On Sun, 2 Dec 2001, Jim Bound wrote:
> I completely disagree with you.  The entire notion of worrying about the
> home agent address is overrated.  The reason is what most people will be
> doing is not needed to be secure any more than when you call a friend on
> the telephone and tell them you're bringing some beer over for the tele
> show.  This is what I believe 90% of the devices will be used for and on
> private cell networks not on the Big Internet.

The issue is about Home Address Option, not Home Agent address.  Damn the
abbreviations :-).

Or did you still mean Home Address?  If so, I recommend you read, at least
cursorily:

http://www.ietf.org/internet-drafts/draft-savola-ipv6-rh-ha-security-01.txt

Thanks.

> On Sat, 1 Dec 2001, Pekka Savola wrote:
>
> > On Sat, 1 Dec 2001, Jari Arkko wrote:
> > > > The requirement that Home Address Option MUST be processed is nothing new;
> > > > it's a requirement for every IPv6 node as currently being specified.
> > >
> > > Right, and this was what we've stated in earlier versions of the draft. A
> > > note was, however, added to the latest version of our draft to indicate
> > > that the Mobile IP WG is presently discussing what to do with the Home
> > > Address Option and whether there are security issues in that as well
> > > (as there were other security issues in the Binding Update Option).
> > >
> > > But frankly - as someone who wants to deploy zillions of these
> > > devices soon - we are somewhat unsure how to proceed regarding
> > > this issue. Since I know you Pekka were involved in the Home Address
> > > Option discussion, perhaps you could comment on where do you think
> > > the WG goes? Will it disallow the option unless accompanied by a
> > > Binding Cache Entry established securely earlier? Will it throw away
> > > the option and start to use tunneling? Or decide that there is no
> > > security issue? Or perhaps we can't yet say for sure?
> >
> > It's too early to say how this will be tackled, but I think the risk of
> > completely unauthenticated Home Address options will be too high; it seems
> > probable it will have to be restricted in some form or the other.  But it's
> > rather early yet.  Next revision of secreqs draft will add Home Address
> > option and Routing Header issues for consideration.  It seems likely the
> > wording will be "harsher" on the issue than before.

-- 
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.  -- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
