Charlie wrote:
> > > If the downside is that then
> > > there is vulnerability to (single!) packets being reflected back
> > > to an unsuspecting home address, then: []
> >
> > That is not the only downside. The primary downsides
> > have been discussed here ad nauseam.
>
> I looked at a lot of stuff, but that's the only one I saw,
> even though it can be dressed up in different ways.
> What else is there?

I think you are right Charlie, that is the only downside. (There's a bunch of other downsides related to fixing with AAA the hole HAO leaves in ingress filtering, but that's another issue.)

The primary danger of unconstrained HAO is having even a small number of attackers spoof HAOs and use a large number of CNs as reflectors to attack a specific target even if your network has ingress filtering. Basically, it voids ingress filtering.

2-way i-trace would still detect the source of these attacks, at least in some cases. However, my concern is that i-trace isn't ready, isn't deployed and frankly I don't really believe it will be deployed anytime soon. A hypothetical "Care of Address Option" for MIPv6 would have the same detection power. The trouble with both of these as opposed to ingress filtering is that they act after the attack is done or over, while ingress filtering prevents attacks.

In situations where you have no ingress filtering there's really no difference whether we use HAOs or not.

Jari

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
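Jari's point, that a spoofed HAO sails through ingress filtering (which only checks the IPv6 header source) while steering the CN's reply to a third party, as an added toy model that is not code from the thread. The addresses and binding cache are constructed, and the "constrained" policy (honour the HAO only when the CN already holds a matching binding) is an assumed illustration of what constraining HAO could mean, not something the thread proposes.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Dict, Optional


@dataclass(frozen=True)
class Packet:
    src: IPv6Address                   # IPv6 header source (care-of address when HAO is used)
    dst: IPv6Address
    hao: Optional[IPv6Address] = None  # Home Address Option in the Destination Options header


# Constructed sample topology (assumed addresses, not from the thread).
ATTACKER_SITE = IPv6Network("2001:db8:1::/48")   # site whose border router does ingress filtering
ATTACKER = IPv6Address("2001:db8:1::bad")        # a host inside that site
MOBILE_CARE_OF = IPv6Address("2001:db8:1::c0a")  # a legitimate mobile node visiting the same site
MOBILE_HOME = IPv6Address("2001:db8:5::1")       # that mobile node's home address
VICTIM = IPv6Address("2001:db8:9::1")            # address the attacker wants traffic reflected to
CN = IPv6Address("2001:db8:7::1")                # correspondent node used as the reflector

# The CN's binding cache: home address -> care-of address it has verified (assumed contents).
BINDING_CACHE: Dict[IPv6Address, IPv6Address] = {MOBILE_HOME: MOBILE_CARE_OF}


def ingress_filter_passes(pkt: Packet, site: IPv6Network) -> bool:
    """Ingress filtering at the site's border router: drop packets whose IPv6
    header source lies outside the site's prefix.  It never inspects the HAO."""
    return pkt.src in site


def cn_reply_destination(pkt: Packet, cache: Dict[IPv6Address, IPv6Address],
                         constrained: bool) -> Optional[IPv6Address]:
    """Address the CN sends its reply to.  Unconstrained: the HAO is honoured
    blindly, so the reply goes wherever the sender claims to live.  Constrained
    (assumed policy): the HAO is honoured only when the cache maps that home
    address to this packet's source; otherwise the packet is dropped (None)."""
    if pkt.hao is None:
        return pkt.src
    if not constrained:
        return pkt.hao
    return pkt.hao if cache.get(pkt.hao) == pkt.src else None


ATTACK = Packet(src=ATTACKER, dst=CN, hao=VICTIM)            # spoofed HAO naming the victim
LEGIT = Packet(src=MOBILE_CARE_OF, dst=CN, hao=MOBILE_HOME)  # genuine mobile node

if __name__ == "__main__":
    for name, pkt in (("attack", ATTACK), ("legit", LEGIT)):
        print(name, "| ingress ok:", ingress_filter_passes(pkt, ATTACKER_SITE),
              "| unconstrained reply ->", cn_reply_destination(pkt, BINDING_CACHE, False),
              "| constrained reply ->", cn_reply_destination(pkt, BINDING_CACHE, True))
```

The attack packet passes ingress filtering because its header source is topologically correct; only the CN's handling of the option decides whether the reply is reflected.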
