<?xml version='1.0' encoding='utf-8'?><!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent"> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="3"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="no"?> <?rfc subcompact="no"?> <?rfc authorship="yes"?> <?rfc tocappendix="yes"?><rfc xmlns:xi="http://www.w3.org/2001/XInclude" version="3" category="std"ipr='trust200902' tocInclude="true" obsoletes="" updates="8505"consensus="true"submissionType="IETF" xml:lang="en" version="3"docName="draft-ietf-6lo-ap-nd-23">indexInclude="true" ipr="trust200902" number="8928" prepTime="2020-11-18T12:58:54" scripts="Common,Latin" sortRefs="true" submissionType="IETF" symRefs="true" tocDepth="3" tocInclude="true" updates="8505" xml:lang="en"> <link href="https://datatracker.ietf.org/doc/draft-ietf-6lo-ap-nd-23" rel="prev"/> <link href="https://dx.doi.org/10.17487/rfc8928" rel="alternate"/> <link href="urn:issn:2070-1721" rel="alternate"/> <front> <titleabbrev='Addressabbrev="Address Protection ND forLLN'> Address ProtectedLLN">Address-Protected Neighbor Discovery forLow-powerLow-Power and LossyNetworks </title>Networks</title> <seriesInfo name="RFC" value="8928" stream="IETF"/> <authorinitials='P.' surname='Thubert' fullname='Pascal Thubert' role='editor'>initials="P." surname="Thubert" fullname="Pascal Thubert" role="editor"> <organizationabbrev='Cisco'>Ciscoabbrev="Cisco" showOnFrontPage="true">Cisco Systems,Inc</organization>Inc.</organization> <address> <postal> <street>Building D</street> <street>45 Allee des Ormes -BP1200 </street>BP1200</street> <city>MOUGINS - Sophia Antipolis</city> <code>06254</code><country>FRANCE</country><country>France</country> </postal> <phone>+33 497 23 26 34</phone> <email>pthubert@cisco.com</email> </address> </author> <authorinitials='B.' surname='Sarikaya' fullname='Behcet Sarikaya'> <organization/>initials="B." surname="Sarikaya" fullname="Behcet Sarikaya"> <organization showOnFrontPage="true"/> <address> <postal> <street/> <street/> <city/> <region/> <code/> <country/> </postal> <email>sarikaya@ieee.org</email> </address> </author> <authorinitials='M.' surname='Sethi' fullname='Mohit Sethi'> <organization>Ericsson</organization>initials="M." surname="Sethi" fullname="Mohit Sethi"> <organization showOnFrontPage="true">Ericsson</organization> <address> <postal> <street/> <city>Jorvas</city> <region/> <code>02420</code> <country>Finland</country> </postal> <email>mohit@piuha.net</email> </address> </author> <authorinitials='R.' surname='Struik' fullname='Rene Struik'> <organization>Struikinitials="R." surname="Struik" fullname="Rene Struik"> <organization showOnFrontPage="true">Struik Security Consultancy</organization> <address> <postal> <street/> <city/> <region/> <code/> <country/> </postal> <email>rstruik.ext@gmail.com</email> </address> </author><date/><date month="11" year="2020"/> <workgroup>6lo</workgroup><abstract> <t><abstract pn="section-abstract"> <t indent="0" pn="section-abstract-1"> This document updates the6LoWPANIPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery (ND) protocol defined inRFCRFCs 6775 andRFC8505. The new extension is calledAddress ProtectedAddress-Protected Neighbor Discovery(AP-ND)(AP-ND), and it protects the owner of an address against address theft and impersonation attacks in alow-powerLow-Power andlossy networkLossy Network (LLN). Nodes supporting this extension compute a cryptographic identifier(Crypto-ID)(Crypto-ID), and use it with one or more of their Registered Addresses. The Crypto-ID identifies the owner of the Registered Address and can be used to provide proof of ownership of the Registered Addresses. Once an address is registered with the Crypto-ID and aproof-of-ownershipproof of ownership is provided, only the owner of that address can modify the registration information, thereby enforcing Source Address Validation. </t> </abstract> <boilerplate> <section anchor="status-of-memo" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.1"> <name slugifiedName="name-status-of-this-memo">Status of This Memo</name> <t indent="0" pn="section-boilerplate.1-1"> This is an Internet Standards Track document. </t> <t indent="0" pn="section-boilerplate.1-2"> This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841. </t> <t indent="0" pn="section-boilerplate.1-3"> Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at <eref target="https://www.rfc-editor.org/info/rfc8928" brackets="none"/>. </t> </section> <section anchor="copyright" numbered="false" removeInRFC="false" toc="exclude" pn="section-boilerplate.2"> <name slugifiedName="name-copyright-notice">Copyright Notice</name> <t indent="0" pn="section-boilerplate.2-1"> Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. </t> <t indent="0" pn="section-boilerplate.2-2"> This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (<eref target="https://trustee.ietf.org/license-info" brackets="none"/>) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. </t> </section> </boilerplate> <toc> <section anchor="toc" numbered="false" removeInRFC="false" toc="exclude" pn="section-toc.1"> <name slugifiedName="name-table-of-contents">Table of Contents</name> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1"> <li pn="section-toc.1-1.1"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.1.1"><xref derivedContent="1" format="counter" sectionFormat="of" target="section-1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-introduction">Introduction</xref></t> </li> <li pn="section-toc.1-1.2"> <t indent="0" pn="section-toc.1-1.2.1"><xref derivedContent="2" format="counter" sectionFormat="of" target="section-2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-terminology">Terminology</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.2.2"> <li pn="section-toc.1-1.2.2.1"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.2.2.1.1"><xref derivedContent="2.1" format="counter" sectionFormat="of" target="section-2.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-requirements-language">Requirements Language</xref></t> </li> <li pn="section-toc.1-1.2.2.2"> <t indent="0" keepWithNext="true" pn="section-toc.1-1.2.2.2.1"><xref derivedContent="2.2" format="counter" sectionFormat="of" target="section-2.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-background">Background</xref></t> </li> <li pn="section-toc.1-1.2.2.3"> <t indent="0" pn="section-toc.1-1.2.2.3.1"><xref derivedContent="2.3" format="counter" sectionFormat="of" target="section-2.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-abbreviations">Abbreviations</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.3"> <t indent="0" pn="section-toc.1-1.3.1"><xref derivedContent="3" format="counter" sectionFormat="of" target="section-3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-updating-rfc-8505">Updating RFC 8505</xref></t> </li> <li pn="section-toc.1-1.4"> <t indent="0" pn="section-toc.1-1.4.1"><xref derivedContent="4" format="counter" sectionFormat="of" target="section-4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-new-fields-and-options">New Fields and Options</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.4.2"> <li pn="section-toc.1-1.4.2.1"> <t indent="0" pn="section-toc.1-1.4.2.1.1"><xref derivedContent="4.1" format="counter" sectionFormat="of" target="section-4.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-new-crypto-id">New Crypto-ID</xref></t> </li> <li pn="section-toc.1-1.4.2.2"> <t indent="0" pn="section-toc.1-1.4.2.2.1"><xref derivedContent="4.2" format="counter" sectionFormat="of" target="section-4.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-updated-earo">Updated EARO</xref></t> </li> <li pn="section-toc.1-1.4.2.3"> <t indent="0" pn="section-toc.1-1.4.2.3.1"><xref derivedContent="4.3" format="counter" sectionFormat="of" target="section-4.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-crypto-id-parameters-option">Crypto-ID Parameters Option</xref></t> </li> <li pn="section-toc.1-1.4.2.4"> <t indent="0" pn="section-toc.1-1.4.2.4.1"><xref derivedContent="4.4" format="counter" sectionFormat="of" target="section-4.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-ndp-signature-option">NDP Signature Option</xref></t> </li> <li pn="section-toc.1-1.4.2.5"> <t indent="0" pn="section-toc.1-1.4.2.5.1"><xref derivedContent="4.5" format="counter" sectionFormat="of" target="section-4.5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-extensions-to-the-capabilit">Extensions to the Capability Indication Option</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.5"> <t indent="0" pn="section-toc.1-1.5.1"><xref derivedContent="5" format="counter" sectionFormat="of" target="section-5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-protocol-scope">Protocol Scope</xref></t> </li> <li pn="section-toc.1-1.6"> <t indent="0" pn="section-toc.1-1.6.1"><xref derivedContent="6" format="counter" sectionFormat="of" target="section-6"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-protocol-flows">Protocol Flows</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.6.2"> <li pn="section-toc.1-1.6.2.1"> <t indent="0" pn="section-toc.1-1.6.2.1.1"><xref derivedContent="6.1" format="counter" sectionFormat="of" target="section-6.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-first-exchange-with-a-6lr">First Exchange with a 6LR</xref></t> </li> <li pn="section-toc.1-1.6.2.2"> <t indent="0" pn="section-toc.1-1.6.2.2.1"><xref derivedContent="6.2" format="counter" sectionFormat="of" target="section-6.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-ndpso-generation-and-verifi">NDPSO Generation and Verification</xref></t> </li> <li pn="section-toc.1-1.6.2.3"> <t indent="0" pn="section-toc.1-1.6.2.3.1"><xref derivedContent="6.3" format="counter" sectionFormat="of" target="section-6.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-multi-hop-operation">Multi-Hop Operation</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.7"> <t indent="0" pn="section-toc.1-1.7.1"><xref derivedContent="7" format="counter" sectionFormat="of" target="section-7"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-security-considerations">Security Considerations</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.7.2"> <li pn="section-toc.1-1.7.2.1"> <t indent="0" pn="section-toc.1-1.7.2.1.1"><xref derivedContent="7.1" format="counter" sectionFormat="of" target="section-7.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-brown-field">Brown Field</xref></t> </li> <li pn="section-toc.1-1.7.2.2"> <t indent="0" pn="section-toc.1-1.7.2.2.1"><xref derivedContent="7.2" format="counter" sectionFormat="of" target="section-7.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-threats-identified-in-rfc-3">Threats Identified in RFC 3971</xref></t> </li> <li pn="section-toc.1-1.7.2.3"> <t indent="0" pn="section-toc.1-1.7.2.3.1"><xref derivedContent="7.3" format="counter" sectionFormat="of" target="section-7.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-related-to-6lowpan-nd">Related to 6LoWPAN ND</xref></t> </li> <li pn="section-toc.1-1.7.2.4"> <t indent="0" pn="section-toc.1-1.7.2.4.1"><xref derivedContent="7.4" format="counter" sectionFormat="of" target="section-7.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-compromised-6lr">Compromised 6LR</xref></t> </li> <li pn="section-toc.1-1.7.2.5"> <t indent="0" pn="section-toc.1-1.7.2.5.1"><xref derivedContent="7.5" format="counter" sectionFormat="of" target="section-7.5"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-rovr-collisions">ROVR Collisions</xref></t> </li> <li pn="section-toc.1-1.7.2.6"> <t indent="0" pn="section-toc.1-1.7.2.6.1"><xref derivedContent="7.6" format="counter" sectionFormat="of" target="section-7.6"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-implementation-attacks">Implementation Attacks</xref></t> </li> <li pn="section-toc.1-1.7.2.7"> <t indent="0" pn="section-toc.1-1.7.2.7.1"><xref derivedContent="7.7" format="counter" sectionFormat="of" target="section-7.7"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-cross-algorithm-and-cross-p">Cross-Algorithm and Cross-Protocol Attacks</xref></t> </li> <li pn="section-toc.1-1.7.2.8"> <t indent="0" pn="section-toc.1-1.7.2.8.1"><xref derivedContent="7.8" format="counter" sectionFormat="of" target="section-7.8"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-public-key-validation">Public Key Validation</xref></t> </li> <li pn="section-toc.1-1.7.2.9"> <t indent="0" pn="section-toc.1-1.7.2.9.1"><xref derivedContent="7.9" format="counter" sectionFormat="of" target="section-7.9"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-correlating-registrations">Correlating Registrations</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.8"> <t indent="0" pn="section-toc.1-1.8.1"><xref derivedContent="8" format="counter" sectionFormat="of" target="section-8"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-iana-considerations">IANA Considerations</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.8.2"> <li pn="section-toc.1-1.8.2.1"> <t indent="0" pn="section-toc.1-1.8.2.1.1"><xref derivedContent="8.1" format="counter" sectionFormat="of" target="section-8.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-cga-message-type">CGA Message Type</xref></t> </li> <li pn="section-toc.1-1.8.2.2"> <t indent="0" pn="section-toc.1-1.8.2.2.1"><xref derivedContent="8.2" format="counter" sectionFormat="of" target="section-8.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-crypto-type-subregistry">Crypto-Type Subregistry</xref></t> </li> <li pn="section-toc.1-1.8.2.3"> <t indent="0" pn="section-toc.1-1.8.2.3.1"><xref derivedContent="8.3" format="counter" sectionFormat="of" target="section-8.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-ipv6-nd-option-types">IPv6 ND Option Types</xref></t> </li> <li pn="section-toc.1-1.8.2.4"> <t indent="0" pn="section-toc.1-1.8.2.4.1"><xref derivedContent="8.4" format="counter" sectionFormat="of" target="section-8.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-new-6lowpan-capability-bit">New 6LoWPAN Capability Bit</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.9"> <t indent="0" pn="section-toc.1-1.9.1"><xref derivedContent="9" format="counter" sectionFormat="of" target="section-9"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-references">References</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.9.2"> <li pn="section-toc.1-1.9.2.1"> <t indent="0" pn="section-toc.1-1.9.2.1.1"><xref derivedContent="9.1" format="counter" sectionFormat="of" target="section-9.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-normative-references">Normative References</xref></t> </li> <li pn="section-toc.1-1.9.2.2"> <t indent="0" pn="section-toc.1-1.9.2.2.1"><xref derivedContent="9.2" format="counter" sectionFormat="of" target="section-9.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-informative-references">Informative References</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.10"> <t indent="0" pn="section-toc.1-1.10.1"><xref derivedContent="Appendix A" format="default" sectionFormat="of" target="section-appendix.a"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-requirements-addressed-in-t">Requirements Addressed in This Document</xref></t> </li> <li pn="section-toc.1-1.11"> <t indent="0" pn="section-toc.1-1.11.1"><xref derivedContent="Appendix B" format="default" sectionFormat="of" target="section-appendix.b"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-representation-conventions">Representation Conventions</xref></t> <ul bare="true" empty="true" indent="2" spacing="compact" pn="section-toc.1-1.11.2"> <li pn="section-toc.1-1.11.2.1"> <t indent="0" pn="section-toc.1-1.11.2.1.1"><xref derivedContent="B.1" format="counter" sectionFormat="of" target="section-b.1"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-signature-schemes">Signature Schemes</xref></t> </li> <li pn="section-toc.1-1.11.2.2"> <t indent="0" pn="section-toc.1-1.11.2.2.1"><xref derivedContent="B.2" format="counter" sectionFormat="of" target="section-b.2"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-representation-of-ecdsa-sig">Representation of ECDSA Signatures</xref></t> </li> <li pn="section-toc.1-1.11.2.3"> <t indent="0" pn="section-toc.1-1.11.2.3.1"><xref derivedContent="B.3" format="counter" sectionFormat="of" target="section-b.3"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-representation-of-public-ke">Representation of Public Keys Used with ECDSA</xref></t> </li> <li pn="section-toc.1-1.11.2.4"> <t indent="0" pn="section-toc.1-1.11.2.4.1"><xref derivedContent="B.4" format="counter" sectionFormat="of" target="section-b.4"/>. <xref derivedContent="" format="title" sectionFormat="of" target="name-alternative-representations">Alternative Representations of Curve25519</xref></t> </li> <li pn="section-toc.1-1.11.2.5"> <t indent="0" pn="section-toc.1-1.11.2.5.