.2. Processing Rules for Receivers + + Neighbor Solicitation, Neighbor Advertisement, Router Advertisement, + and Redirect messages without the RSA Signature option MUST be + treated as unsecured (i.e., processed in the same way as NDP messages + sent by a non-SEND node). See Section 8. + + Router Solicitation messages without the RSA Signature option MUST + also be treated as unsecured, unless the source address of the + message is the unspecified address. + + Redirect, Neighbor Solicitation, Neighbor Advertisement, Router + Solicitation, and Router Advertisement messages containing an RSA + Signature option MUST be checked as follows: + + o The receiver MUST ignore any options that come after the first RSA + Signature option. (The options are ignored for both signature + verification and NDP processing purposes.) + + o The Key Hash field MUST indicate the use of a known public key, + either one learned from a preceding CGA option in the same + message, or one known by other means. + + + + + +Arkko, et al. Standards Track [Page 16] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + o The Digital Signature field MUST have correct encoding and MUST + not exceed the length of the RSA Signature option minus the + Padding. + + o The Digital Signature verification MUST show that the signature + has been calculated as specified in the previous section. + + o If the use of a trust anchor has been configured, a valid + certification path (see Section 6.3) between the receiver's trust + anchor and the sender's public key MUST be known. + + Note that the receiver may verify just the CGA property of a + packet, even if, in addition to CGA, the sender has used a trust + anchor. + + Messages that do not pass all the above tests MUST be silently + discarded if the host has been configured to accept only secured ND + messages. The messages MAY be accepted if the host has been + configured to accept both secured and unsecured messages but MUST be + treated as an unsecured message. The receiver MAY also otherwise + silently discard packets (e.g., as a response to an apparent CPU + exhausting DoS attack). + +5.2.3. Configuration + + All nodes that support the reception of the RSA Signature options + MUST allow the following information to be configured for each + separate NDP message type: + + authorization method + + This parameter determines the method through which the authority + of the sender is determined. It can have four values: + + trust anchor + + The authority of the sender is verified as described in + Section 6.3. The sender may claim additional authorization + through the use of CGAs, but this is neither required nor + verified. + + CGA + + The CGA property of the sender's address is verified as + described in [11]. The sender may claim additional + authority through a trust anchor, but this is neither + required nor verified. + + + + +Arkko, et al. Standards Track [Page 17] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + trust anchor and CGA + + Both the trust anchor and the CGA verification is required. + + trust anchor or CGA + + Either the trust anchor or the CGA verification is required. + + anchor + + The allowed trust anchor(s), if the authorization method is not + set to CGA. + + All nodes that support sending RSA Signature options MUST record the + following configuration information: + + keypair + + A public-private key pair. If authorization delegation is in + use, a certification path from a trust anchor to this key pair + must exist. + + CGA flag + + A flag that indicates whether CGA is used or not. This flag + may be per interface or per node. (Note that in future + extensions of the SEND protocol, this flag may also be per + subnet prefix.) + +5.2.4. Performance Considerations + + The construction and verification of the RSA Signature option is + computationally expensive. In the NDP context, however, hosts + typically only have to perform a few signature operations as they + enter a link, a few operations as they find a new on-link peer with + which to communicate, or Neighbor Unreachability Detection with + existing neighbors. + + Routers are required to perform a larger number of operations, + particularly when the frequency of router advertisements is high due + to mobility requirements. Still, the number of required signature + operations is on the order of a few dozen per second, some of which + can be precomputed as explained below. A large number of router + solicitations may cause a higher demand for performing asymmetric + operations, although the base NDP protocol limits the rate at which + multicast responses to solicitations can be sent. + + + + + +Arkko, et al. Standards Track [Page 18] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Signatures can be precomputed for unsolicited (multicast) Neighbor + and Router Advertisements if the timing of the future advertisements + is known. Typically, solicited neighbor advertisements are sent to + the unicast address from which the solicitation was sent. Given that + the IPv6 header is covered by the signature, it is not possible to + precompute solicited advertisements. + +5.3. Timestamp and Nonce Options + +5.3.1. Timestamp Option + + The purpose of the Timestamp option is to make sure that unsolicited + advertisements and redirects have not been replayed. The format of + this option is described in the following: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | + + Timestamp + + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 13 + + Length + + The length of the option (including the Type, Length, Reserved, + and Timestamp fields) in units of 8 octets; i.e., 2. + + Reserved + + A 48-bit field reserved for future use. The value MUST be + initialized to zero by the sender and MUST be ignored by the + receiver. + + + + + + + + + + +Arkko, et al. Standards Track [Page 19] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Timestamp + + A 64-bit unsigned integer field containing a timestamp. The value + indicates the number of seconds since January 1, 1970, 00:00 UTC, + by using a fixed point format. In this format, the integer number + of seconds is contained in the first 48 bits of the field, and the + remaining 16 bits indicate the number of 1/64K fractions of a + second. + + Implementation note: This format is compatible with the usual + representation of time under UNIX, although the number of bits + available for the integer and fraction parts may vary. + +5.3.2. Nonce Option + + The purpose of the Nonce option is to make sure that an advertisement + is a fresh response to a solicitation sent earlier by the node. The + format of this option is described in the following: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Nonce ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | + | | + . . + . . + | | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 14 + + Length + + The length of the option (including the Type, Length, and Nonce + fields) in units of 8 octets. + + Nonce + + A field containing a random number selected by the sender of the + solicitation message. The length of the random number MUST be at + least 6 bytes. The length of the random number MUST be selected + so that the length of the nonce option is a multiple of 8 octets. + + + + + + +Arkko, et al. Standards Track [Page 20] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +5.3.3. Processing Rules for Senders + + If the node has been configured to use SEND, all solicitation + messages MUST include a Nonce. When sending a solicitation, the + sender MUST store the nonce internally so that it can recognize any + replies containing that particular nonce. + + If the node has been configured to use SEND, all advertisements sent + in reply to a solicitation MUST include a Nonce, copied from the + received solicitation. Note that routers may decide to send a + multicast advertisement to all nodes instead of a response to a + specific host. In such a case, the router MAY still include the + nonce value for the host that triggered the multicast advertisement. + (Omitting the nonce value may cause the host to ignore the router's + advertisement, unless the clocks in these nodes are sufficiently + synchronized so that timestamps function properly.) + + If the node has been configured to use SEND, all solicitation, + advertisement, and redirect messages MUST include a Timestamp. + Senders SHOULD set the Timestamp field to the current time, according + to their real time clocks. + +5.3.4. Processing Rules for Receivers + + The processing of the Nonce and Timestamp options depends on whether + a packet is a solicited advertisement. A system may implement the + distinction in various ways. Section 5.3.4.1 defines the processing + rules for solicited advertisements. Section 5.3.4.2 defines the + processing rules for all other messages. + + In addition, the following rules apply in all cases: + + o Messages received without at least one of the Timestamp and Nonce + options MUST be treated as unsecured (i.e., processed in the same + way as NDP messages sent by a non-SEND node). + + o Messages received with the RSA Signature option but without the + Timestamp option MUST be silently discarded. + + o Solicitation messages received with the RSA Signature option but + without the Nonce option MUST be silently discarded. + + o Advertisements sent to a unicast destination address with the RSA + Signature option but without a Nonce option SHOULD be processed as + unsolicited advertisements. + + + + + + +Arkko, et al. Standards Track [Page 21] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + o An implementation MAY use some mechanism such as a timestamp cache + to strengthen resistance to replay attacks. When there is a very + large number of nodes on the same link, or when a cache filling + attack is in progress, it is possible that the cache holding the + most recent timestamp per sender will become full. In this case, + the node MUST remove some entries from the cache or refuse some + new requested entries. The specific policy as to which entries + are