rfc8928xml2.original.xml   rfc8928.xml 
<?xml version='1.0' encoding='utf-8'?> <?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent"> <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<!-- updated by KC 05/21/20 -->
<?rfc toc="yes"?> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" ipr="trust200902"
<?rfc tocompact="yes"?> number="8928" tocInclude="true" obsoletes="" updates="8505" consensus="true" su
<?rfc tocdepth="3"?> bmissionType="IETF" xml:lang="en" version="3" docName="draft-ietf-6lo-ap-nd-23"
<?rfc tocindent="yes"?> symRefs="true" sortRefs="true">
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="no"?>
<?rfc subcompact="no"?>
<?rfc authorship="yes"?>
<?rfc tocappendix="yes"?>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" ipr='trust200902
' tocInclude="true" obsoletes="" updates="8505" consensus="true" submissionType
="IETF" xml:lang="en" version="3" docName="draft-ietf-6lo-ap-nd-23" >
<front> <front>
<title abbrev='Address Protection ND for LLN'> <title abbrev="Address Protection ND for LLN">
Address Protected Neighbor Discovery for Low-power and Lossy Networks Address-Protected Neighbor Discovery for Low-Power and Lossy Networks
</title> </title>
<seriesInfo name="RFC" value="8928"/>
<author initials='P.' surname='Thubert' fullname='Pascal Thubert' role='edit <author initials="P." surname="Thubert" fullname="Pascal Thubert" role="edit
or'> or">
<organization abbrev='Cisco'>Cisco Systems, Inc</organization> <organization abbrev="Cisco">Cisco Systems, Inc.</organization>
<address> <address>
<postal> <postal>
<street>Building D</street> <street>Building D</street>
<street>45 Allee des Ormes - BP1200 </street> <street>45 Allee des Ormes - BP1200 </street>
<city>MOUGINS - Sophia Antipolis</city> <city>MOUGINS - Sophia Antipolis</city>
<code>06254</code> <code>06254</code>
<country>FRANCE</country> <country>France</country>
</postal> </postal>
<phone>+33 497 23 26 34</phone> <phone>+33 497 23 26 34</phone>
<email>pthubert@cisco.com</email> <email>pthubert@cisco.com</email>
</address> </address>
</author> </author>
<author initials='B.' surname='Sarikaya' fullname='Behcet Sarikaya'> <author initials="B." surname="Sarikaya" fullname="Behcet Sarikaya">
<organization/> <organization/>
<address> <address>
<postal> <postal>
<street/> <street/>
<street/> <street/>
<city/> <region/> <code/> <city/> <region/> <code/>
<country/> <country/>
</postal> </postal>
<email>sarikaya@ieee.org</email> <email>sarikaya@ieee.org</email>
</address> </address>
</author> </author>
<author initials='M.' surname='Sethi' fullname='Mohit Sethi'> <author initials="M." surname="Sethi" fullname="Mohit Sethi">
<organization>Ericsson</organization> <organization>Ericsson</organization>
<address> <address>
<postal> <postal>
<street/> <street/>
<city>Jorvas</city> <region/> <code>02420</code> <city>Jorvas</city> <region/> <code>02420</code>
<country>Finland</country> <country>Finland</country>
</postal> </postal>
<email>mohit@piuha.net</email> <email>mohit@piuha.net</email>
</address> </address>
</author> </author>
<author initials='R.' surname='Struik' fullname='Rene Struik'> <author initials="R." surname="Struik" fullname="Rene Struik">
<organization>Struik Security Consultancy</organization> <organization>Struik Security Consultancy</organization>
<address> <address>
<postal> <postal>
<street/> <street/>
<city/> <region/> <code/> <city/> <region/> <code/>
<country/> <country/>
</postal> </postal>
<email>rstruik.ext@gmail.com</email> <email>rstruik.ext@gmail.com</email>
</address> </address>
</author> </author>
<date month="October" year="2020" />
<date/>
<workgroup>6lo</workgroup> <workgroup>6lo</workgroup>
<!-- [rfced] Please insert any keywords (beyond those that appear in
the title) for use on https://www.rfc-editor.org/search.
-->
<abstract> <abstract>
<t> <t>
This document updates the 6LoWPAN Neighbor Discovery (ND) protocol def This document updates the IPv6 over Low-Power Wireless
ined in RFC 6775 and RFC 8505. Personal Area Network (6LoWPAN) Neighbor Discovery (ND)
The new extension is called Address Protected Neighbor Discovery (AP-N protocol defined in RFCs 6775 and 8505. The new extension
D) and it protects the owner of an address against is called Address-Protected Neighbor Discovery (AP-ND), and
address theft and impersonation attacks in a low-power and lossy netw it protects the owner of an address against address theft
ork (LLN). and impersonation attacks in a Low-Power and Lossy Network
Nodes supporting this extension compute a cryptographic identifier (C (LLN). Nodes supporting this extension compute a
rypto-ID) and use it with one or more of their cryptographic identifier (Crypto-ID), and use it with one
Registered Addresses. The Crypto-ID identifies the owner of the Regis or more of their Registered Addresses. The Crypto-ID
tered Address and can be used to provide proof of identifies the owner of the Registered Address and can be
ownership of the Registered Addresses. Once an address is registered used to provide proof of ownership of the Registered
with the Crypto-ID and a proof-of-ownership is Addresses. Once an address is registered with the Crypto-ID
provided, only the owner of that address can modify the registration and a proof of ownership is provided, only the owner of
information, thereby enforcing Source Address that address can modify the registration information,
Validation. thereby enforcing Source Address Validation.
</t> </t>
</abstract> </abstract>
</front> </front>
<middle> <middle>
<section><name>Introduction</name> <section><name>Introduction</name>
<t> <t>
Neighbor Discovery Optimizations for 6LoWPAN networks <xref target='RFC67 Neighbor Discovery optimizations for 6LoWPAN networks (aka 6LoWPAN ND) <x
75'/> (6LoWPAN ND) adapts the original IPv6 ref target="RFC6775"/> adapts the original IPv6
Neighbor Discovery (IPv6 ND) protocols defined in <xref target='RFC4861'/ Neighbor Discovery protocols defined in <xref target="RFC4861"/> and <xre
> and <xref target='RFC4862'/> for constrained f target="RFC4862"/> for constrained
low-power and lossy network (LLN). In particular, 6LoWPAN ND introduces a Low-Power and Lossy Networks (LLNs). In particular, 6LoWPAN ND introduces
unicast host Address Registration mechanism a unicast host Address Registration mechanism
that reduces the use of multicast compared to the Duplicate Address Detec tion (DAD) mechanism defined in IPv6 ND. that reduces the use of multicast compared to the Duplicate Address Detec tion (DAD) mechanism defined in IPv6 ND.
6LoWPAN ND defines a new Address Registration Option (ARO) that is carri ed in the 6LoWPAN ND defines a new Address Registration Option (ARO) that is carri ed in the
unicast Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messag es exchanged between a 6LoWPAN Node (6LN) and unicast Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messag es exchanged between a 6LoWPAN Node (6LN) and
a 6LoWPAN Router (6LR). a 6LoWPAN Router (6LR).
It also defines the Duplicate Address Request (DAR) and Duplicate Addres s Confirmation (DAC) It also defines the Duplicate Address Request (DAR) and Duplicate Addres s Confirmation (DAC)
messages between the 6LR and the 6LoWPAN Border Router (6LBR). messages between the 6LR and the 6LoWPAN Border Router (6LBR).
In LLN networks, the 6LBR is the central repository of all the registered addresses in its domain. In LLNs, the 6LBR is the central repository of all the registered address es in its domain.
</t> </t>
<t> <t>
The registration mechanism in <xref target='RFC6775'>"Neighbor Discovery The registration mechanism in "Neighbor Discovery Optimization for IPv6 o
Optimization for Low-power and Lossy Networks"</xref> (aka 6LoWPAN ND) prevents ver Low-Power Wireless Personal Area Networks (6LoWPANs)" <xref target="RFC6775"
the use of an address if that address ></xref> prevents the use of an address if that address
is already registered in the subnet (first come first serve). In order to is already registered in the subnet (first come, first served). In order
validate address ownership, the registration to validate address ownership, the registration
mechanism enables the 6LR and 6LBR to validate the association between th mechanism enables the 6LR and 6LBR to validate the association between th
e registered address of a node, and its e registered address of a node and its
Registration Ownership Verifier (ROVR). The ROVR is defined in <xref targ Registration Ownership Verifier (ROVR).
et='RFC8505'>"Registration Extensions for 6LoWPAN Neighbor
Discovery"</xref> and it can be derived from the <!--[rfced] We expanded 'MAC' as 'Medium Access Control (MAC)' per use
MAC address of the device (using the 64-bit Extended Unique Identifier EU in the companion document (draft-ietf-6lo-backbone-router-20).
I-64 address format specified by IEEE). If that is not correct or you prefer otherwise (perhaps 'Media
However, the EUI-64 can be spoofed, and therefore, any node connected to Access Control (MAC)'), please let us know.
the subnet and aware of a
Original:
The ROVR is defined in
"Registration Extensions for 6LoWPAN Neighbor Discovery" [RFC8505]
and it can be derived from the MAC address of the device (using the
64-bit Extended Unique Identifier EUI-64 address format specified by
IEEE).
Updated:
The ROVR is defined in
"Registration Extensions for IPv6 over
Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery"
[RFC8505], and it can be derived from the Medium Access Control (MAC)
address of the device (using the 64-bit Extended Unique Identifier (EUI-64)
address format specified by IEEE).
-->
The ROVR is defined in "Registration Extensions for IPv6 over
Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery" <xref ta
rget="RFC8505"></xref>, and it can be derived from the
Medium Access Control (MAC) address of the device (using the 64-bit Exten
ded Unique Identifier (EUI-64) address format specified by IEEE).
However, the EUI-64 can be spoofed; therefore, any node connected to the
subnet and aware of a
registered-address-to-ROVR mapping could effectively fake the ROVR. This would allow an attacker to steal the registered-address-to-ROVR mapping could effectively fake the ROVR. This would allow an attacker to steal the
address and redirect traffic for that address. <xref target='RFC8505'/> d address and redirect traffic for that address. <xref target="RFC8505"/> d
efines an Extended Address Registration efines an Extended Address Registration
Option (EARO) option that transports alternate forms of ROVRs, and is a p Option (EARO) that transports alternate forms of ROVRs and is a prerequis
re-requisite for this specification. ite for this specification.
</t> </t>
<t> <t>
In this specification, a 6LN generates a cryptographic ID (Cryp to-ID) and places it in the ROVR field during the In this specification, a 6LN generates a cryptographic identifi er (Crypto-ID) and places it in the ROVR field during the
registration of one (or more) of its addresses with the 6LR(s). Proof of ownership of the Crypto-ID is passed with registration of one (or more) of its addresses with the 6LR(s). Proof of ownership of the Crypto-ID is passed with
the first registration exchange to a new 6LR, and enforced at t the first registration exchange to a new 6LR and enforced at th
he 6LR. e 6LR.
The 6LR validates ownership of the
The 6LR validates ownership of the Crypto-ID before it creates any new registration state or chang
cryptographic ID before it creates any new registration state, es existing information.
or changes existing information.
</t> </t>
<t> <t>
The protected address registration protocol proposed in this do The protected address registration protocol proposed in this do
cument provides the same conceptual benefit as Source Address Validation (SAVI) cument provides the same conceptual benefit as Source Address Validation Improve
<xref target='RFC7039'/> that only the owner of an IPv6 address may source packe ment (SAVI) <xref target="RFC7039"/> in that only the owner of an IPv6 address m
ts with that address. ay source packets with that address.
As opposed to <xref target='RFC7039'/>, which relies on snooping proto As opposed to <xref target="RFC7039"/>, which relies on snooping proto
cols, the protection is based on a state that is installed and maintained in the cols, the protection is based on a state that is installed and maintained in the
network by the owner of the address. With this specification, a 6LN may use a 6 network by the owner of the address. With this specification, a 6LN may use a 6
LR for forwarding an IPv6 packets if and only if it has registered the address u LR for forwarding an IPv6 packet if and only if it has registered the address us
sed as source of the packet with that 6LR. ed as the source of the packet with that 6LR.
<!--, and a first-hop 6LR that is configured to enforce this rule MUST
discard a packet that is not originated from the 6LN that registered the IPv6 s
ource address of the packet.
-->
</t> </t>
<t> <t>
With the 6lo adaptation layer in <xref target='RFC4944'/> and < <!--[rfced] Please confirm the use of "6lo" here as neither of the
xref target='RFC6282'/>, a 6LN can obtain a better compression for an IPv6 addre referenced RFCs use "6lo" by itself.
ss with an Interface ID (IID) that is derived from a Layer-2 address. As a side
note, this is incompatible with Secure Neighbor Discovery (SeND) <xref target='R Original:
FC3971'/> and Cryptographically Generated Addresses (CGAs) With the 6lo adaptation layer in [RFC4944] and [RFC6282],...
<xref target='RFC3972'/>, since they derive the IID from crypto -->
graphic keys, whereas this specification separates the IID and the key material.
With the 6lo adaptation layer in <xref
target="RFC4944"/> and <xref target="RFC6282"/>, a
6LN can obtain a better compression for an IPv6
address with an Interface ID (IID) that is derived
from a Layer 2 (L2) address. As a side note, this is incompatib
le with "SEcure Neighbor Discovery (SEND") <xref target="RFC3971"/> and "Cryptog
raphically Generated Addresses (CGAs)"
<xref target="RFC3972"/>, since they derive the IID from crypto
graphic keys, whereas this specification separates the IID and the key material.
</t> </t>
</section> </section>
<section><name>Terminology</name> <section><name>Terminology</name>
<section anchor='bcp'><name>BCP 14</name> <section anchor="bcp"><name>Requirements Language</name>
<t> <t>
The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQU
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", IRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>
"OPTIONAL" in this document are to be interpreted as described in BCP 14 RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
<xref target='RFC2119'/> <xref target='RFC8174'/> when, and only when, "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this document are to
they appear in all capitals, as shown here. be interpreted as
described in BCP&nbsp;14 <xref target="RFC2119"/> <xref target="RFC8174"/>
</t> when, and only when, they appear in all capitals, as shown here.
</section> <!-- end section "BCP 14" --> </t>
</section>
<section anchor='lo' ><name>Additional References</name> <section anchor="lo"><name>Additional References</name>
<t> <t>
The reader may get additional context for this specification from the fol lowing references: The reader may get additional context for this specification from the fol lowing references:
</t><ul spacing='compact'> </t><ul spacing="normal">
<li> <xref target='RFC3971'>"SEcure Neighbor Discovery (SEND)"</xref>,</l <li> "SEcure Neighbor Discovery (SEND)" <xref target="RFC3971"></xref>,</
i> li>
<li> <xref target='RFC3972'>"Cryptographically Generated Addresses (CGA)" <li> "Cryptographically Generated Addresses (CGA)" <xref target="RFC3972"
</xref>,</li> ></xref>,</li>
<li><xref target='RFC4861'>"Neighbor Discovery for IP version 6"</xref> , <li> "Neighbor Discovery for IP version 6 (IPv6)" <xref target="RFC4861">
</li> </xref> ,</li>
<li><xref target='RFC4862'>"IPv6 Stateless Address Autoconfiguration"</xr <li> "IPv6 Stateless Address Autoconfiguration" <xref target="RFC4862"></
ef>, and </li> xref>, and </li>
<li><xref target='RFC4919'>"IPv6 over Low-Power Wireless Personal Area Ne <li> "IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Ove
tworks (6LoWPANs): Overview, Assumptions, Problem Statement, and Goals "</xref>. rview, Assumptions, Problem Statement, and Goals" <xref target="RFC4919"></xref>
</li> .</li>
</ul> </ul>
</section> <!-- Additional References --> </section>
<section anchor='acronyms'><name>Abbreviations</name> <section anchor="acronyms"><name>Abbreviations</name>
<t> This document uses the following abbreviations: <t> This document uses the following abbreviations:
</t><dl spacing='compact'>
<!--[rfced] We spotted the following abbreviations that are used
throughout the document but that are not included in the
"Abbreviations" section. Should they be added there as well?
