> -----Original Message-----
> From: T.J. Kniveton [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, February 14, 2001 6:10 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Cc: Powell, Ken
> Subject: New idea for Router Sol/Adv and Mobility
<snip>
> Solution
> --------
> The solution to this problem involves two steps: relaxing a Neighbor
> Discovery rule on the HA and MN, and creating a mobility processing
> rule on the HA and MN. Now RS/RA can be sent without any special
> Mobile IP headers, and look very similar to normal RS/RA, except that
> they are routed unicast packets. This solution is very general, and
> uses the COA and HA addr only, so it does not matter whether the MN
> does, or does not, have an HAddr.
>
> RELAXING TTL:
> 1. A unicast Router Solicitation arriving at a Home Agent is NOT
> discarded if the TTL < 255 (off-link, from MN).
> 2. A unicast Router Advertisement arriving at a Mobile Node is NOT
> discarded if the TTL < 255 (off-link, from HA).
>
> MOBILITY PROCESSING:
> 1. The Home Agent receiving a Router Solicitation with TTL<255 (from
> off link) knows that this is a request from a MN, and will include
> extra Prefix Information as per the draft.
> 2. The Mobile Node receiving a Router Advertisement with TTL<255 knows
> that this was sent from a HA and contains HA prefix info and it should
> be processed differently by Mobile IP code to create HAddr(s).
>
> Recap Of Changes From Current Draft
> -----------------------------------
> We are removing
> - encapsulation on RS
> - routing header on RA
>
> We are adding
> - a rule that TTL<255 is allowed and specifies mobility signaling
> - RS and RA come into/out of COA on MN. HAddr is not used for this
> info.
>
> This buys us
> - mobile nodes without an HAddr are now routable
> - simplification and shortening of messages
> -

Under this proposal, the Mobile Node will have to re-establish the
Security Association between the Home Agent and its Care-Of Address
every time it moves to support IPsec requirements for Router
Advertisements. How does this fit in with the process of
forming the new care-of address and updating bindings? Will
this cause additional hand-off delays?

How does the home agent determine which mobile node sent the
Router Solicitation? Can the Care-of address on a mobile node
be relied on for this?

> -----Original Message-----
> From: Mattias Pettersson [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 15, 2001 4:01 AM
> To: T.J. Kniveton
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; Powell, Ken
> Subject: Re: New idea for Router Sol/Adv and Mobility
>
>
> Hi,
>
> "T.J. Kniveton" wrote:
>
> > Open Issues
> > -----------
> > SECURITY:
> > The Router Solicitation must be protected by an Authentication
> > Header. This is already a requirement.
>
> Is it? Where do you find that requirement? The RA needs authentication
> though.
>
<snip>
>
> Will we open up a security hole or possible denial-of-service
> attack by, let's say, flooding a HA with RSes (that don't require
> authentication), now that we can send them over multiple hops?
>
Yes, this does look like a problem, but I think it's just as
serious in draft 13. Any node could repeatedly send router
solicits with the mobile node's care-of address (and home
address). The home agent would send a complete Router
Advertisement to the mobile node for each Router Solicit,
possibly eating up expensive wireless bandwidth. Perhaps
the Router Solicit should be IPsec protected?

Ken
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
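
The home-agent receive rule discussed in this thread, written out as an added example (not code from the draft or from any participant): it applies the relaxed TTL check to Router Solicitations and counts how many Router Advertisements would be routed to a care-of address with and without an authentication requirement on off-link solicits. The `RouterSolicit` fields, the `ah_valid` flag (standing in for "an Authentication Header verified against a security association for the source address"), and all addresses are assumptions constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

ND_HOP_LIMIT = 255  # an ND message is only known to be on-link if it arrives with 255


@dataclass(frozen=True)
class RouterSolicit:
    src: str         # source address; for a mobile node this is its care-of address
    hop_limit: int   # Hop Limit ("TTL" in the thread) as received by the home agent
    unicast: bool    # addressed to the home agent's unicast address
    ah_valid: bool   # assumption: True if an AH verified against an SA for src


def classify(rs: RouterSolicit, require_auth: bool) -> str:
    """Home-agent receive rule with the thread's relaxed TTL check."""
    if rs.hop_limit == ND_HOP_LIMIT:
        return "on-link"      # ordinary Neighbor Discovery processing
    if not rs.unicast:
        return "drop"         # the relaxation only covers unicast RS
    if require_auth and not rs.ah_valid:
        return "drop"         # off-link and unauthenticated: sender unknown
    return "mobility"         # answer with an RA carrying home prefix info


def off_link_ras(packets, require_auth: bool) -> Counter:
    """Count the RAs the home agent would route to each care-of address."""
    return Counter(p.src for p in packets
                   if classify(p, require_auth) == "mobility")


# Constructed sample traffic (documentation prefix 2001:db8::/32).
COA = "2001:db8:f::10"
SAMPLE = (
    [RouterSolicit(COA, 250, True, True)]                   # the mobile node itself
    + [RouterSolicit(COA, 243, True, False)] * 5            # third party reusing the CoA
    + [RouterSolicit("2001:db8:a::7", 255, False, False)]   # on-link host, multicast RS
    + [RouterSolicit("2001:db8:b::9", 250, False, False)]   # off-link multicast: invalid
)

if __name__ == "__main__":
    print("no auth:  ", dict(off_link_ras(SAMPLE, require_auth=False)))
    print("with auth:", dict(off_link_ras(SAMPLE, require_auth=True)))
```

With the TTL rule relaxed and no authentication, every solicit naming the care-of address produces an RA toward the mobile node; requiring a verified AH on off-link solicits leaves only the mobile node's own request, at the cost of the per-move security association setup raised earlier in the thread.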