<If I sent this to the wrong MIPaddress could you
please forward it to the _right_ address.>
Hello
I basically like the idea of not tunnelling. Tunnelling doesn't
do anything for you actually. But I have some comments
on the details you mentioned below. I'll send a separate
mail with a similar proposal to yours but with small modifications
and attempt to give some hints for the authorisation problem.
Regards,
Hesham
> > Under this proposal, the Mobile Node will have to re-establish the
> > Security Association between the Home Agent and its Care-Of Address
> > every time it moves to support IPsec requirements for Router
> > Advertisements. How does this fit in with the process of
> > forming the new care-of address and updating bindings? Will
> > this cause additional hand-off delays?
> >
>
> Good question. Where this question leads is, how can the HA trust an MN
> when
> the MN does not have a trustable identity based on a Home network IP
> address? Does it make sense to base security associations on IP addresses
> when the addresses themselves are ephemeral and can't be associated to
> Identity without the involvement of an outside entity?
>
> Clearly this is already a hot topic. Rather than trying to solve it here,
> perhaps I can offer a compromise which allows for the possibility of
> future
> elaboration.
>
=> I'm afraid we can't skip this one. After all, this is one of
the seeds for the authorisation discussion, which
is one of the reasons holding up the draft as far as I know.
> Here's the recipe: start with Draft 13. Now remove encapsulation from RSs
> (this is unnecessary and inconsistent). Add the rules for TTL<255 and
> mobility processing, as stated in my previous message. Stir in addressing
> as
> follows:
>
> 1. The RS is sent with a HAddr option. The HAddr contains the MN's Home
> Address (naturally), EXCEPT if the MN has not configured one, in which
> case
> it MAY insert the COA instead.
>
=> Well, we're talking about a start up procedure here. So let's
assume the MN doesn't have a home address yet.
Therefore there is no need to have a HAddress option.
I'll explain in a second email how I thought we could
replace this.
> 2. The HA sends an RA using a routing header, as usual. The RHdr contains
> whatever was in the HAddr option - namely, the Home Address, EXCEPT if the
> COA was in the RS's HAddr option, it goes in the routing header (we could
> just leave the routing header off, alternatively).
>
=> Yeah. I think you can leave off the routing header for sure.
> > How does the home agent determine which mobile node sent the
> > Router Solicitation? Can the Care-of address on a mobile node
> > be relied on for this?
>
> I contend it doesn't matter. You just need to know that it was sent from a
> mobile node.
>
=> But how can the HA verify that based on your proposal?
Anyone can include a Home Address option in their packets.
> >[Mattias Pettersson wrote:]
> >>
> >> Will we open up a security hole or possible denial-of-service
> >> attack by, let's say, flooding a HA with RSes (that don't require
> >> authentication), now that we can send them over multiple hops?
> >>
> >
> > Yes, this does look like a problem, but I think it's just as
> > serious in draft 13. Any node could repeatedly send router
> > solicits with the mobile node's care-of address (and home
> > address). The home agent would send a complete Router
> > Advertisement to the mobile node for each Router Solicit,
> > possibly eating up expensive wireless bandwidth. Perhaps
> > the Router Solicit should be IPsec protected?
>
> The problem isn't bandwidth here. The security issue is that anyone can
> see
> the prefix information about that potentially private network.
>
=> Is that an issue really? I mean, after all, _everyone_
will see that prefix when they do a DNS lookup on the MN.
I don't think this would be a problem. Unless I missed
your point?
> You are
> thereby exposing the fact that a certain IP address is a router, that it's
> also a home agent, and what some or all of the prefixes on that link are.
> And you're exposing it to anyone along the path to the MN.
>
=> You expose your home link's prefix as soon as you
start communicating with anyone.
> Regarding the bandwidth issue, who cares that the HA will send RAs to the
> mobile? If you want to use the MN's bandwidth, nothing stops you from just
> sending it packets yourself! Anyway, the HA could protect against this by
> limiting the rate at which it sends RAs.
>
=> Agreed.
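As an added illustration, not part of this thread or of any draft text, the following Python model shows how a home agent could process Router Solicitations along the lines discussed above: a standard on-link RS (hop limit 255) is answered directly, a multi-hop RS is accepted only when it carries a Home Address option (the precise TTL<255 rule from the earlier message is not on this page, so that condition is an assumption), the Routing Header is omitted when the Care-of Address was placed in the HAddr option, and the RA rate is limited per destination with a token bucket as the defence against RS floods. All addresses and rate-limit parameters are constructed for the example, and the counters exist only so an operator can see how many solicitations were dropped and why.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class RouterSolicitation:
    """Simplified RS: only the fields the discussion cares about (constructed model)."""
    src: str                          # IPv6 source; the care-of address when the MN is away
    hop_limit: int                    # received hop limit (255 means on-link, untouched by routers)
    home_addr: Optional[str] = None   # Home Address option, if present


class RateLimiter:
    """Per-key token bucket. The caller supplies `now` so behaviour is deterministic."""

    def __init__(self, rate_per_sec: float, burst: int):
        self.rate = rate_per_sec
        self.burst = burst
        self._state: Dict[str, Tuple[float, float]] = {}   # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self._state.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)  # refill
        if tokens >= 1.0:
            self._state[key] = (tokens - 1.0, now)
            return True
        self._state[key] = (tokens, now)
        return False


class HomeAgent:
    """Toy HA that answers RSs with RAs under the proposed mobility rules (assumed, see lead-in)."""

    def __init__(self, prefixes, rate_per_sec: float = 1.0, burst: int = 3):
        self.prefixes = list(prefixes)
        self.limiter = RateLimiter(rate_per_sec, burst)
        self.dropped: Dict[str, int] = {}   # reason -> count, for monitoring

    def _drop(self, reason: str) -> None:
        self.dropped[reason] = self.dropped.get(reason, 0) + 1

    def handle_rs(self, rs: RouterSolicitation, now: float) -> Optional[dict]:
        """Return a description of the RA to send, or None if the RS is dropped."""
        if rs.hop_limit == 255:
            # Classic Neighbor Discovery case: the sender is on the home link.
            routing_header = None
        elif rs.home_addr is None:
            # Assumed rule: a multi-hop RS with no mobility information is not answered.
            self._drop("multihop_without_haddr")
            return None
        elif rs.home_addr == rs.src:
            # MN had no home address yet and put its COA in the HAddr option:
            # answer the COA directly, no routing header needed.
            routing_header = None
        else:
            # Normal away-from-home case: RA goes to the COA via a routing header
            # carrying the home address from the HAddr option.
            routing_header = rs.home_addr

        # Rate-limit per destination so repeated solicitations cannot make the HA
        # flood the (possibly wireless) link with full Router Advertisements.
        if not self.limiter.allow(rs.src, now):
            self._drop("rate_limited")
            return None

        return {"dst": rs.src, "routing_header": routing_header, "prefixes": self.prefixes}


if __name__ == "__main__":
    ha = HomeAgent(["2001:db8:1::/64"], rate_per_sec=1.0, burst=2)
    mobile = RouterSolicitation(src="2001:db8:2::5", hop_limit=64, home_addr="2001:db8:1::5")
    for t in (0.0, 0.1, 0.2, 1.3):
        print(t, ha.handle_rs(mobile, now=t))
    print("dropped:", ha.dropped)
```

The bucket is keyed on the RS source so one flooding sender cannot starve other mobile nodes, and the `dropped` counters give the home agent something to export to monitoring when the rate limit starts firing.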
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------