In your previous mail you wrote: > I have written a draft about IPv6 ingress filtering (with home address > option considerations). It is not finished... => note the draft was finished and published. The draft is quite nice, thanks for writing it.
=> thanks for reading it. There are a few problems, though, that I see. Firstly, I really do find it unrealistic to assume that each and every site in the world would understand AAA, and change their ingress filtering rules based on AAA information. => I assume you use AAA in its traditional meaning, i.e. network access control with something like RADIUS. Please don't make the confusion between network addresse control and full AAA with infrastructure, etc. Thus, that leaves changing the Binding Cache into hard state (instead of being cache) the only option, i.e. requiring that the CNs check the HAO against the Binding information. => there are other options (look at the mobile-ip list) but it seems the two detailed proposals are ingress filtering using some kind/level of network access control and binding cache entry check. Secondly, such a the proposed practice would basically foil all of the designed zero-configuration nature of IPv6. That is, the reason for IPv6 stateless autoconfiguration is to allow hosts to be plugged in to a IPv6 network without any prior configuration. IMHO, such a practice would be very good in many environments, even in public access WLANs. (I know that some people disagree with me.) => I agree the zero-configuration is very fine and I don't believe into DHCPv6, i.e. something which tries to impose its idea of your address to you. But I make a distinction between to allow hosts to be plugged in and to allow hosts to freely access to the Internet. The device which provides the step between is the network access control. I don't want to enter into details about how to do it, the important notion is the trust/responsability, i.e. if you give some access to a node and something is going wrong, you accept to take the responsability to take care of the problem. IMHO this is more important than ingress filtering itself: without trust/responsability, the bad guy has no need to do source address spoofing. So, as I am perhaps (:-) in the people who disagree with you, what you propose if you get the role of a public access WLAN manager? Thirdly, if we consider most current DDoS attacks, the majority of hosts used to launch those attacks seem to be badly administered PCs that belong to home users, careless university labs, etc. => this proves ingress filtering reachs its limits when an action is required... When we move to IPv6, there will continue to be organizations with little administrative knowledge (e.g. home users) or little money (e.g. some universities). It is exactly those kinds of organizations that are likely to continue having hosts that can be broken in and used in DDoS attacks. => I agree: network access control doesn't imply good administration but usually it is simply part of a at least minimal administration (always better than nothing). For instance location of compromised hosts can be possible. Now, the point is that those are also exactly the organizations that are most _unlikely_ to use advanced ingress filtering methods, or AAA at all. Thus, relying on AAA and advanced ingress filtering will most probably secure those parts of IPv6 internet that already have relatively secure hosts (e.g. mobile handsets or PDAs), and not those parts of the IPv6 internet that have insecure hosts. => the issue is in the target: you'd like to secure the Internet, this is an admirable idea but, for some reasons you have just explained, not really feasible. My purpose is to get back to the previous situation, i.e. current IPv4 ingress filtering, so I prefer to stress the trust/ responsability stuff (what I called the "responsible usage of the network") because in fact the places where advanced ingress filtering won't work are the places where ingress filtering itself won't work. I have a lot of other arguments but they are already in the zillion of previous messages about the HAO security... BTW the design team proposed a recommendation based on the FUD against mobile IPv6 and selected the BCE check solution. I am very pessimist about the future of mobile IPv6 because the improvements over mobile IPv4 fully rely on the routing optimization: as someone explained, there are only two kinds of common correspondent nodes: web servers, but to deal with routing optimization with its security, hard state binding cache, etc, is too expensive so shan't be done, and mobile terminals (handsets, PDAs, (robust) laptops), the problem is the design team didn't consider this special case (aka mobile to mobile)... We are trying to save something but most of the marvellous promises of mobile IPv6 can already be considered as hype. Regards [EMAIL PROTECTED] -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------