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-b.5"/><xref derivedContent="" format="title" sectionFormat="of" target="name-acknowledgments">Acknowledgments</xref></t> </li> </ul> </li> <li pn="section-toc.1-1.12"> <t indent="0" pn="section-toc.1-1.12.1"><xref derivedContent="" format="none" sectionFormat="of" target="section-appendix.c"/><xref derivedContent="" format="title" sectionFormat="of" target="name-authors-addresses">Authors' Addresses</xref></t> </li> </ul> </section> </toc> </front> <middle><section><name>Introduction</name> <t><section numbered="true" removeInRFC="false" toc="include" pn="section-1"> <name slugifiedName="name-introduction">Introduction</name> <t indent="0" pn="section-1-1"> Neighbor DiscoveryOptimizationsoptimizations for 6LoWPAN networks<xref target='RFC6775'/> (6LoWPAN(aka 6LoWPAN ND) <xref target="RFC6775" format="default" sectionFormat="of" derivedContent="RFC6775"/> adapts the original IPv6 Neighbor Discovery(IPv6 ND)protocols defined in <xreftarget='RFC4861'/>target="RFC4861" format="default" sectionFormat="of" derivedContent="RFC4861"/> and <xreftarget='RFC4862'/>target="RFC4862" format="default" sectionFormat="of" derivedContent="RFC4862"/> for constrainedlow-powerLow-Power andlossy network (LLN).Lossy Networks (LLNs). In particular, 6LoWPAN ND introduces a unicast host Address Registration mechanism that reduces the use of multicast compared to the Duplicate Address Detection (DAD) mechanism defined in IPv6 ND. 6LoWPAN ND defines a new Address Registration Option (ARO) that is carried in the unicast Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages exchanged between a 6LoWPAN Node (6LN) and a 6LoWPAN Router (6LR). It also defines the Duplicate Address Request (DAR) and Duplicate Address Confirmation (DAC) messages between the 6LR and the 6LoWPAN Border Router (6LBR). InLLN networks,LLNs, the 6LBR is the central repository of all theregistered addressesRegistered Addresses in its domain. </t><t><t indent="0" pn="section-1-2"> The registration mechanism in<xref target='RFC6775'>"Neighbor"Neighbor Discovery Optimization forLow-power and Lossy Networks"</xref> (aka 6LoWPAN ND)IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)" <xref target="RFC6775" format="default" sectionFormat="of" derivedContent="RFC6775"/> prevents the use of an address if that address is already registered in the subnet (firstcomecome, firstserve).served). In order to validate address ownership,the registration mechanism"Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery" <xref target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> defines a Registration Ownership Verifier (ROVR) field. <xref target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> enablesthea 6LR and 6LBR to validate the association between theregistered addressRegistered Address of anode,node and itsRegistration Ownership Verifier (ROVR).ROVR. The ROVRis defined in <xref target='RFC8505'>"Registration Extensions for 6LoWPAN Neighbor Discovery"</xref> and itcan be derived from theMAClink-layer address of the device (using the 64-bit Extended Unique IdentifierEUI-64(EUI-64) address format specified by IEEE). However, the EUI-64 can bespoofed, andspoofed; therefore, any node connected to the subnet and aware of a registered-address-to-ROVR mapping could effectively fake the ROVR. This would allow an attacker to steal the address and redirect traffic for that address. <xreftarget='RFC8505'/>target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> defines an Extended Address Registration Option (EARO)optionthat transports alternate forms ofROVRs,ROVRs and is apre-requisiteprerequisite for this specification. </t><t><t indent="0" pn="section-1-3"> In this specification, a 6LN generates a cryptographicIDidentifier (Crypto-ID) and places it in the ROVR field during the registration of one (or more) of its addresses with the 6LR(s). Proof of ownership of the Crypto-ID is passed with the first registration exchange to a new6LR,6LR and enforced at the 6LR. The 6LR validates ownership of thecryptographic IDCrypto-ID before it creates any new registrationstate,state or changes existing information. </t><t><t indent="0" pn="section-1-4"> The protected address registration protocol proposed in this document provides the same conceptual benefit as Source Address Validation Improvement (SAVI) <xreftarget='RFC7039'/>target="RFC7039" format="default" sectionFormat="of" derivedContent="RFC7039"/> in that only the owner of an IPv6 address may source packets with that address. As opposed to <xreftarget='RFC7039'/>,target="RFC7039" format="default" sectionFormat="of" derivedContent="RFC7039"/>, which relies on snooping protocols, the protection provided by this document is based on a state that is installed and maintained in the network by the owner of the address. With this specification, a 6LN may use a 6LR for forwarding an IPv6packetspacket if and only if it has registered the address used as the source of the packet with that 6LR.<!--, and a first-hop 6LR that is configured to enforce this rule MUST discard a packet that is not originated from the 6LN that registered the IPv6 source address of the packet. --></t><t><t indent="0" pn="section-1-5"> With the6lo6LoWPAN adaptation layer in <xreftarget='RFC4944'/>target="RFC4944" format="default" sectionFormat="of" derivedContent="RFC4944"/> and <xreftarget='RFC6282'/>,target="RFC6282" format="default" sectionFormat="of" derivedContent="RFC6282"/>, a 6LN can obtainabetter compression for an IPv6 address with an Interface ID (IID) that is derived from aLayer-2Layer 2 (L2) address.As a side note, thisSuch compression is incompatible withSecure"SEcure Neighbor Discovery(SeND)(SEND") <xreftarget='RFC3971'/>target="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/> andCryptographically"Cryptographically Generated Addresses(CGAs)(CGAs)" <xreftarget='RFC3972'/>,target="RFC3972" format="default" sectionFormat="of" derivedContent="RFC3972"/>, since they derive the IID from cryptographickeys, whereas this specificationkeys. This specification, on the other hand, separates the IID generation from cryptographic computations andthe key material.can enable better compression. </t> </section><section><name>Terminology</name><sectionanchor='bcp'><name>BCP 14</name> <t>numbered="true" removeInRFC="false" toc="include" pn="section-2"> <name slugifiedName="name-terminology">Terminology</name> <section anchor="bcp" numbered="true" removeInRFC="false" toc="include" pn="section-2.1"> <name slugifiedName="name-requirements-language">Requirements Language</name> <t indent="0" pn="section-2.1-1"> The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14 <xref target='RFC2119'/>BCP 14 <xreftarget='RFC8174'/>target="RFC2119" format="default" sectionFormat="of" derivedContent="RFC2119"/> <xref target="RFC8174" format="default" sectionFormat="of" derivedContent="RFC8174"/> when, and only when, they appear in all capitals, as shown here. </t> </section><!-- end section "BCP 14" --><sectionanchor='lo' ><name>Additional References</name> <t>anchor="lo" numbered="true" removeInRFC="false" toc="include" pn="section-2.2"> <name slugifiedName="name-background">Background</name> <t indent="0" pn="section-2.2-1"> The reader may get additional context for this specification from the following references:</t><ul spacing='compact'> <li> <xref target='RFC3971'>"SEcure</t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-2.2-2"> <li pn="section-2.2-2.1"> "SEcure Neighbor Discovery(SEND)"</xref>,</li> <li>(SEND)" <xreftarget='RFC3972'>"Cryptographicallytarget="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/>,</li> <li pn="section-2.2-2.2"> "Cryptographically Generated Addresses(CGA)"</xref>,</li> <li><xref target='RFC4861'>"Neighbor(CGA)" <xref target="RFC3972" format="default" sectionFormat="of" derivedContent="RFC3972"/>,</li> <li pn="section-2.2-2.3"> "Neighbor Discovery for IP version6"</xref>6 (IPv6)" <xref target="RFC4861" format="default" sectionFormat="of" derivedContent="RFC4861"/> ,</li><li><xref target='RFC4862'>"IPv6<li pn="section-2.2-2.4"> "IPv6 Stateless AddressAutoconfiguration"</xref>,Autoconfiguration" <xref target="RFC4862" format="default" sectionFormat="of" derivedContent="RFC4862"/>, and </li><li><xref target='RFC4919'>"IPv6<li pn="section-2.2-2.5"> "IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement, andGoals "</xref>.</li>Goals" <xref target="RFC4919" format="default" sectionFormat="of" derivedContent="RFC4919"/>.</li> </ul> </section><!-- Additional References --><sectionanchor='acronyms'><name>Abbreviations</name> <t>anchor="acronyms" numbered="true" removeInRFC="false" toc="include" pn="section-2.3"> <name slugifiedName="name-abbreviations">Abbreviations</name> <t indent="0" pn="section-2.3-1"> This document uses the following abbreviations:</t><dl spacing='compact'> <dt>6BBR:</dt><dd></t> <dl spacing="compact" indent="10" newline="false" pn="section-2.3-2"> <dt pn="section-2.3-2.1">6BBR:</dt> <dd pn="section-2.3-2.2"> 6LoWPAN BackboneRouter </dd> <dt>6LBR:</dt><dd>Router</dd> <dt pn="section-2.3-2.3">6LBR:</dt> <dd pn="section-2.3-2.4"> 6LoWPAN BorderRouter </dd> <dt>6LN:</dt><dd>Router</dd> <dt pn="section-2.3-2.5">6LN:</dt> <dd pn="section-2.3-2.6"> 6LoWPANNode </dd> <dt>6LR:</dt><dd>6LoWPAN Router </dd> <dt>CGA:</dt><dd>CryptographicallyNode</dd> <dt pn="section-2.3-2.7">6LR:</dt> <dd pn="section-2.3-2.8"> 6LoWPAN Router</dd> <dt pn="section-2.3-2.9">AP-ND:</dt> <dd pn="section-2.3-2.10"> Address-Protected Neighbor Discovery</dd> <dt pn="section-2.3-2.11">CGA:</dt> <dd pn="section-2.3-2.12"> Cryptographically Generated Address</dd><dt>EARO:</dt><dd><dt pn="section-2.3-2.13">DAD:</dt> <dd pn="section-2.3-2.14"> Duplicate Address Detection</dd> <dt pn="section-2.3-2.15">EARO:</dt> <dd pn="section-2.3-2.16"> Extended Address Registration Option</dd><dt>ECDH:</dt><dd><dt pn="section-2.3-2.17">ECC:</dt> <dd pn="section-2.3-2.18"> Ellipticcurve Diffie–Hellman</dd> <dt>ECDSA:</dt><dd>Curve Cryptography</dd> <dt pn="section-2.3-2.19">ECDH:</dt> <dd pn="section-2.3-2.20"> Elliptic Curve Diffie-Hellman</dd> <dt pn="section-2.3-2.21">ECDSA:</dt> <dd pn="section-2.3-2.22"> Elliptic Curve Digital Signature Algorithm</dd><dt>CIPO:</dt><dd>Crypto-ID<dt pn="section-2.3-2.23">EDAC:</dt> <dd pn="section-2.3-2.24"> Extended Duplicate Address Confirmation</dd> <dt pn="section-2.3-2.25">EDAR:</dt> <dd pn="section-2.3-2.26"> Extended Duplicate Address Request </dd> <dt pn="section-2.3-2.27">CIPO:</dt> <dd pn="section-2.3-2.28">Crypto-ID Parameters Option</dd><dt>LLN:</dt><dd><dt pn="section-2.3-2.29">LLN:</dt> <dd pn="section-2.3-2.30"> Low-Power and LossyNetwork </dd> <dt>JSON:</dt><dd> JavaScript Object Notation</dd> <dt>JOSE:</dt><dd> JavaScript Object Signing and Encryption</dd> <dt>JWK:</dt><dd> JSON Web Key</dd> <dt>JWS:</dt><dd> JSON Web Signature</dd> <dt>NA:</dt><dd>Network</dd> <dt pn="section-2.3-2.31">NA:</dt> <dd pn="section-2.3-2.32"> Neighbor Advertisement </dd><dt>ND:</dt><dd><dt pn="section-2.3-2.33">ND:</dt> <dd pn="section-2.3-2.34"> Neighbor Discovery </dd><dt>NDP:</dt><dd><dt pn="section-2.3-2.35">NDP:</dt> <dd pn="section-2.3-2.36"> Neighbor Discovery Protocol </dd><dt>NDPSO:</dt><dd><dt pn="section-2.3-2.37">NDPSO:</dt> <dd pn="section-2.3-2.38"> Neighbor Discovery Protocol Signature Option</dd><dt>NS:</dt><dd><dt pn="section-2.3-2.39">NS:</dt> <dd pn="section-2.3-2.40"> Neighbor Solicitation </dd><dt>ROVR:</dt><dd><dt pn="section-2.3-2.41">ROVR:</dt> <dd pn="section-2.3-2.42"> Registration Ownership Verifier </dd><dt>RA:</dt><dd><dt pn="section-2.3-2.43">RA:</dt> <dd pn="section-2.3-2.44"> Router Advertisement </dd><dt>RS:</dt><dd><dt pn="section-2.3-2.45">RS:</dt> <dd pn="section-2.3-2.46"> Router Solicitation </dd><dt>RSAO:</dt><dd><dt pn="section-2.3-2.47">RSAO:</dt> <dd pn="section-2.3-2.48"> RSA Signature Option</dd><dt>SHA:</dt><dd><dt pn="section-2.3-2.49">SHA:</dt> <dd pn="section-2.3-2.50"> Secure Hash Algorithm</dd><dt>SLAAC:</dt><dd><dt pn="section-2.3-2.51">SLAAC:</dt> <dd pn="section-2.3-2.52"> Stateless Address Autoconfiguration</dd><dt>TID:</dt><dd><dt pn="section-2.3-2.53">TID:</dt> <dd pn="section-2.3-2.54"> Transaction ID </dd></dl><t> </t></dl> </section> </section><!-- end section "Acronym Definitions" --> </section> <!-- end section "Terminology" --> <section><name>Updating<section numbered="true" removeInRFC="false" toc="include" pn="section-3"> <name slugifiedName="name-updating-rfc-8505">Updating RFC 8505</name><t> Section 5.3 of <xref target='RFC8505'/><t indent="0" pn="section-3-1"> <xref target="RFC8505" sectionFormat="of" section="5.3" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8505#section-5.3" derivedContent="RFC8505"/> introduces the ROVR that is used to detect and reject duplicate registrations in the DAD process. The ROVR is a generic object that is designed for both backward compatibility and the capability to introduce new computation methods in the future. Using a Crypto-ID per this specification is theRECOMMENDED<bcp14>RECOMMENDED</bcp14> method. <xreftarget='sec-col'/>target="sec-col" format="default" sectionFormat="of" derivedContent="Section 7.5"/> discusses collisions when heterogeneous methods to compute the ROVR field coexist inside asamenetwork. </t><t><t indent="0" pn="section-3-2"> This specification introduces a newtokenidentifier called acryptographic identifier (Crypto-ID)Crypto-ID that is transported in the ROVR field and used toproveindirectly prove the ownership of an address that is being registered by means of <xreftarget='RFC8505'/>.target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. The Crypto-ID is derived from a cryptographic public key and additional parameters. </t><t><t indent="0" pn="section-3-3"> The overall mechanism requires the support of Elliptic Curve Cryptography (ECC) andofa hash function as detailed in <xreftarget='ndpso-generation'/>.target="ndpso-generation" format="default" sectionFormat="of" derivedContent="Section 6.2"/>. To enable the verification of the proof, theregistering nodeRegistering Node needs to supply certain parameters including a nonce and a signature that will demonstrate that the node possesses theprivate-keyprivate key corresponding to thepublic-keypublic key used to build the Crypto-ID. </t><t><t indent="0" pn="section-3-4"> The elliptic curves and the hash functions listed in <xreftarget='cryptotypetable'/>target="cryptotypetable" format="default" sectionFormat="of" derivedContent="Table 1"/> in <xreftarget='cryptotypereg'/>target="cryptotypereg" format="default" sectionFormat="of" derivedContent="Section 8.2"/> can be used with this specification; more may be added in the future to the corresponding IANA registry. Thesignature scheme that specifies which combination iscryptographic algorithms used (including the curve and the representation conventions)isare signaled byathe Crypto-Type field in a new IPv6 ND Crypto-ID Parameters Option(CIPO, see(CIPO) (see <xreftarget='cryptoidopt'/>)target="cryptoidopt" format="default" sectionFormat="of" derivedContent="Section 4.3"/>) that contains the parameters that are necessary forthe proof, a Nonce option (<xref target='RFC3971'/>) and aaddress validation. A new NDP SignatureoptionOption (<xreftarget='ndpso'/>). The NA(EARO)target="ndpso" format="default" sectionFormat="of" derivedContent="Section 4.4"/>) ismodifiedalso specified in this document toenable a challenge and transport a Nonce option. </t> <!--t> In order to avoidcarry theneed for new ND option types, this specification reuses and extends options defined in SEND <xref target="RFC3971"/> and 6LoWPAN ND <xref target="RFC6775"/>resulting signature. A Nonce Option <xreftarget="RFC8505"/>. This appliestarget="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/> is added in the NA(EARO) that is used to request theCGA optionvalidation, andthe RSA Signature Option. This specification provides aliases for the specific variations of thoseall three optionsas used in this document. The presence of the EARO optionare needed in theNS/NA messages indicatesNS(EARO) that provides theoptions are to be processed as specified in this document, and not as defined in SEND <xref target="RFC3971"/>. </t-->validation. </t> </section> <sectionanchor='cryptoifldg'><name>Newanchor="cryptoifldg" numbered="true" removeInRFC="false" toc="include" pn="section-4"> <name slugifiedName="name-new-fields-and-options">New Fields and Options</name> <sectionanchor='cryptoidalg'><name>Newanchor="cryptoidalg" numbered="true" removeInRFC="false" toc="include" pn="section-4.1"> <name slugifiedName="name-new-crypto-id">New Crypto-ID</name><t><t indent="0" pn="section-4.1-1"> The Crypto-ID is transported in the ROVR field of the EAROoptionand theEDAR message,Extended Duplicate Address Request (EDAR) message and is associated with the Registered Address at the 6LR and the 6LBR. The ownership of a Crypto-ID can be demonstrated by cryptographic mechanisms, and by association, the ownership of the Registered Address can be ascertained.</t><t></t> <t indent="0" pn="section-4.1-2"> A node in possession of the necessary cryptographic primitivesSHOULD<bcp14>SHOULD</bcp14> use Crypto-ID by default as ROVR in its registrations. Whether a ROVR is a Crypto-ID is indicated by a new "C" flag in the EARO of the NS(EARO) message. </t><t><t indent="0" pn="section-4.1-3"> The Crypto-ID is derived from the public key and a modifier as follows:</t><ol spacing='compact'> <li>The</t> <ol spacing="normal" indent="adaptive" start="1" type="1" pn="section-4.1-4"> <li pn="section-4.1-4.1" derivedCounter="1.">The hash function used internally by the signature scheme and indicated by the Crypto-Type (seealso<xreftarget='cryptotypetable'/>target="cryptotypetable" format="default" sectionFormat="of" derivedContent="Table 1"/> in <xreftarget='cryptotypereg'/>)target="cryptotypereg" format="default" sectionFormat="of" derivedContent="Section 8.2"/>) is applied to the CIPO. Note that all the reserved and padding bitsMUST<bcp14>MUST</bcp14> be set to zero. </li><li><li pn="section-4.1-4.2" derivedCounter="2."> The leftmost bits of the resulting hash, up to the desired size, are used as the Crypto-ID. </li></ol><t></ol> <t indent="0" pn="section-4.1-5"> At the time of this writing, a minimal size for the Crypto-ID of 128 bits isRECOMMENDED<bcp14>RECOMMENDED</bcp14> unless backward compatibility is needed <xreftarget='RFC8505'/>. This valuetarget="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> (in which case it isboundat least 64 bits). The size of the Crypto-ID is likely toaugmentincrease in the future. </t> </section> <sectionanchor='cryptoEARO'><name>Updatedanchor="cryptoEARO" numbered="true" removeInRFC="false" toc="include" pn="section-4.2"> <name slugifiedName="name-updated-earo">Updated EARO</name><t><t indent="0" pn="section-4.2-1"> This specification updates the EAROoptionto enable the use of the ROVR field to transport the Crypto-ID. The resulting format is as follows: </t> <figureanchor='crypto-fig'><name>Enhancedanchor="crypto-fig" align="left" suppress-title="false" pn="figure-1"> <name slugifiedName="name-enhanced-address-registrati">Enhanced Address Registration Option</name><artwork><artwork align="left" pn="section-4.2-2.1"> 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Status | Opaque | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Rsvd |C| I |R|T| TID | Registration Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ... Registration Ownership Verifier (ROVR) ... | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork> </figure><t> </t><dl spacing='normal'> <dt>Type:</dt><dd><dl spacing="normal" indent="3" newline="false" pn="section-4.2-3"> <dt pn="section-4.2-3.1">Type:</dt> <dd pn="section-4.2-3.2"> 33 </dd><dt>Length:</dt><dd><dt pn="section-4.2-3.3">Length:</dt> <dd pn="section-4.2-3.4"> Defined in <xreftarget='RFC8505'/>target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> and copied in the "EARO Length" field in the associated CIPO. </dd><dt>Status:</dt><dd><dt pn="section-4.2-3.5">Status:</dt> <dd pn="section-4.2-3.6"> Defined in <xreftarget='RFC8505'/>. </dd> <dt>Opaque:</dt><dd>target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. </dd> <dt pn="section-4.2-3.7">Opaque:</dt> <dd pn="section-4.2-3.8"> Defined in <xreftarget='RFC8505'/>. </dd> <dt>Rsvd (Reserved):</dt><dd>3-bittarget="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. </dd> <dt pn="section-4.2-3.9">Rsvd (Reserved):</dt> <dd pn="section-4.2-3.10">3-bit unsigned integer. ItMUST<bcp14>MUST</bcp14> be set to zero by the sender andMUST<bcp14>MUST</bcp14> be ignored by the receiver. </dd><dt>C:</dt><dd><dt pn="section-4.2-3.11">C:</dt> <dd pn="section-4.2-3.12"> This "C" flag is set to indicate that the ROVR field contains a Crypto-ID and that the 6LNMAY<bcp14>MAY</bcp14> be challenged for ownership as specified in this document. </dd><dt>I,<dt pn="section-4.2-3.13">I, R,T:</dt><dd>T:</dt> <dd pn="section-4.2-3.14"> Defined in <xreftarget='RFC8505'/>.target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. </dd><dt>TID:</dt><dd><dt pn="section-4.2-3.15">TID and Registration Lifetime:</dt> <dd pn="section-4.2-3.16"> Defined in <xreftarget='RFC8505'/>.target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. </dd><dt>Registration<dt pn="section-4.2-3.17">Registration Ownership Verifier(ROVR):</dt><dd>(ROVR):</dt> <dd pn="section-4.2-3.18"> When the "C" flag is set, this field contains a Crypto-ID. </dd> </dl><t><t indent="0" pn="section-4.2-4"> This specification usesStatus valuesthe status codes "Validation Requested" and "Validation Failed", which are defined in <xreftarget='RFC8505'/>. </t><t> thistarget="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. </t> <t indent="0" pn="section-4.2-5"> This specification does not define any newStatus value.status codes. </t> </section> <sectionanchor='cryptoidopt'><name>Crypto-IDanchor="cryptoidopt" numbered="true" removeInRFC="false" toc="include" pn="section-4.3"> <name slugifiedName="name-crypto-id-parameters-option">Crypto-ID Parameters Option</name><t><t indent="0" pn="section-4.3-1"> This specification defines theCrypto-ID Parameters Option (CIPO).CIPO. The CIPO carries the parameters used to form aCrypto-ID. </t> <t>Crypto-ID.