Pekka Nikander writes:
> Michael Thomas wrote:
>
> > So here's a most-likely crazy idea: why can't we
> > treat the ingress filtering router like a CN which
> > must first be sent a BU which it verifies in
> > whatever manner the CN would? This already has a
> > requirement to not be bound to mythical PKI's,
> > etc. Given FMIP, the access routers are probably
> > going to end up having to process things like BU's
> > anyway.
>
>
> I was drifting into this direction myself. But how?
> Introduce a new ICMP message saying: send me a BU
> if you want to use HAO?
Sounds good to me. This also takes care of the
case where somebody has RPF checks running farther
into the network. I would expect that a MN
would always send the BU to its access router.
Making this a MUST implement for a v6 router
would probably be a good thing too.
> > Also: if we have ingress filtering taken care of
> > directly, is there any reason to preserve the HAO
> > at all? I thought its entire raison d'etre was to
> > provide a means of coexisting with ingress
> > filtering -- which we've already proven is just
> > shifting the problem around instead of providing
> > something useful.
>
> Now THAT sounds like the most reasonable thing that
> I have heard about ingress filtering for a long
> time!
Heavens. Didn't mean to scare anybody :-)
> To me, it seems like combinding RR and CGA, the
> ingress filtering router can fairly easily determine
> that the MN really "owns" the home address, and
> thereafter pass it. As an immediate reaction, the
> only problem seems to be that CGA requires fairly
> heavy CPU load. Could RR be enough in this case,
> since the CoA and HoA are on the different sides
> of the router?
I think that if RR is viable for anything, it's
probably fine for lifting RPF checks.
Mike
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
