Re: Regarding offloading IPv6 addrconf and ndisc

[Hugo Santos <hsantos@av.it.pt>]

[-- Attachment #1: Type: text/plain, Size: 1583 bytes --]

On Thu, Jul 27, 2006 at 08:20:44PM -0700, David Miller wrote:
> 
> Now, if you're saying that, in response to a NDISC packet, we might
> have to go out and obtain the certificate, before we can process
> the NDISC packet.  This is a different issue.  Is that how this
> secure NDISC works?  Or does the system obtain all the certificates
> first, by some other means, and then either it can certify an NDISC
> frame immediately or it can't?

   It might happen that the host must ask the router for a Certification
 Path by receiving a Router Advertisement. More specifically, RFC 3971
 Section 6.4.6. 'Processing Rules for Hosts' states the following:

      The host SHOULD retrieve a certification path when a Router
      Advertisement has been received with a public key that is not
      available from a certificate in the hosts' cache, or when there is
      no certification path to one of the host's trust anchors.  In
      these situations, the host MAY send a Certification Path
      Solicitation message to retrieve the path.  If there is no
      response within CPS_RETRY seconds, the message should be retried.
      The wait interval for each subsequent retransmission MUST
      exponentially increase, doubling each time.  If there is no
      response after CPS_RETRY_MAX seconds, the host abandons the
      certification path retrieval process. (...)

   If no certification path is established, the RA must be treated as
 unsecure. Secure prefixes are given preference over non-secure ones so
 it might cause problems.

   Hugo

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 189 bytes --]