On Sat, 1 Dec 2001, Jari Arkko wrote:
> > The requirement that Home Address Option MUST be processed is nothing new;
> > it's a requirement for every IPv6 node as currently being specified.
>
> Right, and this was what we've stated in earlier versions of the draft. A
> note was, however, added to the latest version of our draft to indicate
> that the Mobile IP WG is presently discussing what to do with the Home
> Address Option and whether there are security issues in that as well
> (as there were other security issues in the Binding Update Option).
>
> But frankly - as someone who wants to deploy zillions of these
> devices soon - we are somewhat unsure how to proceed regarding
> this issue. Since I know you Pekka were involved in the Home Address
> Option discussion, perhaps you could comment on where do you think
> the WG goes? Will it disallow the option unless accompanied by a
> Binding Cache Entry established securely earlier? Will it throw away
> the option and start to use tunneling? Or decide that there is no
> security issue? Or perhaps we can't yet say for sure?

It's too early to say how this will be tackled, but I think the risk of
completely unauthenticated Home Address options will be too high; it seems
probable it will have to be restricted in some form or the other. But it's
rather early yet.

Next revision of secreqs draft will add Home Address option and Routing
Header issues for consideration. It seems likely the wording will be
"harsher" on the issue than before.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
