[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [DNA] Route vs Advertise

To: greg.daley@eng.monash.edu.au
Subject: Re: [DNA] Route vs Advertise
From: Sathya Narayanan <sathya@research.panasonic.com>
Date: Fri, 03 Jun 2005 11:11:58 -0400
Cc: Erik Nordmark <erik.nordmark@sun.com>, Dna <dna@eng.monash.edu.au>
In-reply-to: <429FBC9E.1070507@eng.monash.edu.au>
Organization: Panasonic Technologies Company
References: <429F4329.1040807@Research.Panasonic.COM><429FBC9E.1070507@eng.monash.edu.au>
Sender: owner-dna@ecselists.eng.monash.edu.au
User-Agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Greg -

Thanks for the response.

Before I go further, I started reading up on SEND to see how DNA should
work with it - the questions I am asking at the moment are for my own
clarifications - but we MAY have to address how the host can verify the
authenticity of the prefixes in a DNAO or even in the Landmark option,
if the certificates tightly bound the prefixes to individual routers.
Please stop me if I am barking up the wrong tree here.

<snip>

> I remember this issue from SEND.
>
> Someone else may remember better though.
>
> The issue in SEND is essentially that in some circumstances we want to
> guarantee that a router is actually delegated authority to route for
> that prefix.   This is in the Certificate, not the PIO.
>
> I'd guess that the origin of the prefix doesn't matter (which RA the
> PIO arrives in), although the certificate would indicate that only
> those prefixes which are similarly authorized should be used as next
> hops for packets with that source address.

Look at the following lines from 3971:

A router MAY, however, advertise a
   combination of certified and uncertified subnet prefixes.
   Uncertified subnet prefixes are treated as unsecured (i.e., processed
   in the same way as unsecured router advertisements sent by non-SEND
   routers).  The processing of unsecured messages is specified in
   Section 8.  Note that SEND nodes that do not attempt to interoperate
   with non-SEND nodes MAY simply discard the unsecured information.

If the network operator wants to constrain which routers are
      allowed to route particular subnet prefixes, routers should be
      configured with certificates having subnet prefixes listed in the
      prefix extension.  These routers SHOULD advertise the subnet
      prefixes that they are certified to route, or a subset thereof.

Upon processing a Prefix Information option within a Router
   Advertisement, nodes SHOULD verify that the prefix specified in this
   option falls within the range defined by the certificate, if the
   certificate contains a prefix extension.  Options failing this check
   are treated as containing uncertified subnet prefixes.


Upon receiving PIO in a RA, nodes SHOULD verify that the prefix falls
within the range defined by the certificate - if the check fails, treat
the PIO as unsecure, if a host doesn't want to interoperate with
non-SEND router, it can discard the unsecure PIOs. So, in a all-SEND
nodes world, if hosts do the check on the PIOs - is it fair to conclude
that the routing and advertising of any given prefix will have to be
from the same router(s).

thanks,
Sathya

Follow-Ups:
- Re: [DNA] Route vs Advertise
  - From: James Kempf <kempf@docomolabs-usa.com>

References:
- [DNA] Route vs Advertise
  - From: Sathya Narayanan <sathya@research.panasonic.com>
- Re: [DNA] Route vs Advertise
  - From: Greg Daley <greg.daley@eng.monash.edu.au>

Prev by Date: Re: [DNA] Route vs Advertise
Next by Date: Re: [DNA] Route vs Advertise
Prev by thread: Re: [DNA] Route vs Advertise
Next by thread: Re: [DNA] Route vs Advertise
Index(es):
- Date
- Thread