DAD
ARO
DAR
DAC
MAC
EUI-64
SAVI
IID
ECC
EDAR
AP-ND
-->
</t><dl spacing="compact" indent="10">
<dt>6BBR:</dt><dd> 6LoWPAN Backbone Router </dd> <dt>6BBR:</dt><dd> 6LoWPAN Backbone Router </dd>
<dt>6LBR:</dt><dd> 6LoWPAN Border Router </dd> <dt>6LBR:</dt><dd> 6LoWPAN Border Router </dd>
<dt>6LN:</dt><dd> 6LoWPAN Node </dd> <dt>6LN:</dt><dd> 6LoWPAN Node </dd>
<dt>6LR:</dt><dd>6LoWPAN Router </dd> <dt>6LR:</dt><dd>6LoWPAN Router </dd>
<dt>CGA:</dt><dd>Cryptographically Generated Address</dd> <dt>CGA:</dt><dd>Cryptographically Generated Address</dd>
<dt>EARO:</dt><dd> Extended Address Registration Option</dd> <dt>EARO:</dt><dd> Extended Address Registration Option</dd>
<dt>ECDH:</dt><dd> Elliptic curve Diffie–Hellman</dd> <dt>ECDH:</dt><dd> Elliptic Curve Diffie-Hellman</dd>
<dt>ECDSA:</dt><dd> Elliptic Curve Digital Signature Algorithm</dd> <dt>ECDSA:</dt><dd> Elliptic Curve Digital Signature Algorithm</dd>
<dt>CIPO:</dt><dd>Crypto-ID Parameters Option</dd> <dt>CIPO:</dt><dd>Crypto-ID Parameters Option</dd>
<dt>LLN:</dt><dd> Low-Power and Lossy Network </dd> <dt>LLN:</dt><dd> Low-Power and Lossy Network</dd>
<dt>JSON:</dt><dd> JavaScript Object Notation</dd> <dt>JSON:</dt><dd> JavaScript Object Notation</dd>
<dt>JOSE:</dt><dd> JavaScript Object Signing and Encryption</dd> <dt>JOSE:</dt><dd> JavaScript Object Signing and Encryption</dd>
<dt>JWK:</dt><dd> JSON Web Key</dd> <dt>JWK:</dt><dd> JSON Web Key</dd>
<dt>JWS:</dt><dd> JSON Web Signature</dd> <dt>JWS:</dt><dd> JSON Web Signature</dd>
<dt>NA:</dt><dd> Neighbor Advertisement </dd> <dt>NA:</dt><dd> Neighbor Advertisement </dd>
<dt>ND:</dt><dd> Neighbor Discovery </dd> <dt>ND:</dt><dd> Neighbor Discovery </dd>
<dt>NDP:</dt><dd> Neighbor Discovery Protocol </dd> <dt>NDP:</dt><dd> Neighbor Discovery Protocol </dd>
<dt>NDPSO:</dt><dd> Neighbor Discovery Protocol Signature Option</dd> <dt>NDPSO:</dt><dd> Neighbor Discovery Protocol Signature Option</dd>
<dt>NS:</dt><dd> Neighbor Solicitation </dd> <dt>NS:</dt><dd> Neighbor Solicitation </dd>
<dt>ROVR:</dt><dd> Registration Ownership Verifier </dd> <dt>ROVR:</dt><dd> Registration Ownership Verifier </dd>
<dt>RA:</dt><dd> Router Advertisement </dd> <dt>RA:</dt><dd> Router Advertisement </dd>
<dt>RS:</dt><dd> Router Solicitation </dd> <dt>RS:</dt><dd> Router Solicitation </dd>
<dt>RSAO:</dt><dd> RSA Signature Option</dd> <dt>RSAO:</dt><dd> RSA Signature Option</dd>
<dt>SHA:</dt><dd> Secure Hash Algorithm</dd> <dt>SHA:</dt><dd> Secure Hash Algorithm</dd>
<dt>SLAAC:</dt><dd> Stateless Address Autoconfiguration</dd> <dt>SLAAC:</dt><dd> Stateless Address Autoconfiguration</dd>
<dt>TID:</dt><dd> Transaction ID </dd> <dt>TID:</dt><dd> Transaction ID </dd>
</dl><t> </dl>
</t>
</section> <!-- end section "Acronym Definitions" -->
</section> <!-- end section "Terminology" --> </section>
</section>
<section><name>Updating RFC 8505</name> <section><name>Updating RFC 8505</name>
<t> <t>
Section 5.3 of <xref target='RFC8505'/> introduces the ROVR that is used <xref target="RFC8505" sectionFormat="of" section="5.3"/> introduces the
to detect and reject duplicate registrations in the DAD process. ROVR that is used to detect and reject duplicate registrations in the DAD proces
The ROVR is a generic object that is designed for both backward compatib s.
ility and the capability to introduce new computation methods in the future. Usi The ROVR is a generic object that is designed for both backward compatib
ng a Crypto-ID per this specification is the RECOMMENDED method. <xref target='s ility and the capability to introduce new computation methods in the future. Usi
ec-col'/> discusses collisions when heterogeneous methods to compute the ROVR fi ng a Crypto-ID per this specification is the <bcp14>RECOMMENDED</bcp14> method.
eld coexist inside a same network. <xref target="sec-col"/> discusses collisions when heterogeneous methods to comp
ute the ROVR field coexist inside a same network.
</t> </t>
<t> <t>
This specification introduces a new token called a cryptographic iden tifier (Crypto-ID) that is transported in the ROVR field and used to prove indir ectly the ownership of an address that is being registered by means of <xref tar get='RFC8505'/>. The This specification introduces a new token called a Crypto-ID that is tra nsported in the ROVR field and used to indirectly prove the ownership of an addr ess that is being registered by means of <xref target="RFC8505"/>. The
Crypto-ID is derived from a cryptographic public key and additional para meters. Crypto-ID is derived from a cryptographic public key and additional para meters.
</t> </t>
<t> <t>
The overall mechanism requires the support of Elliptic Curve Cryptograph y (ECC) and of a hash function as detailed in <xref target='ndpso-generation'/>. To enable the verification of the proof, the registering node needs to supply c ertain parameters including a nonce and a signature that will demonstrate that t he node possesses the private-key corresponding to the public-key used to build the Crypto-ID. The overall mechanism requires the support of Elliptic Curve Cryptograph y (ECC) and a hash function as detailed in <xref target="ndpso-generation"/>. To enable the verification of the proof, the Registering Node needs to supply cert ain parameters including a nonce and a signature that will demonstrate that the node possesses the private key corresponding to the public key used to build the Crypto-ID.
</t> </t>
<t> The elliptic curves and the hash functions listed in <xref target='crypt
otypetable'/> in <xref target='cryptotypereg'/> can be used with this specificat <t> The elliptic curves and the hash functions listed in <xref
ion; more may be added in the future to the IANA registry. target="cryptotypetable"/> in <xref target="cryptotypereg"/> can
The signature scheme that specifies which combination is used (including be used with this specification; more may be added in the future
the curve and the representation conventions) is signaled by a Crypto-Type in a to the corresponding IANA registry.
new IPv6 ND Crypto-ID Parameters Option (CIPO, see <xref target='cryptoidopt'/>) The signature scheme that specifies which combination is used (including
that contains the parameters that are necessary for the proof, a Nonce o the curve and the representation conventions) is signaled by a Crypto-Type in a
ption (<xref target='RFC3971'/>) and a NDP Signature option (<xref target='ndpso new IPv6 ND Crypto-ID Parameters Option (CIPO) (see <xref target="cryptoidopt"/>
'/>). The NA(EARO) is modified to enable a challenge and transport a Nonce opti )
on. that contains the parameters that are necessary for the proof, a Nonce O
ption <xref target="RFC3971"/>, and an NDP Signature Option (<xref target="ndpso
"/>). The NA(EARO) is modified to enable a challenge and transport a Nonce Opti
on.
</t> </t>
<!--t>
In order to avoid the need for new ND option types, this specification reuse
s and extends options defined in SEND <xref target="RFC3971"/> and 6LoWPAN ND <x
ref target="RFC6775"/> <xref target="RFC8505"/>. This applies to the CGA option
and the RSA Signature Option. This specification provides aliases for the specif
ic variations of those options as used in this document. The presence of the EAR
O option in the NS/NA messages indicates that the options are to be processed as
specified in this document, and not as defined in SEND <xref target="RFC3971"/>
.
</t-->
</section> </section>
<section anchor='cryptoifldg'><name>New Fields and Options</name> <section anchor="cryptoifldg"><name>New Fields and Options</name>
<section anchor='cryptoidalg'><name>New Crypto-ID</name> <section anchor="cryptoidalg"><name>New Crypto-ID</name>
<t> <t>
The Crypto-ID is transported in the ROVR field of the EARO option and the EDAR message, and is associated with the Registered Address at the 6LR and the 6LBR. The Crypto-ID is transported in the ROVR field of the EARO and the Extend ed Duplicate Address Request (EDAR) message and is associated with the Registere d Address at the 6LR and the 6LBR.
The ownership of a Crypto-ID can be demonstrated by cryptographic mechani sms, and by association, the ownership of the Registered Address can be ascertai ned. The ownership of a Crypto-ID can be demonstrated by cryptographic mechani sms, and by association, the ownership of the Registered Address can be ascertai ned.
</t><t> </t><t>
A node in possession of the necessary cryptographic primitives SHOULD use Crypto-ID by default as ROVR in its registrations. Whether a ROVR is a Crypto-I D is indicated by a new "C" flag in the NS(EARO) message. A node in possession of the necessary cryptographic primitives <bcp14>SHO ULD</bcp14> use Crypto-ID by default as ROVR in its registrations. Whether a ROV R is a Crypto-ID is indicated by a new "C" flag in the NS(EARO) message.
</t> </t>
<t> <t>
The Crypto-ID is derived from the public key and a modifier as follows: The Crypto-ID is derived from the public key and a modifier as follows:
</t><ol spacing='compact'> </t><ol spacing="normal">
<li>The hash function used internally by the signature scheme indicated by th <li>The hash function used internally by the signature scheme and indicated b
e Crypto-Type (see also <xref target='cryptotypetable'/> in <xref target='crypto y the Crypto-Type (see <xref target="cryptotypetable"/> in <xref target="cryptot
typereg'/>) ypereg"/>)
is applied to the CIPO. Note that all the reserved and padding bits MUST be s is applied to the CIPO. Note that all the reserved and padding bits <bcp14>MU
et to zero. ST</bcp14> be set to zero.
</li> </li>
<li> The leftmost bits of the resulting hash, up to the desired size, are use d as the Crypto-ID. <li> The leftmost bits of the resulting hash, up to the desired size, are use d as the Crypto-ID.
</li> </li>
</ol><t> </ol><t>
At the time of this writing, a minimal size for the Crypto-ID of 128 bits is RECOMMENDED unless backward compatibility is needed <xref target='RFC8505'/>. Th is value is bound to augment in the future. At the time of this writing, a minimal size for the Crypto-ID of 128 bits is <bcp14>RECOMMENDED</bcp14> unless backward compatibility is needed <xref target= "RFC8505"/>. This value is bound to augment in the future.
</t> </t>
</section> </section>
<section anchor='cryptoEARO'><name>Updated EARO</name> <section anchor="cryptoEARO"><name>Updated EARO</name>
<t> <t>
This specification updates the EARO option to enable the use of the RO VR field to transport the Crypto-ID. The resulting format is as follows: This specification updates the EARO to enable the use of the ROVR fiel d to transport the Crypto-ID. The resulting format is as follows:
</t> </t>
<figure anchor='crypto-fig'><name>Enhanced Address Registration Option</n ame> <figure anchor="crypto-fig"><name>Enhanced Address Registration Option</n ame>
<artwork> <artwork>
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Status | Opaque | | Type | Length | Status | Opaque |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Rsvd |C| I |R|T| TID | Registration Lifetime | |Rsvd |C| I |R|T| TID | Registration Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
... Registration Ownership Verifier (ROVR) ... ... Registration Ownership Verifier (ROVR) ...
| | | |
skipping to change at line 271 skipping to change at line 315
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Status | Opaque | | Type | Length | Status | Opaque |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Rsvd |C| I |R|T| TID | Registration Lifetime | |Rsvd |C| I |R|T| TID | Registration Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
... Registration Ownership Verifier (ROVR) ... ... Registration Ownership Verifier (ROVR) ...
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork> </artwork>
</figure> </figure>
<t> <dl spacing="normal">
</t><dl spacing='normal'>
<dt>Type:</dt><dd> <dt>Type:</dt><dd>
33 33
</dd> </dd>
<dt>Length:</dt><dd> <dt>Length:</dt><dd>
Defined in <xref target='RFC8505'/> and copied in associated CIPO. Defined in <xref target="RFC8505"/> and copied in the associated CIPO.
</dd> </dd>
<dt>Status:</dt><dd> <dt>Status:</dt><dd>
Defined in <xref target='RFC8505'/>. Defined in <xref target="RFC8505"/>.
</dd> </dd>
<dt>Opaque:</dt><dd> <dt>Opaque:</dt><dd>
Defined in <xref target='RFC8505'/>. Defined in <xref target="RFC8505"/>.
</dd> </dd>
<dt>Rsvd (Reserved):</dt><dd>3-bit unsigned integer. <dt>Rsvd (Reserved):</dt><dd>3-bit unsigned integer.
It MUST be set to zero by the sender and MUST be ignored by the receiver . It <bcp14>MUST</bcp14> be set to zero by the sender and <bcp14>MUST</bcp 14> be ignored by the receiver.
</dd> </dd>
<dt>C:</dt><dd> <dt>C:</dt><dd>
This "C" flag is set to indicate that the ROVR field contains a Crypto-ID and that the 6LN MAY be challenged for ownership as specified in this document. This "C" flag is set to indicate that the ROVR field contains a Crypto-ID and that the 6LN <bcp14>MAY</bcp14> be challenged for ownership as specified in this document.
</dd> </dd>
<dt>I, R, T:</dt><dd> <dt>I, R, T:</dt><dd>
Defined in <xref target='RFC8505'/>. Defined in <xref target="RFC8505"/>.
</dd> </dd>
<dt>TID:</dt><dd> <dt>TID:</dt><dd>
Defined in <xref target='RFC8505'/>. Defined in <xref target="RFC8505"/>.
</dd> </dd>
<!--[rfced] We see that "Registration Lifetime" is not listed in the
text describing Figure 1. Please let us know what, if any, text
should be added.-->
<dt>Registration Ownership Verifier (ROVR):</dt><dd> <dt>Registration Ownership Verifier (ROVR):</dt><dd>
When the "C" flag is set, this field contains a Crypto-ID. When the "C" flag is set, this field contains a Crypto-ID.
</dd> </dd>
</dl> </dl>
<t> <t>
This specification uses Status values "Validation Requested" and This specification uses the Status values "Validation Requested" and
"Validation Failed", which are defined in <xref target='RFC8505'/>. "Validation Failed", which are defined in <xref target="RFC8505"/>.
</t><t> </t><t>
this specification does not define any new Status value. This specification does not define any new Status values.
</t> </t>
</section> </section>
<section anchor='cryptoidopt'><name>Crypto-ID Parameters Option</name> <section anchor="cryptoidopt"><name>Crypto-ID Parameters Option</name>
<t> <t>
This specification defines the Crypto-ID Parameters Option (CIPO). This specification defines the CIPO.
The CIPO carries the parameters used to form a Crypto-ID. </t> The CIPO carries the parameters used to form a Crypto-ID.</t>
<t> <t>
In order to provide cryptographic agility <xref target='RFC7696'/>, this spe cification supports different elliptic-curve based signature schemes, In order to provide cryptographic agility <xref target="RFC7696"/>, this spe cification supports different elliptic-curve-based signature schemes,
indicated by a Crypto-Type field: indicated by a Crypto-Type field:
</t> </t>
<ul> <ul>
<li> <li>
The ECDSA256 signature scheme, which uses ECDSA with the NIST P-256 curve <x The ECDSA256 signature scheme, which uses ECDSA with the NIST P-256 curve <x
ref target='FIPS186-4'/> and the hash function SHA-256 <xref target="RFC6234"></ ref target="FIPS186-4"/> and the hash function SHA-256 <xref target="RFC6234"/>
xref> internally, internally,
MUST be supported by all implementations. <bcp14>MUST</bcp14> be supported by all implementations.
</li> </li>
<li> <li>
The Ed25519 signature scheme, which uses the Pure Edwards-Curve Digital Sign The Ed25519 signature scheme, which uses the Pure Edwards-Curve Digital Sign
ature Algorithm (PureEdDSA) <xref target='RFC8032'/> with the twisted Edwards cu ature Algorithm (PureEdDSA) <xref target="RFC8032"/> with the twisted Edwards cu
rve Edwards25519 rve Edwards25519
<xref target="RFC7748"></xref> and the hash function SHA-512 <xref target <xref target="RFC7748"/> and the hash function SHA-512 <xref target="RFC6
="RFC6234"></xref> internally, MAY be supported as an alternative. 234"/> internally, <bcp14>MAY</bcp14> be supported as an alternative.
</li> </li>
<li> <li>
The ECDSA25519 signature scheme, which uses ECDSA <xref target='FIPS186-4'/> The ECDSA25519 signature scheme, which uses ECDSA <xref target="FIPS186-4"/>
with the Weierstrass curve Wei25519 (see <xref target="curves"></xref>) and the with the Weierstrass curve Wei25519 (see <xref target="curves"/>) and the hash
hash function function
SHA-256 <xref target="RFC6234"></xref> internally, MAY also be supported. SHA-256 <xref target="RFC6234"/> internally, <bcp14>MAY</bcp14> also be s
upported.
</li> </li>
</ul> </ul>
<t> This specification uses signature schemes that target similar cryptog raphic strength but rely on different curves, hash functions, signature algorith ms, and/or <t> This specification uses signature schemes that target similar cryptog raphic strength but rely on different curves, hash functions, signature algorith ms, and/or
representation conventions. Future specification may extend this to diffe rent cryptographic algorithms and key sizes, e.g., to provide better security pr operties or a representation conventions. Future specification may extend this to diffe rent cryptographic algorithms and key sizes, e.g., to provide better security pr operties or a
simpler implementation. simpler implementation.
</t> </t>
<figure anchor='cgapar-fig'><name>Crypto-ID Parameters Option</name> <art <!--[rfced] FYI: in Figures 2 and 3 (Sections 4.3 and 4.4,
work> respectively), for consistency with the other figures, we moved
0 1 2 3 the bit ruler over one space so that it begins over the dash
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 instead of the plus sign. Please let us know of any concerns.
Updated:
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
-->
<figure anchor="cgapar-fig"><name>Crypto-ID Parameters Option</name> <art
work>
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |Reserved1| Public Key Length | | Type | Length |Reserved1| Public Key Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Crypto-Type | Modifier | EARO Length | | | Crypto-Type | Modifier | EARO Length | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +
| | | |
. . . .
