> Actually, I will have to let on to a little secret. I have been
> looking at an option for anycast that looks strikingly similar to the
> Home Address option in MIPv6. The idea is that a server responding to
> an anycast query will put the anycast address in this option and its
> own unicast address in the source address field. The option can be
> protected with an AH header, thus allowing the sender to authenticate
> that the response is coming from a member of the anycast group.
This approach to security assumes a globally deployed PKI. So you seem to be on a path that's been tried before without success.

I think in order to avoid this dependency one should think about basing the security on the routing system functioning. Thus if there is a response saying that Unicast X is a member of Anycast A, then there would be a return routability check to both X and A, and only a node which would receive both the packet sent to A and X would be able to respond with the needed "cookies". This sounds like about 2 roundtrips to securely find the mapping from A to X.

We could chat more off-line if you'd like.

Erik

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
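The return routability check sketched in the reply above, simulated as an added example (this is not code from the thread or from any IETF draft; the `Network`, `Node` and `Verifier` classes and the addresses "A", "X", "Y" and "M" are constructed for the demonstration). The first round trip, the anycast query that yields the claimed mapping A -> X, is taken as already done; the block models the second round trip: one cookie sent to the claimed unicast address X and one sent to the anycast address A, with the claimant accepted only if it can combine both. The toy routing table stands in for "the routing system functioning": it also shows the caveat that a genuine group member which routing does not currently select for A cannot pass the check.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Node:
    """A host with one unicast address and the anycast groups it has joined."""
    unicast: str
    anycast_groups: set = field(default_factory=set)
    # cookies that arrived at this node, keyed by the destination address they came in on
    received: dict = field(default_factory=dict)

    def receive(self, dst: str, cookie: bytes) -> None:
        self.received[dst] = cookie

    def answer_rr(self, anycast: str) -> bytes | None:
        """Prove the mapping A -> X: only a node that got BOTH cookies can answer."""
        cookie_a = self.received.get(anycast)
        cookie_x = self.received.get(self.unicast)
        if cookie_a is None or cookie_x is None:
            return None
        return hashlib.sha256(cookie_a + cookie_x).digest()


class Network:
    """Toy routing system: unicast goes to its owner, anycast to the member routing selects."""

    def __init__(self) -> None:
        self.nodes: dict[str, Node] = {}
        self.anycast_route: dict[str, str] = {}  # anycast address -> unicast of selected member

    def add(self, node: Node) -> None:
        self.nodes[node.unicast] = node
        for group in node.anycast_groups:
            self.anycast_route.setdefault(group, node.unicast)  # first joiner wins by default

    def deliver(self, dst: str, cookie: bytes) -> None:
        if dst in self.nodes:
            self.nodes[dst].receive(dst, cookie)
        elif dst in self.anycast_route:
            self.nodes[self.anycast_route[dst]].receive(dst, cookie)
        # any other destination is dropped, as a router would do


class Verifier:
    """The querier: checks a claimed 'unicast X serves anycast A' mapping with two cookies."""

    def __init__(self, net: Network) -> None:
        self.net = net
        self.key = os.urandom(32)  # per-verifier secret; cookies are derived from it, not stored

    def _cookie(self, tag: str, anycast: str, unicast: str, nonce: bytes) -> bytes:
        msg = f"{tag}|{anycast}|{unicast}|".encode() + nonce
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:16]

    def check_mapping(self, anycast: str, claimed_unicast: str) -> bool:
        """One round trip: cookie to X and cookie to A in parallel, then compare the answer."""
        nonce = os.urandom(8)  # fresh per check, so an old answer cannot be replayed
        cookie_x = self._cookie("X", anycast, claimed_unicast, nonce)
        cookie_a = self._cookie("A", anycast, claimed_unicast, nonce)
        self.net.deliver(claimed_unicast, cookie_x)
        self.net.deliver(anycast, cookie_a)
        expected = hashlib.sha256(cookie_a + cookie_x).digest()
        claimant = self.net.nodes.get(claimed_unicast)
        answer = claimant.answer_rr(anycast) if claimant else None
        return answer is not None and hmac.compare_digest(answer, expected)


def build_demo() -> tuple[Network, Verifier]:
    """Constructed topology: X and Y are real members of anycast A; M is not a member."""
    net = Network()
    net.add(Node("X", {"A"}))
    net.add(Node("Y", {"A"}))
    net.add(Node("M"))  # a node that would falsely claim to serve A with source address M
    return net, Verifier(net)


if __name__ == "__main__":
    net, v = build_demo()
    print("X serves A:", v.check_mapping("A", "X"))  # routing delivers A to X -> True
    print("M serves A:", v.check_mapping("A", "M"))  # M never sees the A cookie -> False
    print("Y serves A:", v.check_mapping("A", "Y"))  # member, but A currently routes to X -> False
```

What the check establishes is exactly what the reply relies on: that the claimant receives packets addressed to A as the routing system currently delivers them, with no certificate involved. The third case is the price of that design: a legitimate member that routing does not select for A fails the check, so the result is "X is where A currently goes", not "X is a member of A", and a flap in anycast routing between the two cookie deliveries produces a spurious failure.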
