> As said, a nice idea. However, the case of ignoring HAO
> is not true; before PKI was not considered globally scalable
> it was possible to say we can always use IPsec to protect
> even the HAO, which is an immutable dst.opt.

Jari,

No version of draft-ietf-mobileip-ipv6-nn.txt has required that the HAOpt be protected in all cases - the requirement has only been to protect it (automatically) when the packet also contains a BU option. Thus this issue has nothing to do with global PKI or not - IMHO it was a poor understanding, partly by myself as a WG co-chair at the time, of the type of attacks that have since become more common and how the HAOpt could be used to facilitate such attacks.

Erik

> Hence, once a "weak authentication" method is chosen it
> is again possible to always protect HAO (as well as even a
> nicer tunneling header). We still need a MAC field for that and
> for this there is an easy way. To conclude, dst.hdr is in RFC,
> the new proposal an individual draft so I'd say it could be
> something to consider for a second generation of Mobile IPv6,
> perhaps.
>
> > Mike
>
> BR,
>
> -Jari
>
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page: http://playground.sun.com/ipng
> FTP archive: ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------
