Folks,
We've had a very long discussion on what to do with MIPv6 Home
Address Options and Ingress Filtering, basically centering around
(a) solutions restricting HAOs to nodes that employ Route Optimization,
(b) solutions employing AAA in firewalls, and (c) solutions that
discard HAOs altogether and use BU authentication procedures (e.g. RR)
from the access router to the MN.
I'm not sure we are near consensus yet -- though we could be,
it's hard to say on the list because just a handful of people
have participated in the discussion.
In any case, I'm thinking about how to go forward in a practical manner.
We need a solution. And we don't have much time to redesign MIPv6, so I'd
really like to see a solution that doesn't need too much new work. But
how do we decide between a-c?
I have a proposal. But first, let me make some observations:
- Most people do seem to agree that HAO reflection is an
issue that needs to be dealt with somehow.
- A restriction can be relaxed more easily than tightened. User
groups with better technology can run relaxed versions, or
future standard versions can have relaxed rules if we see
that the infrastructure around us allows it.
- As a general rule, I'd like the Internet to use end-to-end
mechanisms more than network assistance. This isn't just
an architectural principle, but it will also ensure that
we can deploy our things without waiting for providers to
catch up.
- The different solutions have different impacts on
various use cases of MIPv6. Some benefit regular MNs,
some those that use RO with a CN, for instance.
So, my proposal is as follows:
1. We will not use the alternative (c), because it is not
an end-to-end mechanism, because multi-hop ingress
filtering could generate delays, and because scalability
of intermediate routers with ingress filtering feature
might become a question mark if there's a lot of state to
hold. As a tradeoff, we have to carry HAOs in our packets.
2. We will have a two-phased approach to the MIPv6 spec and
its treatment of reflection attacks: the first phase uses
method (a) and the second phase relaxes the rules to allow
also (b). The first phase will be put to the MIPv6 RFC.
When and if experience shows that we can have AAA-based
filtering in access routers and firewalls, an extension
can be defined to allow the more relaxed use of HAOs.
Comments or other proposals are welcome.
Jari
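An illustration of what alternative (a) amounts to at a receiving node, added here as an example and not taken from Jari's message or from any MIPv6 implementation. It models a correspondent node whose binding cache is populated only by Binding Updates that passed BU authentication (RR), and which, in phase (a), honours a Home Address Option only when the HAO matches such an entry. The addresses are constructed 2001:db8::/32 documentation addresses, the RR exchange itself is replaced by a register_binding() call, and the routing of the reply (home address plus routing header to the care-of address) is reduced to "which address the reply is addressed to"; all of these are simplifications of this example, not details from the message.

```python
from dataclasses import dataclass, field
from ipaddress import IPv6Address
from typing import Dict, Optional, Tuple

# Constructed documentation-prefix addresses (not from the message).
ATTACKER = IPv6Address("2001:db8:a::1")  # topologically correct on its own access link
VICTIM = IPv6Address("2001:db8:b::1")    # address the attacker wants traffic reflected to
MN_HOME = IPv6Address("2001:db8:c::1")   # a legitimate mobile node's home address
MN_COA = IPv6Address("2001:db8:d::1")    # that mobile node's current care-of address
CN_ADDR = IPv6Address("2001:db8:e::1")   # the correspondent node receiving the packets


@dataclass
class Packet:
    src: IPv6Address                   # source on the wire; ingress filtering checks this one
    dst: IPv6Address
    hao: Optional[IPv6Address] = None  # Home Address Option: "treat src as if it were this"
    payload: bytes = b""


@dataclass
class CorrespondentNode:
    addr: IPv6Address
    # Binding cache: home address -> care-of address. In this model an entry
    # exists only after a BU that passed RR, i.e. only for nodes doing RO with us.
    binding_cache: Dict[IPv6Address, IPv6Address] = field(default_factory=dict)
    # Phase (a) rule: an HAO is honoured only if it matches a binding cache entry.
    require_binding_for_hao: bool = True

    def register_binding(self, home: IPv6Address, coa: IPv6Address) -> None:
        """Stand-in for a successful RR/BU exchange (assumed, not modelled here)."""
        self.binding_cache[home] = coa

    def receive(self, pkt: Packet) -> Tuple[str, Optional[IPv6Address], str]:
        """Return (verdict, address a reply would be addressed to, reason)."""
        if pkt.dst != self.addr:
            return ("drop", None, "not addressed to this node")
        if pkt.hao is None:
            # Ordinary packet: the reply goes back to the ingress-filtered source.
            return ("accept", pkt.src, "no HAO")
        if self.require_binding_for_hao:
            coa = self.binding_cache.get(pkt.hao)
            if coa is None:
                return ("drop", None, "HAO for an address with no binding cache entry")
            if coa != pkt.src:
                return ("drop", None, "HAO care-of address does not match the binding")
        # HAO honoured: upper layers see pkt.hao as the peer, so any reply is
        # addressed to the home address. Without the check this is the reflection.
        return ("accept", pkt.hao, "HAO accepted")


def reflection_attempt(cn: CorrespondentNode) -> Tuple[str, Optional[IPv6Address], str]:
    """Attacker sends from its own (filter-passing) address but claims VICTIM as home."""
    return cn.receive(Packet(src=ATTACKER, dst=cn.addr, hao=VICTIM, payload=b"ping"))


def spoof_registered_home(cn: CorrespondentNode) -> Tuple[str, Optional[IPv6Address], str]:
    """Attacker claims the real MN's home address, but from the wrong care-of address."""
    return cn.receive(Packet(src=ATTACKER, dst=cn.addr, hao=MN_HOME, payload=b"ping"))


def legitimate_ro_packet(cn: CorrespondentNode) -> Tuple[str, Optional[IPv6Address], str]:
    """The MN that actually completed RR sends from its registered care-of address."""
    return cn.receive(Packet(src=MN_COA, dst=cn.addr, hao=MN_HOME, payload=b"ping"))


def build_cn(restricted: bool) -> CorrespondentNode:
    """A CN that already holds one RO binding; 'restricted' toggles the phase (a) rule."""
    cn = CorrespondentNode(addr=CN_ADDR, require_binding_for_hao=restricted)
    cn.register_binding(MN_HOME, MN_COA)
    return cn


if __name__ == "__main__":
    for restricted in (False, True):
        cn = build_cn(restricted)
        print(f"phase (a) restriction {'on' if restricted else 'off'}:")
        print("  attacker reflecting to victim ->", reflection_attempt(cn))
        print("  attacker spoofing MN's home   ->", spoof_registered_home(cn))
        print("  real MN with RO binding       ->", legitimate_ro_packet(cn))
```

With the rule off, the first case is accepted and the reply is addressed to VICTIM even though ingress filtering was satisfied by the packet's real source, which is the reflection that observation one refers to. With the rule on, both attacker packets are dropped and the node that did RR is unaffected, which is the tradeoff of alternative (a): HAOs still travel in packets, but only nodes with a binding at the receiver can use them.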
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------