RE: Source addresses, DDoS prevention and ingress filtering

[Thomas Eklund]

Hi Mike,

   Right, but when the MR's upstream router does an
   RPF check... it will drop the SN's packets.

--> I assume you mean the reverse path forwading check in multicasting. If
so, it is the same way as for v4, you must join a multicast group in your
access network with your local/topological correct IP adress, which in case
would be the CoA (not HA). If you would like to do it with security then you
talking about secure multicast which is very pre mature but then I assume
you would like to have done it with your HA (unless you did not use the AAA
v6 draft of course then you could have used the CoA )and tunnel he traffic
from your home subnet..:-) 

 > Either way (tunneling or subnet translation), the topological
correctness is
 > still maintained.

   Well, that's sort of the problem. The SN doesn't
   know that it's putting topologically incorrect
   source address in the IP header.

Agreed, but IF the enterprise or service provider would haver used something
like the AAAv6 draft then they would have known that the src address would
be the same as the link identifier....

-- Thomas
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------