Mike,

>  > Hence, once a "weak authentication" method is chosen it
>  > is again possible to always protect HAO (as well as even a
>  > nicer tunneling header). We still need a MAC field for that and
>  > for this there is an easy way. To conclude, dst.hdr is in RFC,
>  > the new proposal an individual draft so I'd say it could be
>  > something to consider for a second generation of Mobile IPv6,
>  > perhaps.

>    I'm afraid that there's more to this than that.
>    One of the implications of Pekka's observation is
>    that the binding cache is no longer a cache. That
>    is, you cannot evict the cache entry and still
>    function properly. The reason is not the CoA and
>    RH which will clearly still work, but the HAO. If
>    you drop the cache entry, the CN will see a HAO
>    which it doesn't know whether to believe and thus
>    would have to drop (or send a binding solicit,
>    etc). This bothers me quite a bit as going from
>    soft state to hard state should never be taken
>    lightly.

Hmm, if there is a way to set up weak authentication state
in an initialization, it can also be done again, even after
expiration. However, this concerns the properties of
weak authentication where you may not have a proof
of identity the way of strong authentication (e.g.,
you may need to "believe" the first HAO).

A point here was that once weak authentication was
considered required, that became the issue, not
the format.

>                 Mike

BR,

-Jari
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