. Public Key (variable length) . . Public Key (variable length) .
. . . .
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
. Padding . . Padding .
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork> </artwork>
</figure> </figure>
<t> <dl spacing="normal">
</t><dl spacing='normal'>
<dt>Type:</dt><dd> 8-bit unsigned integer. <dt>Type:</dt><dd> 8-bit unsigned integer.
to be assigned by IANA, see <xref target='nexndopt'/>. IANA has assigned value 39; see <xref target="nexndopt"/>.
</dd> </dd>
<dt>Length:</dt><dd> <dt>Length:</dt><dd>
8-bit unsigned integer. The length of the option in units of 8 octets . 8-bit unsigned integer. The length of the option in units of 8 octets .
</dd> </dd>
<dt>Reserved1:</dt><dd> 5-bit unsigned integer. <dt>Reserved1:</dt><dd> 5-bit unsigned integer.
It MUST be set to zero by the sender and MUST be ignored by the receiver . It <bcp14>MUST</bcp14> be set to zero by the sender and <bcp14>MUST</bcp 14> be ignored by the receiver.
</dd> </dd>
<dt>Public Key Length:</dt><dd> <dt>Public Key Length:</dt><dd>
11-bit unsigned integer. The length of the Public Key field in bytes. 11-bit unsigned integer. The length of the Public Key field in bytes.
The actual length depends on the Crypto-Type value and on how the public key is The actual length depends on the Crypto-Type value and how the public key is re
represented. presented.
The valid values with this document are provided in <xref target The valid values with this document are provided in <xref target=
="cryptotypetable"/>. "cryptotypetable"/>.
</dd> </dd>
<dt>Crypto-Type:</dt><dd>8-bit unsigned integer. <dt>Crypto-Type:</dt><dd>8-bit unsigned integer.
The type of cryptographic algorithm used in calculation Crypto-ID The type of cryptographic algorithm used in calculation of the Crypto-ID
indexed by IANA in the "Crypto-Type Subregistry" in the "Internet Contro indexed by IANA in the "Crypto-Types" subregistry in the "Internet Contr
l Message Protocol version 6 (ICMPv6) Parameters" ol Message Protocol version 6 (ICMPv6) Parameters" registry
(see <xref target='cryptotypereg'/>). (see <xref target="cryptotypereg"/>).
</dd> </dd>
<dt>Modifier:</dt><dd> <dt>Modifier:</dt><dd>
8-bit unsigned integer. Set to an arbitrary value by the creator of t he Crypto-ID. 8-bit unsigned integer. Set to an arbitrary value by the creator of t he Crypto-ID.
The role of the modifier is to enable the formation of multiple Crypto-IDs fr om a same key pair, which reduces the traceability and thus improves the privacy of a constrained node that could not maintain many key-pairs. The role of the modifier is to enable the formation of multiple Crypto-IDs fr om a same key pair, which reduces the traceability and, thus, improves the priva cy of a constrained node that could not maintain many key pairs.
</dd> </dd>
<dt>EARO Length:</dt><dd> 8-bit unsigned integer. <dt>EARO Length:</dt><dd> 8-bit unsigned integer.
The option length of the EARO that contains the Crypto-ID associated with the CIPO. The option length of the EARO that contains the Crypto-ID associated with the CIPO.
</dd> </dd>
<dt>Public Key:</dt><dd> A variable-length field, size indicated in the P ublic Key Length field. <dt>Public Key:</dt><dd> A variable-length field; the size is indicated i n the Public Key Length field.
</dd> </dd>
<dt>Padding:</dt><dd> <dt>Padding:</dt><dd>
A variable-length field completing the Public Key field to align to the next 8-bytes boundary. It MUST be set to zero by the sender and MUST be ignored by the receiver. A variable-length field that completes the Public Key field to align to the next 8-byte boundary. It <bcp14>MUST</bcp14> be set to zero by the sender an d <bcp14>MUST</bcp14> be ignored by the receiver.
</dd> </dd>
</dl><t> </dl>
</t>
<t> <t>
The implementation of multiple hash functions in a constrained device may The implementation of multiple hash functions in a constrained device may
consume excessive amounts of program memory. This specification enables t he use of the same hash function SHA-256 <xref target='RFC6234'/> for two of the three supported ECC-based signature schemes. consume excessive amounts of program memory. This specification enables t he use of the same hash function SHA-256 <xref target="RFC6234"/> for two of the three supported ECC-based signature schemes.
Some code factorization is also possible for the ECC computation itself. Some code factorization is also possible for the ECC computation itself.
</t> </t>
<t> <t>
<xref target='I-D.ietf-lwig-curve-representations'/> provides information <xref target="I-D.ietf-lwig-curve-representations"/> provides information
on how to represent Montgomery curves and (twisted) Edwards curves as cur on how to represent Montgomery curves and (twisted) Edwards curves as cur
ves in short-Weierstrass form and illustrates how this can be used to implement ves in short-Weierstrass form, and it illustrates how this can be used to implem
elliptic curve computations using existing implementations that already provide, ent elliptic curve computations using existing implementations that already prov
e.g., ECDSA and ECDH using NIST <xref target='FIPS186-4'/> prime curves. For mo ide, e.g., ECDSA and ECDH using NIST <xref target="FIPS186-4"/> prime curves. Fo
re details on representation conventions, we refer to r more details on representation conventions, refer to
<xref target='reprconv'/>.</t> <xref target="reprconv"/>.</t>
</section> </section>
<section anchor='ndpso'><name>NDP Signature Option</name> <section anchor="ndpso"><name>NDP Signature Option</name>
<t> <t>
This specification defines the NDP Signature Option (NDPSO). This specification defines the NDP Signature Option (NDPSO).
The NDPSO carries the signature that proves the ownership of the Crypto-ID. The NDPSO carries the signature that proves the ownership of the Crypto-ID.
The format of the NDPSO is illustrated in <xref target='ndpso-fig'/>. The format of the NDPSO is illustrated in <xref target="ndpso-fig"/>.
</t> </t>
<t> <t>
As opposed to the RSA Signature Option (RSAO) defined in section 5.2. of <xr ef target='RFC3971'>SEND</xref>, the NDPSO does not have a key hash field. Inste ad, the leftmost 128 bits of the ROVR field in the EARO are used as hash to retr ieve the CIPO that contains the key material used for signature verification, le ft-padded if needed. As opposed to the RSA Signature Option (RSAO) defined in <xref target="RFC39 71" sectionFormat="of" section="5.2">SEND</xref>, the NDPSO does not have a key hash field. Instead, the leftmost 128 bits of the ROVR field in the EARO are use d as hash to retrieve the CIPO that contains the key material used for signature verification, left-padded if needed.
</t> </t>
<t> <t>
Another difference is that the NDPSO signs a fixed set of fields as opposed to all options that appear prior to it in the ND message that bears the signatur e. This allows to elide a CIPO that the 6LR already received, at the expense of the capability to add arbitrary options that would signed with a RSAO. Another difference is that the NDPSO signs a fixed set of fields as opposed to all options that appear prior to it in the ND message that bears the signatur e. This allows a CIPO that the 6LR already received to be elided, at the expense of the capability to add arbitrary options that would be signed with an RSAO.
</t> </t>
<t> <t>
An ND message that carries an NDPSO MUST have one and only one EARO. The EAR O MUST contain a Crypto-ID in the ROVR field, and the Crypto-ID MUST be associat ed with the keypair used for the Digital Signature in the NDPSO. An ND message that carries an NDPSO <bcp14>MUST</bcp14> have one and only on e EARO. The EARO <bcp14>MUST</bcp14> contain a Crypto-ID in the ROVR field, and the Crypto-ID <bcp14>MUST</bcp14> be associated with the key pair used for the d igital signature in the NDPSO.
</t> </t>
<t> <t>
The CIPO may be present in the same message as the NDPSO. If it is not prese nt, it can be found in an abstract table that was created by a previous message and indexed by the hash. The CIPO may be present in the same message as the NDPSO. If it is not prese nt, it can be found in an abstract table that was created by a previous message and indexed by the hash.
</t> </t>
<figure anchor='ndpso-fig'><name>NDP signature Option</name> <figure anchor="ndpso-fig"><name>NDP Signature Option</name>
<artwork> <artwork>
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length |Reserved1| Signature Length | | Type | Length |Reserved1| Signature Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved2 | | Reserved2 |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
. . . .
. Digital Signature (variable length) . . Digital Signature (variable length) .
. . . .
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| | | |
. Padding . . Padding .
| | | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
</artwork> </artwork>
</figure> </figure>
<t> <dl spacing="normal">
</t><dl spacing='normal'>
<dt>Type:</dt><dd> <dt>Type:</dt><dd>
to be assigned by IANA, see <xref target='nexndopt'/>. IANA has assigned value 40; see <xref target="nexndopt"/>.
</dd> </dd>
<dt>Length:</dt><dd> <dt>Length:</dt><dd>
8-bit unsigned integer. The length of the option in units of 8 octets . 8-bit unsigned integer. The length of the option in units of 8 octets .
</dd> </dd>
<dt>Reserved1:</dt><dd> 5-bit unsigned integer. <dt>Reserved1:</dt><dd> 5-bit unsigned integer.
It MUST be set to zero by the sender and MUST be ignored by the receiver . It <bcp14>MUST</bcp14> be set to zero by the sender and <bcp14>MUST</bcp 14> be ignored by the receiver.
</dd> </dd>
<dt>Digital Signature Length:</dt><dd> <dt>Digital Signature Length:</dt><dd>
11-bit unsigned integer. The length of the Digital Signature field in bytes. 11-bit unsigned integer. The length of the Digital Signature field in bytes.
</dd> </dd>
<dt>Reserved2:</dt><dd> 32-bit unsigned integer. <dt>Reserved2:</dt><dd> 32-bit unsigned integer.
It MUST be set to zero by the sender and MUST be ignored by the receiver . It <bcp14>MUST</bcp14> be set to zero by the sender and <bcp14>MUST</bcp 14> be ignored by the receiver.
</dd> </dd>
<dt>Digital Signature:</dt><dd> <dt>Digital Signature:</dt><dd>
A variable-length field containing the digital signature. The length and A variable-length field containing the digital signature. The length and
computation of the digital signature both depend on the Crypto-Type which is fou computation of the digital signature both depend on the Crypto-Type, which is fo
nd in the associated CIPO, see <xref target='reprconv'/>. und in the associated CIPO; see <xref target="reprconv"/>.
For the values of the Crypto-Type defined in this specification, and for For the values of the Crypto-Type defined in this specification, and for
future values of the Crypto-Type unless specified otherwise, the signature is c future values of the Crypto-Type unless specified otherwise, the signature is c
omputed as detailed in <xref target='ndpso-generation'/>. omputed as detailed in <xref target="ndpso-generation"/>.
</dd> </dd>
<dt>Padding:</dt><dd> <dt>Padding:</dt><dd>
A variable-length field completing the Digital Signature field to align to the next 8-bytes boundary. It MUST be set to zero by the sender and MUST be i gnored by the receiver. A variable-length field completing the Digital Signature field to align to the next 8-byte boundary. It <bcp14>MUST</bcp14> be set to zero by the sender and <bcp14>MUST</bcp14> be ignored by the receiver.
</dd> </dd>
</dl><t> </dl>
</t>
</section> </section>
<section anchor='CIO'> <section anchor="CIO">
<name>Extensions to the Capability Indication Option</name> <name>Extensions to the Capability Indication Option</name>
<t> <t>
This specification defines one new capability bits in the 6CIO, This specification defines one new capability bit in the 6LoWPAN Capabili
defined by <xref target="RFC7400"/> for use by the 6LR and 6LBR in IPv6 N ty Indication Option (6CIO),
D RA messages. as defined by <xref target="RFC7400"/>, for use by the 6LR and 6LBR in IP
v6 ND RA messages.
</t> </t>
<figure anchor='fig6CIO' title="New Capability Bit in the 6CIO"> <figure anchor="fig6CIO" title="New Capability Bit in the 6CIO">
<artwork> <artwork>
<![CDATA[
0 1 2 3 0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length = 1 | Reserved |A|D|L|B|P|E|G| | Type | Length = 1 | Reserved |A|D|L|B|P|E|G|
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Reserved | | Reserved |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
]]></artwork> </artwork>
</figure> </figure>
<t> New Option Field:</t> <t> New Option Field:</t>
<dl spacing='normal'> <dl spacing="normal">
<dt>A:</dt><dd> 1-bit flag. Set to indicate that AP-ND is globally activa ted in the network. <dt>A:</dt><dd> 1-bit flag. Set to indicate that AP-ND is globally activa ted in the network.
</dd> </dd>
</dl> </dl>
<t> <t>
The "A" flag is set by the 6LBR that serves the network and propagated by th e 6LRs. The "A" flag is set by the 6LBR that serves the network and is propagated by the 6LRs.
It is typically turned on when all 6LRs are migrated to this specification. It is typically turned on when all 6LRs are migrated to this specification.
</t> </t>
</section> <!--New 6LoWPAN Capability Bits in the Capability Indication Opti on --> </section>
</section> </section>
<section><name>Protocol Scope</name> <section><name>Protocol Scope</name>
<t> <t>
The scope of the protocol specified here is a 6LoWPAN LLN, typically a stub network connected to a larger IP network via a Border Router called a 6L BR per <xref target='RFC6775'/>. A 6LBR has sufficient capability to satisfy the needs of duplicate address detection. The scope of the protocol specified here is a 6LoWPAN LLN, typically a stub network connected to a larger IP network via a border router called a 6L BR per <xref target="RFC6775"/>. A 6LBR has sufficient capability to satisfy the needs of DAD.
</t> </t>
<t> <t>
The 6LBR maintains registration state for all devices in its attache d LLN. Together with the first-hop router (the 6LR), the 6LBR assures uniquenes s and grants ownership of an IPv6 address before it can be used in the LLN. This is in contrast to a traditional network that relies on IPv6 address auto-config uration <xref target='RFC4862'/>, where there is no guarantee of ownership from the network, and each IPv6 Neighbor Discovery packet must be individually secure d <xref target='RFC3971'/>. The 6LBR maintains registration state for all devices in its attache d LLN. Together with the first-hop router (the 6LR), the 6LBR assures uniquenes s and grants ownership of an IPv6 address before it can be used in the LLN. This is in contrast to a traditional network that relies on IPv6 address autoconfigu ration <xref target="RFC4862"/>, where there is no guarantee of ownership from t he network, and each IPv6 Neighbor Discovery packet must be individually secured <xref target="RFC3971"/>.
</t> </t>
<figure anchor='figco'><name>Basic Configuration</name> <figure anchor="figco"><name>Basic Configuration</name>
<artwork><![CDATA[ <artwork>
---+-------- ............ ---+-------- ............
| External Network | External Network
| |
+-----+ +-----+
| | 6LBR | | 6LBR
+-----+ +-----+
o o o o o o
o o o o o o o o
o o LLN o o o o o LLN o o o
o o o o
o o o(6LR) o o o(6LR)
^ ^
o o | LLN link o o | LLN link
o o v o o v
o(6LN) o(6LN)
o o
]]></artwork> </artwork>
</figure> </figure>
<t> <t>
In a mesh network, the 6LR is directly connected to the host device. This specification mandates that the peer-wise layer-2 security is deployed so that all the packets from a particular host are securely identifiable by the 6LR . The 6LR may be multiple hops away from the 6LBR. Packets are routed between th e 6LR and the 6LBR via other 6LRs. In a mesh network, the 6LR is directly connected to the host device. This specification mandates that the peer-wise L2 security is deployed so that all the packets from a particular host are securely identifiable by the 6LR. The 6LR may be multiple hops away from the 6LBR. Packets are routed between the 6LR and the 6LBR via other 6LRs.
</t> </t>
<t> <t>
This specification mandates that all the LLN links between the 6LR and th e 6LBR are protected so that a packet that was validated by the first 6LR can be safely routed by other on-path 6LRs to the 6LBR. This specification mandates that all the LLN links between the 6LR and th e 6LBR are protected so that a packet that was validated by the first 6LR can be safely routed by other on-path 6LRs to the 6LBR.
</t> </t>
</section> </section>
<section><name>Protocol Flows</name> <section><name>Protocol Flows</name>
<t> <t>
The 6LR/6LBR ensures first-come/first-serve by storing the ROVR associat ed to the address being registered upon the first registration and rejecting a r egistration with a different ROVR value. A 6LN can claim any address as long as it is the first to make that claim. After a successful registration, the 6LN bec omes the owner of the registered address and the address is bound to the ROVR va lue in the 6LR/6LBR registry. The 6LR/6LBR ensures first come, first served by storing the ROVR associ ated to the address being registered upon the first registration and rejecting a registration with a different ROVR value. A 6LN can claim any address as long a s it is the first to make that claim. After a successful registration, the 6LN b ecomes the owner of the registered address, and the address is bound to the ROVR value in the 6LR/6LBR registry.
</t> </t>
<t> <t>
This specification protects the ownership of the address at the first hop (t This specification protects the ownership of the address at the
he edge). Its use in a network is signaled by the "A" flag in the 6CIO. The flag first hop (the edge). Its use in a network is signaled by the "A"
is set by the 6LBR and propagated unchanged by the 6LRs. flag in the 6CIO. The flag is set by the 6LBR and propagated
unchanged by the 6LRs.
<!--[rfced] Please review the following text for clarity and let
us know how we may rephrase.
We have the following questions: 1) Who is migrating the
network?
2) Does one turn on and off the "A" flag to begin and end
migration?
3) If not for 2 above, why does one turn the "A" flag back on?
