In your previous mail you wrote: While such a check is reasonable for a host, a firewall can't actually check this since it doesn't know the relationship between Care of Addresses and Home Addresses.
=> I disagree: the firewall doesn't know only if nobody sends the information to it. If mobile nodes inside the domain the firewall manages send (using the network access control for instance) this kind of information to the firewall it should be able to do smart ingress filtering for packets with home address option (i.e. solve the ingress filtering fouled by home address options by a better ingress filtering) and (symmetrically) be able to filter out rogue source routing. Regards [EMAIL PROTECTED] -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
