Pekka,

> On Sun, 2 Dec 2001, Jim Bound wrote:
> > I completely disagree with you. The entire notion of worrying about the home agent address is overrated. The reason is that what most people will be doing does not need to be any more secure than when you call a friend on the telephone and tell them you're bringing some beer over for the tele show. This is what I believe 90% of the devices will be used for, and on private cell networks, not on the Big Internet.
>
> The issue is about the Home Address Option, not the Home Agent address. Damn the abbreviations :-). Or did you still mean Home Address? If so, I recommend you read, at least cursorily:
>
> http://www.ietf.org/internet-drafts/draft-savola-ipv6-rh-ha-security-01.txt
Actually I meant both the Home Address Option and the BU ---> and was referencing them as MN BU Processing. Sorry. But yes, I read the above and draft-arkko-mipv6-bu-security-01.txt. I understand what your concerns are, but as you say in your introduction, "under some circumstances and the Big I" this can be a problem.

I believe we need to develop security mechanisms for many parts of IPv6. But I believe enhanced security extensions must be done out-of-band, not integral to the base protocol spec. MIPv6 and other specs have specified IPsec, and IPsec will be on all implementations for IPv6 this coming year from vendors that are shipping real IPv6 products. As far as PKI, as Jari states in his draft, it's not realistic to think we can build a global PKI infrastructure.

IPv4 is dying now quickly, and a huge fog is developing around the Internet and affecting private enterprise. Private enterprise will not put up with the IPv4 band-aids much longer. It's affecting business and the evolution of their networks and applications development. End-2-End is required for private enterprise because now everything runs over the network, or IP stack, however you want to view it. IPv4 is completely broken. It is unacceptable because of the lack of address space and the band-aids like translation, VPNs, etc.

I hinted at the solution for out-of-band, and that is AAA. What that means is we have to now use AAA to secure a MN to its location of communications. Will this have a performance hit? Yes, of course. But it's better than waiting for all of us in the standards arena to discuss and analyze this for the next three years. There is profit, jobs, and lots of good economic proliferation that can happen worldwide because of wireless computing. That is not going to happen with IPv4; it can't, and it's impossible without a huge green non-E2E fog. We must continue to work on finding the best security we can for MIPv6 parts, and I support that and will add that to my products as we develop solutions.
Your points are all good. I think a new RT HDR may be fine; that's why we put the extensibility of headers into IPv6 in the first place. Also IPsec will work for, say, a specific network bandwidth locale, simply because PKI on that scale will work. AAA will work too.

What I advocate, and always have, is to move the protocol specs forward with base mechanisms to support the most aggressive attacks. MIPv6 has done that with IPsec, and IPsec in general does that too. If the packet is IPsec'd at each hop it gives some general security. That's enough to move the protocol specs at least to PS. MIPv6 should have been PS at draft 13. Then we use spiral engineering to continue to improve upon the protocol and additional security mechanisms. This permits us to deliver timely specs to the market and our biggest customer, which is private enterprise. Most vendors in this community make their profit from private enterprise, not the Internet. And those that are classified as Internet usually are running private enterprise network services for a fee (telcos and ISPs).

As far as securing my MN from bad guys, I believe in caveat emptor in the first place. If you transfer your money without being secure, you're stupid and should lose your money. As far as nerd criminals attacking CNs via BUs, well, AAA fixes that, as does IPsec if it is used. Plus we will begin to see soon law enforcement mechanisms for private enterprise to catch these people and implementing very strong penalties for such acts, at least in the U.S.

thanks,
/jim

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
