In your previous mail you wrote:
AAA for IPv6 is, indeed, quite another problem domain, and
one for which we've hardly started considering the issues.
=> Jari meant network access control, not full AAA with AAA infrastructure.
Furthermore, I am quite reluctant to get
embroiled in a design discussion about building ingress filtering
routers (notwithstanding (*) below), when what I really want to
do is to move the Mobile IPv6 specification forward.
=> I agree, the ingress filtering stuff should be dealt with in parallel.
In an effort to be constructive, here are some further ideas about
how to limit the damage from the packet reflection which can be
caused by malicious use of unrestricted HAOs.
1) The correspondent node can strictly limit the number of
care-of addresses available to any one home address (to,
say, one or two). It _could_ even do so for the number
of care-of addresses assignable to home addresses on a
particular subnet, if we wanted to go to the trouble of
putting the prefix length back into the Binding Update.
=> I don't believe in defense at CNs with triangular routing;
I am afraid this will catch only buggy attacks.
2) The ingress filtering router can strictly limit the number
of HAOs transmitted from any particular subnet prefix
per unit time (*).
=> this can be useful in order to detect abnormal situations
(i.e. attacks) but not to fix them (it is too hard to distinguish
between legitimate and fake HAOs so the system can be itself
the target of a DoS attack).
The best passive protection is BU/BA snooping (all interesting
parameters are in the exchange and BAs are easy to check) but
if it is effective when possible (not too many ciphered fields,
snooping devices in the path), I personally prefer more active
schemes (mainly because they give far better proofs in the legal
meaning... but I believe firewall people prefer snooping which is
more common in their context).
BTW I've interpreted your statement as the number of *different* HAOs
transmitted...
These are the first things that come to mind, and I believe
they are quite simple to implement. (1) certainly is.
Plus, I believe that, for the purposes of handling HAOs,
we should begin to distinguish between home addresses that
have security associations established with the correspondent
node, and home addresses that do not. It is the latter
variety that need to have the strict numerical limitations.
=> with current specs a MN must have a home registration which is
always acknowledged so BU/BA snooping is the next step of your idea.
Regards
[EMAIL PROTECTED]
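As an added illustration (not from this thread or any IETF draft) of the detection-only reading of idea (2) in the reply above: count the number of *different* HAOs seen per source prefix per time window, skip home addresses that already have a security association with the CN as suggested at the end of the quoted mail, and report prefixes that exceed a limit. The records, addresses, window, limit and the `known_sa` set are all constructed or assumed parameters.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of (time_seconds, source_address, home_address_option)
# as an ingress router might log them. Prefix 2001:db8:1::/64 behaves like a
# normal mobile node; prefix 2001:db8:2::/64 emits many different HAOs, the
# pattern that turns a CN into a packet reflector.
SAMPLE = [
    (0, "2001:db8:1::10", "2001:db8:aaaa::1"),
    (3, "2001:db8:1::10", "2001:db8:aaaa::1"),
    (5, "2001:db8:1::11", "2001:db8:aaaa::2"),
    (1, "2001:db8:2::50", "2001:db8:bbbb::1"),
    (2, "2001:db8:2::50", "2001:db8:bbbb::2"),
    (2, "2001:db8:2::51", "2001:db8:bbbb::3"),
    (4, "2001:db8:2::52", "2001:db8:bbbb::4"),
    (12, "2001:db8:2::50", "2001:db8:bbbb::5"),
]


def prefix_of(addr, plen=64):
    """Map a source address to its subnet prefix (assumed /64 here)."""
    return str(ipaddress.ip_network(f"{addr}/{plen}", strict=False))


def distinct_haos_per_prefix(records, window=10, plen=64, known_sa=frozenset()):
    """Return {(prefix, window_index): number of distinct HAOs}.

    known_sa (assumed input) lists home addresses that have a security
    association with the CN; those are exempt from the strict numeric limit.
    """
    exempt = {str(ipaddress.ip_address(a)) for a in known_sa}
    seen = defaultdict(set)
    for t, src, hao in records:
        hao = str(ipaddress.ip_address(hao))  # normalise textual variants
        if hao in exempt:
            continue
        seen[(prefix_of(src, plen), t // window)].add(hao)
    return {key: len(haos) for key, haos in seen.items()}


def flag_abnormal(records, limit=2, **kw):
    """Prefix/window pairs whose distinct-HAO count exceeds the limit.

    This only *detects* an abnormal situation; as the reply notes, it cannot
    tell legitimate HAOs from fake ones, so it should not drop traffic.
    """
    counts = distinct_haos_per_prefix(records, **kw)
    return sorted(key for key, n in counts.items() if n > limit)
```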
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------