Re: Regarding offloading IPv6 addrconf and ndisc

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Stephen Hemminger <shemminger@osdl.org>
To: Hugo Santos <hsantos@av.it.pt>
Cc: David Miller <davem@davemloft.net>,
	herbert@gondor.apana.org.au, kazunori@miyazawa.org,
	yoshfuji@linux-ipv6.org, netdev@vger.kernel.org,
	usagi-core@linux-ipv6.org
Subject: Re: Regarding offloading IPv6 addrconf and ndisc
Date: Thu, 27 Jul 2006 21:07:38 -0700	[thread overview]
Message-ID: <20060727210738.36f33436@localhost.localdomain> (raw)
In-Reply-To: <20060728033132.GF29313@innerghost.net>

On Fri, 28 Jul 2006 04:31:32 +0100
Hugo Santos <hsantos@av.it.pt> wrote:

> On Thu, Jul 27, 2006 at 08:20:44PM -0700, David Miller wrote:
> > 
> > Now, if you're saying that, in response to a NDISC packet, we might
> > have to go out and obtain the certificate, before we can process
> > the NDISC packet.  This is a different issue.  Is that how this
> > secure NDISC works?  Or does the system obtain all the certificates
> > first, by some other means, and then either it can certify an NDISC
> > frame immediately or it can't?
> 
>    It might happen that the host must ask the router for a Certification
>  Path by receiving a Router Advertisement. More specifically, RFC 3971
>  Section 6.4.6. 'Processing Rules for Hosts' states the following:
> 
>       The host SHOULD retrieve a certification path when a Router
>       Advertisement has been received with a public key that is not
>       available from a certificate in the hosts' cache, or when there is
>       no certification path to one of the host's trust anchors.  In
>       these situations, the host MAY send a Certification Path
>       Solicitation message to retrieve the path.  If there is no
>       response within CPS_RETRY seconds, the message should be retried.
>       The wait interval for each subsequent retransmission MUST
>       exponentially increase, doubling each time.  If there is no
>       response after CPS_RETRY_MAX seconds, the host abandons the
>       certification path retrieval process. (...)
> 
>    If no certification path is established, the RA must be treated as
>  unsecure. Secure prefixes are given preference over non-secure ones so
>  it might cause problems.
> 
>    Hugo

A couple of basic questions:
1. Can we just proceed assuming it is non-secure until a later time when
   the certificate path is established?
2. What if user process dies? or gets overwhelmed?
   One of the assumptions of the any well designed kernel is that the system should never
   hang because some user application died or waited for ever.

   

-- 
If one would give me six lines written by the hand of the most honest
man, I would find something in them to have him hanged. -- Cardinal Richlieu

next prev parent reply	other threads:[~2006-07-28  4:08 UTC|newest]

Thread overview: 32+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2006-07-27 11:25 Regarding offloading IPv6 addrconf and ndisc Hugo Santos
2006-07-27 12:25 ` Kazunori Miyazawa
2006-07-27 17:56   ` Hugo Santos
2006-07-27 23:56   ` Herbert Xu
2006-07-28  1:34     ` David Miller
2006-07-28  1:45       ` Hugo Santos
2006-07-28  2:27         ` David Miller
2006-07-28  3:13           ` Hugo Santos
2006-07-28  3:20             ` David Miller
2006-07-28  3:31               ` Hugo Santos
2006-07-28  4:07                 ` Stephen Hemminger [this message]
2006-07-28  8:34                   ` Hugo Santos
2006-07-28 12:45                     ` Jamal Hadi Salim
2006-07-29 13:34                       ` Hugo Santos
2006-07-30  3:28                         ` Kazunori Miyazawa
2006-07-30 11:30                           ` Hugo Santos
2006-07-31 21:23                             ` David Miller
2006-08-01 11:50                               ` Hugo Santos
2006-08-01 21:54                                 ` David Miller
2006-08-01  0:16                             ` Kazunori Miyazawa
2006-07-28  2:22       ` Herbert Xu
2006-07-28  2:33         ` David Miller
2006-08-01  0:31       ` Andi Kleen
2006-08-01  0:46         ` David Miller
2006-08-01  0:49           ` Roland Dreier
2006-08-01  1:24             ` Jamal Hadi Salim
2006-08-01  1:30               ` Herbert Xu
2006-08-01  1:47                 ` Jamal Hadi Salim
2006-08-01 12:13                   ` Hugo Santos
2006-08-01 12:00           ` Hugo Santos
2006-08-01 21:57             ` David Miller
2006-08-03 13:28               ` Ingo Oeser

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20060727210738.36f33436@localhost.localdomain \
    --to=shemminger@osdl.org \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=hsantos@av.it.pt \
    --cc=kazunori@miyazawa.org \
    --cc=netdev@vger.kernel.org \
    --cc=usagi-core@linux-ipv6.org \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).