[Phil suggested I add mobileip back which was
 dropped somewhere along the way]

Francis,

I'm not sure we're communicating, so let me be a little
more explicit with what I had in mind:

1) MN arrives on new AR
2) It sends a packet using its home address as the 
   *source* address -- no HAO at all.
3) AR recognizes that the source address is not one of
   the subnets it subtends and sends an ICMP message
   to MN which explains the problem
4) MN sends AR a normal CN binding update
5) AR lifts the restriction for that source address
6) MN now sends packets as in (2), but unimpeded

If MN knows that there is likely to be a source
address check on AR, it can delete steps 2 and 3.
ICMP seems like a natural here because the router
really is reporting a network problem back to MN
(or not MN if a host were incorrectly configured,
etc).

If this is a subset of your proposal, fine. It
does seem that what I propose gets rid of the HAO
altogether which you don't seem to agree with.
However, may I suggest that it's the AAA part that
has become the lightning rod? And that maybe it
shouldn't be quite so ambitious? :-)

         Mike

Francis Dupont writes:
 >  In your previous mail you wrote:
 > 
 >       No, actually, it was to have the MN send the
 >       BUs directly to the access router. On a router
 >       the BU just has an additional effect of removing
 >       any restrictions on source addresses it will
 >       let through.
 > 
 > => I believed your proposal was BU snooping. But you can name it
 > as you'd like, the purpose is to provide the knowledge of bindings,
 > so there is no deep difference with my proposal (i.e. I can say
 > you use a non-standard network access control device, as I don't
 > specify one (I only give an example with AAA because it is the best
 > on the paper) I could argue your proposal is included in mine :-).
 > 
 >       Hence Pekka's question about use of ICMP was correct.
 > 
 > => I am reluctant to define new ICMPs for anything. There is already
 > a format for BUs, why a new thing?
 > 
 > Another point: HAOs are inside packets, to look at them is legitimate
 > for my firewall but not for any router on the path, i.e. I'd like
 > to have the check done once and others to trust it (this idea is
 > exactly the network access control).
 > 
 > Regards
 > 
 > [EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
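The six-step exchange Mike lays out above, run as an added simulation that is not part of the original thread or of any Mobile IPv6 implementation. The prefixes and addresses are constructed, the ICMP message format is hypothetical since the thread does not define one, and one assumption is added as the check a practitioner would want: the AR lifts the restriction only when the care-of address carried in the BU is on a subnet the AR actually subtends, because an AR that accepted any BU would let a node register an arbitrary source address and defeat the source check entirely. The MN that "knows there is likely to be a source address check" is modelled by the `expects_source_check` flag and skips steps 2 and 3.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    payload: str = ""


@dataclass
class BindingUpdate:
    # A normal CN-style binding update: home address plus current care-of address.
    home_address: str
    care_of_address: str


@dataclass
class IcmpError:
    # Hypothetical message; the thread only says "an ICMP message which explains the problem".
    reason: str
    offending_src: str


class AccessRouter:
    """Access router with an ingress source check and per-binding exceptions."""

    def __init__(self, subnets):
        self.subnets = [ipaddress.ip_network(s) for s in subnets]
        self.bindings = {}      # home address -> care-of address for which the check is lifted
        self.forwarded = []     # packets that passed the check

    def on_link(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in net for net in self.subnets)

    def receive_packet(self, pkt):
        """Step 3: forward if the source is on-link or has a binding, else report via ICMP."""
        if self.on_link(pkt.src) or pkt.src in self.bindings:
            self.forwarded.append(pkt)
            return None
        return IcmpError("source address is not on a subnet this router subtends", pkt.src)

    def receive_binding_update(self, bu):
        """Steps 4-5: lift the restriction for the home address.

        Added assumption: only accept a care-of address the AR really subtends, otherwise any
        node could 'register' an arbitrary source address and bypass the check."""
        if not self.on_link(bu.care_of_address):
            return False
        self.bindings[bu.home_address] = bu.care_of_address
        return True


class MobileNode:
    def __init__(self, home_address, care_of_address, expects_source_check=False):
        self.home_address = home_address
        self.care_of_address = care_of_address
        self.expects_source_check = expects_source_check

    def send(self, ar, dst, payload):
        """Run the exchange against one AR; return the list of steps that actually occurred."""
        trace = []
        bu = BindingUpdate(self.home_address, self.care_of_address)
        if self.expects_source_check:
            # MN already knows the AR filters sources, so steps 2 and 3 are skipped.
            trace.append("bu" if ar.receive_binding_update(bu) else "bu-rejected")
        else:
            err = ar.receive_packet(Packet(self.home_address, dst, payload))   # step 2
            if err is None:
                trace.append("forwarded")
                return trace
            trace.append("icmp")                                              # step 3
            trace.append("bu" if ar.receive_binding_update(bu) else "bu-rejected")  # step 4
        if trace[-1] == "bu-rejected":
            return trace
        err = ar.receive_packet(Packet(self.home_address, dst, payload))       # step 6
        trace.append("forwarded" if err is None else "icmp")
        return trace


def run_demo():
    # Constructed topology: the AR subtends 2001:db8:1::/64; the MN's home link is elsewhere.
    ar = AccessRouter(["2001:db8:1::/64"])
    mn = MobileNode("2001:db8:ffff::10", "2001:db8:1::10")
    first = mn.send(ar, "2001:db8:2::1", "hello")            # full six-step exchange
    second = mn.send(ar, "2001:db8:2::1", "hello again")     # binding already present
    informed = MobileNode("2001:db8:ffff::11", "2001:db8:1::11", expects_source_check=True)
    third = informed.send(ar, "2001:db8:2::1", "hi")         # steps 2-3 skipped
    bogus = MobileNode("2001:db8:ffff::12", "2001:db8:9::12", expects_source_check=True)
    fourth = bogus.send(ar, "2001:db8:2::1", "x")            # care-of address not on-link
    return first, second, third, fourth


if __name__ == "__main__":
    for trace in run_demo():
        print(" -> ".join(trace))
```

The trace for the first send is `icmp -> bu -> forwarded`, the second is just `forwarded`, the informed MN produces `bu -> forwarded`, and the BU with an off-link care-of address is refused, so that node's home address never gets through the check.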