4) Other mentions of the "A" flag talk about it being set or
not vs. being turned on or off. Should this be made consistent?
Original:
The "A" flag enables to migrate a network with the
protection off and then turn it on globally.
-->
The "A" flag enables to migrate a network with the protection off and then t urn it on globally. The "A" flag enables to migrate a network with the protection off and then t urn it on globally.
</t> </t>
<t> <t>
The 6LN places a cryptographic token, the Crypto-ID, in the ROVR that is associated with the address at the first registration, enabling the 6LR to late r challenge it to verify that it is the original Registering Node. The challenge may happen at any time at the discretion of the 6LR and the 6LBR. A valid regi stration in the 6LR or the 6LBR MUST NOT be altered until the challenge is compl ete. The 6LN places a cryptographic token, the Crypto-ID, in the ROVR that is associated with the address at the first registration, enabling the 6LR to late r challenge it to verify that it is the original Registering Node. The challenge may happen at any time at the discretion of the 6LR and the 6LBR. A valid regis tration in the 6LR or the 6LBR <bcp14>MUST NOT</bcp14> be altered until the chal lenge is complete.
</t> </t>
<t> <t>
When the "A" flag is on, the 6LR MUST challenge the 6LN when it creates a b <!--[rfced] Does the following suggested update retain your intended meaning?
inding with the "C" flag set in the ROVR and when a new registration attempts to
change a parameter of that binding that identifies the 6LN, for instance its So Original:
urce Link-Layer Address. The verification protects against a rogue that would s When the "A" flag is on, the 6LR MUST challenge the 6LN when it
teal an address and attract its traffic, or use it as source address. creates a binding with the "C" flag set in the ROVR and when a new
registration attempts to change a parameter of that binding that
identifies the 6LN, for instance its Source Link-Layer Address.
Perhaps:
When the "A" flag is on, the 6LR MUST challenge the 6LN 1) when the 6LN
creates a binding with the "C" flag set in the ROVR, and 2) when a new
registration attempts to change a parameter of that binding that
identifies the 6LN, for instance, its Source Link-Layer Address.
-->
When the "A" flag is on, the 6LR <bcp14>MUST</bcp14> challenge the 6LN when
it creates a binding with the "C" flag set in the ROVR and when a new registrat
ion attempts to change a parameter of that binding that identifies the 6LN, for
instance, its Source Link-Layer Address. The verification protects against a ro
gue that would steal an address and attract its traffic or use it as source addr
ess.
</t> </t>
<t> <t>
The 6LR MUST also challenge the 6LN if the 6LBR directly signals to do so, The 6LR <bcp14>MUST</bcp14> also challenge the 6LN if the 6LBR directly sig
using an EDAC Message with a "Validation Requested" status. The EDAR is nals to do so,
echoed by the 6LR in the NA (EARO) back to the registering node. The 6LR using an EDAC message with a "Validation Requested" status. The EDAR is
SHOULD also challenge all its attached 6LNs at the time the 6LBR turns the echoed by the 6LR in the NA(EARO) back to the Registering Node. The 6LR
"A" flag on in the 6CIO, to detect an issue immediately. <bcp14>SHOULD</bcp14> also challenge all its attached 6LNs at the time the
6LBR turns the
"A" flag on in the 6CIO in orders to detect an issue immediately.
</t> </t>
<t>If the 6LR does not support the Crypto-Type, it MUST reply with an EARO <t>If the 6LR does not support the Crypto-Type, it <bcp14>MUST</bcp14> reply with an EARO
Status 10 "Validation Failed" without a challenge. In that case, the 6LN Status 10 "Validation Failed" without a challenge. In that case, the 6LN
may try another Crypto-Type until it falls back to Crypto-Type 0 that MUST may try another Crypto-Type until it falls back to Crypto-Type 0, which <bcp 14>MUST</bcp14>
be supported by all 6LRs. be supported by all 6LRs.
</t> </t>
<t> <t>
A node may use more than one IPv6 address at the same time. The separ ation of the address and the cryptographic material avoids the need for the cons trained device to compute multiple keys for multiple addresses. The 6LN MAY use the same Crypto-ID to prove the ownership of multiple IPv6 addresses. The 6LN MA Y also derive multiple Crypto-IDs from a same key. A node may use more than one IPv6 address at the same time. The separ ation of the address and the cryptographic material avoids the need for the cons trained device to compute multiple keys for multiple addresses. The 6LN <bcp14>M AY</bcp14> use the same Crypto-ID to prove the ownership of multiple IPv6 addres ses. The 6LN <bcp14>MAY</bcp14> also derive multiple Crypto-IDs from a same key.
</t> </t>
<section anchor='first'><name>First Exchange with a 6LR</name> <section anchor="first"><name>First Exchange with a 6LR</name>
<t> <t>
A 6LN registers to a 6LR that is one hop away from it with the "C" fl ag set in the EARO, indicating that the ROVR field contains a Crypto-ID. The Tar get Address in the NS message indicates the IPv6 address that the 6LN is trying to register <xref target='RFC8505'/>. The on-link (local) protocol interactions are shown in <xref target='Dynamic-fig'/>. If the 6LR does not have a state with the 6LN that is consistent with the NS(EARO), then it replies with a challenge NA (EARO, status=Validation Requested) that contains a Nonce Option (shown as No nceLR in <xref target='Dynamic-fig'/>). A 6LN registers to a 6LR that is one hop away from it with the "C" fl ag set in the EARO, indicating that the ROVR field contains a Crypto-ID. The Tar get Address in the NS message indicates the IPv6 address that the 6LN is trying to register <xref target="RFC8505"/>. The on-link (local) protocol interactions are shown in <xref target="Dynamic-fig"/>. If the 6LR does not have a state with the 6LN that is consistent with the NS(EARO), then it replies with a challenge NA(EARO, status=Validation Requested) that contains a Nonce Option (shown as Non ceLR in <xref target="Dynamic-fig"/>).
</t> </t>
<figure anchor='Dynamic-fig' suppress-title='false'><name>On-link Protoco <figure anchor="Dynamic-fig" suppress-title="false"><name>On-Link Protoco
l Operation</name> l Operation</name>
<artwork><![CDATA[ <artwork>
6LN 6LR 6LN 6LR
| | | |
|<------------------------- RA -------------------------| |&lt;------------------------- RA -------------------------|
| | ^ | | ^
|---------------- NS with EARO (Crypto-ID) ------------>| | |---------------- NS with EARO (Crypto-ID) ------------&gt;| |
| | option | | option
|<- NA with EARO(status=Validation Requested), NonceLR | | |&lt;- NA with EARO(status=Validation Requested), NonceLR | |
| | v | | v
|------- NS with EARO, CIPO, NonceLN and NDPSO -------->| |------- NS with EARO, CIPO, NonceLN and NDPSO --------&gt;|
| | | |
|<------------------- NA with EARO ---------------------| |&lt;------------------- NA with EARO ---------------------|
| | | |
... ...
| | | |
|--------------- NS with EARO (Crypto-ID) ------------->| |--------------- NS with EARO (Crypto-ID) -------------&gt;|
| | | |
|<------------------- NA with EARO ---------------------| |&lt;------------------- NA with EARO ---------------------|
| | | |
... ...
| | | |
|--------------- NS with EARO (Crypto-ID) ------------->| |--------------- NS with EARO (Crypto-ID) -------------&gt;|
| | | |
|<------------------- NA with EARO ---------------------| |&lt;------------------- NA with EARO ---------------------|
| | | |
]]></artwork> </artwork>
</figure> </figure>
<t> <t>
The Nonce option contains a nonce value that, to the extent possible for The Nonce Option contains a nonce value that, to the extent
the implementation, was never employed in association with the key pair used to possible for the implementation, was never employed in
generate the Crypto-ID. This specification inherits from <xref target='RFC3971' association with the key pair used to generate the Crypto-ID.
/> that simply indicates that the nonce is a random value. Ideally, an implement This specification inherits the idea from <xref
ation uses an unpredictable cryptographically random value <xref target='RFC4086 target="RFC3971"/> that the nonce is a random value. Ideally,
'/>. But that may be impractical in some LLN scenarios where the devices do not an implementation uses an unpredictable cryptographically
have a guaranteed sense of time and for which computing complex hashes is detrim random value <xref target="RFC4086"/>. But that may be
ental to the battery lifetime. impractical in some LLN scenarios in which the devices do not have a guar
anteed sense of time and for which computing complex hashes is detrimental to th
e battery lifetime.
</t> </t>
<t> Alternatively, <t> Alternatively,
the device may use an always-incrementing value saved in the same stable storage as the key, so they are lost together, and starting at a best effort ra ndom value, either as the nonce value or as a component to its computation. the device may use an always-incrementing value saved in the same stable storage as the key, so they are lost together, and start at a best-effort rando m value as either the nonce value or a component to its computation.
</t> </t>
<t> <t>
The 6LN replies to the challenge with an NS(EARO) that includes a new The 6LN replies to the challenge with an NS(EARO) that includes a new
Nonce option (shown as NonceLN in <xref target='Dynamic-fig'/>), the CIPO (<xre Nonce Option (shown as NonceLN in <xref target="Dynamic-fig"/>), the CIPO (<xre
f target='cryptoidopt'/>), and the NDPSO containing the signature. Both Nonces a f target="cryptoidopt"/>), and the NDPSO containing the signature. Both nonces a
re included in the signed material. re included in the signed material.
This provides a "contributory behavior", so that either party that knows This provides a "contributory behavior", so either party that knows it g
it generates a good quality nonce knows that the protocol will be secure. enerates a good quality nonce and knows that the protocol will be secure.
</t> </t>
<t> <t>
The 6LR MUST store the information associated to a Crypto-ID on the firs t NS exchange where it appears in a fashion that the CIPO parameters can be retr ieved from the Crypto-ID alone. The 6LR <bcp14>MUST</bcp14> store the information associated with a Cryp to-ID on the first NS exchange where it appears in a fashion that the CIPO param eters can be retrieved from the Crypto-ID alone.
</t> </t>
<t>The steps for the registration to the 6LR are as follows: <t>The steps for the registration to the 6LR are as follows:
</t> </t>
<t> <t>
Upon the first exchange with a 6LR, a 6LN will be challenged to prov e ownership of the Crypto-ID and the Target Address being registered in the Neig hbor Solicitation message. When a 6LR receives a NS(EARO) registration with a ne w Crypto-ID as a ROVR, and unless the registration is rejected for another reaso n, it MUST challenge by responding with a NA(EARO) with a status of "Validation Requested". Upon the first exchange with a 6LR, a 6LN will be challenged to prov e ownership of the Crypto-ID and the Target Address being registered in the Neig hbor Solicitation message. When a 6LR receives an NS(EARO) registration with a n ew Crypto-ID as a ROVR, and unless the registration is rejected for another reas on, it <bcp14>MUST</bcp14> challenge by responding with an NA(EARO) with a statu s of "Validation Requested".
</t> </t>
<t> <t>
Upon receiving a first NA(EARO) with a status of "Validation Request ed" from a 6LR, the registering node SHOULD retry its registration with a Crypto -ID Parameters Option (CIPO) (<xref target='cryptoidopt'/>) that contains all th e necessary material for building the Crypto-ID, the NonceLN that it generated, and the NDP signature (<xref target='ndpso'/>) option that proves its ownership of the Crypto-ID and intent of registering the Target Address. In subsequent rev alidation with the same 6LR, the 6LN MAY try to omit the CIPO to save bandwidth, with the expectation that the 6LR saved it. If the validation fails and it gets challenged again, then it SHOULD add the CIPO again. Upon receiving a first NA(EARO) with a status of "Validation Request ed" from a 6LR, the Registering Node <bcp14>SHOULD</bcp14> retry its registratio n with a CIPO (<xref target="cryptoidopt"/>) that contains all the necessary mat erial for building the Crypto-ID, the NonceLN that it generated, and the NDP Sig nature Option (<xref target="ndpso"/>) that proves its ownership of the Crypto-I D and intent of registering the Target Address. In subsequent revalidation with the same 6LR, the 6LN <bcp14>MAY</bcp14> try to omit the CIPO to save bandwidth, with the expectation that the 6LR saved it. If the validation fails and it gets challenged again, then it <bcp14>SHOULD</bcp14> add the CIPO again.
</t> </t>
<t> <t>
In order to validate the ownership, the 6LR performs the same steps In order to validate the ownership, the 6LR performs the
as the 6LN and rebuilds the Crypto-ID based on the parameters in the CIPO. If th same steps as the 6LN and rebuilds the Crypto-ID based on
e rebuilt Crypto-ID matches the ROVR, the 6LN also verifies the signature contai the parameters in the CIPO. If the rebuilt Crypto-ID
ned in the NDPSO option. If at that point the signature in the NDPSO option can matches the ROVR, the 6LN also verifies the signature
be verified, then the validation succeeds. Otherwise the validation fails. contained in the NDPSO. At that point, if the signature in the NDPSO
can be verified, then the validation succeeds. Otherwise, the validation fails.
</t> </t>
<t> <t>
If the 6LR fails to validate the signed NS(EARO), it responds with a If the 6LR fails to validate the signed NS(EARO), it responds with a
status of "Validation Failed". After receiving a NA(EARO) with a status of "Val status of "Validation Failed". After receiving an NA(EARO) with a status of "Va
idation Failed", lidation Failed",
the registering node SHOULD try and alternate Crypto-Type and if eve the Registering Node <bcp14>SHOULD</bcp14> try an alternate Crypto-T
n Crypto-Type 0 fails, it may try to register a different address in the NS mess ype; even if Crypto-Type 0 fails, it may try to register a different address in
age. the NS message.
</t> </t>
</section> </section>
<section anchor='ndpso-generation'><name>NDPSO generation and verification</ name> <section anchor="ndpso-generation"><name>NDPSO Generation and Verification</ name>
<t> <t>
The signature generated by the 6LN to provide proof-of-ownership of The signature generated by the 6LN to provide proof of ownership of
the the
private-key is carried in the NDP Signature Option (NDPSO). private key is carried in the NDPSO.
It is generated by the 6LN in a fashion that depends on the Cryp to-Type It is generated by the 6LN in a fashion that depends on the Cryp to-Type
(see <xref target='cryptotypetable'/> in (see <xref target="cryptotypetable"/> in
<xref target='cryptotypereg'/>) chosen by the 6LN as follows: <xref target="cryptotypereg"/>) chosen by the 6LN as follows:
</t> </t>
<ul> <ul>
<li><t> Form the message to be signed, by concatenating the following b yte-strings in the order listed:</t> <li><t> Form the message to be signed, by concatenating the following b yte-strings in the order listed:</t>
<ol spacing='compact'> <ol spacing="normal">
<li>The 128-bit Message Type tag <xref target='RFC3972'/> <li>The 128-bit Message Type tag <xref
(in network byte order). target="RFC3972"/> (in network byte order).
For this specification the tag is given in <xref target='cgam'/> For this specification, the tag is given in <xref target="cgam"/
. >.
(The tag value has been generated by the editor of this specifica (The tag value has been generated by the editor of this specifica
tion on random.org).</li> tion on <eref target="https://www.random.org" brackets="angle"/>.)</li>
<li>the CIPO</li> <li>The CIPO.</li>
<li>the 16-byte Target Address (in network byte order) se <li>The 16-byte Target Address (in network byte order) se
nt in the Neighbor Solicitation (NS) message. It is the address which the 6LN is nt in the NS message. It is the address that the 6LN is registering with the 6LR
registering with the 6LR and 6LBR.</li> and 6LBR.</li>
<li>NonceLR received from the 6LR (in network byte order) <li>The NonceLR received from the 6LR (in
in the Neighbor Advertisement (NA) message. The nonce is at least 6 bytes long network byte order) in the NA message. The
as defined in <xref target='RFC3971'/>.</li> nonce is at least 6 bytes long as defined in <xref target
<li>NonceLN sent from the 6LN (in network byte order). Th ="RFC3971"/>.</li>
e nonce is at least 6 bytes long as defined in <xref target='RFC3971'/>.</li> <li>The NonceLN sent from the 6LN (in network
<li>1-byte Option Length of the EARO containing the Crypto-ID.</ byte order). The nonce is at least 6 bytes long as define
li> d in <xref target="RFC3971"/>.</li>
<li>The 1-byte option length of the EARO containing the Crypto-I
D.</li>
</ol> </ol>
</li> </li>
<li> <li>
Apply the signature algorithm specified by the Crypto-Type using the p rivate key.</li> Apply the signature algorithm specified by the Crypto-Type using the p rivate key.</li>
</ul> </ul>
<t> <t>
The 6LR on receiving the NDPSO and CIPO options first checks that th e EARO Length in the CIPO matches the length of the EARO. If so it regenerates t he Crypto-ID based on the CIPO to make sure that the leftmost bits up to the siz e of the ROVR match. Upon receiving the NDPSO and CIPO options, the 6LR first checks that the EARO Length in the CIPO matches the length of the EARO. If so, it regenerat es the Crypto-ID based on the CIPO to make sure that the leftmost bits up to the size of the ROVR match.