</t> <t indent="0" pn="section-4.3-2"> In order to provide cryptographic agility <xreftarget='RFC7696'/>,target="RFC7696" format="default" sectionFormat="of" derivedContent="BCP201"/>, this specification supports differentelliptic-curve basedelliptic-curve-based signature schemes, indicated by a Crypto-Type field: </t><ul> <li><ul bare="false" empty="false" indent="3" spacing="normal" pn="section-4.3-3"> <li pn="section-4.3-3.1"> The ECDSA256 signature scheme, which uses ECDSA with the NIST P-256 curve <xreftarget='FIPS186-4'/>target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/> and the hash function SHA-256 <xreftarget="RFC6234"></xref>target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/> internally,MUST<bcp14>MUST</bcp14> be supported by all implementations. </li><li><li pn="section-4.3-3.2"> The Ed25519 signature scheme, which uses the Pure Edwards-Curve Digital Signature Algorithm (PureEdDSA) <xreftarget='RFC8032'/>target="RFC8032" format="default" sectionFormat="of" derivedContent="RFC8032"/> with the twisted Edwards curve Edwards25519 <xreftarget="RFC7748"></xref>target="RFC7748" format="default" sectionFormat="of" derivedContent="RFC7748"/> and the hash function SHA-512 <xreftarget="RFC6234"></xref>target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/> internally,MAY<bcp14>MAY</bcp14> be supported as an alternative. </li><li><li pn="section-4.3-3.3"> The ECDSA25519 signature scheme, which uses ECDSA <xreftarget='FIPS186-4'/>target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/> with the Weierstrass curve Wei25519 (see <xreftarget="curves"></xref>)target="curves" format="default" sectionFormat="of" derivedContent="Appendix B.4"/>) and the hash function SHA-256 <xreftarget="RFC6234"></xref>target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/> internally,MAY<bcp14>MAY</bcp14> also be supported. </li> </ul><t><t indent="0" pn="section-4.3-4"> This specification uses signature schemes that target similar cryptographic strength but rely on different curves, hash functions, signature algorithms, and/or representation conventions. Future specification may extend this to different cryptographic algorithms and key sizes, e.g., to provide better security properties or a simpler implementation. </t> <figureanchor='cgapar-fig'><name>Crypto-IDanchor="cgapar-fig" align="left" suppress-title="false" pn="figure-2"> <name slugifiedName="name-crypto-id-parameters-option-2">Crypto-ID Parameters Option</name><artwork><artwork align="left" pn="section-4.3-5.1"> 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length |Reserved1| Public Key Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Crypto-Type | Modifier | EARO Length | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ + | | . . . Public Key (variable length) . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . Padding . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork> </figure><t> </t><dl spacing='normal'> <dt>Type:</dt><dd><dl spacing="normal" indent="3" newline="false" pn="section-4.3-6"> <dt pn="section-4.3-6.1">Type:</dt> <dd pn="section-4.3-6.2"> 8-bit unsigned integer.to beIANA has assignedby IANA,value 39; see <xreftarget='nexndopt'/>. </dd> <dt>Length:</dt><dd>target="nexndopt" format="default" sectionFormat="of" derivedContent="Table 2"/>. </dd> <dt pn="section-4.3-6.3">Length:</dt> <dd pn="section-4.3-6.4"> 8-bit unsigned integer. The length of the option in units of 8 octets. </dd><dt>Reserved1:</dt><dd><dt pn="section-4.3-6.5">Reserved1:</dt> <dd pn="section-4.3-6.6"> 5-bit unsigned integer. ItMUST<bcp14>MUST</bcp14> be set to zero by the sender andMUST<bcp14>MUST</bcp14> be ignored by the receiver. </dd><dt>Public<dt pn="section-4.3-6.7">Public KeyLength:</dt><dd>Length:</dt> <dd pn="section-4.3-6.8"> 11-bit unsigned integer. The length of the Public Key field in bytes. The actual length depends on the Crypto-Type value andonhow the public key is represented. The valid values with this document are provided in <xreftarget ="cryptotypetable"/>. </dd> <dt>Crypto-Type:</dt><dd>8-bittarget="cryptotypetable" format="default" sectionFormat="of" derivedContent="Table 1"/>. </dd> <dt pn="section-4.3-6.9">Crypto-Type:</dt> <dd pn="section-4.3-6.10">8-bit unsigned integer. The type of cryptographic algorithm used in calculation of the Crypto-ID indexed by IANA in the"Crypto-Type Subregistry""Crypto-Types" subregistry in the "Internet Control Message Protocol version 6 (ICMPv6) Parameters" registry (see <xreftarget='cryptotypereg'/>). </dd> <dt>Modifier:</dt><dd>target="cryptotypereg" format="default" sectionFormat="of" derivedContent="Section 8.2"/>). </dd> <dt pn="section-4.3-6.11">Modifier:</dt> <dd pn="section-4.3-6.12"> 8-bit unsigned integer. Set to an arbitrary value by the creator of the Crypto-ID. The role of the modifier is to enable the formation of multiple Crypto-IDs fromathe same keypair, whichpair. This reduces the traceabilityand thusand, thus, improves the privacy of a constrained nodethat could not maintainwithout requiring manykey-pairs.key pairs. </dd><dt>EARO Length:</dt><dd><dt pn="section-4.3-6.13">EARO Length:</dt> <dd pn="section-4.3-6.14"> 8-bit unsigned integer. The option length of the EARO that contains the Crypto-ID associated with the CIPO. </dd><dt>Public Key:</dt><dd><dt pn="section-4.3-6.15">Public Key:</dt> <dd pn="section-4.3-6.16"> A variable-lengthfield,field; the size is indicated in the Public Key Length field. </dd><dt>Padding:</dt><dd><dt pn="section-4.3-6.17">Padding:</dt> <dd pn="section-4.3-6.18"> A variable-length fieldcompletingthat completes the Public Key field to align to the next8-bytes8-byte boundary. ItMUST<bcp14>MUST</bcp14> be set to zero by the sender andMUST<bcp14>MUST</bcp14> be ignored by the receiver. </dd></dl><t> </t> <t></dl> <t indent="0" pn="section-4.3-7"> The implementation of multiple hash functions in a constrained device may consume excessive amounts of program memory. This specification enables the use of the same hash function SHA-256 <xreftarget='RFC6234'/>target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/> for two of the three supported ECC-based signature schemes. Some code factorization is also possible for the ECC computation itself. </t><t><t indent="0" pn="section-4.3-8"> <xreftarget='I-D.ietf-lwig-curve-representations'/>target="I-D.ietf-lwig-curve-representations" format="default" sectionFormat="of" derivedContent="CURVE-REPR"/> provides information on how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrassformform, and it illustrates how this can be used to implement elliptic curve computations using existing implementations that already provide, e.g., ECDSA and ECDH using NIST <xreftarget='FIPS186-4'/>target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/> prime curves. For more details on representation conventions,werefer to <xreftarget='reprconv'/>.</t>target="reprconv" format="default" sectionFormat="of" derivedContent="Appendix B"/>.</t> </section> <sectionanchor='ndpso'><name>NDPanchor="ndpso" numbered="true" removeInRFC="false" toc="include" pn="section-4.4"> <name slugifiedName="name-ndp-signature-option">NDP Signature Option</name><t><t indent="0" pn="section-4.4-1"> This specification defines the NDP Signature Option (NDPSO). The NDPSO carries the signature that proves the ownership of theCrypto-ID.Crypto-ID and validates the address being registered. The format of the NDPSO is illustrated in <xreftarget='ndpso-fig'/>. </t> <t>target="ndpso-fig" format="default" sectionFormat="of" derivedContent="Figure 3"/>. </t> <t indent="0" pn="section-4.4-2"> As opposed to the RSA Signature Option (RSAO) defined insection 5.2. of<xreftarget='RFC3971'>SEND</xref>,target="RFC3971" sectionFormat="of" section="5.2" format="default" derivedLink="https://rfc-editor.org/rfc/rfc3971#section-5.2" derivedContent="RFC3971">SEND</xref>, the NDPSO does not have a key hash field. Instead, the leftmost 128 bits of the ROVR field in the EARO are used as hash to retrieve the CIPO that contains the key material used for signature verification, left-padded if needed. </t><t><t indent="0" pn="section-4.4-3"> Another difference is that the NDPSO signs a fixed set of fields as opposed to all options that appear prior to it in the ND message that bears the signature. This allowsto elidea CIPO that the 6LR alreadyreceived,received to be omitted, at the expense of the capability to add arbitrary options that would be signed withaan RSAO. </t><t><t indent="0" pn="section-4.4-4"> An ND message that carries an NDPSOMUST<bcp14>MUST</bcp14> have one and only one EARO. The EAROMUST<bcp14>MUST</bcp14> contain a Crypto-ID in the ROVR field, and the Crypto-IDMUST<bcp14>MUST</bcp14> be associated with thekeypairkey pair used for theDigital Signaturedigital signature in the NDPSO. </t><t><t indent="0" pn="section-4.4-5"> The CIPO may be present in the same message as the NDPSO. If it is not present, it can be found in an abstract table that was created by a previous message and indexed by the hash. </t> <figureanchor='ndpso-fig'><name>NDP signatureanchor="ndpso-fig" align="left" suppress-title="false" pn="figure-3"> <name slugifiedName="name-ndp-signature-option-2">NDP Signature Option</name><artwork><artwork align="left" pn="section-4.4-6.1"> 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length |Reserved1| Signature Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved2 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . . . Digital Signature (variable length) . . . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | . Padding . | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ </artwork> </figure><t> </t><dl spacing='normal'> <dt>Type:</dt><dd> to be<dl spacing="normal" indent="3" newline="false" pn="section-4.4-7"> <dt pn="section-4.4-7.1">Type:</dt> <dd pn="section-4.4-7.2"> IANA has assignedby IANA,value 40; see <xreftarget='nexndopt'/>. </dd> <dt>Length:</dt><dd>target="nexndopt" format="default" sectionFormat="of" derivedContent="Table 2"/>. </dd> <dt pn="section-4.4-7.3">Length:</dt> <dd pn="section-4.4-7.4"> 8-bit unsigned integer. The length of the option in units of 8 octets. </dd><dt>Reserved1:</dt><dd><dt pn="section-4.4-7.5">Reserved1:</dt> <dd pn="section-4.4-7.6"> 5-bit unsigned integer. ItMUST<bcp14>MUST</bcp14> be set to zero by the sender andMUST<bcp14>MUST</bcp14> be ignored by the receiver. </dd><dt>Digital<dt pn="section-4.4-7.7">Digital SignatureLength:</dt><dd>Length:</dt> <dd pn="section-4.4-7.8"> 11-bit unsigned integer. The length of the Digital Signature field in bytes. </dd><dt>Reserved2:</dt><dd><dt pn="section-4.4-7.9">Reserved2:</dt> <dd pn="section-4.4-7.10"> 32-bit unsigned integer. ItMUST<bcp14>MUST</bcp14> be set to zero by the sender andMUST<bcp14>MUST</bcp14> be ignored by the receiver. </dd><dt>Digital Signature:</dt><dd><dt pn="section-4.4-7.11">Digital Signature:</dt> <dd pn="section-4.4-7.12"> A variable-length field containing the digital signature. The length and computation of the digital signature both depend on theCrypto-TypeCrypto-Type, which is found in the associatedCIPO,CIPO; see <xreftarget='reprconv'/>.target="reprconv" format="default" sectionFormat="of" derivedContent="Appendix B"/>. For the values of the Crypto-Type defined in this specification, and for future values of the Crypto-Type unless specified otherwise, the signature is computed as detailed in <xreftarget='ndpso-generation'/>. </dd> <dt>Padding:</dt><dd>target="ndpso-generation" format="default" sectionFormat="of" derivedContent="Section 6.2"/>. </dd> <dt pn="section-4.4-7.13">Padding:</dt> <dd pn="section-4.4-7.14"> A variable-length field completing the Digital Signature field to align to the next8-bytes8-byte boundary. ItMUST<bcp14>MUST</bcp14> be set to zero by the sender andMUST<bcp14>MUST</bcp14> be ignored by the receiver. </dd></dl><t> </t></dl> </section> <sectionanchor='CIO'> <name>Extensionsanchor="CIO" numbered="true" removeInRFC="false" toc="include" pn="section-4.5"> <name slugifiedName="name-extensions-to-the-capabilit">Extensions to the Capability Indication Option</name><t><t indent="0" pn="section-4.5-1"> This specification defines one new capabilitybitsbit in the6CIO,6LoWPAN Capability Indication Option (6CIO), as defined by <xreftarget="RFC7400"/>target="RFC7400" format="default" sectionFormat="of" derivedContent="RFC7400"/>, for use by the 6LR and 6LBR in IPv6 ND RA messages. </t> <figureanchor='fig6CIO' title="Newanchor="fig6CIO" align="left" suppress-title="false" pn="figure-4"> <name slugifiedName="name-new-capability-bit-in-the-6">New Capability Bit in the6CIO"> <artwork> <![CDATA[6CIO</name> <artwork align="left" pn="section-4.5-2.1"> 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length = 1 | Reserved |A|D|L|B|P|E|G| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+]]></artwork></artwork> </figure><t><t indent="0" pn="section-4.5-3"> New Option Field:</t> <dlspacing='normal'> <dt>A:</dt><dd>spacing="normal" indent="3" newline="false" pn="section-4.5-4"> <dt pn="section-4.5-4.1">A:</dt> <dd pn="section-4.5-4.2"> 1-bit flag. Set to indicate that AP-ND is globally activated in the network. </dd> </dl><t><t indent="0" pn="section-4.5-5"> The "A" flag is set by the 6LBR that serves the network and is propagated by the 6LRs. It is typically turned on when all 6LRs are migrated to this specification. </t> </section><!--New 6LoWPAN Capability Bits in the Capability Indication Option --></section><section><name>Protocol<section numbered="true" removeInRFC="false" toc="include" pn="section-5"> <name slugifiedName="name-protocol-scope">Protocol Scope</name><t><t indent="0" pn="section-5-1"> The scope of the protocol specified here is a 6LoWPAN LLN, typically a stub network connected to a larger IP network via aBorder Routerborder router called a 6LBR per <xreftarget='RFC6775'/>.target="RFC6775" format="default" sectionFormat="of" derivedContent="RFC6775"/>. A 6LBR has sufficient capability to satisfy the needs ofduplicate address detection.DAD. </t><t><t indent="0" pn="section-5-2"> The 6LBR maintains registration state for all devices in its attached LLN. Together with the first-hop router (the 6LR), the 6LBR assures uniqueness and grants ownership of an IPv6 address before it can be used in the LLN. This is in contrast to a traditional network that relies on IPv6 addressauto-configurationautoconfiguration <xreftarget='RFC4862'/>,target="RFC4862" format="default" sectionFormat="of" derivedContent="RFC4862"/>, where there is no guarantee of ownership from the network, and each IPv6 Neighbor Discovery packet must be individually secured <xreftarget='RFC3971'/>.target="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/>. </t> <figureanchor='figco'><name>Basicanchor="figco" align="left" suppress-title="false" pn="figure-5"> <name slugifiedName="name-basic-configuration">Basic Configuration</name><artwork><![CDATA[<artwork align="left" pn="section-5-3.1"> ---+-------- ............ | External Network | +-----+ | | 6LBR +-----+ o o o o o o o o o LLN o o o o o o o o(6LR) ^ o o | LLN link o o v o(6LN) o]]></artwork></artwork> </figure><t><t indent="0" pn="section-5-4"> In a mesh network, the 6LR is directly connected to the host device. This specification mandates that the peer-wiselayer-2L2 security is deployed so that all the packets from a particular host aresecurely identifiable by the 6LR.protected. The 6LR may be multiple hops away from the 6LBR. Packets are routed between the 6LR and the 6LBR via other 6LRs. </t><t><t indent="0" pn="section-5-5"> This specification mandates that all the LLN links between the 6LR and the 6LBR are protected so that a packet that was validated by the first 6LR can be safely routed by other on-path 6LRs to the 6LBR. </t> </section><section><name>Protocol<section numbered="true" removeInRFC="false" toc="include" pn="section-6"> <name slugifiedName="name-protocol-flows">Protocol Flows</name><t><t indent="0" pn="section-6-1"> The 6LR/6LBR ensuresfirst-come/first-servefirst come, first served by storing the ROVR associated to the address being registered upon the first registration and rejecting a registration with a different ROVR value. A 6LN can claim any address as long as it is the first to make that claim. After a successful registration, the 6LN becomes the owner of theregistered addressRegistered Address, and the address is bound to the ROVR value in the 6LR/6LBR registry. </t><t><t indent="0" pn="section-6-2"> This specification protects the ownership of the address at the first hop (the edge). Its use in a network is signaled by the "A" flag in the 6CIO. The flag is set by the 6LBR and propagated unchanged by the 6LRs.TheOnce every node in the network is upgraded to support this specification, the "A" flagenablescan be set tomigrate a network withturn the protectionoff and then turn iton globally. </t><t><t indent="0" pn="section-6-3"> The 6LN places a cryptographictoken,identifier, the Crypto-ID, in the ROVR that is associated with the address at the first registration, enabling the 6LR to later challenge it to verify that it is the original Registering Node. The challenge may happen at any time at the discretion of the 6LR and the 6LBR. A valid registration in the 6LR or the 6LBRMUST NOT<bcp14>MUST NOT</bcp14> be altered until the challenge is complete. </t><t><t indent="0" pn="section-6-4"> When the "A" flag in a subnet ison,set, the 6LRMUST<bcp14>MUST</bcp14> challenge the 6LNwhenbefore it creates abindingBinding with the "C" flag set in theROVR andEARO. The 6LR <bcp14>MUST</bcp14> also challenge the 6LN when a new registration attempts to change a parameter of an already validated Binding for thatbinding that identifies the6LN, forinstanceinstance, its SourceLink-Layer Address. Thelink-layer address. Such verification protects againsta roguean attacker thatwouldattempts to stealanthe addressand attract its traffic, or useof an honest node. </t> <t indent="0" pn="section-6-5"> The 6LR <bcp14>MUST</bcp14> indicate to the 6LBR that itas source address.performed a successful validation by setting a status code of 5 ("Validation Requested") in the EDAR. Upon a subsequent EDAR from a new 6LR with a status code that is not 5 for a validated Binding, the 6LBR <bcp14>MUST</bcp14> indicate to the new 6LR that it needs to challenge the 6LN using a status code of 5 in the Extended Duplicate Address Confirmation (EDAC). </t><t><t indent="0" pn="section-6-6"> The 6LRMUST also<bcp14>MUST</bcp14> challenge the 6LNifwhen the 6LBRdirectlysignals to do so,usingwhich is done with an EDACMessagemessage with a"Validation Requested" status.status code of 5. TheEDAREDAC is echoed by the 6LR in theNA (EARO)NA(EARO) back to theregistering node.Registering Node. The 6LRSHOULD<bcp14>SHOULD</bcp14> also challenge all its attached 6LNs at the time the 6LBR turns the "A" flag on in the6CIO,6CIO in orders to detect an issue immediately. </t><t>If<t indent="0" pn="section-6-7">If the 6LR does not support the Crypto-Type, itMUST<bcp14>MUST</bcp14> reply with an EAROStatusstatus code of 10 "Validation Failed" without a challenge. In that case, the 6LN may try another Crypto-Type until it falls back to Crypto-Type0 that MUST0, which <bcp14>MUST</bcp14> be supported by all 6LRs. </t><t><t indent="0" pn="section-6-8"> A node may use more than one IPv6 address at the same time. The separation of the address and the cryptographic material avoids the need for the constrained device to compute multiple keys for multiple addresses. The 6LNMAY<bcp14>MAY</bcp14> use the same Crypto-ID to prove the ownership of multiple IPv6 addresses. The 6LNMAY<bcp14>MAY</bcp14> also derive multiple Crypto-IDs fromathe samekey.key pair by changing the modifier. </t> <sectionanchor='first'><name>Firstanchor="first" numbered="true" removeInRFC="false" toc="include" pn="section-6.1"> <name slugifiedName="name-first-exchange-with-a-6lr">First Exchange with a 6LR</name><t><t indent="0" pn="section-6.1-1"> A 6LN registers to a 6LR that is one hop away from it with the "C" flag set in the EARO, indicating that the ROVR field contains a Crypto-ID. The Target Address in the NS message indicates the IPv6 address that the 6LN is trying to register <xreftarget='RFC8505'/>.target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. The on-link (local) protocol interactions are shown in <xreftarget='Dynamic-fig'/>.target="Dynamic-fig" format="default" sectionFormat="of" derivedContent="Figure 6"/>. If the 6LR does not have a state with the 6LN that is consistent with the NS(EARO), then it replies with a challengeNA (EARO,NA(EARO, status=Validation Requested) that contains a Nonce Option (shown as NonceLR in <xreftarget='Dynamic-fig'/>).target="Dynamic-fig" format="default" sectionFormat="of" derivedContent="Figure 6"/>). </t> <figureanchor='Dynamic-fig' suppress-title='false'><name>On-linkanchor="Dynamic-fig" suppress-title="false" align="left" pn="figure-6"> <name slugifiedName="name-on-link-protocol-operation">On-Link Protocol Operation</name><artwork><![CDATA[<artwork align="left" pn="section-6.1-2.1"> 6LN 6LR | ||<-------------------------|<------------------------- RA -------------------------| | | ^ |---------------- NS with EARO (Crypto-ID)------------>|------------>| | | | option|<-|<- NA with EARO(status=Validation Requested), NonceLR | | | | v |------- NS with EARO, CIPO, NonceLN and NDPSO-------->|-------->| | ||<-------------------|<------------------- NA with EARO ---------------------| | | ... | | |--------------- NS with EARO (Crypto-ID)------------->|------------->| | ||<-------------------|<------------------- NA with EARO ---------------------| | | ... | | |--------------- NS with EARO (Crypto-ID)------------->|------------->| | ||<-------------------|<------------------- NA with EARO ---------------------| | |]]></artwork></artwork> </figure><t><t indent="0" pn="section-6.1-3"> The NonceoptionOption contains a nonce value that, to the extent possible for the implementation, was neveremployed in association with the key pairusedto generate the Crypto-ID.before. This specification inherits the idea from <xreftarget='RFC3971'/> that simply indicatestarget="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/> that the nonce is a random value. Ideally, an implementation uses an unpredictable cryptographically random value <xreftarget='RFC4086'/>.target="RFC4086" format="default" sectionFormat="of" derivedContent="BCP106"/>. But that may be impractical in some LLN scenarioswhere the devices do not have a guaranteed sense of time and for which computing complex hashes is detrimental to the battery lifetime.with resource-constrained devices. </t><t><t indent="0" pn="section-6.1-4"> Alternatively, the device may use an always-incrementing value saved in the same stable storage as the key, so they are lost together, andstartingstart at abest effortbest-effort randomvalue, eithervalue as either the nonce value orasa component to its computation. </t><t><t indent="0" pn="section-6.1-5"> The 6LN replies to the challenge with an NS(EARO) that includesa newthe NonceoptionOption (shown as NonceLN in <xreftarget='Dynamic-fig'/>),target="Dynamic-fig" format="default" sectionFormat="of" derivedContent="Figure 6"/>), the CIPO (<xreftarget='cryptoidopt'/>),target="cryptoidopt" format="default" sectionFormat="of" derivedContent="Section 4.3"/>), and the NDPSO containing the signature. BothNoncesnonces are included in the signed material. This provides a "contributorybehavior", so that either party that knows it generates a good quality nonce knowsbehavior" that results in better security even when theprotocol will be secure.nonces of one party are not generated as specified. </t><t><t indent="0" pn="section-6.1-6"> The 6LRMUST<bcp14>MUST</bcp14> store the information associatedtowith a Crypto-ID on the first NS exchange where it appears in a fashion that the CIPO parameters can be retrieved from the Crypto-ID alone. </t><t>The<t indent="0" pn="section-6.1-7">The steps for the registration to the 6LR are as follows: </t><t><t indent="0" pn="section-6.1-8"> Upon the first exchange with a 6LR, a 6LN will be challenged to prove ownership of the Crypto-ID and the Target Address being registered in the Neighbor Solicitation message. When a 6LR receivesaan NS(EARO) registration with a new Crypto-ID as a ROVR, and unless the registration is rejected for another reason, itMUST<bcp14>MUST</bcp14> challenge by responding withaan NA(EARO) with a status code of "Validation Requested". </t><t><t indent="0" pn="section-6.1-9"> Upon receiving a first NA(EARO) with a status code of "Validation Requested" from a 6LR, theregistering node SHOULDRegistering Node <bcp14>SHOULD</bcp14> retry its registration with aCrypto-ID Parameters Option (CIPO)CIPO (<xreftarget='cryptoidopt'/>)target="cryptoidopt" format="default" sectionFormat="of" derivedContent="Section 4.3"/>) that contains all the necessary material for building the Crypto-ID, the NonceLN that it generated, and the NDPsignatureSignature Option (<xreftarget='ndpso'/>) optiontarget="ndpso" format="default" sectionFormat="of" derivedContent="Section 4.4"/>) that proves its ownership of the Crypto-ID and intent of registering the Target Address. In subsequent revalidation with the same 6LR, the 6LNMAY<bcp14>MAY</bcp14> try to omit the CIPO to save bandwidth, with the expectation that the 6LR saved it. If the validation fails and it gets challenged again, then itSHOULD<bcp14>SHOULD</bcp14> add the CIPO again. </t><t><t indent="0" pn="section-6.1-10"> In order to validate the ownership, the 6LR performs the same steps as the 6LN and rebuilds the Crypto-ID based on the parameters in the CIPO. If the rebuilt Crypto-ID matches the ROVR, the 6LN also verifies the signature contained in theNDPSO option. If atNDPSO. At thatpointpoint, if the signature in the NDPSOoptioncan be verified, then the validation succeeds.OtherwiseOtherwise, the validation fails. </t><t><t indent="0" pn="section-6.1-11"> If the 6LR fails to validate the signed NS(EARO), it responds with a status code of "Validation Failed". After receivingaan NA(EARO) with a status code of "Validation Failed", theregistering node SHOULDRegistering Node <bcp14>SHOULD</bcp14> tryandan alternateCrypto-Type and ifCrypto-Type; even if Crypto-Type 0 fails, it may try to register a different address in the NS message. </t> </section> <sectionanchor='ndpso-generation'><name>NDPSO generation and verification</name> <t>anchor="ndpso-generation" numbered="true" removeInRFC="false" toc="include" pn="section-6.2"> <name slugifiedName="name-ndpso-generation-and-verifi">NDPSO Generation and Verification</name> <t indent="0" pn="section-6.2-1"> The signature generated by the 6LN to provideproof-of-ownershipproof of ownership of theprivate-keyprivate key is carried in theNDP Signature Option (NDPSO).NDPSO. It is generated by the 6LN in a fashion that depends on the Crypto-Type (see <xreftarget='cryptotypetable'/>target="cryptotypetable" format="default" sectionFormat="of" derivedContent="Table 1"/> in <xreftarget='cryptotypereg'/>)target="cryptotypereg" format="default" sectionFormat="of" derivedContent="Section 8.2"/>) chosen by the 6LN as follows: </t><ul> <li><t><ul bare="false" empty="false" indent="3" spacing="normal" pn="section-6.2-2"> <li pn="section-6.2-2.1"> <t indent="0" pn="section-6.2-2.1.1"> Form the message to be signed, by concatenating the following byte-strings in the order listed:</t> <olspacing='compact'> <li>Thespacing="normal" indent="adaptive" start="1" type="1" pn="section-6.2-2.1.2"> <li pn="section-6.2-2.1.2.1" derivedCounter="1.">The 128-bit Message Type tag <xreftarget='RFC3972'/>target="RFC3972" format="default" sectionFormat="of" derivedContent="RFC3972"/> (in network byte order). For thisspecificationspecification, the tag is given in <xreftarget='cgam'/>.target="cgam" format="default" sectionFormat="of" derivedContent="Section 8.1"/>. (The tag value has been generated by the editor of this specification onrandom.org).</li> <li>the CIPO</li> <li>the<eref target="https://www.random.org" brackets="angle"/>.)</li> <li pn="section-6.2-2.1.2.2" derivedCounter="2.">The CIPO.</li> <li pn="section-6.2-2.1.2.3" derivedCounter="3.">The 16-byte Target Address (in network byte order) sent in theNeighbor Solicitation (NS)NS message. It is the addresswhichthat the 6LN is registering with the 6LR and 6LBR.</li><li>NonceLR<li pn="section-6.2-2.1.2.4" derivedCounter="4.">The NonceLR received from the 6LR (in network byte order) in theNeighbor Advertisement (NA)NA message. The nonce is at least 6 bytes long as defined in <xreftarget='RFC3971'/>.</li> <li>NonceLNtarget="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/>.</li> <li pn="section-6.2-2.1.2.5" derivedCounter="5.">The NonceLN sent from the 6LN (in network byte order). The nonce is at least 6 bytes long as defined in <xreftarget='RFC3971'/>.</li> <li>1-byte Option Lengthtarget="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/>.</li> <li pn="section-6.2-2.1.2.6" derivedCounter="6.">The 1-byte option length of the EARO containing the Crypto-ID.</li> </ol> </li><li><li pn="section-6.2-2.2"> Apply the signature algorithm specified by the Crypto-Type using the private key.</li> </ul><t> The 6LR on<t indent="0" pn="section-6.2-3"> Upon receiving the NDPSO and CIPOoptionsoptions, the 6LR first checks that the EARO Length in the CIPO matches the length of the EARO. Ifsoso, it regenerates the Crypto-ID based on the CIPO to make sure that the leftmost bits up to the size of the ROVR match. </t><t> If<t indent="0" pn="section-6.2-4"> If, and onlyifif, the check is successful, it tries to verify the signature in the NDPSOoptionusing thefollowing:following steps: </t><ul> <li><t>Form<ul bare="false" empty="false" indent="3" spacing="normal" pn="section-6.2-5"> <li pn="section-6.2-5.1"> <t indent="0" pn="section-6.2-5.1.1">Form the message to be verified, by concatenating the following byte-strings in the order listed:</t> <olspacing='compact'> <li>Thespacing="normal" indent="adaptive" start="1" type="1" pn="section-6.2-5.1.2"> <li pn="section-6.2-5.1.2.1" derivedCounter="1.">The 128-bit Message Type tag given in <xreftarget='cgam'/>target="cgam" format="default" sectionFormat="of" derivedContent="Section 8.1"/> (in network byteorder)</li> <li>the CIPO</li> <li>theorder).</li> <li pn="section-6.2-5.1.2.2" derivedCounter="2.">The CIPO.</li> <li pn="section-6.2-5.1.2.3" derivedCounter="3.">The 16-byte Target Address (in network byte order) received in theNeighbor Solicitation (NS)NS message. It is the addresswhichthat the 6LN is registering with the 6LR and 6LBR.</li><li>NonceLR<li pn="section-6.2-5.1.2.4" derivedCounter="4.">The NonceLR sent in theNeighbor Advertisement (NA)NA message. The nonce is at least 6 bytes long as defined in <xreftarget='RFC3971'/>.</li> <li>NonceLNtarget="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/>.</li> <li pn="section-6.2-5.1.2.5" derivedCounter="5.">The NonceLN received from the 6LN (in network byte order) in the NS message. The nonce is at least 6 bytes long as defined in <xreftarget='RFC3971'/>.</li> <li>1-bytetarget="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/>.</li> <li pn="section-6.2-5.1.2.6" derivedCounter="6.">The 1-byte EARO Length received in the CIPO.</li> </ol> </li><li><li pn="section-6.2-5.2"> Verify the signature on this message with thepublic-keypublic key in the CIPO and the locally computed values using the signature algorithm specified by the Crypto-Type. If the verification succeeds, the 6LR propagates the information to the 6LBR usingaan EDAR/EDAC flow. </li><li><li pn="section-6.2-5.3"> Due to thefirst-come/first-servefirst-come, first-served nature of the registration, if the address is not registered to the 6LBR, then flow succeeds and both the 6LR and 6LBR add the state information about the Crypto-ID and Target Address being registered to their respective abstractdatabase.databases. </li> </ul> </section> <sectionanchor='mhopo'><name>Multihopanchor="mhopo" numbered="true" removeInRFC="false" toc="include" pn="section-6.3"> <name slugifiedName="name-multi-hop-operation">Multi-Hop Operation</name><t><t indent="0" pn="section-6.3-1"> A new 6LN that joins the networkauto-configuresautoconfigures an address and performs an initial registration to a neighboring 6LR with an NS message that carries anAddress Registration Option (EARO)EARO <xreftarget='RFC8505'/>. </t> <t>target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. </t> <t indent="0" pn="section-6.3-2"> In amultihopmulti-hop 6LoWPAN, the registration with Crypto-ID is propagated to 6LBR as shown in <xreftarget='figReg'/>,target="figReg" format="default" sectionFormat="of" derivedContent="Figure 7"/>, which illustrates the registration flow all the way to a6LowPAN6LoWPAN Backbone Router (6BBR) <xreftarget='I-D.ietf-6lo-backbone-router'/>.target="RFC8929" format="default" sectionFormat="of" derivedContent="RFC8929"/>. </t> <figureanchor='figReg' suppress-title='false'><name>(Re-)Registrationanchor="figReg" suppress-title="false" align="left" pn="figure-7"> <name slugifiedName="name-re-registration-flow">(Re-)Registration Flow</name><artwork><![CDATA[<artwork align="left" pn="section-6.3-3.1"> 6LN 6LR 6LBR 6BBR | | | | | NS(EARO) | | ||--------------->||--------------->| | | | | Extended DAR | | ||-------------->||-------------->| | | | | proxy NS(EARO) | | ||--------------->||--------------->| | | | | NS(DAD) | | | |------>------> | | | | | | | |<wait><wait> | | | | | | | proxy NA(EARO) | | ||<---------------||<---------------| | | Extended DAC | | ||<--------------||<--------------| | | NA(EARO) | | ||<---------------||<---------------| | | | | | |]]></artwork></artwork> </figure><t><t indent="0" pn="section-6.3-4"> The 6LR and the 6LBR communicate using ICMPv6Extended Duplicate Address Request (EDAR)EDAR andExtended Duplicate Address Confirmation (EDAC)EDAC messages <xreftarget='RFC8505'/>target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> as shown in <xreftarget='figReg'/>.target="figReg" format="default" sectionFormat="of" derivedContent="Figure 7"/>. This specification extends EDAR/EDAC messages to carry cryptographically generated ROVR. </t><t><t indent="0" pn="section-6.3-5"> The assumption is that the 6LR and the 6LBR maintain a security association to authenticate and protect the integrity of the EDAR and EDAC messages, so there is no need to propagate the proof of ownership to the 6LBR. The 6LBR implicitly trusts that the 6LR performs the verification when the 6LBR requires it, and if there is no further exchange from the 6LR to remove the state,thatthe verification succeeded. </t> </section> </section><section><name>Security<section numbered="true" removeInRFC="false" toc="include" pn="section-7"> <name slugifiedName="name-security-considerations">Security Considerations</name><section><name>Brown<section numbered="true" removeInRFC="false" toc="include" pn="section-7.1"> <name slugifiedName="name-brown-field">Brown Field</name><t><t indent="0" pn="section-7.1-1"> Only 6LRs that are upgraded to this specification are capableto challengeof challenging a registration andrepelavoiding an attack. In a brown (mixed) network, an attacker may attach to a legacy 6LR and fool the 6LBR. So even if the "A" flag could be set at any time to test the protocol operation, the security will only be effective when all the 6LRs are upgraded. </t> </section><section><name>Inheriting from<section numbered="true" removeInRFC="false" toc="include" pn="section-7.2"> <name slugifiedName="name-threats-identified-in-rfc-3">Threats Identified in RFC 3971</name><t><t indent="0" pn="section-7.2-1"> Observations regarding the following threats to the local network in <xreftarget='RFC3971'/>target="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/> also apply to this specification. </t> <dlspacing='normal'> <dt>Neighborspacing="normal" indent="3" newline="false" pn="section-7.2-2"> <dt pn="section-7.2-2.1">Neighbor Solicitation/AdvertisementSpoofing:</dt><dd>Spoofing:</dt> <dd pn="section-7.2-2.2"> Threats insection 9.2.1 of RFC3971<xref target="RFC3971" sectionFormat="of" section="9.2.1" format="default" derivedLink="https://rfc-editor.org/rfc/rfc3971#section-9.2.1" derivedContent="RFC3971"/> apply. AP-ND counters the threats on NS(EARO) messages by requiring that theNDP SignatureNDPSO and CIPOoptionsbe present in these solicitations.