Hi Richard: Verifying that an address exists is certainly something; at least it prevents using an address that's not even topologically correct. But little more: the existence of a registration does not mean the address is not stolen. For first hop security, we'd want to prevent a node from impersonating another one even locally. In mesh under the Edge Router could do that. In route over, it's a bit far.
Pascal

>-----Original Message-----
>From: Richard Kelsey [mailto:[email protected]]
>Sent: Friday 29 May 2009 18:29
>To: Pascal Thubert (pthubert)
>Cc: [email protected]
>Subject: Re: [6lowpan] source address validation in ND 03
>
>   Date: Fri, 29 May 2009 17:34:21 +0200
>   From: "Pascal Thubert (pthubert)" <[email protected]>
>
>   >From: Richard Kelsey [mailto:[email protected]]
>   >To: Pascal Thubert (pthubert)
>   >
>   >   Date: Fri, 29 May 2009 11:55:10 +0200
>   >   From: "Pascal Thubert (pthubert)" <[email protected]>
>   >
>   >   The current draft inherits source address validation text from the
>   >   backbone router draft that's meant to prevent nodes in the LoWPAN from
>   >   using any address as source.
>   >
>   >   section 7.5. about forwarding by Edge Routers has:
>   >
>   >   "
>   >      Upon receiving packets on one of its LoWPAN interfaces, the Edge
>   >      Router checks whether it has a binding for the source address. If
>   >      it does, then the Edge Router can forward the packet; otherwise,
>   >      the Edge Router MUST discard the packet.
>   >   "
>   >
>   >   That was fine for a backbone router in a mesh under
>   >   situation but that seems to fall short for route over,
>   >   because in that case the Edge Router is not necessarily
>   >   the first hop:
>   >
>   >The check described in the passage above seems to be
>   >guarding against the use of a source address that is not
>   >bound within the LoWPAN. It doesn't appear to be concerned
>   >with a LoWPAN node using a source address that is bound to
>   >some other node in the same LoWPAN. For the former,
>   >guarding against the use of an unbound source address, I
>   >don't think it matters whether the Edge Router is the first
>   >hop or not.
>
>   Agreed but in extended the whiteboard is distributed so
>   if your packet gets out the wrong edge router it would
>   filter it out...
>
>Pascal,
>
>Doesn't the Extended LoWPAN backbone take care of that?
>From 7.3:
>
>   Addresses that are not found in the Whiteboard are queried
>   over the backbone using the ND operation in place for that
>   type of link, ...
>
>Either you have a Simple LoWPAN, in which case there is only
>one Edge Router, or you have an extended LoWPAN, in which
>case the Edge Routers can query each other over the backbone
>if they see a source address that is not in their local
>whiteboard.
>
>I think that this works for the Simple and Extended LoWPANs
>as described in the draft. It would be nice if there were a
>way of having additional Edge Routers that were not on a
>high-speed backbone. An Edge Router whose other IP network
>was another LoWPAN, for example. If that were permitted, a
>node would have to route packets via an edge router with
>which it was registered, as you described.
>
>                                 -Richard Kelsey
>----------------
>This message and the information it contains are the proprietary
>and confidential property of Ember Corporation and may be privileged.
>If you are not the intended recipient, please do not read, copy,
>disclose or distribute its contents to any party, and notify the
>sender immediately.

_______________________________________________
6lowpan mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6lowpan
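The exchange above argues about three distinct cases: an unbound source address (caught by the section 7.5 check at any Edge Router), an address bound at a different Edge Router of an Extended LoWPAN (resolved by the section 7.3 backbone query), and an address stolen from another node of the same LoWPAN (not caught by either, unless the Edge Router is the first hop). The toy model below replays those cases. It is an added example, not code from the draft or from either author; the `EdgeRouter` class, its `whiteboard` and `backbone` attributes, the `link_sender` parameter and the node/address names are this model's own assumptions, chosen to mirror the terms used in the thread.

```python
"""Toy model of the Edge Router source-address check discussed in this thread.

Constructed example; it is not code from the 6LoWPAN ND draft or from either
author. Names (EdgeRouter, whiteboard, backbone, link_sender) are this model's
own and only mirror the vocabulary of the quoted text.
"""
from dataclasses import dataclass, field


@dataclass
class EdgeRouter:
    name: str
    # Whiteboard: registered IPv6 source address -> node that registered it.
    whiteboard: dict = field(default_factory=dict)
    # Other Edge Routers reachable over the backbone (empty for a Simple LoWPAN).
    backbone: list = field(default_factory=list)

    def register(self, address, node):
        self.whiteboard[address] = node

    def lookup(self, address):
        """Section 7.5 rule: look in the local whiteboard; section 7.3: if the
        address is not there, query the peer Edge Routers over the backbone.
        Returns the name of the Edge Router holding the binding, or None."""
        if address in self.whiteboard:
            return self.name
        for peer in self.backbone:
            if address in peer.whiteboard:
                return peer.name
        return None

    def forward(self, src_addr, link_sender, first_hop_check=False):
        """Decide what to do with a packet received on a LoWPAN interface.

        src_addr        - IPv6 source address carried in the packet
        link_sender     - node the Edge Router received the frame from directly
        first_hop_check - additionally require link_sender to be the registered
                          owner; only meaningful when the Edge Router is the
                          first hop (mesh under), see the route-over case below
        Returns (action, reason).
        """
        owner_router = self.lookup(src_addr)
        if owner_router is None:
            return ("discard", "no binding for source address")
        if first_hop_check:
            registered = self.whiteboard.get(src_addr)
            if registered is not None and registered != link_sender:
                return ("discard", f"{link_sender} is not the registered owner of {src_addr}")
        return ("forward", f"binding found at {owner_router}")


def scenarios():
    """Replay the cases argued in the thread (constructed topology and names)."""
    er1 = EdgeRouter("ER1")
    er2 = EdgeRouter("ER2")
    er1.backbone.append(er2)   # Extended LoWPAN: ER1 and ER2 share a backbone
    er2.backbone.append(er1)
    er1.register("2001:db8::a", "nodeA")
    er2.register("2001:db8::b", "nodeB")

    return {
        # Unbound source address: dropped, whether or not ER1 is the first hop.
        "unbound": er1.forward("2001:db8::ff", "nodeA"),
        # nodeB's packet leaves via the "wrong" Edge Router; the 7.3 backbone
        # query finds the binding at ER2, so it is forwarded.
        "bound_at_peer": er1.forward("2001:db8::b", "nodeB"),
        # Stolen address: nodeB uses nodeA's registered address. The 7.5 check
        # only asks "is there a binding?", so the packet is forwarded.
        "stolen_not_detected": er1.forward("2001:db8::a", "nodeB"),
        # Mesh under: ER1 is the first hop, so comparing the link sender with
        # the binding catches the impersonation.
        "stolen_mesh_under": er1.forward("2001:db8::a", "nodeB", first_hop_check=True),
        # Route over: the frame arrives from an intermediate router, so the
        # same comparison would discard nodeA's own legitimate traffic.
        "legit_route_over": er1.forward("2001:db8::a", "routerR", first_hop_check=True),
    }


if __name__ == "__main__":
    for case, outcome in scenarios().items():
        print(f"{case:22s} -> {outcome}")
```

The last two cases are the point of the reply at the top of the page: the only signal an Edge Router has about who actually emitted a frame is the link-layer sender, and in route over that sender is a forwarding router rather than the originating node, so a first-hop comparison against the whiteboard cannot be done at the Edge Router.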
