Re: Source addresses, DDoS prevention and ingress filtering

Thu, 19 Apr 2001 01:58:55 -0700 

Hi all,

About this issue regarding nodes behind a MR, I would like to tell
interested people that we (MOTOROLA Labs and INRIA) have started to
tackle the problems associated with this issue in my draft  "Mobile
Networks Support in Mobile IPv6" that I presented to the Mobile IP
working group last year
(http://www.inrialpes.fr/planete/people/ernst/Documents/draft-ernst-mobileip-v6-network.txt)

The draft needs revisions following the recent discussions in the Mobile
IP and Seamoby WG.  I  will submit a revision prior to next IETF
meeting.   The current version only addresses some of the issues.  In
fact, there are many issues to address, and I think the right place to
discuss it is the Mobile IP WG.

In my draft, I propose that mobility of the mobile network be hidden to
nodes behind the MR (the MR operates Mobile IPv6).  in this case the
source address will always be an address topologically correct with
respect of the MR's network prefix on its home link, but not with
respect to the point of attachment of the MR.   In face of ingress
filtering, the solution is to tunnel the packet from the MR.

Thierry.


> Oh, I see what you were concerned about. It seems to me that an MR
> will have to tunnel or subnet translate unless it is on it's home
> subnet.
> 
> -----Original Message-----
> From: Michael Thomas [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, April 18, 2001 9:49 AM
> To: Morrow, Glenn [RICH2:C330:EXCH]
> Cc: Michael Thomas; Thomas Eklund; '[EMAIL PROTECTED]';
> '[EMAIL PROTECTED]'
> Subject: RE: Source addresses, DDoS prevention and ingress filtering
> 
> Glenn Morrow writes:
>  > If the node behind the MR obtained its home address from the  the
> mobile
>  > router's subnet, then the MN will use this as the source i.e. the
> MN's home
>  > subnet is the MR's subnet.
> 
>    Right, but when the MR's upstream router does an
>    RPF check... it will drop the SN's packets.
> 
>  > Either way (tunneling or subnet translation), the topological
> correctness is
>  > still maintained.
> 
>    Well, that's sort of the problem. The SN doesn't
>    know that it's putting topologically incorrect
>    source address in the IP header.
> 
>                   Mike

--
* mailto:[EMAIL PROTECTED]  Tel +33 (0) 4 76 61 52 69 
* INRIA Rhone-Alpes Projet PLANETE       (fax 52 52) 
* and MOTOROLA Labs Paris
* http://www.inrialpes.fr/planete/people/ernst/Welcome.html
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------

Reply via email to