</dd><!--<t hangText="Neighbor Unreachability Detection Failure"> <vspace blankLines="1"/> With RFC6775, a Neighbor Unreadability<dt pn="section-7.2-2.3">Duplicate Address Detection(NUD) can still be used byDoS Attack:</dt> <dd pn="section-7.2-2.4"> Inside theendpoint to assessLLN, duplicate addresses are sorted out using theliveness of a device. The NUD request may be protected by SEND in which caseROVR. A different ROVR for theprovision in section 9.2same Registered Address entails a rejection ofRFC 3972 applies. The response totheNUD may be proxied by a backbone router only if it has a fresh registration state for it. For asecond registrationbeing protected by this specification,<xref target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/>. DADs coming from theproxied NUD response provides truthful information onbackbone network are not forwarded over theoriginal ownerLLN to provide some protection against DoS attacks inside the resource-constrained part of theaddress but it cannot be proven using SEND. Ifnetwork. However, theNUD responseEARO isnot proxied, the 6LR will passpresent in thelookup to the end device which will respond with a traditional NA. If the 6LR does not have a registration associated for the device, it can issue a NA with EARO (status=Validation Requested) upon the NA from the device, which will trigger a NS that will recreate and revalidate the ND registration. </t>--> <dt>Duplicate Address Detection DoS Attack:</dt><dd> Inside the LLN, Duplicate Addresses are sorted out using the ROVR, which differentiates it from a movement. A different ROVR for the same Registered address entails a rejection of the second registration <xref target='RFC8505'/>. DAD coming fromNS/NA messages exchanged over the backboneare not forwarded over the LLN, which provides some protection against DoS attacks inside the resource-constrained part of thenetwork.Over the backbone, the EARO option is present in NS/NA messages.This protects against misinterpretinganode movementforas aduplication,duplication and enables thebackbone routersBackbone Routers to determine whichonesubnet has thefreshestmost recent registration <xreftarget='RFC8505'/>target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> and is thus the best candidate to validate the registrationfor the device attached to it<xreftarget='I-D.ietf-6lo-backbone-router'/>. But this specification does not guarantee that the backbone router claiming an address over the backbone is not an attacker.target="RFC8929" format="default" sectionFormat="of" derivedContent="RFC8929"/>. </dd><dt>Router<dt pn="section-7.2-2.5">Router Solicitation and AdvertisementAttacks:</dt><dd>Attacks:</dt> <dd pn="section-7.2-2.6"> This specification does not change the protection of RS andRARA, which can still be protected by SEND.</dd><dt>Replay Attacks</dt><dd> A nonce<dt pn="section-7.2-2.7">Replay Attacks:</dt> <dd pn="section-7.2-2.8"> Nonces should never repeatfor a single key,butnoncesthey do not need to be unpredictable for secure operation. Using nonces (NonceLR and NonceLN) generated by both the 6LR and 6LNensureensures a contributory behavior that provides an efficient protection against replay attacks of the challenge/response flow. The quality of the protection by a random nonce depends on the random numbergenerator and its parameters (e.g., sense of time).generator. </dd><dt>Neighbor<dt pn="section-7.2-2.9">Neighbor Discovery DoSAttack:</dt><dd>Attack:</dt> <dd pn="section-7.2-2.10"> A rogue node thatmanaged tocan access the L2 network may form many addresses and register them using AP-ND. The perimeter of the attack is all the 6LRs in range of the attacker. The 6LRMUST<bcp14>MUST</bcp14> protect itself against overflows and reject excessive registration with a status code of 2 "Neighbor Cache Full". This effectively blocks another (honest) 6LN from registering to the same 6LR, but the 6LN may register to other 6LRs that are in its range but not in that of therogue.attacker. </dd> </dl> </section><section><name>Related<section numbered="true" removeInRFC="false" toc="include" pn="section-7.3"> <name slugifiedName="name-related-to-6lowpan-nd">Related to 6LoWPAN ND</name><t><t indent="0" pn="section-7.3-1"> The threats andmediationsmitigations discussed in 6LoWPAN ND <xreftarget='RFC6775'/><xref target='RFC8505'/>target="RFC6775" format="default" sectionFormat="of" derivedContent="RFC6775"/> <xref target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> also apply here, inparticularparticular, denial-of-service (DoS) attacks against the registry at the 6LR or 6LBR.</t><t></t> <t indent="0" pn="section-7.3-2"> Secure ND <xreftarget='RFC3971'/>target="RFC3971" format="default" sectionFormat="of" derivedContent="RFC3971"/> forces the IPv6 address to be cryptographic since it integrates the CGA as the IID in the IPv6 address. In contrast, this specification saves about1Kbyte1 KB in every NS/NA message. Also, this specification separates the cryptographic identifier from the registered IPv6 address so that a node can have more than one IPv6 address protected by the same cryptographic identifier.</t><t></t> <t indent="0" pn="section-7.3-3"> With thisspecificationspecification, the 6LN can freely form its IPv6 address(es) in any fashion, thereby enabling either 6LoWPAN compression for IPv6 addresses that are derived fromLayer-2 addresses,L2 addresses or temporaryaddresses,addresses that cannot be compressed, e.g., formedpseudo-randomlypseudorandomly and released in relatively short cycles for privacy reasons <xreftarget='RFC8064'/><xref target='RFC8065'/>, that cannot be compressed. </t><t>target="RFC8064" format="default" sectionFormat="of" derivedContent="RFC8064"/><xref target="RFC8065" format="default" sectionFormat="of" derivedContent="RFC8065"/>. </t> <t indent="0" pn="section-7.3-4"> This specification provides added protection for addresses that are obtained following due procedure <xreftarget='RFC8505'/>target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> but does not constrain the way the addresses are formed or the number of addresses that are used in parallel by a same entity.A rogueAn attacker may still performdenial-of-servicea DoS attack against the registry at the 6LR or6LBR,6LBR or attempt to deplete the pool of available addresses atLayer-2L2 orLayer-3.L3. </t> </section><section><name>Compromised<section numbered="true" removeInRFC="false" toc="include" pn="section-7.4"> <name slugifiedName="name-compromised-6lr">Compromised 6LR</name><t><t indent="0" pn="section-7.4-1"> This specification distributes the challenge and its validation at the edge of the network, between the 6LN and its 6LR. This protects againstDOSDoS attacks targeted at that central 6LBR. This also savesback and forthback-and-forth exchanges across a potentially large and constrained network.</t><t></t> <t indent="0" pn="section-7.4-2"> The downside is that the 6LBR needs to trust the 6LRfor performingto perform the checking adequately, and the communication between the 6LR and the 6LBR must be protected to avoid tampering with the result of thetest. </t><t>validation. </t> <t indent="0" pn="section-7.4-3"> If a 6LR is compromised, and provided that it knows the ROVR field used by the real owner of the address, the 6LR may pretend that the owner has moved, is now attached toitit, and has successfully passed theCrpto-IDCrypto-ID validation. The 6LR may then attract and inject traffic at will on behalf of thataddressaddress, or leta roguean attacker take ownership of the address. </t> </section> <sectionanchor='sec-col'><name>ROVRanchor="sec-col" numbered="true" removeInRFC="false" toc="include" pn="section-7.5"> <name slugifiedName="name-rovr-collisions">ROVR Collisions</name><t><t indent="0" pn="section-7.5-1"> A collision ofRegistration Ownership Verifiers (ROVR)ROVRs (i.e., the Crypto-ID in this specification) is possible, but it is a rare event. Assumingin the calculations/discussion belowthat the hash used for calculating the Crypto-ID is a well-behaved cryptographichash and thus thathash, and, thus, random collisions are the only ones possible,the formula (birthday paradox) for calculating the probability of a collision is 1 - e^{-p^2/(2n)} whereif n = 2<sup>k</sup> is the maximumpopulation size (2^64 here, 1.84E19)number of hash values (i.e., a k-bit hash) and p is theactual population (numbernumber of nodes,assumingthen (assuming one Crypto-ID pernode). </t><t> Ifnode) theCrypto-IDformula 1 - e<sup>-p<sup>2</sup>/(2n)</sup> provides an approximation of the probability that there is64-bitsat least one collision (birthday paradox). </t> <t indent="0" pn="section-7.5-2"> If the Crypto-ID is 64 bits (the least possible size allowed), the chance of a collision is 0.01% for a network of 66 million nodes. Moreover, the collision is only relevant when this happens within one stub network (6LBR). In the case of such a collision,a third partyan honest nodewould be able tomight accidentally claim theregistered addressRegistered Address ofananother legitimatenode, provided that it wishes to usenode (with the sameaddress.Crypto-ID). To preventaddress disclosure and avoid the chances of collision on both the ROVR and the address,such rare events, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that nodes do not derive the address being registered from the ROVR. </t> </section><section><name>Implementation<section numbered="true" removeInRFC="false" toc="include" pn="section-7.6"> <name slugifiedName="name-implementation-attacks">Implementation Attacks</name><t><t indent="0" pn="section-7.6-1"> The signature schemes referenced in this specification comply with NIST <xreftarget='FIPS186-4'/>target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/> or Crypto Forum Research Group (CFRG) standards <xreftarget='RFC8032'/>target="RFC8032" format="default" sectionFormat="of" derivedContent="RFC8032"/> and offer strong algorithmic security at roughly a 128-bit security level. These signature schemes use elliptic curves thatwereeither were specifically designed with exception-free and constant-time arithmetic in mind <xreftarget='RFC7748'/>target="RFC7748" format="default" sectionFormat="of" derivedContent="RFC7748"/> orwhere one hashave extensive implementation experience of resistance to timing attacks <xreftarget='FIPS186-4'/>. </t> <t>target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/>. </t> <t indent="0" pn="section-7.6-2"> However, careless implementations of the signing operations could nevertheless leak information on private keys. For example, there are micro-architectural side channel attacks that implementors should be aware of <xreftarget='breaking-ed25519'/>.target="breaking-ed25519" format="default" sectionFormat="of" derivedContent="breaking-ed25519"/>. Implementors should be particularly aware that a secure implementation of Ed25519 requires a protected implementation of the hash function SHA-512, whereas this is not required with implementations of the hash function SHA-256 used with ECDSA256 and ECDSA25519. </t> </section><section><name>Cross-Algorithm<section numbered="true" removeInRFC="false" toc="include" pn="section-7.7"> <name slugifiedName="name-cross-algorithm-and-cross-p">Cross-Algorithm and Cross-Protocol Attacks</name><t><t indent="0" pn="section-7.7-1"> Thekeypairkey pair used in this specification can beself-generatedself-generated, and the public key does not need to be exchanged, e.g., through certificates, with a third party before it is used. </t><t><t indent="0" pn="section-7.7-2"> Newkeypairskey pairs can be formed for newregistration asregistrations if the node desires.On the other hand, it is safer to allocate a keypair that is used only for the address protection and only for one instantiation ofHowever, thesignature scheme (which includes choice of elliptic curve domain parameters, used hash function, and applicable representation conventions). </t> <t> Thesame private keyMUST NOT<bcp14>MUST NOT</bcp14> be reused with more than one instantiation of the signature scheme in this specification.TheAlso, the same private keyMUST NOT<bcp14>MUST NOT</bcp14> be used for anything other than computing NDPSO signatures per this specification. </t><t><t indent="0" pn="section-7.7-3"> ECDSA shall be used strictly as specified in <xreftarget="FIPS186-4"></xref>.target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/>. In particular, each signing operation of ECDSAMUST<bcp14>MUST</bcp14> use randomly generated ephemeral private keys andMUST NOT<bcp14>MUST NOT</bcp14> reusethesethe ephemeral privatekeyskey kaccrossacross signing operations. This precludes the use of deterministic ECDSA without a random input for the determination of k, which is deemed dangerous for the intended applications this document aims to serve.</t> </section><section><name>Public<section numbered="true" removeInRFC="false" toc="include" pn="section-7.8"> <name slugifiedName="name-public-key-validation">Public Key Validation</name><t>Public<t indent="0" pn="section-7.8-1">Public keys contained in the CIPO field (which are used for signature verification) shall be verified to be correctly formed, by checking that this public key is indeed a point of the elliptic curve indicated by the Crypto-Type and that this point does have the proper order. </t><t><t indent="0" pn="section-7.8-2"> For points used with the signature scheme Ed25519, oneMUST<bcp14>MUST</bcp14> check that this point is nota pointin the small subgroup (seeAppendix B.1 of<xreftarget='I-D.ietf-lwig-curve-representations'/>);target="I-D.ietf-lwig-curve-representations" sectionFormat="of" section="B.1" format="default" derivedLink="https://tools.ietf.org/html/draft-ietf-lwig-curve-representations-14#appendix-B.1" derivedContent="CURVE-REPR"/>); for points used with the signature scheme ECDSA (i.e., both ECDSA256 and ECDSA25519), oneMUST<bcp14>MUST</bcp14> check that the point has the same order as the base point of the curve in question. This is commonly calledfull"full public keyvalidationvalidation" (again, seeAppendix B.1 of<xreftarget='I-D.ietf-lwig-curve-representations'/>).target="I-D.ietf-lwig-curve-representations" sectionFormat="of" section="B.1" format="default" derivedLink="https://tools.ietf.org/html/draft-ietf-lwig-curve-representations-14#appendix-B.1" derivedContent="CURVE-REPR"/>). </t> </section><section><name>Correlating<section numbered="true" removeInRFC="false" toc="include" pn="section-7.9"> <name slugifiedName="name-correlating-registrations">Correlating Registrations</name><t><t indent="0" pn="section-7.9-1"> The ROVR field in the EARO introduced in <xreftarget='RFC8505'/>target="RFC8505" format="default" sectionFormat="of" derivedContent="RFC8505"/> extends the EUI-64 field of the ARO defined in <xreftarget='RFC6775'/>.target="RFC6775" format="default" sectionFormat="of" derivedContent="RFC6775"/>. One of the drawbacks of using an EUI-64 as ROVR is that an attacker that is aware of the registrations can correlate traffic forathe same 6LN across multiple addresses.Section 3 of<xreftarget='RFC8505'/>target="RFC8505" sectionFormat="of" section="3" format="default" derivedLink="https://rfc-editor.org/rfc/rfc8505#section-3" derivedContent="RFC8505"/> indicates that the ROVR and the address being registered are decoupled. A 6LN may useathe same ROVR for multiple registrations or a different ROVR per registration, and the IID must notderivebe derived from the ROVR. Intheorytheory, different 6LNs could useathe same ROVR as long as they do not attempt to register the same address. </t><t><t indent="0" pn="section-7.9-2"> TheModifiermodifier used in the computation of the Crypto-ID enables a 6LN to build different Crypto-IDs for different addresses withathe samekeypair.key pair. Using that facility improves the privacy of the 6LNasat the expense of storage in the 6LR, which will need to store multiple CIPOs that contain the same public key. Note that ifthean attackerisgains access to the 6LR, then theModifiermodifier alone does not provideaprotection, and the 6LN would need tousegenerate differentkeyskey pairs andMAClink-layer addresses in an attempt to obfuscate its multiple ownership. </t> </section> </section><section><name>IANA considerations</name><sectionanchor='cgam'><name>CGAnumbered="true" removeInRFC="false" toc="include" pn="section-8"> <name slugifiedName="name-iana-considerations">IANA Considerations</name> <section anchor="cgam" numbered="true" removeInRFC="false" toc="include" pn="section-8.1"> <name slugifiedName="name-cga-message-type">CGA Message Type</name><t><t indent="0" pn="section-8.1-1"> This document defines a new 128-bitvalue of a MessageCGA Extension TypetagTag under theCGA"CGA Extension Type Tags" subregistry of the Cryptographically Generated Addresses (CGA) Message Type Name Space created by <xreftarget='RFC3972'/> name space:target="RFC3972" format="default" sectionFormat="of" derivedContent="RFC3972"/>. </t> <t indent="0" pn="section-8.1-2"> Tag: 0x8701 55c8 0cca dd32 6ab7 e415 f148 84d0. </t> </section> <sectionanchor='cryptotypereg'><name>Crypto-Typeanchor="cryptotypereg" numbered="true" removeInRFC="false" toc="include" pn="section-8.2"> <name slugifiedName="name-crypto-type-subregistry">Crypto-Type Subregistry</name><t><t indent="0" pn="section-8.2-1"> IANAis requested to create a newhas created the "Crypto-Types" subregistry"Crypto-Type Subregistry"in the "Internet Control Message Protocol version 6 (ICMPv6)Parameters".Parameters" registry. The registry is indexed by an integer in the interval 0..255 and contains anElliptic Curve,elliptic curve, aHash Function,hash function, aSignature Algorithm, Representation Conventions, Publicsignature algorithm, representation conventions, public key size, andSignaturesignature size, as shown in <xreftarget='cryptotypetable'/>,target="cryptotypetable" format="default" sectionFormat="of" derivedContent="Table 1"/>, which together specify a signaturescheme (and whichscheme. Detailed explanations arefully specifiedprovided in <xreftarget="reprconv"></xref>). </t> <t>Thetarget="reprconv" format="default" sectionFormat="of" derivedContent="Appendix B"/>. </t> <t indent="0" pn="section-8.2-2">The following Crypto-Type values are defined in this document: </t> <tableanchor="cryptotypetable"><name>Crypto-Types</name>anchor="cryptotypetable" align="center" pn="table-1"> <name