SEcure Neighbor Discovery (SEND)
RFC 3971

Approval announcement
Draft of message to be sent after approval:

From: The IESG <iesg-secretary@ietf.org>
To: IETF-Announce <ietf-announce@ietf.org>
Cc: Internet Architecture Board <iab@iab.org>,
    RFC Editor <rfc-editor@rfc-editor.org>, 
    send mailing list <ietf-send@standards.ericsson.net>, 
    send chair <send-chairs@tools.ietf.org>
Subject: Protocol Action: 'SEcure Neighbor Discovery (SEND)' to 
         Proposed Standard 

The IESG has approved the following document:

- 'SEcure Neighbor Discovery (SEND) '
   <draft-ietf-send-ndopt-07.txt> as a Proposed Standard

This document is the product of the Securing Neighbor Discovery Working 
Group. 

The IESG contact persons are Margaret Wasserman and Mark Townsley.

A URL of this Internet-Draft is:
http://www.ietf.org/internet-drafts/draft-ietf-send-ndopt-07.txt

Technical Summary

IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover
other nodes on the link, to determine the link-layer addresses of
other nodes on the link, to find routers, and to maintain
reachability information about the paths to active neighbors.  If not
secured, NDP is vulnerable to various attacks.  This document
specifies security mechanisms for NDP.  Unlike the original NDP
specifications, these mechanisms do not make use of IPsec.

Working Group Summary

The only major issue in the WG about this document was that both
Microsoft and Ericsson declared that they had IPR on CGA technology.
This issue was resolved after license conditions agreeable to the
WG participants and suited for public domain software were posted by
the respective companies. Before this, the WG briefly investigated an
alternative that would have required the configuration of hosts with
certificates, which might have resulted in deployment problems.

Another significant issue in the WG focused around the design of the
protocol and whether it should be based on IPsec AH or stand on its
own. After documenting the alternatives and comparing their pros and
cons, the consensus of the WG was to use an ND options based approach
instead of IPsec. The benefits of this were lack of impact on IPsec
architecture and implementations, and better ability to make security
decisions based on application state. This is important, for instance,
for co-existence of SEND and insecure ND on the same link.

A minor issue involved how to represent the authorization for routers to
route a certain prefix. The WG originally favored attribute certificates,
but since the PKIX WG was planning on defining an identity certificate
extension for this purpose, the WG decided to go with the IP address
range extension in draft-ietf-pkix-x509-ipaddr-as-extn-03.txt. Note that
this constructs a normative dependence on that draft, and it would be
helpful if we could get that draft to advance as quickly as possible
(or alterntively figure out a way to remove the normative dependence)
since there is a market window on how long before it becomes too late
for SEND to achieve widespread deployment, and having an officially
published RFC is important for implementors.

Protocol Quality

The basic protocol design has been implemented on Linux.  That
 implementation was used to fine tune the design, and the results of the 
fine tuning went into the final draft.

This document was reviewed for the IESG by Margaret Wasserman.