preferred over others is left as an implementation decision. + However, typical policies may prefer existing entries to new ones, + CGAs with a large Sec value to smaller Sec values, and so on. The + issue is briefly discussed in Appendix B. + + o The receiver MUST be prepared to receive the Timestamp and Nonce + options in any order, as per RFC 2461 [4], Section 9. + +5.3.4.1. Processing Solicited Advertisements + + The receiver MUST verify that it has recently sent a matching + solicitation, and that the received advertisement contains a copy of + the Nonce sent in the solicitation. + + If the message contains a Nonce option but the Nonce value is not + recognized, the message MUST be silently discarded. + + Otherwise, if the message does not contain a Nonce option, it MAY be + considered an unsolicited advertisement and processed according to + Section 5.3.4.2. + + If the message is accepted, the receiver SHOULD store the receive + time of the message and the timestamp time in the message, as + specified in Section 5.3.4.2. + +5.3.4.2. Processing All Other Messages + + Receivers SHOULD be configured with an allowed timestamp Delta value, + a "fuzz factor" for comparisons, and an allowed clock drift + parameter. The recommended default value for the allowed Delta is + TIMESTAMP_DELTA; for fuzz factor TIMESTAMP_FUZZ; and for clock drift, + TIMESTAMP_DRIFT (see Section 10.2). + + To facilitate timestamp checking, each node SHOULD store the + following information for each peer: + + o The receive time of the last received and accepted SEND message. + This is called RDlast. + + o The time stamp in the last received and accepted SEND message. + This is called TSlast. + + + +Arkko, et al. Standards Track [Page 22] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + An accepted SEND message is any successfully verified Neighbor + Solicitation, Neighbor Advertisement, Router Solicitation, Router + Advertisement, or Redirect message from the given peer. The RSA + Signature option MUST be used in such a message before it can update + the above variables. + + Receivers SHOULD then check the Timestamp field as follows: + + o When a message is received from a new peer (i.e., one that is not + stored in the cache), the received timestamp, TSnew, is checked, + and the packet is accepted if the timestamp is recent enough to + the reception time of the packet, RDnew: + + -Delta < (RDnew - TSnew) < +Delta + + The RDnew and TSnew values SHOULD be stored in the cache as RDlast + and TSlast. + + o If the timestamp is NOT within the boundaries but the message is a + Neighbor Solicitation message that the receiver should answer, the + receiver SHOULD respond to the message. However, even if it does + respond to the message, it MUST NOT create a Neighbor Cache entry. + This allows nodes that have large differences in their clocks to + continue communicating with each other by exchanging NS/NA pairs. + + o When a message is received from a known peer (i.e., one that + already has an entry in the cache), the timestamp is checked + against the previously received SEND message: + + TSnew + fuzz > TSlast + (RDnew - RDlast) x (1 - drift) - fuzz + + If this inequality does not hold, the receiver SHOULD silently + discard the message. If, on the other hand, the inequality holds, + the receiver SHOULD process the message. + + Moreover, if the above inequality holds and TSnew > TSlast, the + receiver SHOULD update RDlast and TSlast. Otherwise, the receiver + MUST NOT update RDlast or TSlast. + + As unsolicited messages may be used in a Denial-of-Service attack to + make the receiver verify computationally expensive signatures, all + nodes SHOULD apply a mechanism to prevent excessive use of resources + for processing such messages. + + + + + + + + +Arkko, et al. Standards Track [Page 23] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +6. Authorization Delegation Discovery + + NDP allows a node to configure itself automatically based on + information learned shortly after connecting to a new link. It is + particularly easy to configure "rogue" routers on an unsecured link, + and it is particularly difficult for a node to distinguish between + valid and invalid sources of router information, because the node + needs this information before communicating with nodes outside of the + link. + + As the newly-connected node cannot communicate off-link, it cannot be + responsible for searching information to help validate the router(s). + However, given a certification path, the node can check someone + else's search results and conclude that a particular message comes + from an authorized source. In the typical case, a router already + connected beyond the link can communicate if necessary with off-link + nodes and construct a certification path. + + The Secure Neighbor Discovery Protocol mandates a certificate format + and introduces two new ICMPv6 messages used between hosts and routers + to allow the host to learn a certification path with the assistance + of the router. + +6.1. Authorization Model + + To protect Router Discovery, SEND requires that routers be authorized + to act as routers. This authorization is provisioned in both routers + and hosts. Routers are given certificates from a trust anchor, and + the hosts are configured with the trust anchor(s) to authorize + routers. This provisioning is specific to SEND and does not assume + that certificates already deployed for some other purpose can be + used. + + The authorization for routers in SEND is twofold: + + o Routers are authorized to act as routers. The router belongs to + the set of routers trusted by the trust anchor. All routers in + this set have the same authorization. + + o Optionally, routers may also be authorized to advertise a certain + set of subnet prefixes. A specific router is given a specific set + of subnet prefixes to advertise; other routers have an + authorization to advertise other subnet prefixes. Trust anchors + may also delegate a certain set of subnet prefixes to someone + (such as an ISP) who, in turn, delegates parts of this set to + individual routers. + + + + + +Arkko, et al. Standards Track [Page 24] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Note that while communicating with hosts, routers typically also + present a number of other parameters beyond the above. For instance, + routers have their own IP addresses, subnet prefixes have lifetimes, + and routers control the use of stateless and stateful address + autoconfiguration. However, the ability to be a router and the + subnet prefixes are the most fundamental parameters to authorize. + This is because the host needs to choose a router that it uses as its + default router, and because the advertised subnet prefixes have an + impact on the addresses the host uses. The subnet prefixes also + represent a claim about the topological location of the router in the + network. + + Care should be taken if the certificates used in SEND are also used + to provide authorization in other circumstances; for example, with + routing protocols. It is necessary to ensure that the authorization + information is appropriate for all applications. SEND certificates + may authorize a larger set of subnet prefixes than the router is + authorized to advertise on a given interface. For instance, SEND + allows the use of the null prefix, which might cause verification or + routing problems in other applications. It is RECOMMENDED that SEND + certificates containing the null prefix are only used for SEND. + + Note that end hosts need not be provisioned with their own certified + public keys, just as Web clients today do not require end host + provisioning with certified keys. Public keys for CGA generation do + not need to be certified, as these keys derive their ability to + authorize operations on the CGA by the tie to the address. + +6.2. Deployment Model + + The deployment model for trust anchors can be either a globally + rooted public key infrastructure or a more local, decentralized + deployment model similar to that currently used for TLS in Web + servers. The centralized model assumes a global root capable of + authorizing routers and, optionally, the address space they + advertise. The end hosts are configured with the public keys of the + global root. The global root could operate, for instance, under the + Internet Assigned Numbers Authority (IANA) or as a co-operative among + Regional Internet Registries (RIRs). However, no such global root + currently exists. + + In the decentralized model, end hosts are configured with a + collection of trusted public keys. The public keys could be issued + from various places; for example, a) a public key for the end host's + own organization, b) a public key for the end host's home ISP and for + ISPs with which the home ISP has a roaming agreement, or c) public + keys for roaming brokers acting as intermediaries for ISPs that don't + want to run their own certification authority. + + + +Arkko, et al. Standards Track [Page 25] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + This decentralized model works even when a SEND node is used both in + networks that have certified routers and in networks that do not. As + discussed in Section 8, a SEND node can fall back to the use of a + non-SEND router. This makes it possible to start with a local trust + anchor even if there is no trust anchor for all possible networks. + +6.3. Certificate Format + + The certification path of a router terminates in a Router + Authorization Certificate that authorizes a specific IPv6 node to act + as a router. Because authorization paths are not a common practice + in the Internet at the time of this writing, the path MUST consist of + standard Public Key Certificates (PKC, in the sense of [8]). The + certification path MUST start from the identity of a trust anchor + shared by the host and the router. This allows the host to anchor + trust for the router's public key in the trust anchor. Note that + there MAY be multiple certificates issued by a single trust anchor. + +6.3.1. Router