</t> </t>
<t> <t>
If and only if the check is successful, it tries to verify the signatur If, and only if, the check is successful, it tries to verify
e in the NDPSO option using the following: the signature in the NDPSO using the following steps:
</t> </t>
<ul> <ul>
<li><t>Form the message to be verified, by concatenating the following byte-strings in the order listed:</t> <li><t>Form the message to be verified, by concatenating the following byte-strings in the order listed:</t>
<ol spacing='compact'> <ol spacing="normal">
<li>The 128-bit Message Type tag given in <xref target='cgam'/> <li>The 128-bit Message Type tag given in <xref target="cgam"/>
(in network byte order)</li> (in network byte order).</li>
<li>the CIPO</li> <li>The CIPO.</li>
<li>the 16-byte Target Address (in network byte order) received <li>The 16-byte Target Address (in network byte order) received
in the Neighbor Solicitation (NS) message. It is the address which the 6LN is re in the NS message. It is the address that the 6LN is registering with the 6LR an
gistering with the 6LR and 6LBR.</li> d 6LBR.</li>
<li>NonceLR sent in the Neighbor Advertisement (NA) message. The <li>The NonceLR sent in the NA message. The nonce is
nonce is at least 6 bytes long as defined in <xref target='RFC3971'/>.</li> at least 6 bytes long as defined in <xref target="RFC3971"/>.</li
<li>NonceLN received from the 6LN (in network byte order) in the >
NS message. The nonce is at least 6 bytes long as defined in <xref target='RFC3 <li>The NonceLN received from the 6LN (in network byte
971'/>.</li> order) in the NS message. The nonce is at least 6 bytes long as d
<li>1-byte EARO Length received in the CIPO.</li> efined in <xref target="RFC3971"/>.</li>
<li>The 1-byte EARO Length received in the CIPO.</li>
</ol> </ol>
</li> </li>
<li> <li>
Verify the signature on this message with the public-key in the CIPO a nd the locally computed values using the signature algorithm specified by the Cr ypto-Type. If the verification succeeds, the 6LR propagates the information to t he 6LBR using a EDAR/EDAC flow. Verify the signature on this message with the public key in the CIPO a nd the locally computed values using the signature algorithm specified by the Cr ypto-Type. If the verification succeeds, the 6LR propagates the information to t he 6LBR using an EDAR/EDAC flow.
</li> </li>
<li> <li>
Due to the first-come/first-serve nature of the registration, if the a <!--[rfced] Please review the use of the singular "database" in this
ddress is not registered to the 6LBR, then flow succeeds and both the 6LR and 6L text:
BR add the state information about the Crypto-ID and Target Address being regist
ered to their respective abstract database. Original:
...the address is not registered to the 6LBR, then flow succeeds and
both the 6LR and 6LBR add the state information about the Crypto-
ID and Target Address being registered to their respective
abstract database.
Perhaps:
...the address is not registered to the 6LBR, then flow succeeds and
both the 6LR and 6LBR add the state information about the Crypto-
ID and Target Address being registered to their respective
abstract databases.
-->
Due to the first-come, first-served nature of the registration, if the
address is not registered to the 6LBR, then flow succeeds and both the 6LR and
6LBR add the state information about the Crypto-ID and Target Address being regi
stered to their respective abstract database.
</li> </li>
</ul> </ul>
</section> </section>
<section anchor='mhopo'><name>Multihop Operation</name> <section anchor="mhopo"><name>Multi-Hop Operation</name>
<t> <t>
A new 6LN that joins the network auto-configures an address and performs an initial registration to a neighboring 6LR with an NS message that carries an Ad dress Registration Option (EARO) <xref target='RFC8505'/>. A new 6LN that joins the network autoconfigures an address and performs an initial registration to a neighboring 6LR with an NS message that carries an EAR O <xref target="RFC8505"/>.
</t> </t>
<t> <t>
In a multihop 6LoWPAN, the registration with Crypto-ID is propagated to 6LB R as shown in <xref target='figReg'/>, which illustrates the In a multi-hop 6LoWPAN, the registration with Crypto-ID is propagated to 6L BR as shown in <xref target="figReg"/>, which illustrates the
registration flow all the way to a 6LowPAN Backbone Router (6BBR) registration flow all the way to a 6LowPAN Backbone Router (6BBR)
<xref target='I-D.ietf-6lo-backbone-router'/>. <xref target="RFC8929"/>.
</t> </t>
<figure anchor='figReg' suppress-title='false'><name>(Re-)Registration Fl <figure anchor="figReg" suppress-title="false">
ow</name> <name>(Re-)Registration Flow</name>
<artwork><![CDATA[ <artwork>
6LN 6LR 6LBR 6BBR 6LN 6LR 6LBR 6BBR
| | | | | | | |
| NS(EARO) | | | | NS(EARO) | | |
|--------------->| | | |---------------&gt;| | |
| | Extended DAR | | | | Extended DAR | |
| |-------------->| | | |--------------&gt;| |
| | | proxy NS(EARO) | | | | proxy NS(EARO) |
| | |--------------->| | | |---------------&gt;|
| | | | NS(DAD) | | | | NS(DAD)
| | | | ------> | | | | ------&gt;
| | | | | | | |
| | | | <wait&gt; | | | | <wait&gt;
| | | | | | | |
| | | proxy NA(EARO) | | | | proxy NA(EARO) |
| | |<---------------| | | |&lt;---------------|
| | Extended DAC | | | | Extended DAC | |
| |<--------------| | | |&lt;--------------| |
| NA(EARO) | | | | NA(EARO) | | |
|<---------------| | | |&lt;---------------| | |
| | | | | | | |
]]></artwork> </artwork>
</figure> </figure>
<t> <t>
The 6LR and the 6LBR communicate using ICMPv6 Extended Duplicate Address Re quest (EDAR) and Extended Duplicate Address Confirmation (EDAC) messages <xref t arget='RFC8505'/> as shown in <xref target='figReg'/>. The 6LR and the 6LBR communicate using ICMPv6 EDAR and EDAC messages <xref target="RFC8505"/> as shown in <xref target="figReg"/>.
This specification extends EDAR/EDAC messages to carry cryptographically ge nerated ROVR. This specification extends EDAR/EDAC messages to carry cryptographically ge nerated ROVR.
</t> </t>
<t> <t>
The assumption is that the 6LR and the 6LBR maintain a security association to authenticate and protect the integrity of the EDAR and EDAC messages, so the re is no need to propagate the proof of ownership to the 6LBR. The 6LBR implicit ly trusts that the 6LR performs the verification when the 6LBR requires it, and if there is no further exchange from the 6LR to remove the state, that the verif ication succeeded. The assumption is that the 6LR and the 6LBR maintain a security association to authenticate and protect the integrity of the EDAR and EDAC messages, so the re is no need to propagate the proof of ownership to the 6LBR. The 6LBR implicit ly trusts that the 6LR performs the verification when the 6LBR requires it, and if there is no further exchange from the 6LR to remove the state, the verificati on succeeded.
</t> </t>
</section> </section>
</section> </section>
<section><name>Security Considerations</name> <section><name>Security Considerations</name>
<section><name>Brown Field</name> <section><name>Brown Field</name>
<t> <t>
Only 6LRs that are upgraded to this specification are capable to challenge a registration and repel an attack. Only 6LRs that are upgraded to this specification are capable of challenging a registration and repelling an attack.
In a brown (mixed) network, an attacker may attach to a legacy In a brown (mixed) network, an attacker may attach to a legacy
6LR and fool the 6LBR. 6LR and fool the 6LBR.
So even if the "A" flag could be set at any time to So even if the "A" flag could be set at any time to
test the protocol operation, the security will only be effective when all th e 6LRs are upgraded. test the protocol operation, the security will only be effective when all th e 6LRs are upgraded.
</t> </t>
</section> </section>
<!--[rfced] Please review the title of Section 7.2. Might the
suggested title below be more helpful to the reader?
Original:
Inheriting from RFC 3971
Perhaps:
Threats to the Local Network
-->
<section><name>Inheriting from RFC 3971</name> <section><name>Inheriting from RFC 3971</name>
<t> <t>
Observations regarding the following threats to the local network in < xref target='RFC3971'/> also apply to this specification. Observations regarding the following threats to the local network in < xref target="RFC3971"/> also apply to this specification.
</t> </t>
<dl spacing='normal'> <dl spacing="normal">
<dt>Neighbor Solicitation/Advertisement Spoofing:</dt><dd> <dt>Neighbor Solicitation/Advertisement Spoofing:</dt><dd>
Threats in section 9.2.1 of RFC3971 apply. AP-ND counter Threats in <xref target="RFC3971" sectionFormat="of" sect
s the threats on NS(EARO) messages by requiring that the NDP Signature and CIPO ion="9.2.1"/> apply. AP-ND counters the threats on NS(EARO) messages by requirin
options be present in these solicitations.</dd> g that the NDPSO and CIPO be present in these solicitations.</dd>
<!--<t hangText="Neighbor Unreachability Detection Failure">
<vspace blankLines="1"/>
With RFC6775, a Neighbor Unreadability Detection (NUD) ca
n still be used by the endpoint to assess the liveness of a device. The NUD requ
est may be protected by SEND in which case the provision in section 9.2 of RFC 3
972 applies. The response to the NUD may be proxied by a backbone router only if
it has a fresh registration state for it. For a registration being protected by
this specification, the proxied NUD response provides truthful information on t
he original owner of the address but it cannot be proven using SEND. If the NUD
response is not proxied, the 6LR will pass the lookup to the end device which wi
ll respond with a traditional NA. If the 6LR does not have a registration associ
ated for the device, it can issue a NA with EARO (status=Validation Requested) u
pon the NA from the device, which will trigger a NS that will recreate and reval
idate the ND registration.
</t>-->
<dt>Duplicate Address Detection DoS Attack:</dt><dd> <dt>Duplicate Address Detection DoS Attack:</dt><dd>
Inside the LLN, Duplicate Addresses are sorted out using t Inside the LLN, duplicate addresses are sorted out using t
he ROVR, which differentiates it from a movement. A different ROVR for the same he ROVR, which differentiates it from a movement. A different ROVR for the same
Registered address entails a rejection of the second registration <xref target=' Registered Address entails a rejection of the second registration <xref target="
RFC8505'/>. RFC8505"/>.
DAD coming from the backbone are not forwarded over the LL DAD coming from the backbone is not forwarded over the LLN
N, which provides some protection against DoS attacks inside the resource-constr , which provides some protection against DoS attacks inside the resource-constra
ained part of the network. Over the backbone, the EARO option is present in NS/N ined part of the network. Over the backbone, the EARO is present in NS/NA messag
A messages. This protects against misinterpreting a movement for a duplication, es. This protects against misinterpreting a movement for a duplication and enabl
and enables the backbone routers to determine which one has the freshest registr es the backbone routers to determine which one has the freshest registration <xr
ation <xref target='RFC8505'/> and is thus the best candidate to validate the re ef target="RFC8505"/> and is thus the best candidate to validate the registratio
gistration for the device attached to it <xref target='I-D.ietf-6lo-backbone-rou n for the device attached to it <xref target="RFC8929"/>. But this specification
ter'/>. But this specification does not guarantee that the backbone router claim does not guarantee that the backbone router claiming an address over the backbo
ing an address over the backbone is not an attacker. ne is not an attacker.
</dd> </dd>
<dt>Router Solicitation and Advertisement Attacks:</dt><dd> <dt>Router Solicitation and Advertisement Attacks:</dt><dd>
This specification does not change the protection of RS a This specification does not change the protection of RS a
nd RA which can still be protected by SEND.</dd> nd RA, which can still be protected by SEND.</dd>
<dt>Replay Attacks</dt><dd> <dt>Replay Attacks:</dt><dd>
A nonce should never repeat for a single key, but nonces do not need to be unpredictable for secure operation. Using nonces (NonceLR and NonceLN) generated by both the 6LR and 6LN ensure a contributory behavior that p rovides an efficient protection against replay attacks of the challenge/response flow. The quality of the protection by a random nonce depends on the random num ber generator and its parameters (e.g., sense of time). A nonce should never repeat for a single key, but nonces do not need to be unpredictable for secure operation. Using nonces (NonceLR and NonceLN) generated by both the 6LR and 6LN ensure a contributory behavior that p rovides an efficient protection against replay attacks of the challenge/response flow. The quality of the protection by a random nonce depends on the random num ber generator and its parameters (e.g., sense of time).
</dd> </dd>
<dt>Neighbor Discovery DoS Attack:</dt><dd> <dt>Neighbor Discovery DoS Attack:</dt><dd>
A rogue node that managed to access the L2 network may fo rm many addresses and register them using AP-ND. The perimeter of the attack is all the 6LRs in range of the attacker. The 6LR MUST protect itself against overf lows and reject excessive registration with a status 2 "Neighbor Cache Full". Th is effectively blocks another (honest) 6LN from registering to the same 6LR, but the 6LN may register to other 6LRs that are in its range but not in that of the rogue. A rogue node that managed to access the L2 network may fo rm many addresses and register them using AP-ND. The perimeter of the attack is all the 6LRs in range of the attacker. The 6LR <bcp14>MUST</bcp14> protect itsel f against overflows and reject excessive registration with a status 2 "Neighbor Cache Full". This effectively blocks another (honest) 6LN from registering to th e same 6LR, but the 6LN may register to other 6LRs that are in its range but not in that of the rogue.
</dd> </dd>
</dl> </dl>
</section> </section>
<section><name>Related to 6LoWPAN ND</name> <section><name>Related to 6LoWPAN ND</name>
<t> <t>
The threats and mediations discussed in 6LoWPAN ND <xref target=' The threats and mediations discussed in 6LoWPAN ND
RFC6775'/><xref target='RFC8505'/> also apply here, in particular denial-of-serv <xref target="RFC6775"/> <xref target="RFC8505"/> also
ice attacks against the registry at the 6LR or 6LBR. apply here, in particular, denial-of-service (DoS) attacks agains
t the registry at the 6LR or 6LBR.
</t><t> </t><t>
Secure ND <xref target='RFC3971'/> forces the IPv6 address to be cry Secure ND <xref target="RFC3971"/> forces the IPv6 address to be cry
ptographic since it integrates the CGA as the IID in the IPv6 address. In contra ptographic since it integrates the CGA as the IID in the IPv6 address.
st, this specification saves about 1Kbyte in every NS/NA message. Also, this spe
cification separates the cryptographic identifier from the registered IPv6 addre <!--[rfced] We updated 'Kbyte' to be 'KB' in the text below as 'KB' is
ss so that a node can have more than one IPv6 address protected by the same cryp used more frequently in RFCs. If you have any objections, please
tographic identifier. let us know.
Original:
In contrast, this specification saves about 1Kbyte
in every NS/NA message.
Updated:
In contrast, this specification saves about 1 KB
in every NS/NA message.
-->
In contrast, this specification saves about 1 KB in every NS/NA message. Also, t
his specification separates the cryptographic identifier from the registered IPv
6 address so that a node can have more than one IPv6 address protected by the sa
me cryptographic identifier.
</t><t> </t><t>
With this specification the 6LN can freely form its IPv6 address(es) in any fashion, thereby enabling either 6LoWPAN compression for IPv6 addresses that are derived from Layer-2 addresses, or temporary addresses, e.g., formed ps eudo-randomly and released in relatively short cycles for privacy reasons <xref target='RFC8064'/><xref target='RFC8065'/>, that cannot be compressed. With this specification, the 6LN can freely form its IPv6 address(es ) in any fashion, thereby enabling either 6LoWPAN compression for IPv6 addresses that are derived from L2 addresses or temporary addresses, e.g., formed pseudor andomly and released in relatively short cycles for privacy reasons <xref target ="RFC8064"/><xref target="RFC8065"/> that cannot be compressed.
</t><t> </t><t>
This specification provides added protection for addresses that are obtained following due procedure <xref target='RFC8505'/> but does not constrai n the way the addresses are formed or the number of addresses that are used in p arallel by a same entity. A rogue may still perform denial-of-service attack aga inst the registry at the 6LR or 6LBR, or attempt to deplete the pool of availabl e addresses at Layer-2 or Layer-3. This specification provides added protection for addresses that are obtained following due procedure <xref target="RFC8505"/> but does not constrain the way the addresses are formed or the number of addresses that are used in pa rallel by a same entity. A rogue may still perform a DoS attack against the regi stry at the 6LR or 6LBR or attempt to deplete the pool of available addresses at L2 or L3.
</t> </t>
</section> </section>
<section><name>Compromised 6LR</name> <section><name>Compromised 6LR</name>
<t> <t>
This specification distributes the challenge and its validation at the e dge of the network, between the 6LN and its 6LR. This protects against DOS attac ks targeted at that central 6LBR. This also saves back and forth exchanges acros s a potentially large and constrained network. This specification distributes the challenge and its validation at the e dge of the network, between the 6LN and its 6LR. This protects against DoS attac ks targeted at that central 6LBR. This also saves back-and-forth exchanges acros s a potentially large and constrained network.
</t><t> </t><t>
The downside is that the 6LBR needs to trust the 6LR for performing the checking adequately, and the communication between the 6LR and the 6LBR must be protected to avoid tampering with the result of the test. The downside is that the 6LBR needs to trust the 6LR to perform the chec king adequately, and the communication between the 6LR and the 6LBR must be prot ected to avoid tampering with the result of the test.
</t><t> </t><t>
If a 6LR is compromised, and provided that it knows the ROVR field used b y the real owner of the address, the 6LR may pretend that the owner has moved, i s now attached to it and has successfully passed the Crpto-ID validation. The 6L R may then attract and inject traffic at will on behalf of that address or let a rogue take ownership of the address. If a 6LR is compromised, and provided that it knows the ROVR field used b y the real owner of the address, the 6LR may pretend that the owner has moved, i s now attached to it, and has successfully passed the Crypto-ID validation. The 6LR may then attract and inject traffic at will on behalf of that address, or le t a rogue take ownership of the address.
