Re: [DNA] Route vs Advertise
> Before I go further, I started reading up on SEND to see how DNA should
> work with it - the questions I am asking at the moment are for my own
> clarifications - but we MAY have to address how the host can verify the
> authenticity of the prefixes in a DNAO or even in the Landmark option,
> if the certificates tightly bound the prefixes to individual routers.
> Please stop me if I am barking up the wrong tree here.
>
If the certs have prefixes in them, there is no reason why the certs must
only list the prefixes that are currently being advertised. The SEND spec
allows the certs to list a range of prefixes, or even a set of prefixes. So
the range or set could contain all the prefixes on the link, even those not
currently being advertised; indeed, the range could include all the prefixes
in the access network, if the ISP uses a "site" certificate, like many Web
services operators do.
> A router MAY, however, advertise a
> combination of certified and uncertified subnet prefixes.
> Uncertified subnet prefixes are treated as unsecured (i.e., processed
> in the same way as unsecured router advertisements sent by non-SEND
> routers). The processing of unsecured messages is specified in
> Section 8. Note that SEND nodes that do not attempt to interoperate
> with non-SEND nodes MAY simply discard the unsecured information.
>
Note that this does not imply that the router advertisement should be
considered insecure, just the uncertified prefix. If the advertisement has a
signature verifiable with the router's certified public key, then the router
is trustworthy.
> If the network operator wants to constrain which routers are
> allowed to route particular subnet prefixes, routers should be
> configured with certificates having subnet prefixes listed in the
> prefix extension. These routers SHOULD advertise the subnet
> prefixes that they are certified to route, or a subset thereof.
>
> Upon processing a Prefix Information option within a Router
> Advertisement, nodes SHOULD verify that the prefix specified in this
> option falls within the range defined by the certificate, if the
> certificate contains a prefix extension. Options failing this check
> are treated as containing uncertified subnet prefixes.
>
>
> Upon receiving PIO in a RA, nodes SHOULD verify that the prefix falls
> within the range defined by the certificate - if the check fails, treat
> the PIO as unsecure, if a host doesn't want to interoperate with
> non-SEND router, it can discard the unsecure PIOs. So, in an all-SEND
> nodes world, if hosts do the check on the PIOs - is it fair to conclude
> that the routing and advertising of any given prefix will have to be
> from the same router(s)?
>
That was the intent, a certified prefix means the router is authorized to
route the prefix as advertised.
jak
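
The prefix check discussed in this thread, as an added example that is not part of the original message or of any SEND implementation: each PIO is compared against the ranges in the certificate's prefix extension, and the RA signature result is taken as an input. The function name, the status labels and the sample prefixes are constructed for illustration.

```python
import ipaddress

def classify_pios(pio_prefixes, cert_prefixes, ra_signature_ok, send_only=False):
    """Classify each Prefix Information option (PIO) of one Router Advertisement.

    cert_prefixes   -- prefixes from the certificate's prefix extension,
                       or None if the certificate has no such extension
    ra_signature_ok -- outcome of verifying the RA signature with the router's
                       certified public key (verification itself is out of scope)
    send_only       -- True for a host that does not interoperate with
                       non-SEND nodes and discards unsecured information
    """
    ranges = None
    if cert_prefixes is not None:
        ranges = [ipaddress.IPv6Network(p) for p in cert_prefixes]

    result = {}
    for text in pio_prefixes:
        pio = ipaddress.IPv6Network(text)
        if not ra_signature_ok:
            status = "uncertified"          # the whole RA is unsecured
        elif ranges is None:
            status = "no-prefix-extension"  # nothing to check the PIO against
        elif any(pio.subnet_of(r) for r in ranges):
            status = "certified"            # PIO lies inside a certified range
        else:
            status = "uncertified"          # signed RA, but prefix not certified
        if status == "uncertified" and send_only:
            status = "discarded"
        result[text] = status
    return result

# Constructed sample: a "site" style certificate covering a whole access
# network, and an RA carrying four PIOs (documentation address space).
SITE_CERT = ["2001:db8:100::/40"]
RA_PIOS = [
    "2001:db8:100:1::/64",  # inside the certified range
    "2001:db8:1ff:2::/64",  # also inside: the range is wider than one link
    "2001:db8:200:1::/64",  # outside the certified range
    "2001:db8::/32",        # broader than the certified range, so not covered
]

if __name__ == "__main__":
    for prefix, status in classify_pios(RA_PIOS, SITE_CERT, True).items():
        print(f"{prefix:24} {status}")
```
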