Authorization Certificate Profile + + Router Authorization Certificates are X.509v3 certificates, as + defined in RFC 3280 [7], and SHOULD contain at least one instance of + the X.509 extension for IP addresses, as defined in [10]. The parent + certificates in the certification path SHOULD contain one or more + X.509 IP address extensions, back up to a trusted party (such as the + user's ISP) that configured the original IP address block for the + router in question, or that delegated the right to do so. The + certificates for the intermediate delegating authorities SHOULD + contain X.509 IP address extension(s) for subdelegations. The + router's certificate is signed by the delegating authority for the + subnet prefixes the router is authorized to advertise. + + The X.509 IP address extension MUST contain at least one + addressesOrRanges element. This element MUST contain an + addressPrefix element containing an IPv6 address prefix for a prefix + that the router or the intermediate entity is authorized to route. + If the entity is allowed to route any prefix, the IPv6 address prefix + used is the null prefix, ::/0. The addressFamily element of the + IPAddrBlocks sequence element MUST contain the IPv6 Address Family + Identifier (0002), as specified in [10], for IPv6 subnet prefixes. + Instead of an addressPrefix element, the addressesOrRange element MAY + contain an addressRange element for a range of subnet prefixes, if + more than one prefix is authorized. The X.509 IP address extension + MAY contain additional IPv6 subnet prefixes, expressed as either an + addressPrefix or an addressRange. + + + + + + +Arkko, et al. Standards Track [Page 26] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + A node receiving a Router Authorization Certificate MUST first check + whether the certificate's signature was generated by the delegating + authority. Then the client SHOULD check whether all the + addressPrefix or addressRange entries in the router's certificate are + contained within the address ranges in the delegating authority's + certificate, and whether the addressPrefix entries match any + addressPrefix entries in the delegating authority's certificate. If + an addressPrefix or addressRange is not contained within the + delegating authority's subnet prefixes or ranges, the client MAY + attempt to take an intersection of the ranges/subnet prefixes and to + use that intersection. If the resulting intersection is empty, the + client MUST NOT accept the certificate. If the addressPrefix in the + certificate is missing or is the null prefix, ::/0, the parent prefix + or range SHOULD be used. If there is no parent prefix or range, the + subnet prefixes that the router advertises are said to be + unconstrained (see Section 7.3). That is, the router is allowed to + advertise any prefix. + + The above checks SHOULD be done for all certificates in the path. If + any of the checks fail, the client MUST NOT accept the certificate. + The client also has to perform validation of advertised subnet + prefixes as discussed in Section 7.3. + + Hosts MUST check the subjectPublicKeyInfo field within the last + certificate in the certificate path to ensure that only RSA public + keys are used to attempt validation of router signatures. Hosts MUST + disregard the certificate for SEND if it does not contain an RSA key. + + As it is possible that some public key certificates used with SEND do + not immediately contain the X.509 IP address extension element, an + implementation MAY contain facilities that allow the prefix and range + checks to be relaxed. However, any such configuration options SHOULD + be switched off by default. The system SHOULD have a default + configuration that requires rigorous prefix and range checks. + + The following is an example of a certification path. Suppose that + isp_group_example.net is the trust anchor. The host has this + certificate: + + Certificate 1: + Issuer: isp_group_example.net + Validity: Jan 1, 2004 through Dec 31, 2004 + Subject: isp_group_example.net + Extensions: + IP address delegation extension: + Prefixes: P1, ..., Pk + ... possibly other extensions ... + ... other certificate parameters ... + + + +Arkko, et al. Standards Track [Page 27] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + When the host attaches to a link served by + router_x.isp_foo_example.net, it receives the following certification + path: + + Certificate 2: + Issuer: isp_group_example.net + Validity: Jan 1, 2004 through Dec 31, 2004 + Subject: isp_foo_example.net + Extensions: + IP address delegation extension: + Prefixes: Q1, ..., Qk + ... possibly other extensions ... + ... other certificate parameters ... + + Certificate 3: + Issuer: isp_foo_example.net + Validity: Jan 1, 2004 through Dec 31, 2004 + Subject: router_x.isp_foo_example.net + Extensions: + IP address delegation extension: + Prefixes R1, ..., Rk + ... possibly other extensions ... + + ... other certificate parameters ... + + When the three certificates are processed, the usual RFC 3280 [7] + certificate path validation is performed. Note, however, that when a + node checks certificates received from a router, it typically does + not have a connection to the Internet yet, and so it is not possible + to perform an on-line Certificate Revocation List (CRL) check, if + necessary. Until this check is performed, acceptance of the + certificate MUST be considered provisional, and the node MUST perform + a check as soon as it has established a connection with the Internet + through the router. If the router has been compromised, it could + interfere with the CRL check. Should performance of the CRL check be + disrupted or should the check fail, the node SHOULD immediately stop + using the router as a default and use another router on the link + instead. + + In addition, the IP addresses in the delegation extension MUST be a + subset of the IP addresses in the delegation extension of the + issuer's certificate. So in this example, R1, ..., Rs must be a + subset of Q1,...,Qr, and Q1,...,Qr must be a subset of P1,...,Pk. If + the certification path is valid, then router_foo.isp_foo_example.com + is authorized to route the prefixes R1,...,Rs. + + + + + + +Arkko, et al. Standards Track [Page 28] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +6.3.2. Suitability of Standard Identity Certificates + + As deployment of the IP address extension is, itself, not common, a + network service provider MAY choose to deploy standard identity + certificates on the router to supply the router's public key for + signed Router Advertisements. + + If there is no prefix information further up in the certification + path, a host interprets a standard identity certificate as allowing + unconstrained prefix advertisements. + + If the other certificates contain prefix information, a standard + identity certificate is interpreted as allowing those subnet + prefixes. + +6.4. Certificate Transport + + The Certification Path Solicitation (CPS) message is sent by a host + when it wishes to request a certification path between a router and + one of the host's trust anchors. The Certification Path + Advertisement (CPA) message is sent in reply to the CPS message. + These messages are kept separate from the rest of Neighbor and Router + Discovery to reduce the effect of the potentially voluminous + certification path information on other messages. + + The Authorization Delegation Discovery (ADD) process does not exclude + other forms of discovering certification paths. For instance, during + fast movements, mobile nodes may learn information (including the + certification paths) about the next router from a previous router, or + nodes may be preconfigured with certification paths from roaming + partners. + + Where hosts themselves are certified by a trust anchor, these + messages MAY also optionally be used between hosts to acquire the + peer's certification path. However, the details of such usage are + beyond the scope of this specification. + + + + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 29] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +6.4.1. Certification Path Solicitation Message Format + + Hosts send Certification Path Solicitations in order to prompt + routers to generate Certification Path Advertisements. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Code | Checksum | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Identifier | Component | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Options ... + +-+-+-+-+-+-+-+-+-+-+-+- + + IP Fields: + + Source Address + + A link-local unicast address assigned to the sending interface, + or to the unspecified address if no address is assigned to the + sending interface. + + Destination Address + + Typically the All-Routers multicast address, the Solicited-Node + multicast address, or the address of the host's default router. + + Hop Limit + + 255 + + ICMP Fields: + + Type + + 148 + + Code + + 0 + + Checksum + + The ICMP checksum [6]. + + + + + + +Arkko, et al. Standards Track [Page 30] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Identifier + + A 16-bit unsigned integer field, acting as an identifier to + help match advertisements to solicitations. The Identifier + field MUST NOT be zero, and its value SHOULD be randomly + generated. This randomness does not have to be + cryptographically hard, as its purpose is only to avoid + collisions. + + Component + + This 16-bit unsigned integer field is set to 65,535 if the + sender seeks to retrieve all certificates. Otherwise, it is + set to the component identifier corresponding to the + certificate that the receiver wants to retrieve (see Sections + 6.4.2 and 6.4.6). + + Valid Options: + + Trust Anchor + + One or more trust anchors that the client is willing to accept. + The first (or only) Trust Anchor option MUST contain a DER + Encoded X.501 Name; see Section 6.4.3. If there is more than + one Trust Anchor option, the options beyond the first may + contain any type of trust anchor. + + Future versions of this protocol may define