In your previous mail you wrote:

=> I reply here because there is a common misconception in this comment.

   I have been selected as the General Area Review Team (Gen-ART)
   
   An important requirement for IPsec-based protection of Mobile IPv6 route
   optimization is that the IPsec security associations are bound to the mobile
   node's home address.  A malicious mobile node could otherwise misuse its own
   security association for impersonating the home address of a different
   mobile node.  The draft ensures this requirement in section 3 by saying
   that...
   
   >  -  the Traffic Selectors MUST match exclusively the Home Address of
   >     the Mobile Node and an address of the Correspondent Node (the
   >     address used for communication between peers).
   
   Yet the importance of this requirement, as well as its reason and effect, is
   unlikely to become clear to the non-expert reader.  I would recommend
   adding a section in the Security Considerations section
   elaborating on this.
   
=> In fact, the home address impersonation attack exists only in the
mobile node - home agent case, not in the mobile node - correspondent
case. If a node can use the address of another node to communicate
with the correspondent, establish some security association, etc.,
this is an IPsec issue if the address gives some specific authorizations.
Mobility does not change this; in fact, it just makes this a bit harder
for a visiting rogue mobile node because of the home agent control.
So in fact the requirement is not for security but only for safety.
BTW I believe the MUST is good and should not be replaced by a SHOULD,
and there will be some new text explaining the requirement.

Thanks

[EMAIL PROTECTED]


_______________________________________________
Gen-art mailing list
Gen-art@ietf.org
https://www1.ietf.org/mailman/listinfo/gen-art
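
An added example, not part of the original message or of the draft under review: a check that a negotiated traffic selector pair matches exclusively the mobile node's home address and the correspondent node's address, as the quoted MUST requires. The `TrafficSelector` model, the function names and the sample addresses are assumptions made for illustration, and the home address is assumed to be already known for the authenticated peer.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class TrafficSelector:
    """Address range of one traffic selector (hypothetical minimal model)."""
    start: str
    end: str


def covers_only(ts: TrafficSelector, addr: str) -> bool:
    """True when the selector's range is exactly the single address `addr`."""
    want = ipaddress.ip_address(addr)
    return (ipaddress.ip_address(ts.start) == want
            and ipaddress.ip_address(ts.end) == want)


def check_selectors(mn_side, cn_side, home_address, cn_address):
    """Return a list of violations; an empty list means the rule is met."""
    problems = []
    for label, selectors, addr in (("mobile node", mn_side, home_address),
                                   ("correspondent", cn_side, cn_address)):
        if not selectors:
            problems.append(f"{label}: no traffic selector offered")
        for ts in selectors:
            if not covers_only(ts, addr):
                problems.append(
                    f"{label}: {ts.start}-{ts.end} is not exactly {addr}")
    return problems


# Constructed sample values (documentation prefix 2001:db8::/32).
HOME_ADDRESS = "2001:db8:1::10"   # home address bound to the authenticated peer
CN_ADDRESS = "2001:db8:2::1"      # correspondent node address

GOOD = ([TrafficSelector(HOME_ADDRESS, HOME_ADDRESS)],
        [TrafficSelector(CN_ADDRESS, CN_ADDRESS)])
# A range spanning the home prefix would also cover other nodes' home addresses.
TOO_WIDE = ([TrafficSelector("2001:db8:1::", "2001:db8:1::ffff")],
            [TrafficSelector(CN_ADDRESS, CN_ADDRESS)])

if __name__ == "__main__":
    print(check_selectors(*GOOD, HOME_ADDRESS, CN_ADDRESS))
    print(check_selectors(*TOO_WIDE, HOME_ADDRESS, CN_ADDRESS))
```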
