In your previous mail you wrote:

   On Mon, 14 Jan 2002, Francis Dupont wrote:

   [snip]

   > 2. We will have a two-phased approach to the MIPv6 spec and
   >
   > => no, a two phase approach won't work because we'll stay at
   > the first phase.

   [snip]

   If we'd stay at the first phase, that'd probably mean that the stateful
   network access control mechanism wasn't attractive and wide-spread enough?
   -- Which is one of the points here.

=> no, you haven't understood. The problem is not technical, it is
psychological: you can't have this kind of two phase approach for a security
device, you won't be able to relax something, in fact it will be hard to get
the first phase not be hardened. For instance RFC 2401 explains that in tunnel
mode the outer source address should not be checked, most implementers do the
check just because it seems a bit more secure...
   If one would want to differentiate between "network access controlled (no
   checks in end-nodes)" and "in god we trust, others must be checked",
   perhaps Home Address Option sub-options could be used? (or identically
   defined another HAO.)

=> I have no concern about "in god we trust"... This is already the case for
ingress filtering and this is effective, i.e. random source address spoofing
is no longer heavily used in DDoS attacks. This follows the same mechanism as
vaccination against an epidemic.

   > And you put the burden on the wrong people:
   > this is an ingress filtering problem, not a MIPv6 one, so
   > the solution should be in an ingress filtering improvement,
   > not in a new restriction for MIPv6.

   (a bit tongue-in-cheek)

   If the QWERTY working group would define a new mechanism for storing the
   effective source address in a varying location of the IP header chain,
   under some destination option's freshly defined fourth option's third
   sub-option (padded to 2n+x), would digging that out and just coping with it
   be an "ingress filtering problem" too?

=> I think so (this is why I prefer the firewall based part of ingress
filtering because firewalls have to be prepared to dig into packets anyway).

   If the AZERTY working group would make new requirements (caused by said
   working group's new proposal) for ingress filtering, so that it could not
   be done in practice, would finding new ways to do ingress filtering befall
   ingress filtering people too?

=> this depends on who gets the benefits: if there are mainly global benefits
(as for home address declarations in order to limit HAOs), I believe this is
a topic for ingress filtering people, if there are mainly benefits for a
particular population (as for HAO filtering using remote network access
control, i.e. certified/verified home addresses), I believe this is not a
topic for ingress filtering people (in my example this is a topic for AAA
people).
We can consider where the difficulties are too but in a well engineered
system both should be equivalent (this is a practical problem too, if you get
the difficulties and not the benefits nothing will happen, this is my concern
about correspondent node based features).

Regards

[EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
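An added example, not code from this thread, of the firewall based ingress filtering discussed above: the filter walks the IPv6 header chain to find the Home Address Option and accepts a packet only when the outer source is topologically correct for the access network and the home address carried in the HAO was declared to that network beforehand. The HAO option type 0xC9, the declaration table and the sample addresses are assumptions constructed for the example.

```python
import ipaddress
import struct

EXT_HEADERS = {0, 43, 44, 60}  # RFC 2460 extension headers to walk; 60 = Dest Opts (carries the HAO)
HAO_TYPE = 0xC9  # Home Address Option type as used in the MIPv6 drafts (assumed)

def find_home_address(pkt):
    """Walk the IPv6 header chain; return the HAO home address or None."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    next_hdr, off = pkt[6], 40
    while next_hdr in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        length = 8 if next_hdr == 44 else (pkt[off + 1] + 1) * 8  # fragment header is fixed size
        if off + length > len(pkt):
            raise ValueError("extension header overruns packet")
        if next_hdr == 60:
            p, end = off + 2, off + length  # TLV options follow the 2-byte header
            while p < end:
                if pkt[p] == 0:  # Pad1 has no length byte
                    p += 1
                    continue
                opt_len = pkt[p + 1]
                if pkt[p] == HAO_TYPE and opt_len == 16:
                    return ipaddress.IPv6Address(pkt[p + 2:p + 18])
                p += 2 + opt_len
        next_hdr, off = pkt[off], off + length
    return None

def ingress_filter(pkt, access_prefix, declared):
    """Return 'accept' or a drop reason; `declared` maps care-of address -> declared home addresses."""
    src = ipaddress.IPv6Address(pkt[8:24])
    if src not in access_prefix:
        return "drop: source outside access network prefix"
    home = find_home_address(pkt)
    if home is None or home in declared.get(src, ()):
        return "accept"
    return "drop: HAO home address not declared for this source"

def build(src, dst, home=None):
    """Construct a minimal IPv6 packet, optionally with Dest Opts = PadN(4) + HAO (8n+6 aligned)."""
    ext, nh = b"", 59  # 59 = No Next Header
    if home is not None:
        ext, nh = bytes([59, 2, 1, 2, 0, 0, HAO_TYPE, 16]) + home.packed, 60
    return struct.pack("!IHBB", 0x60000000, len(ext), nh, 64) + src.packed + dst.packed + ext

ACCESS = ipaddress.IPv6Network("2001:db8:a::/48")  # constructed sample access network
COA, HOME, CN = map(ipaddress.IPv6Address, ("2001:db8:a::1", "2001:db8:b::1", "2001:db8:c::1"))
DECLARED = {COA: {HOME}}  # care-of address -> home addresses declared to the access network
```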