</t> </t>
</section> </section>
<section anchor='sec-col'><name>ROVR Collisions</name> <section anchor="sec-col"><name>ROVR Collisions</name>
<t> <t>
A collision of Registration Ownership Verifiers (ROVR) (i.e., the Crypto- <!--[rfced] In the following, would you like to make use of
ID in this specification) is possible, but it is a rare event. <sup> for superscript in this document?
Assuming in the calculations/discussion below that the hash used for cal
culating the Crypto-ID is a well-behaved cryptographic hash and thus Original:
that random collisions are the only ones possible, the formula (birthday ...a collision is 1 - e^{-p^2/(2n)} where n is the
paradox) for calculating the probability of a collision is 1 - e^{-p^2/(2n)} wh maximum population size (2^64 here, 1.84E19)
ere n is the maximum population size (2^64 here, 1.84E19) and p is the actual po
pulation (number of nodes, assuming one Crypto-ID per node). -->
A collision of ROVRs (i.e., the Crypto-ID in this specification) is possi
ble, but it is a rare event.
Assuming in the calculations/discussion below that the hash used for cal
culating the Crypto-ID is a well-behaved cryptographic hash, and, thus,
random collisions are the only ones possible, the formula (birthday para
dox) for calculating the probability of a collision is 1 - e^{-p^2/(2n)}, where
n is the maximum population size (2^64 here, 1.84E19), and p is the actual popul
ation (number of nodes, assuming one Crypto-ID per node).
</t><t> </t><t>
If the Crypto-ID is 64-bits (the least possible size allowed), the chanc If the Crypto-ID is 64 bits (the least possible size allowed), the chanc
e of a collision is 0.01% for network of 66 million nodes. Moreover, the collisi e of a collision is 0.01% for a network of 66 million nodes. Moreover, the colli
on is only relevant when this happens within one stub network (6LBR). In the cas sion is only relevant when this happens within one stub network (6LBR). In the c
e of such a collision, a third party node would be able to claim the registered ase of such a collision, a third-party node would be able to claim the registere
address of an another legitimate node, provided that it wishes to use the same a d address of an another legitimate node, provided that it wishes to use the same
ddress. address.
To prevent address disclosure and avoid the chances of collision on both To prevent address disclosure and avoid the chances of collision on both
the ROVR and the address, it is RECOMMENDED that nodes do not derive the addres the ROVR and the address, it is <bcp14>RECOMMENDED</bcp14> that nodes do not de
s being registered from the ROVR. rive the address being registered from the ROVR.
</t> </t>
</section> </section>
<section><name>Implementation Attacks</name> <section><name>Implementation Attacks</name>
<t> The signature schemes referenced in this specification comply with NI <t> The signature schemes referenced in this specification comply with NI
ST <xref target='FIPS186-4'/> or Crypto Forum Research Group (CFRG) standards ST <xref target="FIPS186-4"/> or Crypto Forum Research Group (CFRG) standards
<xref target='RFC8032'/> and offer strong algorithmic security at <xref target="RFC8032"/> and offer strong algorithmic security at
roughly 128-bit security level. These signature schemes use elliptic curves tha roughly a 128-bit security level. These signature schemes use elliptic curves t
t were either hat either
specifically designed with exception-free and constant-time arith were specifically designed with exception-free and constant-time
metic in mind <xref target='RFC7748'/> or where one has extensive implementation arithmetic in mind <xref target="RFC7748"/> or have extensive implementation exp
experience of resistance erience of resistance
to timing attacks <xref target='FIPS186-4'/>. to timing attacks <xref target="FIPS186-4"/>.
</t> </t>
<t> <t>
However, careless implementations of the signing operations could nevert heless leak information on private keys. For example, However, careless implementations of the signing operations could nevert heless leak information on private keys. For example,
there are micro-architectural side channel attacks that implement ors should be aware of <xref target='breaking-ed25519'/>. there are micro-architectural side channel attacks that implement ors should be aware of <xref target="breaking-ed25519"/>.
Implementors should be particularly aware that Implementors should be particularly aware that
a secure implementation of Ed25519 requires a protected implement ation of the hash function SHA-512, whereas this is not required with implementa tions of the hash function a secure implementation of Ed25519 requires a protected implement ation of the hash function SHA-512, whereas this is not required with implementa tions of the hash function
SHA-256 used with ECDSA256 and ECDSA25519. SHA-256 used with ECDSA256 and ECDSA25519.
</t> </t>
</section> </section>
<section><name>Cross-Algorithm and Cross-Protocol Attacks</name> <section><name>Cross-Algorithm and Cross-Protocol Attacks</name>
<t> <t>
The keypair used in this specification can be self-generated and the pub lic key does not need to be exchanged, e.g., through certificates, with a third party before it is used. The key pair used in this specification can be self-generated, and the p ublic key does not need to be exchanged, e.g., through certificates, with a thir d party before it is used.
</t> </t>
<t> <t>
New keypairs can be formed for new registration as the node desires. New key pairs can be formed for new registration as the node desires.
On the other hand, it is safer to allocate a keypair that is used only f On the other hand, it is safer to allocate a key pair that is used only
or the address protection and only for one instantiation of the signature scheme for the address protection and only for one instantiation of the signature schem
(which includes e (which includes
choice of elliptic curve domain parameters, used hash function, a the choice of elliptic curve domain parameters, a used hash funct
nd applicable representation conventions). ion, and applicable representation conventions).
</t> </t>
<t> <t>
The same private key MUST NOT be reused with more than one instantiation of the signature scheme in this specification. The same private key MUST NOT be used for anything other than computing NDPSO signatures per this specification. The same private key <bcp14>MUST NOT</bcp14> be reused with more than on e instantiation of the signature scheme in this specification. The same private key <bcp14>MUST NOT</bcp14> be used for anything other than computing NDPSO sign atures per this specification.
</t> </t>
<!--[rfced] Please clarify "MUST NOT reuse these ephemeral private
keys k across signing operations". Is the intended meaning
perhaps "MUST NOT reuse the ephemeral private key k across
signing operations"?
<t> ECDSA shall be used strictly as specified in <xref target="FI Original:
PS186-4"></xref>. In particular, each signing operation of ECDSA MUST use random ECDSA shall be used strictly as specified in [FIPS186-4]. In
ly generated particular, each signing operation of ECDSA MUST use randomly
ephemeral private keys and MUST NOT reuse these ephemeral private generated ephemeral private keys and MUST NOT reuse these ephemeral
keys k accross signing operations. This precludes the use of deterministic ECDS private keys k accross signing operations.
A without a random input
for determination of k, which is deemed dangerous for the intende Perhaps:
d applications this document aims to serve.</t> ECDSA shall be used strictly as specified in [FIPS186-4]. In
particular, each signing operation of ECDSA MUST use randomly
generated ephemeral private keys and MUST NOT reuse the ephemeral
private key k across signing operations.
-->
<t> ECDSA shall be used strictly as specified in <xref target="FI
PS186-4"/>. In particular, each signing operation of ECDSA <bcp14>MUST</bcp14> u
se randomly generated
ephemeral private keys and <bcp14>MUST NOT</bcp14> reuse these ep
hemeral private keys k across signing operations. This precludes the use of dete
rministic ECDSA without a random input
for the determination of k, which is deemed dangerous for the int
ended applications this document aims to serve.</t>
</section> </section>
<section><name>Public Key Validation</name> <section><name>Public Key Validation</name>
<t>Public keys contained in the CIPO field (which are used for signature verification) shall be verified to be correctly formed, by checking that this pu blic key is indeed a <t>Public keys contained in the CIPO field (which are used for signature verification) shall be verified to be correctly formed, by checking that this pu blic key is indeed a
point of the elliptic curve indicated by the Crypto-Type and that this po int does have the proper order. point of the elliptic curve indicated by the Crypto-Type and that this po int does have the proper order.
</t> </t>
<t> <t>
For points used with the signature scheme Ed25519, one MUST check <!--[rfced] Is Appendix B.1 of [CURVE-REPR] the correct reference in
that this point is not a point in the small subgroup (see Appendix B.1 of the sentence below? We do not see mention of "full public key
<xref target='I-D.ietf-lwig-curve-representations'/>); for points used with the validation" in this document. Please review and let us know if an
signature scheme update is needed.
ECDSA (i.e., both ECDSA256 and ECDSA25519), one MUST check that the point
has the same order as the base point of the curve in question. This is commonly Original:
called For points used with the signature scheme Ed25519, one MUST check
full public key validation (again, see Appendix B.1 of <xref target='I-D. that this point is not a point in the small subgroup (see
ietf-lwig-curve-representations'/>). </t> Appendix B.1 of [CURVE-REPR]); for points used with the signature
scheme ECDSA (i.e., both ECDSA256 and ECDSA25519), one MUST check
that the point has the same order as the base point of the curve in
question. This is commonly called full public key validation (again,
see Appendix B.1 of [CURVE-REPR]).
-->
For points used with the signature scheme Ed25519, one <bcp14>MUST</bcp1
4> check
that this point is not in the small subgroup (see <xref target="I-D.ietf-
lwig-curve-representations" sectionFormat="of" section="B.1"/>); for points used
with the signature scheme
ECDSA (i.e., both ECDSA256 and ECDSA25519), one <bcp14>MUST</bcp14> check
that the point has the same order as the base point of the curve in question. T
his is commonly called
"full public key validation" (again, see <xref target="I-D.ietf-lwig-curv
e-representations" sectionFormat="of" section="B.1"/>). </t>
</section> </section>
<section><name>Correlating Registrations</name> <section><name>Correlating Registrations</name>
<t> <t>
The ROVR field in the EARO introduced in <xref target='RFC8505'/> exte nds the EUI-64 field of the ARO defined in <xref target='RFC6775'/>. One of the drawbacks of using an EUI-64 as ROVR is that an attacker that is aware of the re gistrations can correlate traffic for a same 6LN across multiple addresses. Sect ion 3 of <xref target='RFC8505'/> indicates that the ROVR and the address being registered are decoupled. A 6LN may use a same ROVR for multiple registrations o r a different ROVR per registration, and the IID must not derive from the ROVR. In theory different 6LNs could use a same ROVR as long as they do not attempt to register the same address. The ROVR field in the EARO introduced in <xref target="RFC8505"/> exte nds the EUI-64 field of the ARO defined in <xref target="RFC6775"/>. One of the drawbacks of using an EUI-64 as ROVR is that an attacker that is aware of the re gistrations can correlate traffic for a same 6LN across multiple addresses. <xre f target="RFC8505" sectionFormat="of" section="3"/> indicates that the ROVR and the address being registered are decoupled. A 6LN may use the same ROVR for mult iple registrations or a different ROVR per registration, and the IID must not be derived from the ROVR. In theory, different 6LNs could use the same ROVR as lon g as they do not attempt to register the same address.
</t> </t>
<t> <t>
The Modifier used in the computation of the Crypto-ID enables a 6LN to build different Crypto-IDs for different addresses with a same keypair. Using t hat facility improves the privacy of the 6LN as the expense of storage in the 6L R, which will need to store multiple CIPOs that contain the same public key. Not e that if the attacker is the 6LR, then the Modifier alone does not provide a pr otection, and the 6LN would need to use different keys and MAC addresses in an a ttempt to obfuscate its multiple ownership. The modifier used in the computation of the Crypto-ID enables a 6LN to build different Crypto-IDs for different addresses with a same key pair. Using that facility improves the privacy of the 6LN at the expense of storage in the 6 LR, which will need to store multiple CIPOs that contain the same public key. No te that if the attacker is the 6LR, then the modifier alone does not provide a p rotection, and the 6LN would need to use different keys and MAC addresses in an attempt to obfuscate its multiple ownership.
</t> </t>
</section> </section>
</section> </section>
<section><name>IANA considerations</name> <section><name>IANA Considerations</name>
<section anchor='cgam'><name>CGA Message Type</name> <section anchor="cgam"><name>CGA Message Type</name>
<t> <t>
This document defines a new 128-bit value of a Message Type tag under th
e CGA Message Type <xref target='RFC3972'/> name space: 0x8701 55c8 0cca dd32 6a <!--[rfced] We noticed the following about the text in Section 8.1
b7 e415 f148 84d0. (CGA Message Type) when compared with the corresponding IANA
registry at
https://www.iana.org/assignments/cga-message-types/cga-message-types.xhtml:
a) The corresponding registry with IANA is called "CGA Extension Type
Tags". The term "Message Type" is not used by IANA in the
subregistry.
b) The IANA registry uses uppercase letters instead of lowercase.
With the above in mind, would the following updates be accurate? If
not, please let us know any necessary corrections.
Original:
8.1. CGA Message Type
This document defines a new 128-bit value of a Message Type tag under
the CGA Message Type [RFC3972] name space: namespace: 0x8701 55c8 0cca dd32 6
ab7
e415 f148 84d0.
Perhaps:
8.1. CGA Extension Type
This document defines a new 128-bit CGA Extension Type Tag under
the "CGA Extension Type Tags" subregsitry created by [RFC3972]. Tag: 0x8701 5
5C8 0CCA DD32 6AB7
E415 F148 84D0.
-->
This document defines a new 128-bit value of a Message Type tag under th
e CGA Message Type <xref target="RFC3972"/> namespace: 0x8701 55c8 0cca dd32 6ab
7 e415 f148 84d0.
</t> </t>
</section> </section>
<section anchor='cryptotypereg'><name>Crypto-Type Subregistry</name> <section anchor="cryptotypereg"><name>Crypto-Type Subregistry</name>
<t> <t>
IANA is requested to create a new subregistry "Crypto-Type Subreg IANA has created the "Crypto-Types" subregistry in the "Internet
istry" in the "Internet Control Message Protocol version 6 (ICMPv6) Parameters". Control Message Protocol version 6 (ICMPv6) Parameters" registry. The registry
The registry is indexed by is indexed by
an integer in the interval 0..255 and contains an Elliptic Curve, an integer in the interval 0..255 and contains an elliptic curve,
a Hash Function, a Signature Algorithm, Representation Conventions, a hash function, a signature algorithm, representation conventions,
Public key size, and Signature size, as shown in public key size, and signature size, as shown in
<xref target='cryptotypetable'/>, which together specify a signat <xref target="cryptotypetable"/>, which together specify a signat
ure scheme (and which are fully specified in <xref target="reprconv"></xref>). ure scheme (and are fully specified in <xref target="reprconv"/>).
</t> </t>
<!--[rfced] We had a few questions about the Crypto-Types subregistry
information captured in Section 8.2. The registry is viewable at
https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#
icmpv6-crypto-types.
a) It is unusual for us to see references in columns other than the
"Reference" column of IANA registries. Please review if these
references should remain in either or both Table 1 or the IANA
"Crypto-Types" subregistry.
b) The IANA registry uses only the values 0, 1, and 2 in the Cypto-Type
Value column, while this document uses 0 (ECDSA256), 1 (Ed25519), and
2 (ECDSA25519). Please let us know if/how these should be made
uniform.
c) The IANA registry mentions values 3-255, but with no text
following. We would generally see something like "Reserved" or
"Unassigned" etc.
d) Related to the point above, in this document we see the following
in the text preceding the figure:
Original:
The registry is indexed by an integer
in the interval 0..255 and contains...
but no mention of values 3-255 in the table itself. For the ease of
the reader, should those values be added?
-->
<t>The following Crypto-Type values are defined in this document: <t>The following Crypto-Type values are defined in this document:
</t> </t>
<table anchor="cryptotypetable"><name>Crypto-Types</name> <table anchor="cryptotypetable"><name>Crypto-Types</name>
<thead> <thead>
<tr> <tr>
<th>Crypto-Type value</th> <th>Crypto-Type Value</th>
<th align='center'> 0 (ECDSA256) </th> <th align="center"> 0 (ECDSA256) </th>
<th align='center'> 1 (Ed25519) </th> <th align="center"> 1 (Ed25519) </th>
<th align='center'> 2 (ECDSA25519) </th> <th align="center"> 2 (ECDSA25519) </th>
</tr> </tr>
</thead><tbody> </thead><tbody>
<tr><td>Elliptic curve</td> <tr><td>Elliptic Curve</td>
<td align='center'> NIST P-256 <xref target='FIPS186-4'/> <td align="center"> NIST P-256 <xref target="FIPS186-4"/>
</td> </td>
<td align='center'> Curve25519 <xref target='RFC7748'/></ <td align="center"> Curve25519 <xref target="RFC7748"/></
td> td>
<td align='center'> Curve25519 <xref target='RFC7748'/></ <td align="center"> Curve25519 <xref target="RFC7748"/></
td> td>
</tr> </tr>
<tr><td>Hash function</td> <tr><td>Hash Function</td>
<td align='center'> SHA-256 <xref target='RFC6234'/></td> <td align="center"> SHA-256 <xref target="RFC6234"/></td>
<td align='center'> SHA-512 <xref target='RFC6234 <td align="center"> SHA-512 <xref target="RFC6234
'/></td> "/></td>
<td align='center'> SHA-256 <xref target='RFC6234'/>< <td align="center"> SHA-256 <xref target="RFC6234"/><
/td> /td>
</tr> </tr>
<tr><td>Signature algorithm</td> <tr><td>Signature Algorithm</td>
<td align='center'> ECDSA <xref target='FIPS186-4 <td align="center"> ECDSA <xref target="FIPS186-4
'/></td> "/></td>
<td align='center'> Ed25519 <xref target='RFC8032'/>< <td align="center"> Ed25519 <xref target="RFC8032"/><
/td> /td>
<td align='center'> ECDSA <xref target='FIPS186-4 <td align="center"> ECDSA <xref target="FIPS186-4
'/></td> "/></td>
</tr> </tr>
<tr><td>Representation conventions</td> <tr><td>Representation Conventions</td>
<td align='center'> Weierstrass, (un)compressed, <td align="center"> Weierstrass, (un)compressed,
MSB/msb first, <xref target='RFC7518'/> </td> MSB/msb first, <xref target="RFC7518"/> </td>
<td align='center'> Edwards, compressed, LSB/lsb firs <td align="center"> Edwards, compressed, LSB/lsb firs
t, <xref target='RFC8037'/></td> t, <xref target="RFC8037"/></td>
<td align='center'> Weierstrass, (un)compressed, MSB/ <td align="center"> Weierstrass, (un)compressed, MSB/
msb first, <xref target='I-D.ietf-lwig-curve-representations'/></td></tr> msb first, <xref target="I-D.ietf-lwig-curve-representations"/></td></tr>
<tr><td>Public key size</td> <tr><td>Public Key Size</td>
<td align='center'> 33/65 bytes (compressed/uncom <td align="center"> 33/65 bytes (compressed/uncom
pressed)</td> pressed)</td>
<td align='center'> 32 bytes (compressed)</td> <td align="center"> 32 bytes (compressed)</td>
<td align='center'> 33/65 bytes (compressed/uncompres <td align="center"> 33/65 bytes (compressed/uncompres
sed) </td></tr> sed) </td></tr>
<tr><td>Signature size</td> <tr><td>Signature Size</td>
<td align='center'> 64 bytes </td> <td align="center"> 64 bytes </td>
<td align='center'> 64 bytes </td> <td align="center"> 64 bytes </td>
<td align='center'> 64 bytes </td></tr> <td align="center"> 64 bytes </td></tr>
<tr><td>Defining specification</td> <tr><td>Reference</td>
<td align='center'>This_RFC</td> <td align="center">RFC 8928</td>
<td align='center'>This_RFC</td> <td align="center">RFC 8928</td>
<td align='center'>This_RFC</td> <td align="center">RFC 8928</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<t> <t>
New Crypto-Type values providing similar or better security may be de fined in the future. New Crypto-Type values providing similar or better security may be define d in the future.