new option types. + Receivers MUST silently ignore any options they do not recognize + and continue processing the message. All included options MUST + have a length greater than zero. + + ICMP length (derived from the IP length) MUST be 8 or more octets. + + + + + + + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 31] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +6.4.2. Certification Path Advertisement Message Format + + Routers send out Certification Path Advertisement messages in + response to a Certification Path Solicitation. + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Code | Checksum | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Identifier | All Components | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Component | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Options ... + +-+-+-+-+-+-+-+-+-+-+-+- + + IP Fields: + + Source Address + + A link-local unicast address assigned to the interface from + which this message is sent. Note that routers may use multiple + addresses, and therefore this address is not sufficient for the + unique identification of routers. + + Destination Address + + Either the Solicited-Node multicast address of the receiver or + the link-scoped All-Nodes multicast address. + + Hop Limit + + 255 + + ICMP Fields: + + Type + + 149 + + Code + + 0 + + Checksum + + The ICMP checksum [6]. + + + +Arkko, et al. Standards Track [Page 32] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Identifier + + A 16-bit unsigned integer field, acting as an identifier to + help match advertisements to solicitations. The Identifier + field MUST be zero for advertisements sent to the All-Nodes + multicast address and MUST NOT be zero for others. + + All Components + + A 16-bit unsigned integer field, used to inform the receiver of + the number of certificates in the entire path. + + A single advertisement SHOULD be broken into separately sent + components if there is more than one certificate in the path, + in order to avoid excessive fragmentation at the IP layer. + + Individual certificates in a path MAY be stored and used as + received before all the certificates have arrived; this makes + the protocol slightly more reliable and less prone to Denial- + of-Service attacks. + + Examples of packet lengths of Certification Path Advertisement + messages for typical certification paths are listed in Appendix + C. + + Component + + A 16-bit unsigned integer field, used to inform the receiver + which certificate is being sent. + + The first message in an N-component advertisement has the + Component field set to N-1, the second set to N-2, and so on. + A zero indicates that there are no more components coming in + this advertisement. + + The sending of path components SHOULD be ordered so that the + certificate after the trust anchor is sent first. Each + certificate sent after the first can be verified with the + previously sent certificates. The certificate of the sender + comes last. The trust anchor certificate SHOULD NOT be sent. + + Reserved + + An unused field. It MUST be initialized to zero by the sender + and MUST be ignored by the receiver. + + + + + + +Arkko, et al. Standards Track [Page 33] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Valid Options: + + Certificate + + One certificate is provided in each Certificate option to + establish part of a certification path to a trust anchor. + + The certificate of the trust anchor itself SHOULD NOT be sent. + + Trust Anchor + + Zero or more Trust Anchor options may be included to help + receivers decide which advertisements are useful for them. If + present, these options MUST appear in the first component of a + multi-component advertisement. + + Future versions of this protocol may define new option types. + Receivers MUST silently ignore any options they do not recognize + and continue processing the message. All included options MUST + have a length that is greater than zero. + + The ICMP length (derived from the IP length) MUST be 8 or more + octets. + +6.4.3. Trust Anchor Option + + The format of the Trust Anchor option is described in the following: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Name Type | Pad Length | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Name ... | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ... Padding | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 15 + + Length + + The length of the option (including the Type, Length, Name Type, + Pad Length, and Name fields), in units of 8 octets. + + + + + +Arkko, et al. Standards Track [Page 34] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Name Type + + The type of the name included in the Name field. This + specification defines two legal values for this field: + + 1 DER Encoded X.501 Name + 2 FQDN + + Pad Length + + The number of padding octets beyond the end of the Name field but + within the length specified by the Length field. Padding octets + MUST be set to zero by senders and ignored by receivers. + + Name + + When the Name Type field is set to 1, the Name field contains a + DER encoded X.501 Name identifying the trust anchor. The value is + encoded as defined in [12] and [7]. + + When the Name Type field is set to 2, the Name field contains a + Fully Qualified Domain Name of the trust anchor; for example, + "trustanchor.example.com". The name is stored as a string, in the + DNS wire format, as specified in RFC 1034 [1]. Additionally, the + restrictions discussed in RFC 3280 [7], Section 4.2.1.7 apply. + + In the FQDN case, the Name field is an "IDN-unaware domain name + slot", as defined in [9]. That is, it can contain only ASCII + characters. An implementation MAY support internationalized + domain names (IDNs) using the ToASCII operation; see [9] for more + information. + + All systems MUST support the DER Encoded X.501 Name. + Implementations MAY support the FQDN name type. + + Padding + + A variable-length field making the option length a multiple of 8, + beginning after the previous field ends and continuing to the end + of the option, as specified by the Length field. + + + + + + + + + + + +Arkko, et al. Standards Track [Page 35] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +6.4.4. Certificate Option + + The format of the certificate option is described in the following: + + 0 1 2 3 + 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Type | Length | Cert Type | Reserved | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | Certificate ... + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | ... Padding | + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + + Type + + 16 + + Length + + The length of the option (including the Type, Length, Cert Type, + Pad Length, and Certificate fields), in units of 8 octets. + + Cert Type + + The type of the certificate included in the Certificate field. + This specification defines only one legal value for this field: + + 1 X.509v3 Certificate, as specified below + + Reserved + + An 8-bit field reserved for future use. The value MUST be + initialized to zero by the sender and MUST be ignored by the + receiver. + + Certificate + + When the Cert Type field is set to 1, the Certificate field + contains an X.509v3 certificate [7], as described in Section + 6.3.1. + + Padding + + A variable length field making the option length a multiple of 8, + beginning after the ASN.1 encoding of the previous field [7, 15] + ends and continuing to the end of the option, as specified by the + Length field. + + + +Arkko, et al. Standards Track [Page 36] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +6.4.5. Processing Rules for Routers + + A router MUST silently discard any received Certification Path + Solicitation messages that do not conform to the message format + defined in Section 6.4.1. The contents of the Reserved field and of + any unrecognized options MUST be ignored. Future, backward- + compatible changes to the protocol may specify the contents of the + Reserved field or add new options; backward-incompatible changes may + use different Code values. The contents of any defined options that + are not specified to be used with Router Solicitation messages MUST + be ignored, and the packet processed in the normal manner. The only + defined option that may appear is the Trust Anchor option. A + solicitation that passes the validity checks is called a "valid + solicitation". + + Routers SHOULD send advertisements in response to valid solicitations + received on an advertising interface. If the source address in the + solicitation was the unspecified address, the router MUST send the + response to the link-scoped All-Nodes multicast address. If the + source address was a unicast address, the router MUST send the + response to the Solicited-Node multicast address corresponding to the + source address, except when under load, as specified below. Routers + SHOULD NOT send Certification Path Advertisements more than + MAX_CPA_RATE times within a second. When there are more + solicitations, the router SHOULD send the response to the All-Nodes + multicast address regardless of the source address that appeared in + the solicitation. + + In an advertisement, the router SHOULD include suitable Certificate + options so that a certification path can be established to the + solicited trust anchor (or a part of it, if the Component field in + the solicitation is not equal to 65,535). Note also that a single + advertisement is broken into separately sent components and ordered + in a particular way (see Section 6.4.2) when there is more than one + certificate in the path. + + The anchor is identified by the Trust Anchor option. If the Trust + Anchor option is represented as a DER Encoded X.501 Name, then the + Name must be equal to the Subject field in the anchor's certificate. + If the Trust Anchor option is represented as an FQDN, the FQDN must + be equal to an FQDN in the subjectAltName field of the anchor's + certificate. The router SHOULD include the Trust Anchor option(s) in + the advertisement for which the certification path was