In your previous mail you wrote:

> So here's a most-likely crazy idea: why can't we
> treat the ingress filtering router like a CN which
> must first be sent a BU which it verifies in
> whatever manner the CN would? This already has a
> requirement to not be bound to mythical PKI's,
> etc. Given FMIP, the access routers are probably
> going to end up having to process things like BU's
> anyway.

I was drifting into this direction myself. But how? Introduce a new ICMP message saying: send me a BU if you want to use HAO?

=> no, Michael's idea is to look at packets going through access routers in order to find BUs (i.e. this is passive). And if you'd like to use an active scheme, why not the network access control?

To me, it seems like combining RR and CGA, the ingress filtering router can fairly easily determine that the MN really "owns" the home address, and thereafter pass it.

=> I believe this is overkill to ask for verification of home addresses. To know bindings is enough to make HAO spoofing not attractive.

As an immediate reaction, the only problem seems to be that CGA requires fairly heavy CPU load.

=> both CPU load and IPR issue: enough to kill any good idea.

Could RR be enough in this case, since the CoA and HoA are on the different sides of the router?

=> I don't know what RR is in this case (not only check that CoA is inside and HoA is outside?). I suggest looking at BAs too, i.e. at least home agents are far better equipped to verify BUs! (note that I still believe this is overkill)

Regards

[EMAIL PROTECTED]

PS: the main issue is this restricts the use of HAOs to mobility (i.e. to use the network access control is better).

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
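The passive scheme discussed in this thread (an access router that learns HoA/CoA bindings by watching BUs, and confirms them from the home agent's BAs instead of verifying home addresses itself, then drops HAO packets with no confirmed binding) as an added Python model; this is not code from the original mail or from any implementation. The packet fields, the site prefix and all addresses are constructed for the example, and the filter only looks at the handful of fields named in the discussion.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed packet model (only the fields the filter needs; not a real MIPv6 parser).
@dataclass
class Packet:
    src: str                    # IPv6 source; the care-of address for a roaming MN
    dst: str
    hao: Optional[str] = None   # Home Address Option carried by the MN
    rh2: Optional[str] = None   # Type 2 routing header (home address) carried by a BA
    mh: Optional[str] = None    # Mobility Header type: "BU" or "BA"
    ba_status: int = 0          # BA status code; 0 means the binding was accepted

class IngressFilter:
    """Access router that passively learns HoA->CoA bindings from BU/BA traffic."""
    def __init__(self, inside_prefix: str) -> None:
        self.inside_prefix = inside_prefix
        self.pending: Dict[str, str] = {}    # HoA -> CoA claimed in a BU, unverified
        self.confirmed: Dict[str, str] = {}  # HoA -> CoA acknowledged by the HA

    def inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def process(self, pkt: Packet) -> bool:
        """Return True if the router forwards pkt; bindings are learned on the way."""
        if not self.inside(pkt.src):
            # Inbound: a successful BA to the CoA confirms the binding the HA checked.
            if (pkt.mh == "BA" and pkt.ba_status == 0 and pkt.rh2
                    and self.pending.get(pkt.rh2) == pkt.dst):
                self.confirmed[pkt.rh2] = self.pending.pop(pkt.rh2)
            return True
        if pkt.hao is None or self.inside(pkt.hao):
            return True                      # plain ingress filtering is satisfied
        if pkt.mh == "BU":
            self.pending[pkt.hao] = pkt.src  # remember the claim, let the HA judge it
            return True
        return self.confirmed.get(pkt.hao) == pkt.src

def demo() -> list:
    """Constructed exchange: an MN at a visited site registers with its HA, then sends."""
    ar = IngressFilter("2001:db8:1:")
    coa, hoa, ha, cn = "2001:db8:1::10", "2001:db8:f::1", "2001:db8:f::2", "2001:db8:c::5"
    return [
        ar.process(Packet(coa, cn, hao=hoa)),                        # no binding yet
        ar.process(Packet(coa, ha, hao=hoa, mh="BU")),               # BU goes through
        ar.process(Packet(coa, cn, hao=hoa)),                        # still unconfirmed
        ar.process(Packet(ha, coa, rh2=hoa, mh="BA", ba_status=0)),  # HA accepts
        ar.process(Packet(coa, cn, hao=hoa)),                        # now forwarded
        ar.process(Packet("2001:db8:1::66", cn, hao=hoa)),           # HAO spoof, other host
    ]
```

`demo()` returns `[False, True, False, True, True, False]`: data with the HAO is dropped until the home agent's BA is seen, and another site host reusing that HoA is still dropped.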
