In your previous mail you wrote:
> => so you'll be very happy when you'll read my draft which relies only
> on *enough* of any kind of network access control (even passive one,
> aka BU/BA snooping which can have the favour of firewall folk).
I did read draft-dupont-ipv6-ingress-filtering-00.txt and it seems to assume
that the architecture only needs to support ingress at one place.
=> this is a constraint: active network access control is usually done
at one place.
I don't see any difference between saying
- we can trust the access network to do ingress filtering
- we can trust the host to not use bogus source addresses
=> it seems you have a very bad feeling about your ISP (:-).
Fundamentally it is an issue about trust boundaries.
=> I fully agree: this is a trust/responsibility issue, so I am not
surprised that this can be described in AAA terms (for instance
this is about "the authorization to use this home address").
The architecture should not prevent such flexibility.
=> what does prevent flexibility is that the only current technical,
concrete form of trust/responsibility is network access control systems.
I'm answering the serious underlying question/assumption:
You seem to have not read the abstract in the BU3WAY document.
=> IMHO BU3WAY is an attempt to get the faster/cheaper security
scheme for BUs (the opposite of IKE+AH).
I never claimed it was the best approach.
=> so I've put again a smile.
In fact, if CGA was free (no IPR concerns and no performance concerns for
the PK operations) doing CGA (in combination with RR to deal with certain
DoS attacks) would be the obvious answer IMHO.
=> if CGA was free we have a lot of better solutions to many problems
(including the HAO vs ingress filtering one) but it has both IPR and
performance concerns...
If we feel that we (the IETF) can't produce documents that say
how firewalls should behave
=> this is about details of communication between network access controls
and firewalls, not about firewall behavior. BTW my draft is essentially
a firewall behavior specification.
then it would seem foolish for us to produce standards that
assume certain behavior in firewalls.
=> firewall people were not enough (? :-) foolish to wait for us
to specify how network access controls and firewalls should communicate.
More seriously I've looked at what is available:
- it seems a lot of firewalls support this kind of feature for
remote/mobile access (all the commercial firewalls still on the market)
- IPF (a well-known open source firewall) has the auth/preauth actions
which do exactly what is needed (unfortunately the IPv6 support of IPF
is questionable and it does not (*yet*) have HAO support.)
Regards
[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
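The mechanism argued over above (an access-network firewall that keeps doing ordinary ingress filtering on the IPv6 source, and extends that check to the home address carried in a Home Address Option by passively snooping Binding Updates and Binding Acknowledgements) can be shown as a toy model. The following is an added example written for this page; it is not code from the draft, from IPF or from either correspondent. All addresses are constructed documentation prefixes, the packet fields are a simplification of the real Mobile IPv6 headers (the BA "status < 128 means accepted" convention is taken from Mobile IPv6 and is an assumption about what a snooper would look at), and the pass/drop strings are this example's own. It also makes the simplifying assumption that a BA arriving from the address the BU was sent to is enough evidence of authorization, which is exactly the "*enough* network access control" trade-off the message is about.

```python
"""Toy IPv6 ingress filter that learns Home Address Option (HAO) authorizations
by passively snooping Binding Updates (BU) and Binding Acknowledgements (BA).
Illustrative model only; not the draft's text nor any real firewall's code."""
from dataclasses import dataclass, field
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

# Constructed sample topology: the prefix the visited access network assigns.
ACCESS_PREFIX = IPv6Network("2001:db8:1::/48")


@dataclass
class Packet:
    src: IPv6Address
    dst: IPv6Address
    kind: str = "data"                  # "data", "bu" (Binding Update) or "ba" (Binding Ack)
    hoa: Optional[IPv6Address] = None   # home address carried in the HAO (data/BU) or BA
    ba_status: int = 0                  # BA status; < 128 means the home agent accepted the BU


@dataclass
class SnoopingIngressFilter:
    prefix: IPv6Network
    pending: set = field(default_factory=set)        # (coa, hoa, ha) claimed by an outbound BU
    authorized: dict = field(default_factory=dict)   # coa -> {hoa, ...} confirmed by a BA

    def outbound(self, pkt: Packet) -> str:
        """Filter a packet leaving the access network; returns 'pass' or 'drop:<why>'."""
        # Classic ingress filtering: the IPv6 source must be topologically ours.
        if pkt.src not in self.prefix:
            return "drop:bogus-source"
        if pkt.hoa is None:
            return "pass"
        if pkt.kind == "bu":
            # Let the BU through and remember the claimed (CoA, HoA, HA) triple.
            # Only the home agent can authenticate the BU, so nothing is trusted yet.
            self.pending.add((pkt.src, pkt.hoa, pkt.dst))
            return "pass"
        # Data with a HAO: the receiver will treat the home address as the
        # effective source, so it gets the same scrutiny as the source address.
        if pkt.hoa in self.authorized.get(pkt.src, set()):
            return "pass"
        return "drop:unauthorized-hao"

    def inbound(self, pkt: Packet) -> str:
        """Snoop packets entering the access network; an accepted BA upgrades a pending pair."""
        if pkt.kind == "ba" and pkt.hoa is not None:
            key = (pkt.dst, pkt.hoa, pkt.src)   # BA comes from the HA the BU was sent to
            if key in self.pending and pkt.ba_status < 128:
                self.pending.discard(key)
                self.authorized.setdefault(pkt.dst, set()).add(pkt.hoa)
        return "pass"


def demo() -> dict:
    """Run a constructed exchange through the filter and return each verdict."""
    fw = SnoopingIngressFilter(ACCESS_PREFIX)
    coa = IPv6Address("2001:db8:1:2::beef")     # care-of address on the visited link
    hoa = IPv6Address("2001:db8:ffff::beef")    # the mobile node's home address
    ha = IPv6Address("2001:db8:ffff::1")        # its home agent
    corr = IPv6Address("2001:db8:cafe::1")      # some correspondent node
    results = {}
    # 1. HAO data before any binding: dropped, just like a forged source address.
    results["hao_before_bu"] = fw.outbound(Packet(coa, corr, hoa=hoa))
    # 2. A source outside the access prefix never gets out, HAO or not.
    results["forged_src"] = fw.outbound(Packet(IPv6Address("2001:db8:9::1"), corr, hoa=hoa))
    # 3. BU to the HA, accepted BA back: the (CoA, HoA) pair becomes authorized.
    fw.outbound(Packet(coa, ha, kind="bu", hoa=hoa))
    fw.inbound(Packet(ha, coa, kind="ba", hoa=hoa))
    results["hao_after_ba"] = fw.outbound(Packet(coa, corr, hoa=hoa))
    # 4. The same CoA claiming somebody else's home address is still dropped.
    results["other_hoa"] = fw.outbound(Packet(coa, corr, hoa=IPv6Address("2001:db8:ffff::dead")))
    # 5. A BA that rejects the BU (status >= 128) authorizes nothing.
    coa2, hoa2 = IPv6Address("2001:db8:1:2::f00d"), IPv6Address("2001:db8:ffff::f00d")
    fw.outbound(Packet(coa2, ha, kind="bu", hoa=hoa2))
    fw.inbound(Packet(ha, coa2, kind="ba", hoa=hoa2, ba_status=130))
    results["rejected_ba"] = fw.outbound(Packet(coa2, corr, hoa=hoa2))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15s} {verdict}")
```

What the model makes visible is the point of the "trust boundaries" exchange: the filter never authenticates anything itself, it only extends the ingress rule it already enforces on the source address to the home address, and it gets the authorization from an exchange it merely watches. Whether watching is "enough" depends on how much one trusts that an inbound BA really came from the home agent, which is precisely the network-access-control assumption the message leans on.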