On Fri, 4 Jan 2002, Francis Dupont wrote:
> About section 2 on Correspondent Nodes; could you elaborate in the
> document why exactly solution is too drastic?
>
> => because this gives no choice between bidirectional tunnel and
> route optimization, so in some cases mobile IPv6 becomes far less
> attractive. The real impact depends on how mobile IPv6 is used,
> in fact one can argue that bidirectional tunnels are enough, but
> I don't believe that mobile-ip list members will agree...

Nothing prevents from applying some kind of RR tests to HAO (without BU)
use too. The HAO implementation would just be a .. little .. more
complicated.. but then again it hasn't been defined in the spec anyway.

> Note that BCE check is not
> the only way to ensure legitimity of HAO: if it's secured by AH, it's ok;
> if some SUCV/.. weak authentication method is used, it's probably also ok;
> the same might even apply to return routability. It's too early to crush
> CN solutions.
>
> => these CN solutions have the same cost than full routing optimization,
> so I consider them as BCE check variants.

See above.

> (I think the solution for HAO should most likely consist of two separate,
> "strong-enough" layers, one mandated at CN, one possible at firewalls, but
> that's not the topic of this draft).
>
> => one mandated at CN == no third choice.

One must be available for CN, because CN cannot trust the source if it
isn't authenticated or in some form authorized.

[snip rest]

I won't get into this more here, because I must say I agree almost 100%
with comments from Pekka Nikander, Jari Arkko et al. (You should be very,
very afraid if you ever venture in Finland, Francis ;-).

One point I've made before: perhaps the check is trivial, but IMO _the
most important thing_ is that *every* site could easily check from
incoming packets with HAO, whether the HAO is spoofed to belong to
*destination site in question* or some other site the destination site
trusts at some level. This form of spoofing can be protected against now.

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                   not those you stumble over and fall"
Systems. Networks. Security.
-- Robert Jordan: A Crown of Swords

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
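
Added example, not part of the original message or of any Mobile IPv6 implementation: a sketch of the border check described in the last paragraph of the message, which walks the extension headers of an incoming packet, extracts the Home Address option (HAO), and reports whether it claims an address inside the destination site's own prefixes. The option type 0xC9 is the one assigned in RFC 6275; the function names, the 2001:db8:a::/48 site prefix and the sample packet builder are assumptions constructed for illustration.

```python
import ipaddress
import struct

EXT_HEADERS = (0, 43, 60)   # hop-by-hop, routing, destination options
DSTOPTS = 60
HAO_TYPE = 0xC9             # Home Address option type (RFC 6275)

def find_hao(packet: bytes):
    """Return the Home Address option's address as IPv6Address, or None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    while nxt in EXT_HEADERS:   # fragment/ESP/AH end the walk in this sketch
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        end = off + (packet[off + 1] + 1) * 8
        if end > len(packet):
            raise ValueError("extension header overruns packet")
        i = off + 2
        while nxt == DSTOPTS and i < end:
            if packet[i] == 0:              # Pad1 is a single byte, no length
                i += 1
                continue
            if i + 2 > end or i + 2 + packet[i + 1] > end:
                raise ValueError("option overruns header")
            if packet[i] == HAO_TYPE and packet[i + 1] == 16:
                return ipaddress.IPv6Address(packet[i + 2:i + 18])
            i += 2 + packet[i + 1]
        nxt, off = packet[off], end
    return None

def hao_claims_site(packet: bytes, site_prefixes) -> bool:
    """True if the packet carries an HAO inside one of the site's own prefixes."""
    hao = find_hao(packet)
    return hao is not None and any(
        hao in ipaddress.ip_network(p) for p in site_prefixes)

def sample_packet(src: str, dst: str, hao: str) -> bytes:
    """Constructed test packet: IPv6 header + Destination Options(PadN, HAO)."""
    opts = (bytes([59, 2, 1, 2, 0, 0, HAO_TYPE, 16])
            + ipaddress.IPv6Address(hao).packed)        # 24 bytes = 3 * 8
    hdr = struct.pack("!IHBB", 6 << 28, len(opts), DSTOPTS, 64)
    return (hdr + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + opts)

SITE = ["2001:db8:a::/48"]   # documentation prefix standing in for the site
```

What a border device does with a match (drop, log, or require one of the authentication methods discussed in the thread) is a site policy decision that this sketch leaves open.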
