Hello folks,

I'm pretty far behind on reading these voluminous e-mails, but I would at least like to express again my belief that we could go forward with the HAO as it is. If the downside is that then there is vulnerability to (single!) packets being reflected back to an unsuspecting home address, then:

- This is not a completely horrible problem
- It is amenable to solutions that can be deployed later, as IPv6 itself becomes more widely deployed
- Solutions involving use of security associations between mobile and correspondent will be developed more rapidly if there is motivation for use with Proposed Standard Mobile IPv6
- We can be done almost immediately, and begin to productively tackle the issues more effectively with experience.

I think there is a very real possibility that we are getting stalled in worrying over a problem that is not going to happen.

A couple of other points:

Francis Dupont wrote:

> => we don't need to wait because mobile IPv6 is not yet fully specified.

That is purely a matter of opinion. People have built it and tested it and it works. I think it would be far more proper to say that Mobile IPv6 is in fact fully specified, but we have identified more things to do. Those things should be in new specifications.

I would compare your statement to be the same as saying "IP was not fully specified until we had CIDR". That is manifestly absurd, unless you are willing to also contend that IP and IPv6 both are not even yet fully specified.

In my opinion, we are not moving forward because we are being required to boil the ocean before even being allowed to take a drink.

Erik Nordmark wrote:

> If not, what do you propose to do in the interim until network
> access control for HAO is available?

I'd say let's try it. The likely access controls are not going to affect the handling at the correspondent node anyway. The downside isn't very bad anyway. If I were a malicious hacker, why would I mess with that when there are so many other low-hanging fruits to spear?

> Seems like this requires a two-phase approach: phase 1 before it is
> available and phase 2 when/if it become available.
>
> => you are acking what will happen after some kilometers in a deep fog:
> today only IPv6 raw protocol is available, not mobile IPv6, IPv6 ingress
> filtering, IPv6 firewalls, ...

Phase one is basically requiring reverse tunneling for virtually all mobility, killing route optimization, and probably along with it any hope of QoS for many years. It means that nodes will typically not receive packets containing the Home Address option, and thus the feature will rust.

> => mobile IPv6 is not yet in last call, in fact we don't know if it will be
> this year.

Well, technically speaking, it was already in Last Call last year (and the year before). But I guess that is really a moot point.

Regards,
Charlie P.

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