slugifiedName="name-crypto-types">Crypto-Types</name> <thead> <tr><th>Crypto-Type value</th><thalign='center'>align="left" colspan="1" rowspan="1">Crypto-Type Value</th> <th align="center" colspan="1" rowspan="1"> 0 (ECDSA256) </th> <thalign='center'>align="center" colspan="1" rowspan="1"> 1 (Ed25519) </th> <thalign='center'>align="center" colspan="1" rowspan="1"> 2 (ECDSA25519) </th> </tr></thead><tbody> <tr><td>Elliptic curve</td></thead> <tbody> <tr> <tdalign='center'>align="left" colspan="1" rowspan="1">Elliptic Curve</td> <td align="center" colspan="1" rowspan="1"> NIST P-256 <xreftarget='FIPS186-4'/></td>target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/></td> <tdalign='center'>align="center" colspan="1" rowspan="1"> Curve25519 <xreftarget='RFC7748'/></td>target="RFC7748" format="default" sectionFormat="of" derivedContent="RFC7748"/></td> <tdalign='center'>align="center" colspan="1" rowspan="1"> Curve25519 <xreftarget='RFC7748'/></td>target="RFC7748" format="default" sectionFormat="of" derivedContent="RFC7748"/></td> </tr><tr><td>Hash function</td><tr> <tdalign='center'>align="left" colspan="1" rowspan="1">Hash Function</td> <td align="center" colspan="1" rowspan="1"> SHA-256 <xreftarget='RFC6234'/></td>target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/></td> <tdalign='center'>align="center" colspan="1" rowspan="1"> SHA-512 <xreftarget='RFC6234'/></td>target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/></td> <tdalign='center'>align="center" colspan="1" rowspan="1"> SHA-256 <xreftarget='RFC6234'/></td>target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/></td> </tr><tr><td>Signature algorithm</td><tr> <tdalign='center'>align="left" colspan="1" rowspan="1">Signature Algorithm</td> <td align="center" colspan="1" rowspan="1"> ECDSA <xreftarget='FIPS186-4'/></td>target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/></td> <tdalign='center'>align="center" colspan="1" rowspan="1"> Ed25519 <xreftarget='RFC8032'/></td>target="RFC8032" format="default" sectionFormat="of" derivedContent="RFC8032"/></td> <tdalign='center'>align="center" colspan="1" rowspan="1"> ECDSA <xreftarget='FIPS186-4'/></td>target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/></td> </tr><tr><td>Representation conventions</td><tr> <tdalign='center'>align="left" colspan="1" rowspan="1">Representation Conventions</td> <td align="center" colspan="1" rowspan="1"> Weierstrass, (un)compressed,MSB/msb first,MSB/msb-order, <xreftarget='RFC7518'/>target="SEC1" format="default" sectionFormat="of" derivedContent="SEC1"/> </td> <tdalign='center'>align="center" colspan="1" rowspan="1"> Edwards, compressed,LSB/lsb first,LSB/lsb-order, <xreftarget='RFC8037'/></td>target="RFC8032" format="default" sectionFormat="of" derivedContent="RFC8032"/></td> <tdalign='center'>align="center" colspan="1" rowspan="1"> Weierstrass, (un)compressed,MSB/msb first,MSB/msb-order, <xreftarget='I-D.ietf-lwig-curve-representations'/></td></tr> <tr><td>Public key size</td>target="I-D.ietf-lwig-curve-representations" format="default" sectionFormat="of" derivedContent="CURVE-REPR"/></td> </tr> <tr> <td align="left" colspan="1" rowspan="1">Public Key Size</td> <tdalign='center'>align="center" colspan="1" rowspan="1"> 33/65 bytes (compressed/uncompressed)</td> <tdalign='center'>align="center" colspan="1" rowspan="1"> 32 bytes (compressed)</td> <tdalign='center'>align="center" colspan="1" rowspan="1"> 33/65 bytes (compressed/uncompressed)</td></tr> <tr><td>Signature size</td></td> </tr> <tr> <tdalign='center'>align="left" colspan="1" rowspan="1">Signature Size</td> <td align="center" colspan="1" rowspan="1"> 64 bytes </td> <tdalign='center'>align="center" colspan="1" rowspan="1"> 64 bytes </td> <tdalign='center'>align="center" colspan="1" rowspan="1"> 64 bytes</td></tr> <tr><td>Defining specification</td></td> </tr> <tr> <tdalign='center'>This_RFC</td>align="left" colspan="1" rowspan="1">Reference</td> <tdalign='center'>This_RFC</td>align="center" colspan="1" rowspan="1">RFC 8928</td> <tdalign='center'>This_RFC</td>align="center" colspan="1" rowspan="1">RFC 8928</td> <td align="center" colspan="1" rowspan="1">RFC 8928</td> </tr> </tbody> </table><t><t indent="0" pn="section-8.2-4"> New Crypto-Type values providing similar or better security may be defined in the future. </t><t><t indent="0" pn="section-8.2-5"> Assignment ofnewvalues for new Crypto-TypeMUST<bcp14>MUST</bcp14> be done through IANA with either "Specification Required" or "IESG Approval" as defined inBCP 26<xreftarget='RFC8126'/>.target="RFC8126" format="default" sectionFormat="of" derivedContent="RFC8126">BCP 26</xref>. </t> </section> <sectionanchor='ndopt'><name>IPv6anchor="ndopt" numbered="true" removeInRFC="false" toc="include" pn="section-8.3"> <name slugifiedName="name-ipv6-nd-option-types">IPv6 NDoption types </name> <t>Option Types</name> <t indent="0" pn="section-8.3-1"> This document registers two new ND option types under the subregistry "IPv6 Neighbor Discovery Option Formats": </t> <tableanchor="nexndopt"><name>Newanchor="nexndopt" align="center" pn="table-2"> <name slugifiedName="name-new-nd-options">New NDoptions</name>Options</name> <thead> <tr> <thalign='center'>Option Name</th>align="left" colspan="1" rowspan="1">Description</th> <thalign='center'>Suggested Value</th>align="center" colspan="1" rowspan="1">Type</th> <thalign='left'>Reference</th>align="left" colspan="1" rowspan="1">Reference</th> </tr></thead><tbody></thead> <tbody> <tr> <tdalign='center'>NDP Signaturealign="left" colspan="1" rowspan="1">Crypto-ID Parameters Option(NDPSO)</td>(CIPO)</td> <tdalign='center'>38</td>align="center" colspan="1" rowspan="1">39</td> <tdalign='left'>This document</td>align="left" colspan="1" rowspan="1">RFC 8928</td> </tr> <tr> <tdalign='center'>Crypto-ID Parametersalign="left" colspan="1" rowspan="1">NDP Signature Option(CIPO)</td>(NDPSO)</td> <tdalign='center'>39</td>align="center" colspan="1" rowspan="1">40</td> <tdalign='left'>This document</td>align="left" colspan="1" rowspan="1">RFC 8928</td> </tr> </tbody> </table> </section> <sectiontitle="Newnumbered="true" removeInRFC="false" toc="include" pn="section-8.4"> <name slugifiedName="name-new-6lowpan-capability-bit">New 6LoWPAN CapabilityBit"> <t>Bit</name> <t indent="0" pn="section-8.4-1"> IANAis requested to make additionshas made an addition to theSubregistrysubregistry for "6LoWPAN Capability Bits" created for <xreftarget='RFC7400'/>target="RFC7400" format="default" sectionFormat="of" derivedContent="RFC7400"/> as follows: </t> <tableanchor="CIOdat"><name>Newanchor="CIOdat" align="center" pn="table-3"> <name slugifiedName="name-new-6lowpan-capability-bit-2">New 6LoWPAN Capability Bit</name> <thead> <tr> <thalign='center'>Capability Bit</th>align="center" colspan="1" rowspan="1">Bit</th> <thalign='left'>Descriptionalign="left" colspan="1" rowspan="1">Description </th> <thalign='left'>Document</th>align="left" colspan="1" rowspan="1">Reference</th> </tr></thead><tbody></thead> <tbody> <tr> <tdalign='center'>09</td>align="center" colspan="1" rowspan="1">9</td> <tdalign='left'>AP-NDalign="left" colspan="1" rowspan="1">AP-ND Enabled (1 bit)</td> <tdalign='left'>This_RFC</td>align="left" colspan="1" rowspan="1">RFC 8928</td> </tr> </tbody> </table> </section><!-- end section "New 6LoWPAN Capability Bits" --> </section> <section><name>Acknowledgments</name> <t> Many thanks to Charlie Perkins for his in-depth review and constructive suggestions. The authors are also especially grateful to Robert Moskowitz and Benjamin Kaduk for their comments and discussions that led to many improvements. The authors wish to also thank Shwetha Bhandari for actively shepherding this document and Roman Danyliw, Alissa Cooper, Mirja Kuhlewind, Eric Vyncke, Vijay Gurbani, Al Morton, and Adam Montville for their constructive reviews during the IESG process. Finally Many thanks to our INT area ADs, Suresh Krishnan and then Erik Kline, who supported us along the whole process. </t></section> </middle> <back> <displayreferencetarget="I-D.ietf-6lo-backbone-router" to="BACKBONE-ROUTER"/> <displayreferencetarget="I-D.ietf-lwig-curve-representations" to="CURVE-REPR"/> <displayreference target="RFC7696"to="BCP 201"/>to="BCP201"/> <displayreference target="RFC4086"to="BCP 106"/> <references><name>Normativeto="BCP106"/> <references pn="section-9"> <name slugifiedName="name-references">References</name> <references pn="section-9.1"> <name slugifiedName="name-normative-references">Normative References</name><xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3971.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6234.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6775.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7400.xml'/> <!--xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7515.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7517.xml'/--> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7748.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8032.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8505.xml'/><referenceanchor='FIPS186-4'>anchor="FIPS186-4" target="https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.186-4.pdf" quoteTitle="true" derivedAnchor="FIPS186-4"> <front><title> Digital<title>Digital Signature Standard(DSS), Federal Information Processing Standards Publication 186-4 </title>(DSS)</title> <author><organization> FIPS 186-4 </organization><organization showOnFrontPage="true">National Institute of Standards and Technology</organization> </author> <datemonth='July' year='2013'/>month="July" year="2013"/> </front> <seriesInfoname='US Department of Commerce/National Institute of Standardsname="FIPS" value="186-4"/> <seriesInfo name="DOI" value="10.6028/NIST.FIPS.186-4"/> </reference> <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119" quoteTitle="true" derivedAnchor="RFC2119"> <front> <title>Key words for use in RFCs to Indicate Requirement Levels</title> <author initials="S." surname="Bradner" fullname="S. Bradner"> <organization showOnFrontPage="true"/> </author> <date year="1997" month="March"/> <abstract> <t indent="0">In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion andTechnology' value=''/>suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="2119"/> <seriesInfo name="DOI" value="10.17487/RFC2119"/> </reference> <referenceanchor='SEC1'>anchor="RFC3971" target="https://www.rfc-editor.org/info/rfc3971" quoteTitle="true" derivedAnchor="RFC3971"> <front><title>SEC 1: Elliptic Curve Cryptography, Version 2.0 </title> <author> <organization> SEC1 </organization><title>SEcure Neighbor Discovery (SEND)</title> <author initials="J." surname="Arkko" fullname="J. Arkko" role="editor"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Kempf" fullname="J. Kempf"> <organization showOnFrontPage="true"/> </author> <author initials="B." surname="Zill" fullname="B. Zill"> <organization showOnFrontPage="true"/> </author> <author initials="P." surname="Nikander" fullname="P. Nikander"> <organization showOnFrontPage="true"/> </author> <date year="2005" month="March"/> <abstract> <t indent="0">IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover other nodes on the link, to determine their link-layer addresses to find routers, and to maintain reachability information about the paths to active neighbors. If not secured, NDP is vulnerable to various attacks. This document specifies security mechanisms for NDP. Unlike those in the original NDP specifications, these mechanisms do not use IPsec. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3971"/> <seriesInfo name="DOI" value="10.17487/RFC3971"/> </reference> <reference anchor="RFC6234" target="https://www.rfc-editor.org/info/rfc6234" quoteTitle="true" derivedAnchor="RFC6234"> <front> <title>US Secure Hash Algorithms (SHA and SHA-based HMAC and HKDF)</title> <author initials="D." surname="Eastlake 3rd" fullname="D. Eastlake 3rd"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Hansen" fullname="T. Hansen"> <organization showOnFrontPage="true"/> </author> <datemonth='June' year='2009'/>year="2011" month="May"/> <abstract> <t indent="0">Federal Information Processing Standard, FIPS</t> </abstract> </front> <seriesInfoname='Standards for Efficient Cryptography' value=''/>name="RFC" value="6234"/> <seriesInfo name="DOI" value="10.17487/RFC6234"/> </reference> <reference anchor="RFC6775" target="https://www.rfc-editor.org/info/rfc6775" quoteTitle="true" derivedAnchor="RFC6775"> <front> <title>Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)</title> <author initials="Z." surname="Shelby" fullname="Z. Shelby" role="editor"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Chakrabarti" fullname="S. Chakrabarti"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Nordmark" fullname="E. Nordmark"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Bormann" fullname="C. Bormann"> <organization showOnFrontPage="true"/> </author> <date year="2012" month="November"/> <abstract> <t indent="0">The IETF work in IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) defines 6LoWPANs such as IEEE 802.15.4. This and other similar link technologies have limited or no usage of multicast signaling due to energy conservation. In addition, the wireless network may not strictly follow the traditional concept of IP subnets and IP links. IPv6 Neighbor Discovery was not designed for non- transitive wireless links, as its reliance on the traditional IPv6 link concept and its heavy use of multicast make it inefficient and sometimes impractical in a low-power and lossy network. This document describes simple optimizations to IPv6 Neighbor Discovery, its addressing mechanisms, and duplicate address detection for Low- power Wireless Personal Area Networks and similar networks. The document thus updates RFC 4944 to specify the use of the optimizations defined here. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6775"/> <seriesInfo name="DOI" value="10.17487/RFC6775"/> </reference> <reference anchor="RFC7400" target="https://www.rfc-editor.org/info/rfc7400" quoteTitle="true" derivedAnchor="RFC7400"> <front> <title>6LoWPAN-GHC: Generic Header Compression for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)</title> <author initials="C." surname="Bormann" fullname="C. Bormann"> <organization showOnFrontPage="true"/> </author> <date year="2014" month="November"/> <abstract> <t indent="0">RFC 6282 defines header compression in 6LoWPAN packets (where "6LoWPAN" refers to "IPv6 over Low-Power Wireless Personal Area Network"). The present document specifies a simple addition that enables the compression of generic headers and header-like payloads, without a need to define a new header compression scheme for each such new header or header-like payload.</t> </abstract> </front> <seriesInfo name="RFC" value="7400"/> <seriesInfo name="DOI" value="10.17487/RFC7400"/> </reference> <reference anchor="RFC7748" target="https://www.rfc-editor.org/info/rfc7748" quoteTitle="true" derivedAnchor="RFC7748"> <front> <title>Elliptic Curves for Security</title> <author initials="A." surname="Langley" fullname="A. Langley"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Hamburg" fullname="M. Hamburg"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Turner" fullname="S. Turner"> <organization showOnFrontPage="true"/> </author> <date year="2016" month="January"/> <abstract> <t indent="0">This memo specifies two elliptic curves over prime fields that offer a high level of practical security in cryptographic applications, including Transport Layer Security (TLS). These curves are intended to operate at the ~128-bit and ~224-bit security level, respectively, and are generated deterministically based on a list of required properties.</t> </abstract> </front> <seriesInfo name="RFC" value="7748"/> <seriesInfo name="DOI" value="10.17487/RFC7748"/> </reference> <reference anchor="RFC8032" target="https://www.rfc-editor.org/info/rfc8032" quoteTitle="true" derivedAnchor="RFC8032"> <front> <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title> <author initials="S." surname="Josefsson" fullname="S. Josefsson"> <organization showOnFrontPage="true"/> </author> <author initials="I." surname="Liusvaara" fullname="I. Liusvaara"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="January"/> <abstract> <t indent="0">This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t> </abstract> </front> <seriesInfo name="RFC" value="8032"/> <seriesInfo name="DOI" value="10.17487/RFC8032"/> </reference> <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174" quoteTitle="true" derivedAnchor="RFC8174"> <front> <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title> <author initials="B." surname="Leiba" fullname="B. Leiba"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="May"/> <abstract> <t indent="0">RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t> </abstract> </front> <seriesInfo name="BCP" value="14"/> <seriesInfo name="RFC" value="8174"/> <seriesInfo name="DOI" value="10.17487/RFC8174"/> </reference> <reference anchor="RFC8505" target="https://www.rfc-editor.org/info/rfc8505" quoteTitle="true" derivedAnchor="RFC8505"> <front> <title>Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery</title> <author initials="P." surname="Thubert" fullname="P. Thubert" role="editor"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Nordmark" fullname="E. Nordmark"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Chakrabarti" fullname="S. Chakrabarti"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Perkins" fullname="C. Perkins"> <organization showOnFrontPage="true"/> </author> <date year="2018" month="November"/> <abstract> <t indent="0">This specification updates RFC 6775 -- the Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery specification -- to clarify the role of the protocol as a registration technique and simplify the registration operation in 6LoWPAN routers, as well as to provide enhancements to the registration capabilities and mobility detection for different network topologies, including the Routing Registrars performing routing for host routes and/or proxy Neighbor Discovery in a low-power network.