In your previous mail you wrote:
> => the problem is not node or host, it is with a requirement you can find
> and I can't find.
Not nearly all cases of the IPv6 specification use "must" clauses, even
though they are clearly required.
=> no, nothing without a MUST is clearly required. If I apply your
argument to RFC 791 IPv4 source route processing and forwarding is
mandatory for IPv4 hosts. RFC 2460 defines the processing rule,
it says *nothing* about any requirement for a node to forward a
source routed packet. As I said, RFC 2460 is not an IPv6 node
requirement document.
> Only problem with this is that I fail to see how you _really_ could
> identify mobile nodes?
>
> => I've suggested three different ways.
Do you have more specific ideas how these could work?
- Home address option: check if it exists (could be added by anyone, isn't
enough)
=> I disagree, if you see an outgoing packet from C without home address H
you can decide to accept an incoming packet to C with a source route to H.
- Binding updates (requires state)
=> I can't see a problem with state!
- Explicit negotiation (requires state to be exported from AAA to
firewall)
=> same.
> Requiring state in the firewall for this is probably unacceptable.
>
> => yes, you need a stateful firewall but a stateless firewall is *not*
> a real one, at least you may not say it is a good one (:-).
Stateful firewall usually creates a SPOF, which may not be acceptable for
multihoming solutions at least.
=> I am afraid that you have to accept a single-point-of-failure
if you'd like to get a high level of security. Note that for AAA
the state is not in the firewall, it is in the AAA system.
> => no, the job of a router is to route <dot>
There are different kinds of routers. I agree with you when "core"
routers are concerned, but "access routers" e.g. of a small-midsize
company (not necessarily even classical "router hardware router") must be
able to perform these checks.
=> I believe a router is a bad firewall (and a firewall a bad router).
I don't like the idea that everyone should get a big, expensive stateful
firewall
=> you are not required to pay a lot of money to get a good software (:-).
if all you want is basic security and stateless access-lists.
=> you can't both ask for good security and propose in order to achieve
it basic security and known to be not enough tools.
Regards
[EMAIL PROTECTED]
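The stateful check argued for in this exchange (learn a care-of/home address pair from an outbound packet that carries a Home Address option, then admit inbound packets to that care-of address only when their routing header goes through the learned home address) can be sketched as a small filter. The code below is an added illustration written for this archive page, not code from the mail or from any firewall product; the `Packet` record, the `MobileNodeFilter` class, the expiry time and the sample addresses are all constructed for the example, and the packet model is a plain Python object rather than real IPv6 parsing.

```python
"""Toy stateful filter for source-routed packets to mobile nodes.

Rule demonstrated (from the mailing-list argument):
  * an outbound packet from care-of address C carrying home address H
    in a Home Address destination option creates a binding (C, H);
  * an inbound packet to C whose routing header lists H is accepted
    only while that binding is alive; any other source-routed packet
    to C is dropped.
Everything here is constructed for illustration; it is not a product's
code and does not parse real IPv6 headers.
"""
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    # Home Address destination option, if the packet carries one
    home_address: Optional[str] = None
    # intermediate addresses from a routing header, empty if none
    route_via: Tuple[str, ...] = ()


class MobileNodeFilter:
    """Keeps (care_of, home) bindings learned from outbound traffic."""

    def __init__(self, ttl: float = 600.0) -> None:
        self.ttl = ttl
        # (care_of, home) -> absolute expiry time
        self.bindings: Dict[Tuple[str, str], float] = {}

    def outbound(self, pkt: Packet, now: Optional[float] = None) -> bool:
        """Learn a binding from an outbound packet; outbound is always passed."""
        now = time.monotonic() if now is None else now
        if pkt.home_address is not None:
            self.bindings[(pkt.src, pkt.home_address)] = now + self.ttl
        return True

    def inbound(self, pkt: Packet, now: Optional[float] = None) -> bool:
        """Decide whether an inbound packet is accepted."""
        now = time.monotonic() if now is None else now
        if not pkt.route_via:
            # no source route: the ordinary (stateless) rules decide;
            # modelled here as "accept" for brevity
            return True
        # only a single hop through a home address is meaningful here;
        # longer routes are refused outright
        if len(pkt.route_via) != 1:
            return False
        key = (pkt.dst, pkt.route_via[0])
        expiry = self.bindings.get(key)
        if expiry is None or expiry < now:
            self.bindings.pop(key, None)   # drop stale state
            return False
        return True


def demo() -> List[bool]:
    """Run a constructed scenario; returns the filter's decisions in order."""
    care_of = "2001:db8:1::ca"      # constructed care-of address C
    home = "2001:db8:2::1"          # constructed home address H
    peer = "2001:db8:9::1"          # constructed correspondent
    other = "2001:db8:3::1"         # constructed address never bound to C
    f = MobileNodeFilter(ttl=100.0)
    f.outbound(Packet(src=care_of, dst=peer, home_address=home), now=0.0)
    return [
        # legitimate: source route via the learned home address
        f.inbound(Packet(src=peer, dst=care_of, route_via=(home,)), now=10.0),
        # source route via an address C never claimed as home
        f.inbound(Packet(src=peer, dst=care_of, route_via=(other,)), now=10.0),
        # multi-hop route is refused even if it contains H
        f.inbound(Packet(src=peer, dst=care_of, route_via=(other, home)), now=10.0),
        # same legitimate packet after the binding expired
        f.inbound(Packet(src=peer, dst=care_of, route_via=(home,)), now=200.0),
        # packet without any routing header is left to stateless rules
        f.inbound(Packet(src=peer, dst=care_of), now=200.0),
    ]


if __name__ == "__main__":
    print(demo())
```

The binding expiry is what keeps the state bounded; without it a single learned pair would admit source-routed traffic to C indefinitely, which is exactly the kind of long-lived state the other side of the thread objects to.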
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------