> Solution
> --------
> The solution to this problem involves two steps: relaxing a Neighbor
> Discovery rule on the HA and MN, and creating a mobility processing rule
> on the HA and MN. Now RS/RA can be sent without any special Mobile IP
> headers, and look very similar to normal RS/RA, except that they are
> routed unicast packets. This solution is very general, and uses the COA
> and HA addr only, so it does not matter whether the MN does, or does
> not, have an HAddr.

Are you proposing using these rules solely for the initial configuration
of the home addresses, or do you see these new rules as something that
would apply to all information carried in RAs and RSs between the HA
and the mobile away from home?

If it is the latter it might be cleaner to make these be different
ICMP types (e.g. Home Agent Solicitation and Home Agent Advertisement) that
would carry the ND options like the prefixes.

> RELAXING TTL:
> 1. A unicast Router Solicitation arriving at a Home Agent is NOT
> discarded if the TTL < 255 (off-link, from MN).
> 2. A unicast Router Advertisement arriving at a Mobile Node is NOT
> discarded if the TTL < 255 (off-link, from HA).
> 
> MOBILITY PROCESSING:
> 1. The Home Agent receiving a Router Solicitation with TTL<255 (from off
> link) knows that this is a request from a MN, and will include extra
> Prefix Information as per the draft.

This is where having a different ICMP type would make things cleaner.

> 2. The Mobile Node receiving a Router Advertisement with TTL<255 knows
> that this was sent from a HA and contains HA prefix info and it should
> be processed differently by Mobile IP code to create HAddr(s).

> SECURITY:
> The Router Solicitation must be protected by an Authentication Header.
> This is already a requirement.
> The Router Advertisement should/may be encrypted. If it is not, note
> that prefix information about the home network will be available for
> inspection along the path the RA travels. This security issue is the
> same as what exists in the current version.

Encrypting the RA doesn't seem to be useful unless you restrict the COAs
that can be used to talk to the HA.

If somebody wants to discover the RA content they can just
1. set up an ESP security association between their address (COA) and the HA.
2. send a RS to the HA.
3. The HA will send the encrypted RA back to them and they decrypt it.

Thus I think it is a fundamental aspect of the problem (trying to allocate
a home address before doing a secured BU with the HA) that anybody can
discover whatever you send to a claimed COA for a mobile node.

  Erik
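The two rules quoted above (accept an off-link unicast RS at the HA, accept an off-link unicast RA at the MN, and branch into mobility processing when the hop limit is below 255) can be modelled as a small simulation. The code below is an added illustration, not from the thread or any Mobile IP implementation: the NDMessage record, the function names, the hop limit of 64 used for the HA's reply and the sample prefixes and interface identifier are all assumptions. The hop_limit field stands for the value seen by the receiver, which is what the rule keys on. The AH check on the off-link RS is the requirement the quoted SECURITY section already states; as Erik notes, it authenticates the sender of the RS but does not keep the RA content from whoever can set up an SA with the HA.

```python
"""Simulation of the relaxed ND hop-limit rule and the mobility branch.

Added example (not from the thread). Packet model, function names and
the sample values are assumptions made for illustration.
"""
import ipaddress
from dataclasses import dataclass

ON_LINK_HOP_LIMIT = 255  # RFC 2461: ND messages from the local link arrive with 255
REPLY_HOP_LIMIT = 64     # assumed initial hop limit for a routed (off-link) RA


@dataclass
class NDMessage:
    kind: str             # "RS" or "RA"
    src: str
    dst: str
    hop_limit: int        # hop limit as observed by the receiver
    unicast: bool
    has_ah: bool          # protected by an Authentication Header
    prefixes: tuple = ()  # prefix strings carried in a RA


def home_agent_process_rs(msg, link_prefixes, extra_prefixes, ha_addr):
    """HA side of the rules. Returns (verdict, reply) where verdict is
    'on-link', 'mobile' or 'drop'; reply is the RA to send or a reason."""
    if msg.kind != "RS":
        return "drop", "not a Router Solicitation"
    if msg.hop_limit == ON_LINK_HOP_LIMIT:
        # ordinary RS from the home link: answer with a normal RA
        ra = NDMessage("RA", ha_addr, msg.src, ON_LINK_HOP_LIMIT,
                       msg.unicast, False, tuple(link_prefixes))
        return "on-link", ra
    # hop limit < 255: the RS was routed here, so it must be a unicast
    # from a mobile node and must carry the required AH
    if not msg.unicast:
        return "drop", "off-link RS must be unicast"
    if not msg.has_ah:
        return "drop", "off-link RS must carry an Authentication Header"
    # mobility processing: include the extra Prefix Information for the MN
    ra = NDMessage("RA", ha_addr, msg.src, REPLY_HOP_LIMIT, True, True,
                   tuple(link_prefixes) + tuple(extra_prefixes))
    return "mobile", ra


def mobile_node_process_ra(msg, interface_id):
    """MN side of the rules. Returns (verdict, home_addresses); the
    addresses are formed from the advertised /64 prefixes and the MN's
    interface identifier (given as an IPv6 address string with a zero
    upper half, e.g. '::200:5eff:fe00:5301')."""
    if msg.kind != "RA":
        return "drop", []
    if msg.hop_limit == ON_LINK_HOP_LIMIT:
        return "on-link", []  # normal ND processing, not modelled here
    if not msg.unicast:
        return "drop", []
    # hop limit < 255 and unicast: treat as an RA from the HA
    iid = int(ipaddress.IPv6Address(interface_id))
    addrs = []
    for p in msg.prefixes:
        net = ipaddress.IPv6Network(p)
        if net.prefixlen != 64:
            continue  # only /64 prefixes are combined with a 64-bit IID
        addrs.append(str(ipaddress.IPv6Address(int(net.network_address) | iid)))
    return "mobile", addrs


if __name__ == "__main__":
    ha = "2001:db8:1::1"                      # constructed sample addresses
    coa = "2001:db8:ffff::42"
    rs = NDMessage("RS", coa, ha, 200, unicast=True, has_ah=True)
    verdict, ra = home_agent_process_rs(rs, ["2001:db8:1::/64"], ["2001:db8:2::/64"], ha)
    print(verdict, ra.prefixes)
    print(mobile_node_process_ra(ra, "::200:5eff:fe00:5301"))
```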

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