found. + + If the router is unable to find a path to the requested anchor, it + SHOULD send an advertisement without any certificates. In this case, + the router SHOULD include the Trust Anchor options that were + solicited. + + + +Arkko, et al. Standards Track [Page 37] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +6.4.6. Processing Rules for Hosts + + A host MUST silently discard any received Certification Path + Advertisement messages that do not conform to the message format + defined in Section 6.4.2. The contents of the Reserved field, and of + any unrecognized options, MUST be ignored. Future, backward- + compatible changes to the protocol MAY specify the contents of the + Reserved field or add new options; backward-incompatible changes MUST + use different Code values. The contents of any defined options not + specified to be used with Certification Path Advertisement messages + MUST be ignored, and the packet processed in the normal manner. The + only defined options that may appear are the Certificate and Trust + Anchor options. An advertisement that passes the validity checks is + called a "valid advertisement". + + Hosts SHOULD store certification paths retrieved in Certification + Path Discovery messages if they start from an anchor trusted by the + host. The certification paths MUST be verified, as defined in + Section 6.3, before storing them. Routers send the certificates one + by one, starting from the trust anchor end of the path. + + Note: Except to allow for message loss and reordering for temporary + purposes, hosts might not store certificates received in a + Certification Path Advertisement unless they contain a certificate + that can be immediately verified either to the trust anchor or to a + certificate that has been verified earlier. This measure is intended + to prevent Denial-of-Service attacks, whereby an attacker floods a + host with certificates that the host cannot validate and overwhelms + memory for certificate storage. + + Note that caching this information, and the implied verification + results between network attachments for use over multiple attachments + to the network, can help improve performance. But periodic + certificate revocation checks are still needed, even with cached + results, to make sure that the certificates are still valid. + + The host SHOULD retrieve a certification path when a Router + Advertisement has been received with a public key that is not + available from a certificate in the hosts' cache, or when there is no + certification path to one of the host's trust anchors. In these + situations, the host MAY send a Certification Path Solicitation + message to retrieve the path. If there is no response within + CPS_RETRY seconds, the message should be retried. The wait interval + for each subsequent retransmission MUST exponentially increase, + doubling each time. If there is no response after CPS_RETRY_MAX + seconds, the host abandons the certification path retrieval process. + If the host receives only a part of a certification path within + CPS_RETRY_FRAGMENTS seconds of receiving the first part, it MAY in + + + +Arkko, et al. Standards Track [Page 38] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + addition transmit a Certification Path Solicitation message with the + Component field set to a value not equal to 65,535. This message can + be retransmitted by using the same process as for the initial + message. If there are multiple missing certificates, additional CPS + messages can be sent after getting a response to first one. However, + the complete retrieval process may last at most CPS_RETRY_MAX + seconds. + + Certification Path Solicitations SHOULD NOT be sent if the host has a + currently valid certification path from a reachable router to a trust + anchor. + + When soliciting certificates for a router, a host MUST send + Certification Path Solicitations either to the All-Routers multicast + address, if it has not selected a default router yet, or to the + default router's IP address, if a default router has already been + selected. + + If two hosts want to establish trust with the CPS and CPA messages, + the CPS message SHOULD be sent to the Solicited-Node multicast + address of the receiver. The advertisements SHOULD be sent as + specified above for routers. However, the exact details are outside + the scope of this specification. + + When processing possible advertisements sent as responses to a + solicitation, the host MAY prefer to process those advertisements + with the same Identifier field value as that of the solicitation + first. This makes Denial-of-Service attacks against the mechanism + harder (see Section 9.3). + +6.5. Configuration + + End hosts are configured with a set of trust anchors in order to + protect Router Discovery. A trust anchor configuration consists of + the following items: + + o A public key signature algorithm and associated public key, which + may optionally include parameters. + + o A name as described in Section 6.4.3. + + o An optional public key identifier. + + o An optional list of address ranges for which the trust anchor is + authorized. + + If the host has been configured to use SEND, it SHOULD possess the + above information for at least one trust anchor. + + + +Arkko, et al. Standards Track [Page 39] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Routers are configured with a collection of certification paths and a + collection of certificates containing certified keys, down to the key + and certificate for the router itself. Certified keys are required + for routers so that a certification path can be established between + the router's certificate and the public key of a trust anchor. + + If the router has been configured to use SEND, it should be + configured with its own key pair and certificate, and with at least + one certification path. + +7. Addressing + +7.1. CGAs + + By default, a SEND-enabled node SHOULD use only CGAs for its own + addresses. Other types of addresses MAY be used in testing, in + diagnostics, or for other purposes. However, this document does not + describe how to choose between different types of addresses for + different communications. A dynamic selection can be provided by an + API, such as the one defined in [21]. + +7.2. Redirect Addresses + + If the Target Address and Destination Address fields in the ICMP + Redirect message are equal, then this message is used to inform hosts + that a destination is, in fact, a neighbor. In this case, the + receiver MUST verify that the given address falls within the range + defined by the router's certificate. Redirect messages failing this + check MUST be treated as unsecured, as described in Section 7.3. + + Note that base NDP rules prevent a host from accepting a Redirect + message from a router that the host is not using to reach the + destination mentioned in the redirect. This prevents an attacker + from tricking a node into redirecting traffic when the attacker is + not the default router. + +7.3. Advertised Subnet Prefixes + + The router's certificate defines the address range(s) that it is + allowed to advertise securely. A router MAY, however, advertise a + combination of certified and uncertified subnet prefixes. + Uncertified subnet prefixes are treated as unsecured (i.e., processed + in the same way as unsecured router advertisements sent by non-SEND + routers). The processing of unsecured messages is specified in + Section 8. Note that SEND nodes that do not attempt to interoperate + with non-SEND nodes MAY simply discard the unsecured information. + + + + + +Arkko, et al. Standards Track [Page 40] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + Certified subnet prefixes fall into the following two categories: + + Constrained + + If the network operator wants to constrain which routers are + allowed to route particular subnet prefixes, routers should be + configured with certificates having subnet prefixes listed in the + prefix extension. These routers SHOULD advertise the subnet + prefixes that they are certified to route, or a subset thereof. + + Unconstrained + + Network operators that do not want to constrain routers this way + should configure routers with certificates containing either the + null prefix or no prefix extension at all. + + Upon processing a Prefix Information option within a Router + Advertisement, nodes SHOULD verify that the prefix specified in this + option falls within the range defined by the certificate, if the + certificate contains a prefix extension. Options failing this check + are treated as containing uncertified subnet prefixes. + + Nodes SHOULD use one of the certified subnet prefixes for stateless + autoconfiguration. If none of the advertised subnet prefixes match, + the host SHOULD use a different advertising router as its default + router, if one is available. If the node is performing stateful + autoconfiguration, it SHOULD check the address provided by the DHCP + server against the certified subnet prefixes and SHOULD NOT use the + address if the prefix is not certified. + +7.4. Limitations + + This specification does not address the protection of NDP packets for + nodes configured with a static address (e.g., PREFIX::1). Future + certification path-based authorization specifications are needed for + these nodes. This specification also does not apply to addresses + generated by the IPv6 stateless address autoconfiguration from a + fixed interface identifiers (such as EUI-64). + + It is outside the scope of this specification to describe the use of + trust anchor authorization between nodes with dynamically changing + addresses. These addresses may be the result of stateful or + stateless address autoconfiguration, or may have resulted from the + use of RFC 3041 [17] addresses. If the CGA method is not used, nodes + are required to exchange certification paths that terminate in a + certificate authorizing a node to use an IP address having a + particular interface identifier. This specification does not specify + the format of these certificates, as