Michael Thomas wrote:
> So here's a most-likely crazy idea: why can't we
> treat the ingress filtering router like a CN which
> must first be sent a BU which it verifies in
> whatever manner the CN would? This already has a
> requirement to not be bound to mythical PKI's,
> etc. Given FMIP, the access routers are probably
> going to end up having to process things like BU's
> anyway.

I was drifting into this direction myself. But how? Introduce a new ICMP message saying: send me a BU if you want to use HAO?

> Also: if we have ingress filtering taken care of
> directly, is there any reason to preserve the HAO
> at all? I thought its entire raison d'etre was to
> provide a means of coexisting with ingress
> filtering -- which we've already proven is just
> shifting the problem around instead of providing
> something useful.

Now THAT sounds like the most reasonable thing that I have heard about ingress filtering for a long time!

To me, it seems like combining RR and CGA, the ingress filtering router can fairly easily determine that the MN really "owns" the home address, and thereafter pass it. As an immediate reaction, the only problem seems to be that CGA requires fairly heavy CPU load. Could RR be enough in this case, since the CoA and HoA are on the different sides of the router?

--Pekka Nikander

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
