> - As a general rule, I'd like the Internet to use end-to-end
>   mechanisms more than network assistance. This isn't just
>   an architectural principle, but it will also ensure that
>   we can deploy our things without waiting for providers to
>   catch up.

I agree. But I would personally make a stronger statement since I'm concerned with the direction of piling more and more requirements and dependencies on AAA. Thus I think the AAA approach is the wrong one - if we collectively can make AAA/Diameter do the things needed to make Radius more usable (reliability, security, some extensibility) I think we've collectively been successful. Keep piling more stuff on the AAA system and it might very well get too heavy to be able to fly...

Also, waiting for AAA solutions to be available (specified, implemented, and deployed) before MIPv6 can be used seems to be counter to our desire to finish up MIPv6 soon.

> 1. We will not use the alternative (c), because it is not
>    an end-to-end mechanism, because multi-hop ingress
>    filtering could generate delays, and because scalability
>    of intermediate routers with ingress filtering feature
>    might become a question mark if there's a lot of state to
>    hold. As a tradeoff, we have to carry HAOs in our packets.
>
> 2. We will have a two-phased approach to the MIPv6 spec and
>    its treatment of reflection attacks: the first phase uses
>    method (a) and the second phase relaxes the rules to allow
>    also (b). The first phase will be put to the MIPv6 RFC.
>    When and if experience shows that we can have AAA-based
>    filtering in access routers and firewalls, an extension
>    can be defined to allow the more relaxed use of HAOs.

While I have concerns with using the AAA per above I think the phased approach (where the AAA approach continues to be discussed and further understood) makes sense to me.

  Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