</t> </t>
<t> <t>
Assignment of new values for new Crypto-Type MUST be done through IANA with Assignment of new values for new Crypto-Type <bcp14>MUST</bcp14> be done thr
either "Specification Required" or "IESG Approval" as defined in BCP 26 ough IANA with
<xref target='RFC8126'/>. either "Specification Required" or "IESG Approval" as defined in
<xref target="RFC8126">BCP 26</xref>.
</t> </t>
</section> </section>
<section anchor='ndopt'><name>IPv6 ND option types </name> <section anchor="ndopt"><name>IPv6 ND Option Types</name>
<t> <t>
This document registers two new ND option types under the subregistry "I Pv6 Neighbor Discovery Option Formats": This document registers two new ND option types under the subregistry "I Pv6 Neighbor Discovery Option Formats":
</t> </t>
<table anchor="nexndopt"><name>New ND options</name> <table anchor="nexndopt"><name>New ND Options</name>
<thead> <thead>
<tr> <tr>
<th align='center'>Option Name</th> <th align="left">Description</th>
<th align='center'>Suggested Value</th> <th align="center">Type</th>
<th align='left'>Reference</th> <th align="left">Reference</th>
</tr> </tr>
</thead><tbody> </thead><tbody>
<tr> <tr>
<td align='center'>NDP Signature Option (NDPSO)</td> <td align="left">Crypto-ID Parameters Option (CIPO)</td>
<td align='center'>38</td> <td align="center">39</td>
<td align='left'>This document</td> <td align="left">RFC 8928</td>
</tr> </tr>
<tr> <tr>
<td align='center'>Crypto-ID Parameters Option (CIPO)</td> <td align="left">NDP Signature Option (NDPSO)</td>
<td align='center'>39</td> <td align="center">40</td>
<td align='left'>This document</td> <td align="left">RFC 8928</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> </section>
<section title="New 6LoWPAN Capability Bit"> <section title="New 6LoWPAN Capability Bit">
<t> <t>
IANA is requested to make additions to the Subregistry for IANA has made an addition to the subregistry for
"6LoWPAN Capability Bits" created for <xref target='RFC7400'/> "6LoWPAN Capability Bits" created for <xref target="RFC7400"/>
as follows: as follows:
</t> </t>
<table anchor="CIOdat"><name>New 6LoWPAN Capability Bit</name> <table anchor="CIOdat"><name>New 6LoWPAN Capability Bit</name>
<thead> <thead>
<tr> <tr>
<th align='center'>Capability Bit</th> <th align="center">Bit</th>
<th align='left'>Description </th> <th align="left">Description </th>
<th align='left'>Document</th> <th align="left">Reference</th>
</tr> </tr>
</thead><tbody> </thead><tbody>
<tr> <tr>
<td align='center'>09</td> <td align="center">9</td>
<td align='left'>AP-ND Enabled (1 bit)</td> <td align="left">AP-ND Enabled (1 bit)</td>
<td align='left'>This_RFC</td> <td align="left">RFC 8928</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</section> <!-- end section "New 6LoWPAN Capability Bits" --> </section>
</section>
<section><name>Acknowledgments</name>
<t>
Many thanks to Charlie Perkins for his in-depth review and constructive
suggestions. The authors are also especially grateful to Robert Moskowitz
and Benjamin Kaduk for their comments and discussions that led to many impr
ovements.
The authors wish to also thank Shwetha Bhandari for actively shepherding th
is document and Roman Danyliw, Alissa Cooper, Mirja Kuhlewind, Eric Vyncke, Vija
y Gurbani, Al Morton, and Adam Montville for their constructive reviews during t
he IESG process.
Finally Many thanks to our INT area ADs, Suresh Krishnan and then Erik Klin
e, who
supported us along the whole process.
</t>
</section> </section>
</middle> </middle>
<back> <back>
<displayreference target="I-D.ietf-6lo-backbone-router" to="BACK <displayreference target="I-D.ietf-lwig-curve-representations" to="CURVE-REPR
BONE-ROUTER"/> "/>
<displayreference target="I-D.ietf-lwig-curve-representations" to="CURV <displayreference target="RFC7696" to="BCP201"/>
E-REPR"/> <displayreference target="RFC4086" to="BCP106"/>
<displayreference target="RFC7696" to="BCP 201"/> <references><name>References</name>
<displayreference target="RFC4086" to="BCP 106"/>
<references><name>Normative References</name> <references><name>Normative References</name>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.2119.xml'/> nce.RFC.2119.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.3971.xml'/> nce.RFC.3971.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.6234.xml'/> nce.RFC.6234.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.6775.xml'/> nce.RFC.6775.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.7400.xml'/> nce.RFC.7400.xml"/>
<!--xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/ref <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
erence.RFC.7515.xml'/> nce.RFC.7748.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.7517.xml'/--> nce.RFC.8032.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.7748.xml'/> nce.RFC.8174.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8032.xml'/> nce.RFC.8505.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8174.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8505.xml'/>
<reference anchor='FIPS186-4'> <reference anchor="FIPS186-4" target="https://nvlpubs.nist.gov/nistpubs/fips/n ist.fips.186-4.pdf">
<front> <front>
<title> Digital Signature Standard (DSS), Federal Information <title>Digital Signature Standard (DSS)</title>
Processing Standards Publication 186-4 </title>
<author> <author>
<organization> <organization>
FIPS 186-4 National Institute of Standards and Technology
</organization> </organization>
</author> </author>
<date month='July' year='2013'/> <date month="July" year="2013"/>
</front> </front>
<seriesInfo name='US Department of Commerce/National Institute of Standa <seriesInfo name="FIPS" value="186-4"/>
rds and Technology' value=''/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/>
</reference> </reference>
<reference anchor='SEC1'> <reference anchor="SEC1" target="https://www.secg.org/sec1-v2.pdf">
<front> <front>
<title>SEC 1: Elliptic Curve Cryptography, Version 2.0 </title> <title>SEC 1: Elliptic Curve Cryptography</title>
<author> <author>
<organization> <organization>
SEC1 Standards for Efficient Cryptography
</organization> </organization>
</author> </author>
<date month='June' year='2009'/> <date month="May" year="2009"/>
</front> </front>
<seriesInfo name='Standards for Efficient Cryptography' value=''/> <refcontent>Version 2</refcontent>
</reference> </reference>
</references> </references>
<references><name>Informative references</name> <references><name>Informative References</name>
<!--reference anchor="IANA.JOSE.Algorithms"> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
<front> nce.RFC.3972.xml"/>
<title> JSON Web Signature and Encryption Algorithms </ti <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
tle> nce.RFC.4086.xml"/>
<author> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
<organization> nce.RFC.4861.xml"/>
IANA <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
</organization> nce.RFC.4862.xml"/>
</author> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
<date year=""></date> nce.RFC.4919.xml"/>
</front> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
<seriesInfo name="IANA," value="https://www.iana.org/assignments/ nce.RFC.4944.xml"/>
jose/jose.xhtml#web-signature-encryption-algorithms"></seriesInfo> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
</reference> nce.RFC.6282.xml"/>
<reference anchor="IANA.JOSE.Curves"> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
<front> nce.RFC.7039.xml"/>
<title> JSON Web Key Elliptic Curve </title> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
<author> nce.RFC.7217.xml"/>
<organization> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
IANA nce.RFC.7518.xml"/>
</organization> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
</author> nce.RFC.7696.xml"/>
<date year=""></date> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
</front> nce.RFC.8037.xml"/>
<seriesInfo name="IANA," value="https://www.iana.org/assignments/ <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
jose/jose.xhtml#web-key-elliptic-curve"></seriesInfo> nce.RFC.8064.xml"/>
</reference--> <xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8065.xml"/>
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8126.xml"/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere <!--draft-ietf-6lo-backbone-router-20; in REF - part of
nce.RFC.3972.xml'/> C310-->
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.4086.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.4861.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.4862.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.4919.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.4944.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.6282.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.7039.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.7217.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.7518.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.7696.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8037.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8064.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8065.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere
nce.RFC.8126.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/refer
ence.I-D.ietf-6lo-backbone-router.xml'/>
<xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/refer
ence.I-D.ietf-lwig-curve-representations.xml'/>
<reference anchor='breaking-ed25519' target='https://link.springer.com/ch <reference anchor='RFC8929' target='https://www.rfc-editor.org/info/rfc8929'>
apter/10.1007/978-3-319-76953-0_1'> <front>
<title>IPv6 Backbone Router</title>
<author initials='P' surname='Thubert' fullname='Pascal Thubert' role='editor'>
<organization />
</author>
<author initials='C.E.' surname='Perkins' fullname='Charles Perkins'>
<organization />
</author>
<author initials='E' surname='Levy-Abegnoli' fullname='Eric Levy-Abegnoli'>
<organization />
</author>
<date month='October' year='2020' />
</front>
<seriesInfo name='RFC' value='8929' />
<seriesInfo name="DOI" value="10.17487/RFC8929"/>
</reference>
<!--draft-ietf-lwig-curve-representations-10; Active - AD Evaluation::AD
Followup-->
<xi:include href="https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/refer
ence.I-D.ietf-lwig-curve-representations.xml"/>
<reference anchor="breaking-ed25519" target="https://link.springer.com/ch
apter/10.1007/978-3-319-76953-0_1">
<front> <front>
<title>Breaking Ed25519 in WolfSSL</title> <title>Breaking Ed25519 in WolfSSL</title>
<author initials='N.' surname='Samwel' fullname='Niels Samwel'> <author initials="N." surname="Samwel" fullname="Niels Samwel">
</author> </author>
<author initials='L.' surname='Batina' fullname='Leija Batina'> <author initials="L." surname="Batina" fullname="Leija Batina">
</author> </author>
<author initials='G.' surname='Bertoni' fullname='Guido Bertoni'> <author initials="G." surname="Bertoni" fullname="Guido Bertoni">
</author> </author>
<author initials='J.' surname='Daemen' fullname='Joan Daemen'> <author initials="J." surname="Daemen" fullname="Joan Daemen">
</author> </author>
<author initials='R.' surname='Susella' fullname='Ruggero Susella'> <author initials="R." surname="Susella" fullname="Ruggero Susella">
</author> </author>
<date year='2018'/> <date month="March" year="2018"/>
</front> </front>
<seriesInfo name='Cryptographers’ Track at the RSA Conference' value=''/ > <refcontent>Topics in Cryptology - CT-RSA, pp. 1-20</refcontent>
</reference> </reference>
</references> </references>
</references>
<section anchor='ps'><name>Requirements Addressed in this Document</name> <section anchor="ps"><name>Requirements Addressed in This Document</name>
<t> <t>
In this section we state requirements of a secure neighbor discovery In this section, the requirements of a secure Neighbor Discovery pro
protocol for low-power and lossy networks. tocol for LLNs are stated.
</t><ul spacing='compact'> </t><ul spacing="normal">
<li> <li>
The protocol MUST be based on the Neighbor Discovery Optimization f or Low-power and Lossy Networks protocol defined in <xref target='RFC6775'/>. RF C6775 utilizes optimizations such as host-initiated interactions for sleeping re source-constrained hosts and elimination of multicast address resolution. The protocol <bcp14>MUST</bcp14> be based on the Neighbor Discovery Optimization for the LLN protocol defined in <xref target="RFC6775"/>. RFC 6775 utilizes optimizations such as host-initiated interactions for sleeping resourc e-constrained hosts and the elimination of multicast address resolution.
</li> </li>
<li> <li>
New options to be added to Neighbor Solicitation messages MUST lea d to small packet sizes, especially compared with existing protocols such as SEc ure Neighbor Discovery (SEND). Smaller packet sizes facilitate low-power transmi ssion by resource-constrained nodes on lossy links. New options to be added to Neighbor Solicitation messages <bcp14>M UST</bcp14> lead to small packet sizes, especially compared with existing protoc ols such as SEND. Smaller packet sizes facilitate low-power transmission by reso urce-constrained nodes on lossy links.
</li> </li>
<li> <li>
The support for this registration mechanism SHOULD be extensible t o more LLN links than IEEE 802.15.4 only. Support for at least the LLN links for which a 6lo "IPv6 over foo" specification exists, as well as Low-Power Wi-Fi SH OULD be possible. The support for this registration mechanism <bcp14>SHOULD</bcp14> be extensible to more LLN links than IEEE 802.15.4 only. Support for at least th e LLN links for which a 6lo "IPv6 over foo" specification exists, as well as low -power Wi-Fi <bcp14>SHOULD</bcp14> be possible.
</li> </li>
<li> <li>
As part of this extension, a mechanism to compute a unique Identif ier should be provided with the capability to form a Link Local Address that SHO ULD be unique at least within the LLN connected to a 6LBR. As part of this extension, a mechanism to compute a unique Identif ier should be provided with the capability to form a Link Local Address that <bc p14>SHOULD</bcp14> be unique at least within the LLN connected to a 6LBR.
</li> </li>
<!--[rfced] Please confirm if 'Unique Interface Identifier' and
'unique identifier' are the same term. If so, may we update the
text to reflect 'unique identifier' for consistency (only 1
instance)?
Original:
* The Address Registration Option used in the ND registration SHOULD
be extended to carry the relevant forms of Unique Interface
Identifier.
Perhaps:
* The Address Registration Option used in the ND registration SHOULD
be extended to carry the relevant forms of the unique identifier.
-->
<li> <li>
The Address Registration Option used in the ND registration SHOULD be extended to carry the relevant forms of The Address Registration Option used in the ND registration <bcp14 >SHOULD</bcp14> be extended to carry the relevant forms of the
Unique Interface Identifier. Unique Interface Identifier.
</li> </li>
<li> <li>
The Neighbor Discovery should specify the formation of a site-loca l address that follows the security recommendations from <xref target='RFC7217'/ >. The Neighbor Discovery should specify the formation of a site-loca l address that follows the security recommendations from <xref target="RFC7217"/ >.
