> ftp://ftp.ipv6.rennes.enst-bretagne.fr/pub/draft-dupont-ipv6-ingress-filtering-00.txt
Nice draft, thanks for taking the time to write down the problems and their alternative solutions. Hope you still had time for Christmas ;-)

I have a few comments.

First, it seems that the main alternatives we have are (a) restrict MIPv6 functionality by removing intermediate alternatives between bidirectional tunneling and route optimisation, or (b) deploy AAA to help visited networks figure out what are legal home addresses.

It is interesting to note the different actors in these two alternatives. In the first alternative, it is the CN who is taking the responsibility, and requiring no help whatsoever from the firewalls in between. In the second alternative, we put all the trust on the firewalls/routers of sites, and none of the CNs do any worrying over this anymore.

Both solutions work if applied all over, and the second solution allows the current MIPv6 flexibility, being therefore the preferred solution if seen feasible. However, I'm concerned about the "applied all over" part. Specifically - while I'm very much fond of the AAA solutions - I'm concerned whether we can expect all parts of the Internet to have an infrastructure that really can figure out the home addresses. What if there's a coin-operated (or Visa-) airport WLAN? With no connection to a global roaming association of who owns what addresses. What kind of filtering should that do? Prohibit everything else except bidirectional tunneling, or allow home addresses to be used? If the latter, then the trusting CNs don't have a clue that they could be used as reflectors...

Finally, I seem to remember there was a discussion a long time ago whether we could somehow provide automatic, mandatory, ingress filtering in IPv6. If such a feature were possible, it would really make setting up networks easier and denial of service attacks easier to trace. Do you think this would be feasible? If yes, perhaps it should also be discussed in the draft.

Currently, we are headed towards the same situation as in IPv4 where ingress filtering is only partially applied, and we keep coming up with "patch" solutions such as I-trace to help the situation. Interestingly, these solutions typically need changes to a large fraction of the routers in the Internet which we already are doing anyway to move to IPv6...

Jari

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
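The three filtering policies discussed in the message above, modelled as an added example (this is not code from the draft, the list, or the author). It assumes that a roaming mobile node using route optimisation puts its topologically correct care-of address in the wire source field and carries its home address in a MIPv6 Home Address destination option, and that the visited site knows its own prefix. The site prefix, the packets and the "AAA" lookup (a constructed set of vouched home addresses) are all made up for the illustration. The point it shows is the reflector case: a site that does classic ingress filtering only, and simply lets home addresses through, passes a packet whose home address is an arbitrary victim, and a trusting CN then treats that victim as the sender.

```python
"""Model of ingress-filtering policies for MIPv6 home addresses (illustrative, not real code)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed prefix of the visited site (e.g. the airport WLAN in the discussion).
SITE_PREFIX = ipaddress.ip_network("2001:db8:1::/48")


@dataclass
class Packet:
    src: str                            # wire source: the care-of address for a roaming node
    dst: str
    home_address: Optional[str] = None  # assumed MIPv6 Home Address option (route optimisation)


def classic_ingress_filter(pkt: Packet, site_prefix=SITE_PREFIX) -> bool:
    """Plain ingress filtering: the wire source must belong to this site.
    A home address option, if present, is not looked at at all."""
    return ipaddress.ip_address(pkt.src) in site_prefix


def tunnel_only_filter(pkt: Packet, site_prefix=SITE_PREFIX) -> bool:
    """Alternative (a) for a site without AAA: permit only bidirectional tunnelling,
    i.e. reject any packet that tries to use a home address directly."""
    if pkt.home_address is not None:
        return False
    return classic_ingress_filter(pkt, site_prefix)


def aaa_filter(pkt: Packet,
               is_legal_home_address: Callable[[str, str], bool],
               site_prefix=SITE_PREFIX) -> bool:
    """Alternative (b): the wire source must be local, and a home address is passed
    only if the AAA infrastructure vouches that it is legal for that care-of address."""
    if not classic_ingress_filter(pkt, site_prefix):
        return False
    if pkt.home_address is None:
        return True
    return is_legal_home_address(pkt.src, pkt.home_address)


def cn_perceived_source(pkt: Packet) -> str:
    """What a trusting CN takes as the sender: the home address when present, else the wire source."""
    return pkt.home_address if pkt.home_address is not None else pkt.src


# Constructed stand-in for an AAA lookup: which home addresses are known to belong to
# which care-of address currently registered at this site.
VOUCHED: Dict[str, str] = {"2001:db8:1::5": "2001:db8:f00d::1"}


def aaa_lookup(care_of: str, home: str) -> bool:
    return VOUCHED.get(care_of) == home


def evaluate() -> Dict[str, Dict[str, object]]:
    """Run the constructed packets through each policy; returns a table of verdicts."""
    packets = {
        "local_plain":   Packet("2001:db8:1::5", "2001:db8:c0::1"),
        "spoofed_src":   Packet("2001:db8:9::7", "2001:db8:c0::1"),
        "ro_legit":      Packet("2001:db8:1::5", "2001:db8:c0::1", home_address="2001:db8:f00d::1"),
        "ro_reflector":  Packet("2001:db8:1::5", "2001:db8:c0::1", home_address="2001:db8:bad::1"),
    }
    verdicts: Dict[str, Dict[str, object]] = {}
    for name, pkt in packets.items():
        verdicts[name] = {
            "classic_only": classic_ingress_filter(pkt),
            "tunnel_only":  tunnel_only_filter(pkt),
            "aaa":          aaa_filter(pkt, aaa_lookup),
            "cn_sees":      cn_perceived_source(pkt),
        }
    return verdicts


if __name__ == "__main__":
    for name, row in evaluate().items():
        print(f"{name:14s} {row}")
```

Reading the output: "ro_reflector" is the coin-operated WLAN case from the message. Classic filtering passes it because the care-of address is topologically correct, so a CN that believes the home address sees "2001:db8:bad::1" as the sender; both the tunnel-only policy and the AAA policy drop it, at the cost (for tunnel-only) of also refusing the legitimate route-optimised packet.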