</t> </abstract> </front> <seriesInfo name="RFC" value="8505"/> <seriesInfo name="DOI" value="10.17487/RFC8505"/> </reference> <reference anchor="SEC1" target="https://www.secg.org/sec1-v2.pdf" quoteTitle="true" derivedAnchor="SEC1"> <front> <title>SEC 1: Elliptic Curve Cryptography</title> <author> <organization showOnFrontPage="true">Standards for Efficient Cryptography</organization> </author> <date month="May" year="2009"/> </front> <refcontent>Version 2</refcontent> </reference> </references> <references pn="section-9.2"> <name slugifiedName="name-informative-references">Informative References</name> <reference anchor="RFC4086" target="https://www.rfc-editor.org/info/rfc4086" quoteTitle="true" derivedAnchor="BCP106"> <front> <title>Randomness Requirements for Security</title> <author initials="D." surname="Eastlake 3rd" fullname="D. Eastlake 3rd"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Schiller" fullname="J. Schiller"> <organization showOnFrontPage="true"/> </author> <author initials="S." surname="Crocker" fullname="S. Crocker"> <organization showOnFrontPage="true"/> </author> <date year="2005" month="June"/> <abstract> <t indent="0">Security systems are built on strong cryptographic algorithms that foil pattern analysis attempts. However, the security of these systems is dependent on generating secret quantities for passwords, cryptographic keys, and similar quantities. The use of pseudo-random processes to generate secret quantities can result in pseudo-security. A sophisticated attacker may find it easier to reproduce the environment that produced the secret quantities and to search the resulting small set of possibilities than to locate the quantities in the whole of the potential number space.</t> <t indent="0">Choosing random quantities to foil a resourceful and motivated adversary is surprisingly difficult. This document points out many pitfalls in using poor entropy sources or traditional pseudo-random number generation techniques for generating such quantities. It recommends the use of truly random hardware techniques and shows that the existing hardware on many systems can be used for this purpose. It provides suggestions to ameliorate the problem when a hardware solution is not available, and it gives examples of how large such quantities need to be for some applications. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t> </abstract> </front> <seriesInfo name="BCP" value="106"/> <seriesInfo name="RFC" value="4086"/> <seriesInfo name="DOI" value="10.17487/RFC4086"/> </reference> <reference anchor="RFC7696" target="https://www.rfc-editor.org/info/rfc7696" quoteTitle="true" derivedAnchor="BCP201"> <front> <title>Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms</title> <author initials="R." surname="Housley" fullname="R. Housley"> <organization showOnFrontPage="true"/> </author> <date year="2015" month="November"/> <abstract> <t indent="0">Many IETF protocols use cryptographic algorithms to provide confidentiality, integrity, authentication, or digital signature. Communicating peers must support a common set of cryptographic algorithms for these mechanisms to work properly. This memo provides guidelines to ensure that protocols have the ability to migrate from one mandatory-to-implement algorithm suite to another over time.</t> </abstract> </front> <seriesInfo name="BCP" value="201"/> <seriesInfo name="RFC" value="7696"/> <seriesInfo name="DOI" value="10.17487/RFC7696"/> </reference> <reference anchor="breaking-ed25519" target="https://link.springer.com/chapter/10.1007/978-3-319-76953-0_1" quoteTitle="true" derivedAnchor="breaking-ed25519"> <front> <title>Breaking Ed25519 in WolfSSL</title> <author initials="N." surname="Samwel" fullname="Niels Samwel"> </author> <author initials="L." surname="Batina" fullname="Leija Batina"> </author> <author initials="G." surname="Bertoni" fullname="Guido Bertoni"> </author> <author initials="J." surname="Daemen" fullname="Joan Daemen"> </author> <author initials="R." surname="Susella" fullname="Ruggero Susella"> </author> <date month="March" year="2018"/> </front> <refcontent>Topics in Cryptology - CT-RSA, pp. 1-20</refcontent> </reference> <reference anchor="I-D.ietf-lwig-curve-representations" quoteTitle="true" target="https://tools.ietf.org/html/draft-ietf-lwig-curve-representations-14" derivedAnchor="CURVE-REPR"> <front> <title>Alternative Elliptic Curve Representations</title> <author fullname="Rene Struik"> <organization showOnFrontPage="true">Struik Security Consultancy</organization> </author> <date month="November" day="15" year="2020"/> <abstract> <t indent="0"> This document specifies how to represent Montgomery curves and (twisted) Edwards curves as curves in short-Weierstrass form and illustrates how this can be used to carry out elliptic curve computations using existing implementations of, e.g., ECDSA and ECDH using NIST prime curves. We also provide extensive background material that may be useful for implementers of elliptic curve cryptography. </t> </abstract> </front> <seriesInfo name="Internet-Draft" value="draft-ietf-lwig-curve-representations-14"/> <format type="TXT" target="https://www.ietf.org/internet-drafts/draft-ietf-lwig-curve-representations-14.txt"/> <refcontent>Work in Progress</refcontent> </reference> <reference anchor="RFC3972" target="https://www.rfc-editor.org/info/rfc3972" quoteTitle="true" derivedAnchor="RFC3972"> <front> <title>Cryptographically Generated Addresses (CGA)</title> <author initials="T." surname="Aura" fullname="T. Aura"> <organization showOnFrontPage="true"/> </author> <date year="2005" month="March"/> <abstract> <t indent="0">This document describes a method for binding a public signature key to an IPv6 address in the Secure Neighbor Discovery (SEND) protocol. Cryptographically Generated Addresses (CGA) are IPv6 addresses for which the interface identifier is generated by computing a cryptographic one-way hash function from a public key and auxiliary parameters. The binding between the public key and the address can be verified by re-computing the hash value and by comparing the hash with the interface identifier. Messages sent from an IPv6 address can be protected by attaching the public key and auxiliary parameters and by signing the message with the corresponding private key. The protection works without a certification authority or any security infrastructure. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="3972"/> <seriesInfo name="DOI" value="10.17487/RFC3972"/> </reference> <reference anchor="RFC4861" target="https://www.rfc-editor.org/info/rfc4861" quoteTitle="true" derivedAnchor="RFC4861"> <front> <title>Neighbor Discovery for IP version 6 (IPv6)</title> <author initials="T." surname="Narten" fullname="T. Narten"> <organization showOnFrontPage="true"/> </author> <author initials="E." surname="Nordmark" fullname="E. Nordmark"> <organization showOnFrontPage="true"/> </author> <author initials="W." surname="Simpson" fullname="W. Simpson"> <organization showOnFrontPage="true"/> </author> <author initials="H." surname="Soliman" fullname="H. Soliman"> <organization showOnFrontPage="true"/> </author> <date year="2007" month="September"/> <abstract> <t indent="0">This document specifies the Neighbor Discovery protocol for IP Version 6. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4861"/> <seriesInfo name="DOI" value="10.17487/RFC4861"/> </reference> <reference anchor="RFC4862" target="https://www.rfc-editor.org/info/rfc4862" quoteTitle="true" derivedAnchor="RFC4862"> <front> <title>IPv6 Stateless Address Autoconfiguration</title> <author initials="S." surname="Thomson" fullname="S. Thomson"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Narten" fullname="T. Narten"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Jinmei" fullname="T. Jinmei"> <organization showOnFrontPage="true"/> </author> <date year="2007" month="September"/> <abstract> <t indent="0">This document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. The autoconfiguration process includes generating a link-local address, generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4862"/> <seriesInfo name="DOI" value="10.17487/RFC4862"/> </reference> <reference anchor="RFC4919" target="https://www.rfc-editor.org/info/rfc4919" quoteTitle="true" derivedAnchor="RFC4919"> <front> <title>IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs): Overview, Assumptions, Problem Statement, and Goals</title> <author initials="N." surname="Kushalnagar" fullname="N. Kushalnagar"> <organization showOnFrontPage="true"/> </author> <author initials="G." surname="Montenegro" fullname="G. Montenegro"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Schumacher" fullname="C. Schumacher"> <organization showOnFrontPage="true"/> </author> <date year="2007" month="August"/> <abstract> <t indent="0">This document describes the assumptions, problem statement, and goals for transmitting IP over IEEE 802.15.4 networks. The set of goals enumerated in this document form an initial set only. This memo provides information for the Internet community.</t> </abstract> </front> <seriesInfo name="RFC" value="4919"/> <seriesInfo name="DOI" value="10.17487/RFC4919"/> </reference> <reference anchor="RFC4944" target="https://www.rfc-editor.org/info/rfc4944" quoteTitle="true" derivedAnchor="RFC4944"> <front> <title>Transmission of IPv6 Packets over IEEE 802.15.4 Networks</title> <author initials="G." surname="Montenegro" fullname="G. Montenegro"> <organization showOnFrontPage="true"/> </author> <author initials="N." surname="Kushalnagar" fullname="N. Kushalnagar"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Hui" fullname="J. Hui"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Culler" fullname="D. Culler"> <organization showOnFrontPage="true"/> </author> <date year="2007" month="September"/> <abstract> <t indent="0">This document describes the frame format for transmission of IPv6 packets and the method of forming IPv6 link-local addresses and statelessly autoconfigured addresses on IEEE 802.15.4 networks. Additional specifications include a simple header compression scheme using shared context and provisions for packet delivery in IEEE 802.15.4 meshes. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="4944"/> <seriesInfo name="DOI" value="10.17487/RFC4944"/> </reference> <reference anchor="RFC6282" target="https://www.rfc-editor.org/info/rfc6282" quoteTitle="true" derivedAnchor="RFC6282"> <front> <title>Compression Format for IPv6 Datagrams over IEEE 802.15.4-Based Networks</title> <author initials="J." surname="Hui" fullname="J. Hui" role="editor"> <organization showOnFrontPage="true"/> </author> <author initials="P." surname="Thubert" fullname="P. Thubert"> <organization showOnFrontPage="true"/> </author> <date year="2011" month="September"/> <abstract> <t indent="0">This document updates RFC 4944, "Transmission of IPv6 Packets over IEEE 802.15.4 Networks". This document specifies an IPv6 header compression format for IPv6 packet delivery in Low Power Wireless Personal Area Networks (6LoWPANs). The compression format relies on shared context to allow compression of arbitrary prefixes. How the information is maintained in that shared context is out of scope. This document specifies compression of multicast addresses and a framework for compressing next headers. UDP header compression is specified within this framework. [STANDARDS-TRACK]</t> </abstract> </front> <seriesInfo name="RFC" value="6282"/> <seriesInfo name="DOI" value="10.17487/RFC6282"/> </reference> <reference anchor="RFC7039" target="https://www.rfc-editor.org/info/rfc7039" quoteTitle="true" derivedAnchor="RFC7039"> <front> <title>Source Address Validation Improvement (SAVI) Framework</title> <author initials="J." surname="Wu" fullname="J. Wu"> <organization showOnFrontPage="true"/> </author> <author initials="J." surname="Bi" fullname="J. Bi"> <organization showOnFrontPage="true"/> </author> <author initials="M." surname="Bagnulo" fullname="M. Bagnulo"> <organization showOnFrontPage="true"/> </author> <author initials="F." surname="Baker" fullname="F. Baker"> <organization showOnFrontPage="true"/> </author> <author initials="C." surname="Vogt" fullname="C. Vogt" role="editor"> <organization showOnFrontPage="true"/> </author> <date year="2013" month="October"/> <abstract> <t indent="0">Source Address Validation Improvement (SAVI) methods were developed to prevent nodes attached to the same IP link from spoofing each other's IP addresses, so as to complement ingress filtering with finer-grained, standardized IP source address validation. This document is a framework document that describes and motivates the design of the SAVI methods. Particular SAVI methods are described in other documents.</t> </abstract> </front> <seriesInfo name="RFC" value="7039"/> <seriesInfo name="DOI" value="10.17487/RFC7039"/> </reference> <reference anchor="RFC7217" target="https://www.rfc-editor.org/info/rfc7217" quoteTitle="true" derivedAnchor="RFC7217"> <front> <title>A Method for Generating Semantically Opaque Interface Identifiers with IPv6 Stateless Address Autoconfiguration (SLAAC)</title> <author initials="F." surname="Gont" fullname="F. Gont"> <organization showOnFrontPage="true"/> </author> <date year="2014" month="April"/> <abstract> <t indent="0">This document specifies a method for generating IPv6 Interface Identifiers to be used with IPv6 Stateless Address Autoconfiguration (SLAAC), such that an IPv6 address configured using this method is stable within each subnet, but the corresponding Interface Identifier changes when the host moves from one network to another. This method is meant to be an alternative to generating Interface Identifiers based on hardware addresses (e.g., IEEE LAN Media Access Control (MAC) addresses), such that the benefits of stable addresses can be achieved without sacrificing the security and privacy of users. The method specified in this document applies to all prefixes a host may be employing, including link-local, global, and unique-local prefixes (and their corresponding addresses).</t> </abstract> </front> <seriesInfo name="RFC" value="7217"/> <seriesInfo name="DOI" value="10.17487/RFC7217"/> </reference> <reference anchor="RFC8064" target="https://www.rfc-editor.org/info/rfc8064" quoteTitle="true" derivedAnchor="RFC8064"> <front> <title>Recommendation on Stable IPv6 Interface Identifiers</title> <author initials="F." surname="Gont" fullname="F. Gont"> <organization showOnFrontPage="true"/> </author> <author initials="A." surname="Cooper" fullname="A. Cooper"> <organization showOnFrontPage="true"/> </author> <author initials="D." surname="Thaler" fullname="D. Thaler"> <organization showOnFrontPage="true"/> </author> <author initials="W." surname="Liu" fullname="W. Liu"> <organization showOnFrontPage="true"/> </author> <date year="2017" month="February"/> <abstract> <t indent="0">This document changes the recommended default Interface Identifier (IID) generation scheme for cases where Stateless Address Autoconfiguration (SLAAC) is used to generate a stable IPv6 address. It recommends using the mechanism specified in RFC 7217 in such cases, and recommends against embedding stable link-layer addresses in IPv6 IIDs. It formally updates RFC 2464, RFC 2467, RFC 2470, RFC 2491, RFC 2492, RFC 2497, RFC 2590, RFC 3146, RFC 3572, RFC 4291, RFC 4338, RFC 4391, RFC 5072, and RFC 5121. This document does not change any existing recommendations concerning the use of temporary addresses as specified in RFC 4941.</t> </abstract> </front> <seriesInfo name="RFC" value="8064"/> <seriesInfo name="DOI" value="10.17487/RFC8064"/> </reference></references> <references><name>Informative references</name> <!--reference anchor="IANA.JOSE.Algorithms"><reference anchor="RFC8065" target="https://www.rfc-editor.org/info/rfc8065" quoteTitle="true" derivedAnchor="RFC8065"> <front><title> JSON Web Signature and Encryption Algorithms </title> <author> <organization> IANA </organization><title>Privacy Considerations for IPv6 Adaptation-Layer Mechanisms</title> <author initials="D." surname="Thaler" fullname="D. Thaler"> <organization showOnFrontPage="true"/> </author> <dateyear=""></date>year="2017" month="February"/> <abstract> <t indent="0">This document discusses how a number of privacy threats apply to technologies designed for IPv6 over various link-layer protocols, and it provides advice to protocol designers on how to address such threats in adaptation-layer specifications for IPv6 over such links.</t> </abstract> </front> <seriesInfoname="IANA," value="https://www.iana.org/assignments/jose/jose.xhtml#web-signature-encryption-algorithms"></seriesInfo>name="RFC" value="8065"/> <seriesInfo name="DOI" value="10.17487/RFC8065"/> </reference> <referenceanchor="IANA.JOSE.Curves">anchor="RFC8126" target="https://www.rfc-editor.org/info/rfc8126" quoteTitle="true" derivedAnchor="RFC8126"> <front><title> JSON Web Key Elliptic Curve </title> <author> <organization><title>Guidelines for Writing an IANA</organization>Considerations Section in RFCs</title> <author initials="M." surname="Cotton" fullname="M. Cotton"> <organization showOnFrontPage="true"/> </author> <author initials="B." surname="Leiba" fullname="B. Leiba"> <organization showOnFrontPage="true"/> </author> <author initials="T." surname="Narten" fullname="T. Narten"> <organization showOnFrontPage="true"/> </author> <dateyear=""></date>year="2017" month="June"/> <abstract> <t indent="0">Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t> <t indent="0">To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t> <t indent="0">This is the third edition of this document; it obsoletes RFC 5226.</t> </abstract> </front> <seriesInfoname="IANA," value="https://www.iana.org/assignments/jose/jose.xhtml#web-key-elliptic-curve"></seriesInfo> </reference--> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.3972.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4086.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4861.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4862.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4919.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.4944.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.6282.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7039.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7217.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7518.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.7696.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8037.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8064.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8065.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml/reference.RFC.8126.