I sure hope that nobody's making the assumption
that you need to be a mobile node to send BU's
and/or HAO's. My provider doesn't care diddly
squat about any of this, nor is it likely that if
I tunnel to the 6bone they're going to care much
either. If this is your only line of defense of
protecting CN's from senders of malicious HAO's,
I'm pretty skeptical. RPF checks "work" mainly
because they are so painless for ISP's to
implement. Anything beyond that is likely to
be a complete non-starter.
Mike
Francis Dupont writes:
> In your previous mail you wrote:
>
> However, I'm concerned about the "applied allover"
> part. Specifically - while I'm very much fond of the AAA solutions -
> I'm concerned whether we can expect all parts of the Internet to have
> an infrastructure that really can figure out the home addresses. What
> if there's a coin-operated (or Visa-) airport WLAN?
>
> => this is a problem of trust in the local/visited domain *and* in the
> remote/home domain. In your example if I understand the issue is the lack
> of trust in the local/visited domain, so one may reject traffic with
> home address options from it.
>
> Finally, I seem to remember there was a discussion a long time ago whether
> we could somehow provide automatic, mandatory, ingress filtering in IPv6.
>
> => my concern is that the "mandatory" term in a RFC is not enough to
> enforce it in the real world.
>
> Currently, we are headed towards the same situation as in IPv4
> where ingress filtering is only partially applied, and we keep coming
> up with "patch" solutions such as I-trace to help the situation.
>
> => ingress filtering has more problems with IPv4, mainly because it was
> not considered from the beginning. But it is already a BCP and it seems
> that most ISPs use it (feedback from ISPs please).
>
> Interestingly, these solutions typically need changes to a large
> fraction of the routers in the Internet which we already are doing
> anyway to move to IPv6...
>
> => we can expect to avoid the same errors with IPv6. Unfortunately
> ingress filtering (like network management) is something where IPv6
> is not yet at the same level than for IPv4 today. We hope this situation
> will be improved very fast.
>
> Regards
>
> [EMAIL PROTECTED]
> --------------------------------------------------------------------
> IETF IPng Working Group Mailing List
> IPng Home Page: http://playground.sun.com/ipng
> FTP archive: ftp://playground.sun.com/pub/ipng
> Direct all administrative requests to [EMAIL PROTECTED]
> --------------------------------------------------------------------
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