</li> </li>
</ul><t> </ul>
</t>
</section> </section>
<section anchor='reprconv'><name>Representation Conventions</name> <section anchor="reprconv"><name>Representation Conventions</name>
<section><name>Signature Schemes</name> <section><name>Signature Schemes</name>
<t> The signature scheme ECDSA256 corresponding to Crypto-Type 0 is ECDSA
, as specified in <xref target='FIPS186-4'/>, instantiated with the NIST prime c
urve P-256,
as specified in Appendix B of <xref target='FIPS186-4'/>, and the hash fu
nction SHA-256, as specified in <xref target='RFC6234'/>, where points of this N
IST curve are
represented as points of a short-Weierstrass curve (see <xref target='FIP
S186-4'/>) and are encoded as octet strings in most-significant-bit first (msb)
and
most-significant-byte first (MSB) order. The signature itself consists of
two integers (r and s), which are each encoded as fixed-size octet strings in m
ost-significant-bit
first and most-significant-byte first order. For details on ECDSA, see <x
ref target='FIPS186-4'/>; for details on the encoding of public keys, see <xref
target="weirepr"></xref>;
for details on the signature encoding, see <xref target='bitrepr'/>.</t>
<t> The signature scheme Ed25519 corresponding to Crypto-Type 1 is EdDSA, <!--[rfced] Please confirm if Appendix B of [FIPS186-4] is the correct
as specified in <xref target='RFC8032'/>, instantiated with the Montgomery curv section reference below. FYI: we see 'curve P-256' discussed in
e Curve25519, as Appendix D.2.3.
specified in <xref target='RFC7748'/>, and the hash function SHA-512, as
specified in <xref target='RFC6234'/>, where points of this Montgomery curve are
represented as points of the corresponding twisted Edwards curve Edwards2
5519 (see <xref target='curves'/>) and are encoded as octet strings in least-sig
nificant-bit first (lsb)
and least-significant-byte first (LSB) order. The signature itself consis
ts of a bit string that encodes a point of this twisted Edwards curve, in compre
ssed format, and an
integer encoded in least-significant-bit first and least-significant-byte
first order. For details on EdDSA, the encoding of public keys and that of sign
atures, see the
specification of pure Ed25519 in <xref target='RFC8032'></xref>.</t>
<t> The signature scheme ECDSA25519 corresponding to Crypto-Type 2 is ECD Original:
SA, as specified in <xref target='FIPS186-4'/>, instantiated with the Montgomery The signature scheme ECDSA256 corresponding to Crypto-Type 0 is
curve ECDSA, as specified in [FIPS186-4], instantiated with the NIST prime
Curve25519, as specified in <xref target='RFC7748'/>, and the hash functi curve P-256, as specified in Appendix B of [FIPS186-4], and the hash
on SHA-256, as specified in <xref target='RFC6234'/>, where points of this Montg function SHA-256, as specified in [RFC6234], where points of this
omery NIST curve are represented as points of a short-Weierstrass curve
curve are represented as points of the corresponding short-Weierstrass cu (see [FIPS186-4]) and are encoded as octet strings in most-
rve Wei25519 (see <xref target='curves'/>) and are encoded as octet strings in significant-bit first (msb) and most-significant-byte first (MSB)
most-significant-bit first and most-significant-byte first order. The sig order.
nature itself consists of a bit string that encodes two integers, each encoded a -->
s fixed-size
octet strings in most-significant-bit first and most-significant-byte fir <t> The signature scheme ECDSA256 corresponding to Crypto-Type 0 is ECDSA
st order. For details on ECDSA, see <xref target='FIPS186-4'/>; for details on t , as specified in <xref target="FIPS186-4"/>, instantiated with the NIST prime c
he encoding of urve P-256,
public keys, see <xref target="weirepr"></xref>; for details on the signa as specified in Appendix B of <xref target="FIPS186-4"/>, and the hash fu
ture encoding, see <xref target='bitrepr'/></t> nction SHA-256, as specified in <xref target="RFC6234"/>, where points of this N
IST curve are
represented as points of a short-Weierstrass curve (see <xref target="FIP
S186-4"/>) and are encoded as octet strings in most-significant-bit (msb) first
and
most-significant-byte (MSB) first order. The signature itself consists of
two integers (r and s), which are each encoded as fixed-size octet strings in m
sb
first and MSB first order. For further details, see <xref target="FIPS186
-4"/> for ECDSA, see <xref target="weirepr"/> for the encoding of public keys, a
nd see
<xref target="bitrepr"/> for signature encoding.</t>
<t> The signature scheme Ed25519 corresponding to Crypto-Type 1 is EdDSA,
as specified in <xref target="RFC8032"/>, instantiated with the Montgomery curv
e Curve25519, as
specified in <xref target="RFC7748"/>, and the hash function SHA-512, as
specified in <xref target="RFC6234"/>, where points of this Montgomery curve are
represented as points of the corresponding twisted Edwards
curve Edwards25519 (see <xref target="curves"/>) and are
encoded as octet strings in least-significant-bit (lsb) first
and least-significant-byte (LSB) first order. The signature itself consis
ts of a bit string that encodes a point of this twisted Edwards curve, in compre
ssed format, and an
integer encoded in lsb first and LSB first order. For details on EdDSA an
d the encoding of public keys and signatures, see the
specification of pure Ed25519 in <xref target="RFC8032"/>.</t>
<t> The signature scheme ECDSA25519 corresponding to Crypto-Type 2 is ECD
SA, as specified in <xref target="FIPS186-4"/>, instantiated with the Montgomery
curve
Curve25519, as specified in <xref target="RFC7748"/>, and the hash functi
on SHA-256, as specified in <xref target="RFC6234"/>, where points of this Montg
omery
curve are represented as points of the corresponding short-Weierstrass cu
rve Wei25519 (see <xref target="curves"/>) and are encoded as octet strings in
msb first and MSB first order. The signature itself consists of a bit str
ing that encodes two integers, each encoded as fixed-size
octet strings in msb first and MSB first order. For further details, see
<xref target="FIPS186-4"/> for ECDSA, see <xref target="weirepr"/> for the encod
ing of
public keys, and see <xref target="bitrepr"/> for signature encoding.</t>
</section> </section>
<section anchor='bitrepr'><name>Representation of ECDSA Signatures</name> <section anchor="bitrepr"><name>Representation of ECDSA Signatures</name>
<t> With ECDSA, each signature is an ordered pair (r, s) of integers <xre <t> With ECDSA, each signature is an ordered pair (r, s) of integers <xre
f target='FIPS186-4'/>, where each integer is represented as a 32-octet string a f target="FIPS186-4"/>, where each integer is represented as a 32-octet string a
ccording to the ccording to the
Field Element to Octet String conversion rules in <xref target='SEC1'/> a Field-Element-to-Octet-String conversion rules in <xref target="SEC1"/> a
nd where the ordered pair of integers is represented as the rightconcatenation o nd where the ordered pair of integers is represented as the right concatenation
f these representation of these representation
values (thereby resulting in a 64-octet string). The inverse operation ch ecks that the signature is a 64-octet string and represents the left-side and ri ght-side halves of this values (thereby resulting in a 64-octet string). The inverse operation ch ecks that the signature is a 64-octet string and represents the left-side and ri ght-side halves of this
string (each a 32-octet string) as the integers r and s, respectively, us ing the Octet String to Field Element conversion rules in <xref target='SEC1'/>. string (each a 32-octet string) as the integers r and s, respectively, us ing the Octet-String-to-Field-Element conversion rules in <xref target="SEC1"/>.
</t></section> </t></section>
<section anchor='weirepr'><name>Representation of Public Keys Used with E <section anchor="weirepr"><name>Representation of Public Keys Used with E
CDSA</name> CDSA</name>
<t> ECDSA is specified to be used with elliptic curves in short-Weierstra <t> ECDSA is specified to be used with elliptic curves in short-Weierstra
ss form. Each point of such a curve is represented as an octet string using the ss form. Each point of such a curve is represented as an octet string using the
Elliptic Curve Point to Elliptic-Curve-Point-to-Octet-String
Octet String conversion rules in <xref target='SEC1'/>, where point compr conversion rules in <xref target="SEC1"/>, where point compression may b
ession may be enabled (which is indicated by the leftmost octet of this represen e enabled (which is indicated by the leftmost octet of this representation). The
tation). The inverse inverse
operation converts an octet string to a point of this curve using the Oct operation converts an octet string to a point of this curve using the Oct
et String to Elliptic Curve Point conversion rules in <xref target='SEC1'/>, whe et-String-to-Elliptic-Curve-Point conversion rules in <xref target="SEC1"/>, whe
reby the point is rejected reby the point is rejected
if this is the so-called point at infinity. (This is the case if the inpu t to this inverse operation is an octet string of length 1.) </t> if this is the so-called point at infinity. (This is the case if the inpu t to this inverse operation is an octet string of length 1.) </t>
</section> </section>
<section anchor='curves'><name>Alternative Representations of Curve25519< <!--[rfced] In Appendix B.4, for the lists of curve parameters, there
/name> are options for the correct formatting. Please review this file
<t> The elliptic curve Curve25519, as specified in <xref target='RFC7748' and let us know which option you prefer:
/>, is a so-called Montgomery curve. Each point of this curve can also be repres
ented as a point https://www.rfc-editor.org/authors/rfc8928_options.html#section-b.4
where:
Option A: dictionary list (what currently appears in the file)
Option B: sourcecode element (fixed-width font)
Option C: dictionary list (using <tt> for fixed-width font in HTML and
PDF; however, this yields quotation marks in the text output)
If you don't have a preference, we'll go with Option B because it best matches t
he original.
We sought guidance from Henrik Levkowetz on this formatting, and he
said that <sourcecode> should be used if there is a likelihood of
automated consumption of these lists. If a new type value such as
<sourcecode type="elliptic-curve-parameters"> would be useful, please
let us know. The current list is here:
https://www.rfc-editor.org/materials/sourcecode-types.txt
For definitions of the elements, please see
https://xml2rfc.tools.ietf.org/xml2rfc-doc.html#name-dl-2
https://xml2rfc.tools.ietf.org/xml2rfc-doc.html#name-sourcecode-2
-->
<section anchor="curves"><name>Alternative Representations of Curve25519<
/name>
<t> The elliptic curve Curve25519, as specified in <xref target="RFC7748"
/>, is a so-called Montgomery curve. Each point of this curve can also be repres
ented as a point
of a twisted Edwards curve or as a point of an elliptic curve in short-We ierstrass form, via a coordinate transformation (a so-called isomorphic mapping) . The parameters of the of a twisted Edwards curve or as a point of an elliptic curve in short-We ierstrass form, via a coordinate transformation (a so-called isomorphic mapping) . The parameters of the
Montgomery curve and the corresponding isomorphic curves in twisted Edwar ds curve and short-Weierstrass form are as indicated below. Here, the domain par ameters of the Montgomery Montgomery curve and the corresponding isomorphic curves in twisted Edwar ds curve and short-Weierstrass form are as indicated below. Here, the domain par ameters of the Montgomery
curve Curve25519 and of the twisted Edwards curve Edwards25519 are as spe curve Curve25519 and of the twisted Edwards curve Edwards25519 are as spe
cified in <xref target='RFC7748'/>; the domain parameters of the elliptic curve cified in <xref target="RFC7748"/>; the domain parameters of the elliptic curve
Wei25519 in Wei25519 in
short-Weierstrass curve comply with Section 6.1.1 of <xref target='FIPS18 short-Weierstrass form comply with Section 6.1.1 of <xref target="FIPS186
6-4'/>. For further details on these curves and on the coordinate transformation -4"/>. For further details on these curves and on the coordinate transformations
s referenced above, see referenced above, see
<xref target='I-D.ietf-lwig-curve-representations'/>. </t> <xref target="I-D.ietf-lwig-curve-representations"/>. </t>
<t> General parameters (for all curve models): <t> General parameters (for all curve models):
</t><dl spacing='compact'> </t><dl spacing="compact">
<dt>p</dt><dd> 2^{255}-19 </dd> <dt>p</dt><dd> 2^{255}-19<br/>
<dt></dt><dd> (=0x7fffffff ffffffff ffffffff ffffffff fff (=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff
fffff ffffffff ffffffff ffffffed) </dd> ffffffff ffffffed) </dd>
<dt>h</dt><dd> 8 </dd> <dt>h</dt><dd> 8 </dd>
<dt>n</dt><dd> 723700557733226221397318656304299424085711 <dt>n</dt><dd> 723700557733226221397318656304299424085711
6359379907606001950938285454250989 </dd> 6359379907606001950938285454250989 <br/>
<dt></dt><dd> (=2^{252} + 0x14def9de a2f79cd6 5812631a 5 (=2^{252} + 0x14def9de a2f79cd6 5812631a 5cf5d3ed) </dd>
cf5d3ed) </dd> </dl>
</dl><t> </t>
<t> Montgomery curve-specific parameters (for Curve25519): <t> Montgomery curve-specific parameters (for Curve25519):
</t><dl spacing='compact'> </t><dl spacing="compact">
<dt>A</dt><dd> 486662 </dd> <dt>A</dt><dd> 486662 </dd>
<dt>B</dt><dd> 1 </dd> <dt>B</dt><dd> 1 </dd>
<dt>Gu</dt><dd> 9 (=0x9) </dd> <dt>Gu</dt><dd> 9 (=0x9) </dd>
<dt>Gv</dt><dd> 14781619447589544791020593568409986887264 <dt>Gv</dt><dd> 14781619447589544791020593568409986887264
606134616475288964881837755586237401 </dd> 606134616475288964881837755586237401 <br/>
<dt></dt><dd> (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923 (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2
d4d7e 6d7c61b2 29e9c5a2 7eced3d9) </dd> 29e9c5a2 7eced3d9) </dd>
</dl><t> </t> </dl>
<t> Twisted Edwards curve-specific parameters (for Edwards25519): <t> Twisted Edwards curve-specific parameters (for Edwards25519):
</t><dl spacing='compact'> </t><dl spacing="compact">
<dt>a</dt><dd> -1 (-0x01) </dd> <dt>a</dt><dd> -1 (-0x01) </dd>
<dt>d</dt><dd> -121665/121666 </dd> <dt>d</dt><dd> -121665/121666 <br/>
<dt></dt><dd> (=37095705934669439343138083508754565189542 (=3709570593466943934313808350875456518954211387984321901
113879843219016388785533085940283555) </dd> 6388785533085940283555) <br/>
<dt></dt><dd> (=0x52036cee 2b6ffe73 8cc74079 7779e898 007 (=0x52036cee 2b6ffe73 8cc74079 7779e898 00700a4d 4141d8ab
00a4d 4141d8ab 75eb4dca 135978a3) </dd> 75eb4dca 135978a3) </dd>
<dt>Gx</dt><dd> 15112221349535400772501151409588531511454 <dt>Gx</dt><dd> 15112221349535400772501151409588531511454
012693041857206046113283949847762202 </dd> 012693041857206046113283949847762202 <br/>
<dt></dt><dd> (=0x216936d3 cd6e53fe c0a4e231 fdd6dc5c 692 (=0x216936d3 cd6e53fe c0a4e231 fdd6dc5c 692cc760 9525a7b2
cc760 9525a7b2 c9562d60 8f25d51a) </dd> c9562d60 8f25d51a) </dd>
<dt>Gy</dt><dd> 4/5 </dd> <dt>Gy</dt><dd> 4/5 <br/>
<dt></dt><dd> (=46316835694926478169428394003475163141307 (=4631683569492647816942839400347516314130799386625622561
993866256225615783033603165251855960) </dd> 5783033603165251855960) <br/>
<dt></dt><dd>(=0x66666666 66666666 66666666 66666666 6666 (=0x66666666 66666666 66666666 66666666 66666666 66666666
6666 66666666 66666666 66666658) </dd> 66666666 66666658) </dd>
</dl><t> </t> </dl>
<t> Weierstrass curve-specific parameters (for Wei25519): <t> Weierstrass curve-specific parameters (for Wei25519):
</t><dl spacing='compact'> </t><dl spacing="compact">
<dt>a</dt><dd> 192986815395526992372618308347813179755449 <dt>a</dt><dd> 192986815395526992372618308347813179755449
97444273427339909597334573241639236 </dd> 97444273427339909597334573241639236 <br/>
<dt></dt><dd> (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaa (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa
aaaaa aaaaaaaa aaaaaa98 4914a144) </dd> aaaaaa98 4914a144) </dd>
<dt>b</dt><dd> 557517466698189089076452890782571408182411 <dt>b</dt><dd> 557517466698189089076452890782571408182411
03727901012315294400837956729358436 </dd> 03727901012315294400837956729358436 <br/>
<dt></dt><dd> (=0x7b425ed0 97b425ed 097b425e d097b425 ed0 (=0x7b425ed0 97b425ed 097b425e d097b425 ed097b42 5ed097b4
97b42 5ed097b4 260b5e9c 7710c864) </dd> 260b5e9c 7710c864) </dd>
<dt>GX</dt><dd> 19298681539552699237261830834781317975544 <dt>GX</dt><dd> 19298681539552699237261830834781317975544
997444273427339909597334652188435546 </dd> 997444273427339909597334652188435546 <br/>
<dt></dt><dd> (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaa (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa
aaaaa aaaaaaaa aaaaaaaa aaad245a) </dd> aaaaaaaa aaad245a) </dd>
<dt>GY</dt><dd> 14781619447589544791020593568409986887264 <dt>GY</dt><dd> 14781619447589544791020593568409986887264
606134616475288964881837755586237401 </dd> 606134616475288964881837755586237401 <br/>
<dt></dt><dd> (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923 (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2
d4d7e 6d7c61b2 29e9c5a2 7eced3d9) </dd> 29e9c5a2 7eced3d9) </dd>
</dl><t> </t> </dl>
</section> </section>
<section numbered="false"><name>Acknowledgments</name>
<t>
Many thanks to <contact fullname="Charlie Perkins"/> for his in-depth revie
w and constructive
suggestions. The authors are also especially grateful to <contact fullname=
"Robert Moskowitz"/>
and <contact fullname="Benjamin Kaduk"/> for their comments and discussions
that led to many improvements.
The authors wish to also thank <contact fullname="Shwetha Bhandari"/> for a
ctively shepherding this document and <contact fullname="Roman Danyliw"/>, <cont
act fullname="Alissa Cooper"/>, <contact fullname="Mirja Kuehlewind"/>, <contact
fullname="Eric Vyncke"/>, <contact fullname="Vijay Gurbani"/>, <contact fullnam
e="Al Morton"/>, and <contact fullname="Adam Montville"/> for their constructive
reviews during the IESG process.
Finally, many thanks to our INT area ADs, <contact fullname="Suresh Krishna
n"/> and <contact fullname="Erik Kline"/>, who
supported us along the whole process.
</t>
</section> </section>
</section>
<!-- [rfced] Throughout the text, we saw both NA(EARO) and NA (EARO).
We have updated to use the former consistently (no space before
the opening parenthesis). Please let us know any objections.
-->
</back> </back>
</rfc> </rfc>
<!-- CONVERT WARNING: wide character found at character 52617 of the output -->
 End of changes. 261 change blocks. 
860 lines changed or deleted 1131 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/