> => not exactly, the key term is "rely on".
>
> I don't think it matters whether the acronym for this
> infrastructure was PKI, DNS, or AAA?
>
> => I agree but it is not forbidden to get advantages of it, only to rely
> on it. As we don't rely on ingress filtering for defense against DDoS,
> I can't see a problem to propose to use AAA in order to improve ingress
> filtering.

Yes, it's no problem to improve something. However, improving ingress filtering with AAA is not the *whole* picture of what we are doing. You have to remember that by introducing HAO our first step is punching a mile-wide hole to the ingress filtering system. And, in fact, you are not improving things by having a smart treatment of the HAO -- you're basically keeping the status quo that we already have with v4.

So, in some areas that have both ingress filtering and AAA, you may keep the current status, if the AAA fix to ingress filtering is deployed fast enough. However, in other areas you are nuking an existing security measure some people are using. In this sense you are relying on AAA all over the place, just to keep things as they were before.

Jari

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
