In your previous mail you wrote:

> - to do better ingress filtering based on AAA for sites where there are
> some mobile nodes (aka visited sites).

Why do you assume that AAA would be used everywhere where there are mobile nodes?
=> this (to use AAA everywhere where there are mobile nodes) is the price to pay to have an alternative to bidirectional tunnels with home agents, i.e. to make mobile IPv6 better than mobile IPv4 with reverse tunneling (i.e. real world mobile IPv4).

For example, if I am visiting with my friends at their place, why couldn't I just use their private WLAN to connect my wireless PDA to the Internet?

=> this is a problem of responsibility and trust between you, your friends and their ISP(s). You already have it for network access; with my proposal you only have a new "mobile node" option...

If I could not use their private WLAN, I would consider that as a flaw in the design of the Internet.

=> there is a flaw in the laws of Economics: not everything is free for ever.

Similarly, our local university campus provides open WLAN for anyone, for anyone to connect to the Internet.

=> same answer.

It is so much simpler to run these kinds of networks without any kinds of authentication that they will continue to exist, even though many current open WLAN networks may turn into requiring some kind of authentication.

=> yes, there are still some bad guys in the world...

But even when they start to require authentication and/or authorization, that authentication or authorization is more likely to be based on 802.1x or PANA than AAA,

=> I don't understand your argument: 802.1x or PANA are parts of an AAA system.

and even if RADIUS/DIAMETER is used, the non-ISP connectivity providers are unlikely to be part of the AAA infrastructure.

=> I believe your argument is that all AAA systems are not instances of the AAA architecture. This is an AAA issue which is not in the scope of the IPv6 and mobile WGs.

For example, I run an open WLAN at my home, and even though I may require some kind of authentication in the future, it is very unlikely that I would run RADIUS or DIAMETER.

=> again this is a problem of trust and responsibility.
If your neighbors want to harm you, IMHO the wild Internet access provided by open WLAN is enough. So one day you'll secure it (or your ISP will ask you to secure it); that day the possibility to accommodate mobile nodes shall become an option.

Thus, for your system to help at all, it would require that EVERYBODY ELSE FORBIDS the Home Address Option altogether.

=> everybody else is better than everybody (:-).

It is not only a mobile host that can send HAO, any host can send it.

=> this argument is mainly against the BCE checks in CNs solution.

If an intruder can break into 10 million poorly protected home PCs, they can be converted into MN looking devices that send fake HAOs.

=> our job is to make "they can be converted into MN looking devices" a detail, i.e. this adds no new major security threat.

Sure the ISP can drop all packets containing HAO sent from their home customer sites, but that would break the ability to use your PDA/other device through your friend's WLAN while visiting at their place.

=> again the same answer.

Do you see my point now?

=> BTW I have a friend with a private WLAN (not an open one, he uses WEP and a MAC address filter, i.e. common private WLAN security tools). When I visit him I use my laptop with a secure bidir tunnel to my office (I use SSH; in the best open WLAN example I know (IETF meetings) most of us use SSH or IPsec (or both)). I don't use real mobility because I don't know how to roam between private WLANs, i.e. this is a nomadic situation where I use two identities, a remote one using a secure bidir tunnel and a local one for short and/or local interactions like web browsing or printing. So if I understand the constraints with my proposal on private WLANs, they are not a good example.

> - to do better anti-spoofing filtering for sites from where some mobile
> nodes are (aka home sites).

I do not argue with that part. Your draft may well have some value protecting the home sites of MNs.
=> my concern is more sites that are not home sites (their anti-spoofing filtering must be enhanced; fortunately this is very easy).

> There is no constraint on sites where are the regular correspondent nodes
> (aka correspondent domains) which should be the vast majority of sites.

As I said above, either you must assume that any site can host MNs (in addition to CNs), ---or--- you must forbid sending HAO containing packets from those sites that are assumed not to host MNs.

=> I can't see a problem: they don't take the responsibility, I don't trust them... I stress this idea and its relationship with network access control because the ingress filtering is not a reply to DDoS but a reply to source address spoofing: DDoS is still possible but sources can be traced back, i.e. one knows who has given network access to the attacker nodes. The RFC 2827 summary finishes with this statement: It is the responsibility of all network administrators to ensure they do not become the unwitting source of an attack of this nature.

My main point is that forbidding HAOs to be sent from the majority of the Internet would largely foil the purpose of Mobile IPv6.

=> I don't believe that because I don't assume the same things about mobile IPv6 applicability.

My point is that almost every home will, in the future, be a potential site hosting MNs.

=> this is a point where we obviously disagree.

> => this is very unrealistic because this forgets the third letter of AAA.
> And of course this doesn't go well with the responsible use of the network
> principle.

Most homes do not even know about the responsible use of the network principle.

=> if they read the contract between them and their ISPs they should know.

It is just that since you can buy an Apple Airport (or whatever) from your local shop, and set it up within minutes, that will happen. Actually, it is already happening in many places in the US and Scandinavia.

=> I've already answered about private WLANs.
Remember me setting up a WLAN access point at IPCN'2001 in Paris?

=> this was like IETF meetings: a typical nomadic environment, no need of real mobility because there was no other network to move to while keeping connections. I believe the issue is in the *local* area, but with a public WWAN the associated ISPs should manage a proper network access control, at least in order to implement the third A of AAA (:-).

> Now, the point is that those are also exactly the organizations
> that are most _unlikely_ to use advanced ingress filtering methods,
>
> => the solution in this case is just to filter out HAO, i.e. to refuse
> mobile nodes.

... and what I am saying is that such a practice is unreasonable and would severely restrict our possibility to use the future Internet. In other words, mandating that ingress filtering MUST refuse HAO (unless special means are used to ensure that the Home Address is valid), besides being expensive and unrealistic, would result in MIPv6 being used only by the telecom vendors, not by the rest of us.

=> the only scenario where this can harm is a roaming from a public WWAN to a visited private LAN, do you agree?

Regards

[EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
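The two border policies argued over in the message above, "filter out HAO, i.e. refuse mobile nodes" on one side and HAO checking "based on AAA" on the other, both sit on top of ordinary RFC 2827 ingress filtering. The script below is an added example, not code from the message or from any draft it refers to: it parses a raw IPv6 packet far enough to find the Mobile IPv6 Home Address Option (destination option type 201), applies the RFC 2827 source-prefix check, and then applies one of three HAO policies. The site prefix, the policy names ("refuse", "aaa", "allow") and the table of (care-of address, home address) pairs authorized by network access control are assumptions made for this illustration; the packets are constructed by hand in build_packet() so it runs offline.

```python
"""Added example, not code from the original message: an IPv6 site border
ingress filter in the RFC 2827 style, extended with a policy for the
Mobile IPv6 Home Address Option (HAO, destination option type 201).
The site prefix, the policy names and the "authorized mobile nodes"
table are assumptions made for this illustration; the packets are
constructed by hand in build_packet() so the script runs offline."""
import ipaddress
import struct

NH_HOPOPT, NH_ROUTING, NH_DSTOPTS, NH_UDP = 0, 43, 60, 17   # RFC 2460 values
OPT_PAD1, OPT_PADN, OPT_HAO = 0, 1, 201                     # RFC 3775 HAO type
WALKED = {NH_HOPOPT, NH_ROUTING, NH_DSTOPTS}  # a HAO precedes any Fragment header


def _find_hao(opts: bytes):
    """Scan a Destination Options TLV area; return the home address or None."""
    i = 0
    while i < len(opts):
        if opts[i] == OPT_PAD1:
            i += 1
            continue
        if i + 2 > len(opts) or i + 2 + opts[i + 1] > len(opts):
            raise ValueError("truncated option")
        if opts[i] == OPT_HAO:
            if opts[i + 1] != 16:
                raise ValueError("bad HAO length")
            return ipaddress.IPv6Address(opts[i + 2:i + 18])
        i += 2 + opts[i + 1]
    return None


def parse_ipv6(pkt: bytes):
    """Return (src, dst, home) from a raw IPv6 packet, walking the extension
    headers in WALKED until the first other header (e.g. UDP, Fragment)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off, home = pkt[6], 40, None
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    while nh in WALKED:
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        total = (pkt[off + 1] + 1) * 8          # Hdr Ext Len is in 8-octet units
        if off + total > len(pkt):
            raise ValueError("truncated extension header")
        if nh == NH_DSTOPTS:
            home = _find_hao(pkt[off + 2:off + total]) or home
        nh, off = pkt[off], off + total
    return src, dst, home


def ingress_verdict(pkt, site_prefix, hao_policy, authorized=()):
    """Border decision for a packet leaving the site.
    site_prefix : the site's own prefix; other sources are spoofed (RFC 2827).
    hao_policy  : "refuse" - drop any packet carrying a HAO (refuse mobile nodes)
                  "aaa"    - forward a HAO packet only if (care-of source, home
                             address) was authorized by network access control
                  "allow"  - plain RFC 2827 only, the HAO is not inspected
    authorized  : iterable of (care_of, home) address strings for "aaa".
    Returns (verdict, reason)."""
    site = ipaddress.ip_network(site_prefix)
    try:
        src, _dst, home = parse_ipv6(pkt)
    except ValueError as err:
        return "drop", f"malformed packet: {err}"
    if src not in site:
        return "drop", f"source {src} not in {site}"
    if home is None:
        return "forward", "no HAO"
    if hao_policy == "allow":
        return "forward", f"HAO {home} not inspected"
    if hao_policy == "refuse":
        return "drop", f"HAO {home} refused: site does not host mobile nodes"
    if hao_policy == "aaa":
        table = {(ipaddress.IPv6Address(c), ipaddress.IPv6Address(h)) for c, h in authorized}
        if (src, home) in table:
            return "forward", f"HAO {home} authorized for care-of {src}"
        return "drop", f"HAO {home} not authorized for care-of {src}"
    raise ValueError(f"unknown hao_policy {hao_policy!r}")


def build_packet(src, dst, home=None, payload=b"x" * 8):
    """Constructed test packet: IPv6 header, then (if home is given) a
    Destination Options header holding PadN(2) + HAO at offset 8n+6, then
    a UDP-typed payload that the filter never inspects."""
    nh, ext = NH_UDP, b""
    if home is not None:
        opts = bytes([OPT_PADN, 2, 0, 0, OPT_HAO, 16]) + ipaddress.IPv6Address(home).packed
        ext = bytes([NH_UDP, (len(opts) + 2) // 8 - 1]) + opts   # 24 octets -> Hdr Ext Len 2
        nh = NH_DSTOPTS
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext + payload


if __name__ == "__main__":
    mn = build_packet("2001:db8:1::abcd", "2001:db8:9::1", home="2001:db8:7::5")
    for policy in ("refuse", "aaa", "allow"):
        print(policy, ingress_verdict(mn, "2001:db8:1::/48", policy))
```

The "aaa" branch is where the message's "third A of AAA" lives: the border only forwards a HAO packet when network access control has already bound that care-of address to that home address, so a compromised host on the site cannot simply stamp an arbitrary home address into its packets. Malformed or truncated extension headers are dropped rather than forwarded, since a filter that fails open on a parse error is as good as no filter.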