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-6lo-backbone-router.xml'/> <xi:include href='https://xml2rfc.tools.ietf.org/public/rfc/bibxml3/reference.I-D.ietf-lwig-curve-representations.xml'/>name="BCP" value="26"/> <seriesInfo name="RFC" value="8126"/> <seriesInfo name="DOI" value="10.17487/RFC8126"/> </reference> <referenceanchor='breaking-ed25519' target='https://link.springer.com/chapter/10.1007/978-3-319-76953-0_1'>anchor="RFC8929" target="https://www.rfc-editor.org/info/rfc8929" quoteTitle="true" derivedAnchor="RFC8929"> <front><title>Breaking Ed25519 in WolfSSL</title> <author initials='N.' surname='Samwel' fullname='Niels Samwel'> </author> <author initials='L.' surname='Batina' fullname='Leija Batina'> </author><title>IPv6 Backbone Router</title> <authorinitials='G.' surname='Bertoni' fullname='Guido Bertoni'>initials="P" surname="Thubert" fullname="Pascal Thubert" role="editor"> <organization showOnFrontPage="true"/> </author> <authorinitials='J.' surname='Daemen' fullname='Joan Daemen'>initials="C.E." surname="Perkins" fullname="Charles Perkins"> <organization showOnFrontPage="true"/> </author> <authorinitials='R.' surname='Susella' fullname='Ruggero Susella'>initials="E" surname="Levy-Abegnoli" fullname="Eric Levy-Abegnoli"> <organization showOnFrontPage="true"/> </author> <dateyear='2018'/>month="November" year="2020"/> </front> <seriesInfoname='Cryptographers’ Track at the RSA Conference' value=''/>name="RFC" value="8929"/> <seriesInfo name="DOI" value="10.17487/RFC8929"/> </reference> </references> </references> <sectionanchor='ps'><name>Requirementsanchor="ps" numbered="true" removeInRFC="false" toc="include" pn="section-appendix.a"> <name slugifiedName="name-requirements-addressed-in-t">Requirements Addressed inthisThis Document</name><t><t indent="0" pn="section-appendix.a-1"> In thissection we statesection, the requirements of a secureneighbor discoveryNeighbor Discovery protocol forlow-power and lossy networks. </t><ul spacing='compact'> <li>LLNs are stated. </t> <ul spacing="normal" bare="false" empty="false" indent="3" pn="section-appendix.a-2"> <li pn="section-appendix.a-2.1"> The protocolMUST<bcp14>MUST</bcp14> be based on the Neighbor Discovery Optimization forLow-power and Lossy Networksthe LLN protocol defined in <xreftarget='RFC6775'/>. RFC6775target="RFC6775" format="default" sectionFormat="of" derivedContent="RFC6775"/>. RFC 6775 utilizes optimizations such as host-initiated interactions for sleeping resource-constrained hosts and the elimination of multicast address resolution. </li><li><li pn="section-appendix.a-2.2"> New options to be added to Neighbor Solicitation messagesMUST<bcp14>MUST</bcp14> lead to small packet sizes, especially compared with existing protocols such asSEcure Neighbor Discovery (SEND).SEND. Smaller packet sizes facilitate low-power transmission by resource-constrained nodes on lossy links. </li><li><li pn="section-appendix.a-2.3"> Thesupport for thisregistration mechanismSHOULD<bcp14>SHOULD</bcp14> be extensible tomoreother LLN linksthanand not be limited to IEEE 802.15.4 only.Support for at least theLLN links for which a 6lo "IPv6 over foo" specificationexists,exist, as well asLow-Power Wi-Fi SHOULDlow-power Wi-Fi, <bcp14>SHOULD</bcp14> bepossible.supported. </li><li><li pn="section-appendix.a-2.4"> As part of thisextension,protocol, a mechanism to compute a uniqueIdentifieridentifier should be provided with the capability to form a Link Local Address thatSHOULD<bcp14>SHOULD</bcp14> be unique at least within the LLN connected to a 6LBR. </li><li><li pn="section-appendix.a-2.5"> The Address Registration Option used in the ND registrationSHOULD<bcp14>SHOULD</bcp14> be extended to carry the relevant forms ofUnique Interface Identifier.the unique identifier. </li><li><li pn="section-appendix.a-2.6"> The Neighbor Discovery should specify the formation of a site-local address that follows the security recommendations from <xreftarget='RFC7217'/>.target="RFC7217" format="default" sectionFormat="of" derivedContent="RFC7217"/>. </li></ul><t> </t></ul> </section> <sectionanchor='reprconv'><name>Representationanchor="reprconv" numbered="true" removeInRFC="false" toc="include" pn="section-appendix.b"> <name slugifiedName="name-representation-conventions">Representation Conventions</name><section><name>Signature<section numbered="true" removeInRFC="false" toc="include" pn="section-b.1"> <name slugifiedName="name-signature-schemes">Signature Schemes</name><t><t indent="0" pn="section-b.1-1"> The signature scheme ECDSA256 corresponding to Crypto-Type 0 is ECDSA, as specified in <xreftarget='FIPS186-4'/>,target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/>, instantiated with the NIST prime curve P-256, as specified in AppendixBD.1.2 of <xreftarget='FIPS186-4'/>,target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/>, and the hash function SHA-256, as specified in <xreftarget='RFC6234'/>,target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/>, where points of this NIST curve are represented as points of a short-Weierstrass curve (see <xreftarget='FIPS186-4'/>)target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/>) and are encoded as octet strings in most-significant-bit first (msb) and most-significant-byte first (MSB) order. The signature itself consists of two integers (r and s), which are each encoded as fixed-size octet strings inmost-significant-bit firstMSB andmost-significant-byte firstmsb order. Fordetails onfurther details, see <xref target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/> for ECDSA, see <xreftarget='FIPS186-4'/>;target="weirepr" format="default" sectionFormat="of" derivedContent="Appendix B.3"/> fordetails onthe encoding of public keys, and see <xreftarget="weirepr"></xref>;target="bitrepr" format="default" sectionFormat="of" derivedContent="Appendix B.2"/> fordetails on the signature encoding, see <xref target='bitrepr'/>.</t> <t>signature encoding.</t> <t indent="0" pn="section-b.1-2"> The signature scheme Ed25519 corresponding to Crypto-Type 1 is EdDSA, as specified in <xreftarget='RFC8032'/>,target="RFC8032" format="default" sectionFormat="of" derivedContent="RFC8032"/>, instantiated with the Montgomery curve Curve25519, as specified in <xreftarget='RFC7748'/>,target="RFC7748" format="default" sectionFormat="of" derivedContent="RFC7748"/>, and the hash function SHA-512, as specified in <xreftarget='RFC6234'/>,target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/>, where points of this Montgomery curve are represented as points of the corresponding twisted Edwards curve Edwards25519 (see <xreftarget='curves'/>)target="curves" format="default" sectionFormat="of" derivedContent="Appendix B.4"/>) and are encoded as octet strings in least-significant-bit first (lsb) and least-significant-byte first (LSB) order. The signature itself consists of a bit string that encodes a point of this twisted Edwards curve, in compressed format, and an integer encoded inleast-significant-bit firstLSB andleast-significant-byte firstlsb order. For details onEdDSA,EdDSA and the encoding of public keys andthat ofsignatures, see the specification of pure Ed25519 in <xreftarget='RFC8032'></xref>.</t> <t>target="RFC8032" format="default" sectionFormat="of" derivedContent="RFC8032"/>.</t> <t indent="0" pn="section-b.1-3"> The signature scheme ECDSA25519 corresponding to Crypto-Type 2 is ECDSA, as specified in <xreftarget='FIPS186-4'/>,target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/>, instantiated with the Montgomery curve Curve25519, as specified in <xreftarget='RFC7748'/>,target="RFC7748" format="default" sectionFormat="of" derivedContent="RFC7748"/>, and the hash function SHA-256, as specified in <xreftarget='RFC6234'/>,target="RFC6234" format="default" sectionFormat="of" derivedContent="RFC6234"/>, where points of this Montgomery curve are represented as points of the corresponding short-Weierstrass curve Wei25519 (see <xreftarget='curves'/>)target="curves" format="default" sectionFormat="of" derivedContent="Appendix B.4"/>) and are encoded as octet strings inmost-significant-bit firstMSB andmost-significant-byte firstmsb order. The signature itself consists of a bit string that encodes twointegers,integers (r and s), which are each encoded as fixed-size octet strings inmost-significant-bit firstMSB andmost-significant-byte firstmsb order. Fordetails onfurther details, see <xref target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/> for ECDSA, see <xreftarget='FIPS186-4'/>;target="weirepr" format="default" sectionFormat="of" derivedContent="Appendix B.3"/> fordetails onthe encoding of public keys, and see <xreftarget="weirepr"></xref>;target="bitrepr" format="default" sectionFormat="of" derivedContent="Appendix B.2"/> fordetails on thesignatureencoding, see <xref target='bitrepr'/></t>encoding.</t> </section> <sectionanchor='bitrepr'><name>Representationanchor="bitrepr" numbered="true" removeInRFC="false" toc="include" pn="section-b.2"> <name slugifiedName="name-representation-of-ecdsa-sig">Representation of ECDSA Signatures</name><t><t indent="0" pn="section-b.2-1"> With ECDSA, each signature is an ordered pair (r, s) of integers <xreftarget='FIPS186-4'/>,target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/>, where each integer is represented as a 32-octet string according to theField Element to Octet StringFieldElement-to-OctetString conversion rules in <xreftarget='SEC1'/>target="SEC1" format="default" sectionFormat="of" derivedContent="SEC1"/> and where the ordered pair of integers is represented as therightconcatenationright concatenation of these representation values (thereby resulting in a 64-octet string). The inverse operation checks that the signature is a 64-octet string and represents the left-side and right-side halves of this string (each a 32-octet string) as the integers r and s, respectively, using theOctet String to Field ElementOctetString-to-FieldElement conversion rules in <xref target="SEC1" format="default" sectionFormat="of" derivedContent="SEC1"/>. In both cases, the field with these conversion rules is the set of integers modulo n, where n is the (prime) order of the base point of the curve in question. (For elliptic curve nomenclature, see <xreftarget='SEC1'/>. </t></section>target="I-D.ietf-lwig-curve-representations" sectionFormat="of" section="B.1" format="default" derivedLink="https://tools.ietf.org/html/draft-ietf-lwig-curve-representations-14#appendix-B.1" derivedContent="CURVE-REPR"/>.) </t> </section> <sectionanchor='weirepr'><name>Representationanchor="weirepr" numbered="true" removeInRFC="false" toc="include" pn="section-b.3"> <name slugifiedName="name-representation-of-public-ke">Representation of Public Keys Used with ECDSA</name><t><t indent="0" pn="section-b.3-1"> ECDSA is specified to be used with elliptic curves in short-Weierstrass form. Each point of such a curve is represented as an octet string using theElliptic Curve Point to Octet StringElliptic-Curve-Point-to-Octet-String conversion rules in <xreftarget='SEC1'/>,target="SEC1" format="default" sectionFormat="of" derivedContent="SEC1"/>, where point compression may be enabled (which is indicated by the leftmost octet of this representation). The inverse operation converts an octet string to a point of this curve using theOctet String to Elliptic Curve PointOctet-String-to-Elliptic-Curve-Point conversion rules in <xreftarget='SEC1'/>,target="SEC1" format="default" sectionFormat="of" derivedContent="SEC1"/>, whereby the point is rejected if this is the so-called point at infinity. (This is the case if the input to this inverse operation is an octet string of length 1.) </t> </section> <sectionanchor='curves'><name>Alternativeanchor="curves" numbered="true" removeInRFC="false" toc="include" pn="section-b.4"> <name slugifiedName="name-alternative-representations">Alternative Representations of Curve25519</name><t><t indent="0" pn="section-b.4-1"> The elliptic curve Curve25519, as specified in <xreftarget='RFC7748'/>,target="RFC7748" format="default" sectionFormat="of" derivedContent="RFC7748"/>, is a so-called Montgomery curve. Each point of this curve can also be represented as a point of a twisted Edwards curve or as a point of an elliptic curve in short-Weierstrass form, via a coordinate transformation (a so-called isomorphic mapping). The parameters of the Montgomery curve and the corresponding isomorphic curves in twisted Edwards curve and short-Weierstrass form are as indicated below. Here, the domain parameters of the Montgomery curve Curve25519 and of the twisted Edwards curve Edwards25519 are as specified in <xreftarget='RFC7748'/>;target="RFC7748" format="default" sectionFormat="of" derivedContent="RFC7748"/>; the domain parameters of the elliptic curve Wei25519 in short-Weierstrasscurveform comply with Section 6.1.1 of <xreftarget='FIPS186-4'/>.target="FIPS186-4" format="default" sectionFormat="of" derivedContent="FIPS186-4"/>. For further details on these curves and on the coordinate transformations referenced above, see <xreftarget='I-D.ietf-lwig-curve-representations'/>. </t> <t>target="I-D.ietf-lwig-curve-representations" format="default" sectionFormat="of" derivedContent="CURVE-REPR"/>. </t> <t indent="0" pn="section-b.4-2"> General parameters (for all curvemodels): </t><dl spacing='compact'> <dt>p</dt><dd>models):</t> <sourcecode markers="false" pn="section-b.4-3"> p 2^{255}-19</dd> <dt></dt><dd>(=0x7fffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffff ffffffed)</dd> <dt>h</dt><dd>h 8</dd> <dt>n</dt><dd> 7237005577332262213973186563042994240857116359379907606001950938285454250989 </dd> <dt></dt><dd>n 723700557733226221397318656304299424085711635937990760600195093828 5454250989 (=2^{252} + 0x14def9de a2f79cd6 5812631a 5cf5d3ed)</dd> </dl><t> </t> <t></sourcecode> <t indent="0" pn="section-b.4-4"> Montgomery curve-specific parameters (forCurve25519): </t><dl spacing='compact'> <dt>A</dt><dd>Curve25519):</t> <sourcecode markers="false" pn="section-b.4-5"> A 486662</dd> <dt>B</dt><dd>B 1</dd> <dt>Gu</dt><dd>Gu 9 (=0x9)</dd> <dt>Gv</dt><dd> 14781619447589544791020593568409986887264606134616475288964881837755586237401 </dd> <dt></dt><dd>Gv 147816194475895447910205935684099868872646061346164752889648818377 55586237401 (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9)</dd> </dl><t> </t> <t></sourcecode> <t indent="0" pn="section-b.4-6"> Twisted Edwards curve-specific parameters (forEdwards25519): </t><dl spacing='compact'> <dt>a</dt><dd>Edwards25519):</t> <sourcecode markers="false" pn="section-b.4-7"> a -1 (-0x01)</dd> <dt>d</dt><dd>d -121665/121666</dd> <dt></dt><dd> (=37095705934669439343138083508754565189542113879843219016388785533085940283555) </dd> <dt></dt><dd>(=3709570593466943934313808350875456518954211387984321901638878553 3085940283555) (=0x52036cee 2b6ffe73 8cc74079 7779e898 00700a4d 4141d8ab 75eb4dca 135978a3)</dd> <dt>Gx</dt><dd> 15112221349535400772501151409588531511454012693041857206046113283949847762202 </dd> <dt></dt><dd>Gx 151122213495354007725011514095885315114540126930418572060461132839 49847762202 (=0x216936d3 cd6e53fe c0a4e231 fdd6dc5c 692cc760 9525a7b2 c9562d60 8f25d51a)</dd> <dt>Gy</dt><dd>Gy 4/5</dd> <dt></dt><dd> (=46316835694926478169428394003475163141307993866256225615783033603165251855960) </dd> <dt></dt><dd>(=0x66666666(=4631683569492647816942839400347516314130799386625622561578303360 3165251855960) (=0x66666666 66666666 66666666 66666666 66666666 66666666 66666666 66666658)</dd> </dl><t> </t> <t></sourcecode> <t indent="0" pn="section-b.4-8"> Weierstrass curve-specific parameters (forWei25519): </t><dl spacing='compact'> <dt>a</dt><dd> 19298681539552699237261830834781317975544997444273427339909597334573241639236 </dd> <dt></dt><dd>Wei25519):</t> <sourcecode markers="false" pn="section-b.4-9"> a 192986815395526992372618308347813179755449974442734273399095973345 73241639236 (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaa98 4914a144)</dd> <dt>b</dt><dd> 55751746669818908907645289078257140818241103727901012315294400837956729358436 </dd> <dt></dt><dd>b 557517466698189089076452890782571408182411037279010123152944008379 56729358436 (=0x7b425ed0 97b425ed 097b425e d097b425 ed097b42 5ed097b4 260b5e9c 7710c864)</dd> <dt>GX</dt><dd> 19298681539552699237261830834781317975544997444273427339909597334652188435546 </dd> <dt></dt><dd>GX 192986815395526992372618308347813179755449974442734273399095973346 52188435546 (=0x2aaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaaaaaaa aaad245a)</dd> <dt>GY</dt><dd> 14781619447589544791020593568409986887264606134616475288964881837755586237401 </dd> <dt></dt><dd>GY 147816194475895447910205935684099868872646061346164752889648818377 55586237401 (=0x20ae19a1 b8a086b4 e01edd2c 7748d14c 923d4d7e 6d7c61b2 29e9c5a2 7eced3d9)</dd> </dl><t></sourcecode> </section> <section numbered="false" removeInRFC="false" toc="include" pn="section-b.5"> <name slugifiedName="name-acknowledgments">Acknowledgments</name> <t indent="0" pn="section-b.5-1"> Many thanks to <contact fullname="Charlie Perkins"/> for his in-depth review and constructive suggestions. The authors are also especially grateful to <contact fullname="Robert Moskowitz"/> and <contact fullname="Benjamin Kaduk"/> for their comments and discussions that led to many improvements. The authors wish to also thank <contact fullname="Shwetha Bhandari"/> for actively shepherding this document and <contact fullname="Roman Danyliw"/>, <contact fullname="Alissa Cooper"/>, <contact fullname="Mirja Kühlewind"/>, <contact fullname="Éric Vyncke"/>, <contact fullname="Vijay Gurbani"/>, <contact fullname="Al Morton"/>, and <contact fullname="Adam Montville"/> for their constructive reviews during the IESG process. Finally, many thanks to our INT area ADs, <contact fullname="Suresh Krishnan"/> and <contact fullname="Erik Kline"/>, who supported us along the whole process. </t> </section> </section> <section anchor="authors-addresses" numbered="false" removeInRFC="false" toc="include" pn="section-appendix.c"> <name slugifiedName="name-authors-addresses">Authors' Addresses</name> <author initials="P." surname="Thubert" fullname="Pascal Thubert" role="editor"> <organization abbrev="Cisco" showOnFrontPage="true">Cisco Systems, Inc.</organization> <address> <postal> <street>Building D</street> <street>45 Allee des Ormes - BP1200</street> <city>MOUGINS - Sophia Antipolis</city> <code>06254</code> <country>France</country> </postal> <phone>+33 497 23 26 34</phone> <email>pthubert@cisco.com</email> </address> </author> <author initials="B." surname="Sarikaya" fullname="Behcet Sarikaya"> <organization showOnFrontPage="true"/> <address> <postal> <street/> <street/> <city/> <region/> <code/> <country/> </postal> <email>sarikaya@ieee.org</email> </address> </author> <author initials="M." surname="Sethi" fullname="Mohit Sethi"> <organization showOnFrontPage="true">Ericsson</organization> <address> <postal> <street/> <city>Jorvas</city> <region/> <code>02420</code> <country>Finland</country> </postal> <email>mohit@piuha.net</email> </address> </author> <author initials="R." surname="Struik" fullname="Rene Struik"> <organization showOnFrontPage="true">Struik Security Consultancy</organization> <address> <postal> <street/> <city/> <region/> <code/> <country/> </postal> <email>rstruik.ext@gmail.com</email> </address> </author> </section> </back> </rfc><!-- CONVERT WARNING: wide character found at character 52617 of the output -->