there are currently only a few + + + +Arkko, et al. Standards Track [Page 41] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + cases where they are provided by the link layer, and it is up to the + link layer to provide certification for the interface identifier. + This may be the subject of a future specification. It is also + outside the scope of this specification to describe how stateful + address autoconfiguration works with the CGA method. + + The Target Address in Neighbor Advertisement is required to be equal + to the source address of the packet, except in proxy Neighbor + Discovery, which is not supported by this specification. + +8. Transition Issues + + During the transition to secured links, or as a policy consideration, + network operators may want to run a particular link with a mixture of + nodes accepting secured and unsecured messages. Nodes that support + SEND SHOULD support the use of secured and unsecured NDP messages at + the same time. + + In a mixed environment, SEND nodes receive both secured and unsecured + messages but give priority to secured ones. Here, the "secured" + messages are those that contain a valid signature option, as + specified above, and "unsecured" messages are those that contain no + signature option. + + A SEND node SHOULD have a configuration option that causes it to + ignore all unsecured Neighbor Solicitation and Advertisement, Router + Solicitation and Advertisement, and Redirect messages. This can be + used to enforce SEND-only networks. The default for this + configuration option SHOULD be that both secured and unsecured + messages are allowed. + + A SEND node MAY also have a configuration option whereby it disables + the use of SEND completely, even for the messages it sends itself. + This configuration option SHOULD be switched off by default; that is, + SEND is used. Plain (non-SEND) NDP nodes will obviously send only + unsecured messages. Per RFC 2461 [4], such nodes will ignore the + unknown options and will treat secured messages in the same way that + they treat unsecured ones. Secured and unsecured nodes share the + same network resources, such as subnet prefixes and address spaces. + + SEND nodes configured to use SEND at least in their own messages + behave in a mixed environment as explained below. + + SEND adheres to the rules defined for the base NDP protocol, with the + following exceptions: + + o All solicitations sent by a SEND node MUST be secured. + + + + +Arkko, et al. Standards Track [Page 42] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + o Unsolicited advertisements sent by a SEND node MUST be secured. + + o A SEND node MUST send a secured advertisement in response to a + secured solicitation. Advertisements sent in response to an + unsecured solicitation MUST be secured as well, but MUST NOT + contain the Nonce option. + + o A SEND node that uses the CGA authorization method to protect + Neighbor Solicitations SHOULD perform Duplicate Address Detection + as follows. If Duplicate Address Detection indicates that the + tentative address is already in use, the node generates a new + tentative CGA. If after three consecutive attempts no non-unique + address is generated, it logs a system error and gives up + attempting to generate an address for that interface. + + When performing Duplicate Address Detection for the first + tentative address, the node accepts both secured and unsecured + Neighbor Advertisements and Solicitations received in response to + the Neighbor Solicitations. When performing Duplicate Address + Detection for the second or third tentative address, it ignores + unsecured Neighbor Advertisements and Solicitations. (The + security implications of this are discussed in Section 9.2.3 and + in [11].) + + o The node MAY have a configuration option whereby it ignores + unsecured advertisements, even when performing Duplicate Address + Detection for the first tentative address. This configuration + option SHOULD be disabled by default. This is a recovery + mechanism for cases in which attacks against the first address + become common. + + o The Neighbor Cache, Prefix List, and Default Router list entries + MUST have a secured/unsecured flag that indicates whether the + message that caused the creation or last update of the entry was + secured or unsecured. Received unsecured messages MUST NOT cause + changes to existing secured entries in the Neighbor Cache, Prefix + List, or Default Router List. Received secured messages MUST + cause an update of the matching entries, which MUST be flagged as + secured. + + o Neighbor Solicitations for the purpose of Neighbor Unreachability + Detection (NUD) MUST be sent to that neighbor's solicited-nodes + multicast address if the entry is not secured with SEND. + + Upper layer confirmations on unsecured neighbor cache entries + SHOULD NOT update neighbor cache state from STALE to REACHABLE on + a SEND node if the neighbor cache entry has never previously been + REACHABLE. This ensures that if an entry spoofing a valid SEND + + + +Arkko, et al. Standards Track [Page 43] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + host is created by a non-SEND attacker without being solicited, + NUD will be done with the entry for data transmission within five + seconds of use. + + As a result, in mixed mode, attackers can take over a Neighbor + Cache entry of a SEND node for a longer time only if (a) the SEND + node was not communicating with the victim node, so that there is + no secure entry for it, and (b) the SEND node is not currently on + the link (or is unable to respond). + + o The conceptual sending algorithm is modified so that an unsecured + router is selected only if there is no reachable SEND router for + the prefix. That is, the algorithm for selecting a default router + favors reachable SEND routers over reachable non-SEND ones. + + o A node MAY adopt a router sending unsecured messages, or a router + for which secured messages have been received but for which full + security checks have not yet been completed, while security + checking is underway. Security checks in this case include + certification path solicitation, certificate verification, CRL + checks, and RA signature checks. A node MAY also adopt a router + sending unsecured messages if a router known to be secured becomes + unreachable, but because the unreachability may be the result of + an attack it SHOULD attempt to find a router known to be secured + as soon as possible. Note that although this can speed up + attachment to a new network, accepting a router that is sending + unsecured messages or for which security checks are not complete + opens the node to possible attacks. Nodes that choose to accept + such routers do so at their own risk. The node SHOULD, in any + case, prefer a router known to be secure as soon as one is made + available with completed security checks. + +9. Security Considerations + +9.1. Threats to the Local Link Not Covered by SEND + + SEND does not provide confidentiality for NDP communications. + + SEND does not compensate for an unsecured link layer. For instance, + there is no assurance that payload packets actually come from the + same peer against which the NDP was run. + + There may not be cryptographic binding in SEND between the link layer + frame address and the IPv6 address. An unsecured link layer could + allow nodes to spoof the link layer address of other nodes. An + attacker could disrupt IP service by sending out a Neighbor + Advertisement on an unsecured link layer, with the link layer source + address on the frame set as the source address of a victim, a valid + + + +Arkko, et al. Standards Track [Page 44] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + CGA address and a valid signature corresponding to itself, and a + Target Link-layer Address extension corresponding to the victim. The + attacker could then make a traffic stream bombard the victim in a DoS + attack. This cannot be prevented just by securing the link layer. + + Even on a secured link layer, SEND does not require that the + addresses on the link layer and Neighbor Advertisements correspond. + However, performing these checks is RECOMMENDED if the link layer + technology permits. + + Prior to participating in Neighbor Discovery and Duplicate Address + Detection, nodes must subscribe to the link-scoped All-Nodes + Multicast Group and the Solicited-Node Multicast Group for the + address that they are claiming as their addresses; RFC 2461 [4]. + Subscribing to a multicast group requires that the nodes use MLD + [16]. MLD contains no provision for security. An attacker could + send an MLD Done message to unsubscribe a victim from the Solicited- + Node Multicast address. However, the victim should be able to detect + this attack because the router sends a Multicast-Address-Specific + Query to determine whether any listeners are still on the address, at + which point the victim can respond to avoid being dropped from the + group. This technique will work if the router on the link has not + been compromised. Other attacks using MLD are possible, but they + primarily lead to extraneous (but not necessarily overwhelming) + traffic. + +9.2. How SEND Counters Threats to NDP + + The SEND protocol is designed to counter the threats to NDP, as + outlined in [22]. The following subsections contain a regression of + the SEND protocol against the threats, to illustrate which aspects of + the protocol counter each threat. + +9.2.1. Neighbor Solicitation/Advertisement Spoofing + + This threat is defined in Section 4.1.1 of [22]. The threat is that + a spoofed message may cause a false entry in a node's Neighbor Cache. + There are two cases: + + 1. Entries made as a side effect of a Neighbor Solicitation or Router + Solicitation. A router receiving a Router Solicitation with a + Target Link-Layer Address extension and the IPv6 source address + unequal to the unspecified address inserts an entry for the IPv6 + address into its Neighbor Cache. Also, a node performing + Duplicate Address Detection (DAD) that