> > Since a spoofer can construct any packet they like, and NOT include any
> > authentication data, a bit in the source address seems to be the only
> > way for a receiver who cares, to know whether to drop it (because auth
> > data is missing) or accept it (because it's a legacy insecure address).
>
> What about the receiver having two IP-addresses, one for legacy and one
> for "secure-only" source addresses?
If the receiver indeed enforced that a "secure-only" source address can only be used with the "secure-only" destination, this might work as far as the security aspects at the IP layer go. (But I haven't thought long and hard about this to tell for sure if this is sufficient; it is required as far as I can tell.)

But that would imply the receiver somehow being able to control who uses which of its IP addresses, i.e. being able to ensure that the peers that want more secure operation get the secure-only address and vice versa. Thus somehow the distinction between secure and non-secure destination addresses needs to be encoded in what is stored in the DNS (and other places that translate "names" to IP addresses). That seems like a fair amount of change to other parts of the system.

Do you have good ideas of how this can be done?

Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
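The receiver-side policy the two messages above are circling around, written out as an added example that is not part of the thread and not code from the IPng working group: the receiver owns a legacy address and a "secure-only" address, drops unauthenticated packets sent to the secure-only address, and also enforces Erik's cross-check that a secure-only source address may only be used with the secure-only destination (and vice versa). The addresses, the choice of bit 0 of the address as the hypothetical "secure source" bit, and the `has_auth` flag standing in for "authentication data is present and verified" are all constructed assumptions; how the secure/legacy distinction would reach the DNS is left open, as it is in the message.

```python
from dataclasses import dataclass
import ipaddress

# Hypothetical convention (not from the thread): a source address is "secure"
# when its lowest bit is set. Any agreed bit position would do; this one is an
# assumption chosen only so the example runs.
SECURE_SRC_BIT = 1


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    has_auth: bool  # True if authentication data (e.g. IPsec AH) is present and verified


class Receiver:
    """A host with one legacy address and one secure-only address."""

    def __init__(self, legacy_addr: str, secure_addr: str):
        self.legacy = ipaddress.IPv6Address(legacy_addr)
        self.secure = ipaddress.IPv6Address(secure_addr)

    @staticmethod
    def source_is_secure(addr: ipaddress.IPv6Address) -> bool:
        # The "bit in the source address" from the quoted message.
        return bool(int(addr) & SECURE_SRC_BIT)

    def decide(self, pkt: Packet) -> tuple[str, str]:
        """Return ("accept" | "drop", reason) for an inbound packet."""
        src = ipaddress.IPv6Address(pkt.src)
        dst = ipaddress.IPv6Address(pkt.dst)

        if dst == self.secure:
            # A spoofer can always omit auth data, so its absence is fatal here.
            if not pkt.has_auth:
                return ("drop", "secure-only destination without authentication data")
            # Erik's required check: secure-only dst only pairs with secure src.
            if not self.source_is_secure(src):
                return ("drop", "legacy source address sent to secure-only destination")
            return ("accept", "authenticated packet to secure-only address")

        if dst == self.legacy:
            # The converse check: a secure source must not fall back to the
            # legacy address, or the policy is trivially bypassed.
            if self.source_is_secure(src):
                return ("drop", "secure-only source must not use the legacy destination")
            return ("accept", "legacy address; authentication not required")

        return ("drop", "not one of this receiver's addresses")


def run_samples() -> list[tuple[str, str]]:
    """Constructed sample traffic exercising every branch of the policy."""
    rx = Receiver(legacy_addr="2001:db8::10", secure_addr="2001:db8::11")
    secure_src = "2001:db8::1:1"   # bit 0 set  -> "secure" source
    legacy_src = "2001:db8::1:2"   # bit 0 clear -> legacy source
    samples = [
        Packet(secure_src, "2001:db8::11", has_auth=True),
        Packet(secure_src, "2001:db8::11", has_auth=False),
        Packet(legacy_src, "2001:db8::11", has_auth=True),
        Packet(legacy_src, "2001:db8::10", has_auth=False),
        Packet(secure_src, "2001:db8::10", has_auth=True),
        Packet(legacy_src, "2001:db8::99", has_auth=True),
    ]
    return [rx.decide(p) for p in samples]


if __name__ == "__main__":
    for verdict, reason in run_samples():
        print(f"{verdict:6s} {reason}")
```

The cross-check in both directions is what makes the two-address scheme hold up at the IP layer: without the legacy-destination branch, a peer holding a secure source address could simply send to the legacy address and skip authentication.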
