In your previous mail you wrote:

   Nothing prevents from applying some kind of RR tests to HAO (without BU) 
   use too.  The HAO implementation would just be a .. little .. more 
   complicated.. but then again it hasn't been defined in the spec anyway.
   
=> I believe the ".. little .. more complicated.." is a joke, isn't it?

   > (I think the solution for HAO should most likely consist of two
   > separate, "strong-enough" layers, one mandated at CN, one possible
   > at firewalls, but that's not the topic of this draft).
   >    
   > => one mandated at CN == no third choice.
   
   One must be available for CN, because CN cannot trust the source if it 
   isn't authenticated or in some form authorized.
   
=> again, if you rely on routing optimization (RO) or something equivalent 
then you close the door to the third choice (aka triangular routing).
IMHO HAO has nothing to do with RO: if for sanity HAOs can be checked
against the BCE (i.e. if they don't match something is wrong), the only
way to reply to the iDDoS threat by this way is to mandate the check
and to forbid HAOs without RO.

   [snip rest]
   
   I won't get into this more here, because I must say I agree almost 100%
   with comments from Pekka Nikander, Jari Arkko et al. (You should be very,
   very afraid if you ever venture in Finland, Francis ;-).
   
=> so you agree to kill triangular routing?

   One point I've made before: perhaps the check is trivial, but IMO _the
   most important thing_ is that *every* site could easily check from
   incoming packets with HAO, whether the HAO is spoofed to belong to
   *destination site in question* or some other site the destination site
   trust at some level.
   
=> so the easiest solution for someone who doesn't want to implement
or enable RO is just to drop HAOs. In France we have an expression for
that: "la politique du pire".

Regards

[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
