> > Yes, if you make all hosts and routers inside the firewall have that check > > you'd be fine. > > The same care is going to be required for routing headers as would be > for more general encapsulation in this regard. > > For routing headers, all that is required is to check that the home address > is the next intermediate routing point after the care-of address. If these > addresses were inserted into a longer sequence of intermediate routing > points, the same check would be sufficient _for the purposes of Mobile IPv6_! > The other parts of the routing path in the routing header would have to be > checked according to the rules of whatever policy was used to build up the > other parts of the routing path.
I missing something: My assumed use case is that folks want to use routing headers so that nodes can express a routing header with R1, R2, R3, Dest while limiting certain traffic to only express "MIPv6 routing headers" i.e. where there is a single hop on the final destination. In such a case which filter rules would apply on the various nodes. > The exact same careful checking would be required if encapsulation > were used instead. In the abstract I agree. But those checks will not disable some other general facility like routing headers. Having a decapsulating node have a mechanism for various protocols that use tunneling to specify what is acceptable to decapsulate (so that MIPv6, configured IPv6-in-IPv6 tunnels, etc can all specify what is acceptable) would make a lot of sense. > In this way, no crippling of the utility of the routing header would result. > On the other hand, I hope that my point can be understood that all such I missing the point. Erik -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
