In your previous mail you wrote: unless you bind the IPsec security association to the home address, an attacker could send a Binding Update message with a spoofed home address using its own IPsec SA. The correspondent node's IPsec instance would accept that message and hand it on to the Mobile IPv6 instance. The Mobile IPv6 instance would rely on the message being authenticated and update the binding cache entry for the spoofed home address.

=> I agree, but I can't see an issue with this: if I remove the word "home" and all allusions to mobility, your statement still applies. So, as I've already explained, the home address is not special and this kind of spoofing is not specific to mobility.

You can eliminate this issue with one or two additional, clarifying sentences in your draft.

=> IMHO it is not reasonable to forbid dynamic addressing in IPsec, so it is not reasonable to forbid dynamic or pseudo-anonymous home addresses (pseudo-anonymous: which has no particular property attached to it). And please note the initial IPsec establishment has to be done before IPsec can protect the mobility signaling, so without asking anything of IPsec for this, IPsec is already at least as good as a return routability check.

To finish, I've also already stated I am not against a SHOULD for a protection in the case of statically assigned home addresses:
- it is easy to do in this case
- it improves the security
- as this protection is required in the MN-HA context, and in this case the simplest way is to encode it in the certificate, it should come for free.

To summarize: if a spoofed home address is accepted, it is because the IPsec configuration was set up to accept it. The only thing we have to do is to enforce that it was not by accident.

Regards

_______________________________________________
Gen-art mailing list
https://www1.ietf.org/mailman/listinfo/gen-art
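The check under discussion, as an added illustration that is not part of the mailing-list exchange or of any Mobile IPv6 implementation: a toy correspondent node that accepts a Binding Update only when the IPsec SA it arrived under is bound to the home address the BU claims, with the "dynamic home address" policy shown beside the strict one. All addresses, SPIs and the data structures are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Dict, Optional, Tuple

@dataclass
class IPsecSA:
    """An inbound SA as IPsec hands it to Mobile IPv6 (constructed model)."""
    spi: int
    bound_home_address: Optional[IPv6Address]  # None = dynamic/unconstrained

@dataclass
class BindingUpdate:
    home_address: IPv6Address     # claimed in the Home Address option
    care_of_address: IPv6Address  # source address of the BU packet

@dataclass
class CorrespondentNode:
    # home address -> care-of address
    binding_cache: Dict[IPv6Address, IPv6Address] = field(default_factory=dict)
    # the "SHOULD" for statically assigned home addresses
    require_bound_sa: bool = True

    def process_bu(self, bu: BindingUpdate, sa: Optional[IPsecSA]) -> Tuple[bool, str]:
        """Accept the BU only if the SA that protected it vouches for the home address."""
        if sa is None:
            return False, "BU not IPsec-protected"
        if sa.bound_home_address is None:
            if self.require_bound_sa:
                return False, "SA not bound to a home address"
            # policy deliberately accepts dynamic home addresses: the binding is
            # then exactly as trustworthy as the SA configuration that admitted it
        elif sa.bound_home_address != bu.home_address:
            return False, "home address does not match SA binding"
        self.binding_cache[bu.home_address] = bu.care_of_address
        return True, "binding cache updated"

def demo() -> Dict[str, bool]:
    """Constructed addresses: 2001:db8:a::1 owns the SA, 2001:db8:b::1 is spoofed."""
    owner, other = IPv6Address("2001:db8:a::1"), IPv6Address("2001:db8:b::1")
    spoof = BindingUpdate(home_address=other, care_of_address=owner)
    legit = BindingUpdate(home_address=owner, care_of_address=owner)
    bound_sa = IPsecSA(spi=0x100, bound_home_address=owner)
    dynamic_sa = IPsecSA(spi=0x101, bound_home_address=None)
    strict, lax = CorrespondentNode(), CorrespondentNode(require_bound_sa=False)
    return {
        "spoof_under_bound_sa": strict.process_bu(spoof, bound_sa)[0],             # False
        "own_address_under_bound_sa": strict.process_bu(legit, bound_sa)[0],       # True
        "spoof_under_dynamic_sa_strict": strict.process_bu(spoof, dynamic_sa)[0],  # False
        "spoof_under_dynamic_sa_lax": lax.process_bu(spoof, dynamic_sa)[0],        # True
    }
```

The last case is the one the post describes: the lax node accepts the spoofed home address only because its policy was configured to admit SAs not bound to any home address.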