receives a Neighbor + Solicitation for the same address regards the situation as a + collision and ceases to solicit for the address. + + + + +Arkko, et al. Standards Track [Page 45] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + In either case, SEND counters these threats by requiring that the + RSA Signature and CGA options be present in these solicitations. + + SEND nodes can send Router Solicitation messages with a CGA source + address and a CGA option, which the router can verify, so that the + Neighbor Cache binding is correct. If a SEND node must send a + Router Solicitation with the unspecified address, the router will + not update its Neighbor Cache, as per base NDP. + + 2. Entries made as a result of a Neighbor Advertisement message. + SEND counters this threat by requiring that the RSA Signature and + CGA options be present in these advertisements. + + Also see Section 9.2.5, below, for discussion about replay protection + and timestamps. + +9.2.2. Neighbor Unreachability Detection Failure + + This attack is described in Section 4.1.2 of [22]. SEND counters it + by requiring that a node responding to Neighbor Solicitations sent as + NUD probes include an RSA Signature option and proof of authorization + to use the interface identifier in the address being probed. If + these prerequisites are not met, the node performing NUD discards the + responses. + +9.2.3. Duplicate Address Detection DoS Attack + + This attack is described in Section 4.1.3 of [22]. SEND counters + this attack by requiring that the Neighbor Advertisements sent as + responses to DAD include an RSA Signature option and proof of + authorization to use the interface identifier in the address being + tested. If these prerequisites are not met, the node performing DAD + discards the responses. + + When a SEND node performs DAD, it may listen for address collisions + from non-SEND nodes for the first address it generates, but not for + new attempts. This protects the SEND node from DAD DoS attacks by + non-SEND nodes or attackers simulating non-SEND nodes, at the cost of + a potential address collision between a SEND node and a non-SEND + node. The probability and effects of such an address collision are + discussed in [11]. + +9.2.4. Router Solicitation and Advertisement Attacks + + These attacks are described in Sections 4.2.1, 4.2.4, 4.2.5, 4.2.6, + and 4.2.7 of [22]. SEND counters them by requiring that Router + Advertisements contain an RSA Signature option, and that the + signature is calculated by using the public key of a node that can + + + +Arkko, et al. Standards Track [Page 46] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + prove its authorization to route the subnet prefixes contained in any + Prefix Information Options. The router proves its authorization by + showing a certificate containing the specific prefix or an indication + that the router is allowed to route any prefix. A Router + Advertisement without these protections is discarded. + + SEND does not protect against brute force attacks on the router, such + as DoS attacks, or against compromise of the router, as described in + Sections 4.4.2 and 4.4.3 of [22]. + +9.2.5. Replay Attacks + + This attack is described in Section 4.3.1 of [22]. SEND protects + against attacks in Router Solicitation/Router Advertisement and + Neighbor Solicitation/Neighbor Advertisement transactions by + including a Nonce option in the solicitation and requiring that the + advertisement include a matching option. Together with the + signatures, this forms a challenge-response protocol. + + SEND protects against attacks from unsolicited messages such as + Neighbor Advertisements, Router Advertisements, and Redirects by + including a Timestamp option. The following security issues are + relevant only for unsolicited messages: + + o A window of vulnerability for replay attacks exists until the + timestamp expires. + + However, such vulnerabilities are only useful for attackers if the + advertised parameters change during the window. Although some + parameters (such as the remaining lifetime of a prefix) change + often, radical changes typically happen only in the context of + some special case, such as switching to a new link layer address + due to a broken interface adapter. + + SEND nodes are also protected against replay attacks as long as + they cache the state created by the message containing the + timestamp. The cached state allows the node to protect itself + against replayed messages. However, once the node flushes the + state for whatever reason, an attacker can re-create the state by + replaying an old message while the timestamp is still valid. + Because most SEND nodes are likely to use fairly coarse-grained + timestamps, as explained in Section 5.3.1, this may affect some + nodes. + + o Attacks against time synchronization protocols such as NTP [23] + may cause SEND nodes to have an incorrect timestamp value. This + can be used to launch replay attacks, even outside the normal + window of vulnerability. To protect against these attacks, it is + + + +Arkko, et al. Standards Track [Page 47] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + recommended that SEND nodes keep independently maintained clocks + or apply suitable security measures for the time synchronization + protocols. + +9.2.6. Neighbor Discovery DoS Attack + + This attack is described in Section 4.3.2 of [22]. In it, the + attacker bombards the router with packets for fictitious addresses on + the link, causing the router to busy itself by performing Neighbor + Solicitations for addresses that do not exist. SEND does not address + this threat because it can be addressed by techniques such as rate + limiting Neighbor Solicitations, restricting the amount of state + reserved for unresolved solicitations, and clever cache management. + These are all techniques involved in implementing Neighbor Discovery + on the router. + +9.3. Attacks against SEND Itself + + The CGAs have a 59-bit hash value. The security of the CGA mechanism + has been discussed in [11]. + + Some Denial-of-Service attacks remain against NDP and SEND itself. + For instance, an attacker may try to produce a very high number of + packets that a victim host or router has to verify by using + asymmetric methods. Although safeguards are required to prevent an + excessive use of resources, this can still render SEND non- + operational. + + When CGA protection is used, SEND deals with the DoS attacks by using + the verification process described in Section 5.2.2. In this + process, a simple hash verification of the CGA property of the + address is performed before the more expensive signature + verification. However, even if the CGA verification succeeds, no + claims about the validity of the message can be made until the + signature has been checked. + + When trust anchors and certificates are used for address validation + in SEND, the defenses are not quite as effective. Implementations + SHOULD track the resources devoted to the processing of packets + received with the RSA Signature option and start selectively + discarding packets if too many resources are spent. Implementations + MAY also first discard packets that are not protected with CGA. + + The Authorization Delegation Discovery process may also be vulnerable + to Denial-of-Service attacks. An attack may target a router by + requesting that a large number of certification paths be discovered + for different trust anchors. Routers SHOULD defend against such + attacks by caching discovered information (including negative + + + +Arkko, et al. Standards Track [Page 48] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + responses) and by limiting the number of different discovery + processes in which they engage. + + Attackers may also target hosts by sending a large number of + unnecessary certification paths, forcing hosts to spend useless + memory and verification resources on them. Hosts can defend against + such attacks by limiting the amount of resources devoted to the + certification paths and their verification. Hosts SHOULD also + prioritize advertisements sent as a response to solicitations the + hosts have sent about unsolicited advertisements. + +10. Protocol Values + +10.1. Constants + + Host constants: + + CPS_RETRY 1 second + CPS_RETRY_FRAGMENTS 2 seconds + CPS_RETRY_MAX 15 seconds + + Router constants: + + MAX_CPA_RATE 10 times per second + +10.2. Variables + + TIMESTAMP_DELTA 300 seconds (5 minutes) + TIMESTAMP_FUZZ 1 second + TIMESTAMP_DRIFT 1 % (0.01) + +11. IANA Considerations + + This document defines two new ICMP message types, used in + Authorization Delegation Discovery. These messages must be assigned + ICMPv6 type numbers from the informational message range: + + o The Certification Path Solicitation message (148), described in + Section 6.4.1. + + o The Certification Path Advertisement message (149), described in + Section 6.4.2. + + This document defines six new Neighbor Discovery Protocol [4] + options, which must be assigned Option Type values within the option + numbering space for Neighbor Discovery Protocol messages: + + o The CGA option (11), described in Section 5.1. + + + +Arkko, et al. Standards Track [Page 49] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + o The RSA Signature option (12), described in Section 5.2. + + o The Timestamp option (13), described in Section 5.3.1. + + o The Nonce option (14), described in Section 5.3.2. + + o The Trust Anchor option (15), described in Section 6.4.3. + + o The Certificate option (16), described in Section 6.4.4. + + This document defines a new 128-bit value under the CGA Message Type + [11] namespace, 0x086F CA5E 10B2 00C9 9C8C E001 6427 7C08. + + This document defines a new name space for the Name Type field in the + Trust Anchor option. Future values of this field can be allocated by + using Standards Action [3]. The current values for this field are + + 1 DER Encoded X.501 Name + + 2 FQDN + + Another new name space is allocated for the Cert Type field in the + Certificate option. Future values of this field can be allocated by + using Standards Action [3]. The current values for this field are + + 1 X.509v3 Certificate + +12. References + +12.1. Normative References + + [1] Mockapetris, P., "Domain names - concepts and facilities", STD + 13, RFC 1034, November 1987. + + [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement + Levels", BCP 14, RFC 2119, March 1997. + + [3] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA + Considerations Section in RFCs", BCP 26, RFC 2434, October + 1998. + + [4] Narten, T., Nordmark, E. and W. Simpson, "Neighbor Discovery + for IP Version 6 (IPv6)", RFC 2461, December 1998. + + [5] Thomson, S. and T. Narten, "IPv6 Stateless Address + Autoconfiguration", RFC 2462, December 1998. + + + + + +Arkko, et al. Standards Track [Page 50] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + [6] Conta, A. and S. Deering, "Internet Control Message Protocol + (ICMPv6) for the Internet Protocol Version 6 (IPv6) + Specification", RFC 2463, December 1998. + + [7] Housley, R., Polk, W., Ford, W. and D. Solo, "Internet X.509 + Public Key Infrastructure Certificate and Certificate + Revocation List (CRL) Profile", RFC 3280, April 2002. + + [8] Farrell, S. and R. Housley, "An Internet Attribute Certificate + Profile for Authorization", RFC 3281, April 2002. + + [9] Faltstrom, P., Hoffman, P. and A. Costello, "Internationalizing + Domain Names in Applications (IDNA)", RFC 3490, March 2003. + + [10] Lynn, C., Kent, S. and K. Seo, "X.509 Extensions for IP + Addresses and AS Identifiers", RFC 3779, June 2004. + + [11] Aura, T., "Cryptographically Generated Addresses (CGA)", RFC + 3972, March 2005. + + [12] International Telecommunications Union, "Information Technology + - ASN.1 encoding rules: Specification of Basic Encoding Rules + (BER), Canonical Encoding Rules (CER) and Distinguished + Encoding Rules (DER)", ITU-T Recommendation X.690, July 2002. + + [13] RSA Laboratories, "RSA Encryption Standard, Version 2.1", PKCS + 1, November 2002. + + [14] National Institute of Standards and Technology, "Secure Hash + Standard", FIPS PUB 180-1, April 1995, + . + +12.2. Informative References + + [15] Harkins, D. and D. Carrel, "The Internet Key Exchange (IKE)", + RFC 2409, November 1998. + + [16] Deering, S., Fenner, W. and B. Haberman, "Multicast Listener + Discovery (MLD) for IPv6", RFC 2710, October 1999. + + [17] Narten, T. and R. Draves, "Privacy Extensions for Stateless + Address Autoconfiguration in IPv6", RFC 3041, January 2001. + + [18] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C. and M. + Carney, "Dynamic Host Configuration Protocol for IPv6 + (DHCPv6)", RFC 3315, July 2003. + + + + + +Arkko, et al. Standards Track [Page 51] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + [19] Arkko, J., "Effects of ICMPv6 on IKE and IPsec Policies", Work + in Progress, March 2003. + + [20] Arkko, J., "Manual SA Configuration for IPv6 Link Local + Messages", Work in Progress, June 2002. + + [21] Nordmark, E., Chakrabarti, S. and J. Laganier, "IPv6 Socket API + for Address Selection", Work in Progress, October 2003. + + [22] Nikander, P., Kempf, J., and E. Nordmark, "IPv6 Neighbor + Discovery (ND) Trust Models and Threats", RFC 3756, May 2004. + + [23] Bishop, M., "A Security Analysis of the NTP Protocol", Sixth + Annual Computer Security Conference Proceedings, December 1990. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 52] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +Appendix A. Contributors and Acknowledgments + + Tuomas Aura contributed the transition mechanism specification in + Section 8. Jonathan Trostle contributed the certification path + example in Section 6.3.1. Bill Sommerfeld was involved with much of + the early design work. + + The authors would also like to thank Tuomas Aura, Bill Sommerfeld, + Erik Nordmark, Gabriel Montenegro, Pasi Eronen, Greg Daley, Jon Wood, + Julien Laganier, Francis Dupont, Pekka Savola, Wenxiao He, Valtteri + Niemi, Mike Roe, Russ Housley, Thomas Narten, and Steven Bellovin for + interesting discussions in this problem space and for feedback + regarding the SEND protocol. + +Appendix B. Cache Management + + In this section, we outline a cache management algorithm that allows + a node to remain partially functional even under a cache-filling DoS + attack. This appendix is informational, and real implementations + SHOULD use different algorithms in order to avoid the dangers of a + mono-cultural code. + + There are at least two distinct cache-related attack scenarios: + + 1. There are a number of nodes on a link, and someone launches a + cache filling attack. The goal here is to make sure that the + nodes can continue to communicate even if the attack is going on. + + 2. There is already a cache-filling attack going on, and a new node + arrives to the link. The goal here is to make it possible for the + new node to become attached to the network, in spite of the + attack. + + As the intent is to limit the damage to existing, valid cache + entries, it is clearly better to be very selective in throwing out + entries. Reducing the timestamp Delta value is very discriminatory + against nodes with a large clock difference, as an attacker can + reduce its clock difference arbitrarily. Throwing out old entries + just because their clock difference is large therefore seems like a + bad approach. + + It is reasonable to have separate cache spaces for new and old + entries, where when under attack, the newly cached entries would be + more readily dropped. One could track traffic and only allow + reasonable new entries that receive genuine traffic to be converted + into old cache entries. Although such a scheme can make attacks + harder, it will not fully prevent them. For example, an attacker + could send a little traffic (i.e., a ping or TCP syn) after each NS + + + +Arkko, et al. Standards Track [Page 53] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + + to trick the victim into promoting its cache entry to the old cache. + To counter this, the node can be more intelligent in keeping its + cache entries than it would be just by having a black/white old/new + boundary. + + Distinction of the Sec parameter from the CGA Parameters when forcing + cache entries out -- by keeping entries with larger Sec parameters + preferentially -- also appears to be a possible approach, as CGAs + with higher Sec parameters are harder to spoof. + +Appendix C. Message Size When Carrying Certificates + + In one example scenario using SEND, an Authorization Delegation + Discovery test run was made with a certification path length of 4. + Three certificates are sent by using Certification Path Advertisement + messages, as the trust anchor's certificate is already known by both + parties. With a key length of 1024 bits, the certificate lengths in + the test run ranged from 864 to 888 bytes; the variation is due to + the differences in the certificate issuer names and address prefix + extensions. The different certificates had between 1 and 4 address + prefix extensions. + + The three Certification Path Advertisement messages ranged from 1050 + to 1,066 bytes on an Ethernet link layer. The certificate itself + accounts for the bulk of the packet. The rest is the trust anchor + option, ICMP header, IPv6 header, and link layer header. + + + + + + + + + + + + + + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 54] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +Authors' Addresses + + Jari Arkko + Ericsson + Jorvas 02420 + Finland + + EMail: jari.arkko@ericsson.com + + + James Kempf + DoCoMo Communications Labs USA + 181 Metro Drive + San Jose, CA 94043 + USA + + EMail: kempf@docomolabs-usa.com + + + Brian Zill + Microsoft Research + One Microsoft Way + Redmond, WA 98052 + USA + + EMail: bzill@microsoft.com + + + Pekka Nikander + Ericsson + Jorvas 02420 + Finland + + EMail: Pekka.Nikander@nomadiclab.com + + + + + + + + + + + + + + + + + +Arkko, et al. Standards Track [Page 55] + +RFC 3971 SEcure Neighbor Discovery March 2005 + + +Full Copyright Statement + + Copyright (C) The Internet Society (2005). + + This document is subject to the rights, licenses and restrictions + contained in BCP 78, and except as set forth therein, the authors + retain all their rights. + + This document and the information contained herein are provided on an + "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS + OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET + ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, + INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE + INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED + WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + +Intellectual Property + + The IETF takes no position regarding the validity or scope of any + Intellectual Property Rights or other rights that might be claimed to + pertain to the implementation or use of the technology described in + this document or the extent to which any license under such rights + might or might not be available; nor does it represent that it has + made any independent effort to identify any such rights. Information + on the procedures with respect to rights in RFC documents can be + found in BCP 78 and BCP 79. + + Copies of IPR disclosures made to the IETF Secretariat and any + assurances of licenses to be made available, or the result of an + attempt made to obtain a general license or permission for the use of + such proprietary rights by implementers or users of this + specification can be obtained from the IETF on-line IPR repository at + http://www.ietf.org/ipr. + + The IETF invites any interested party to bring to its attention any + copyrights, patents or patent applications, or other proprietary + rights that may cover technology that may be required to implement + this standard. Please address the information to the IETF at ietf- + ipr@ietf.org. + +Acknowledgement + + Funding for the RFC Editor function is currently provided by the + Internet Society. + + + + + + + +Arkko, et al. Standards Track [Page 56] + -- cgit v1.2.3