Hello again,
There is a number of problems that need to be solved
I think to get the right proposal.
- ND does not allow you to send an RS outside your
subnet.
- MNs need to get the Home network prefix to configure
themselves with a Home address.
- To be able to send an RS with TTL <255 you need to be
authorised to do so.
So based on this list, I don't think that tunnelling the
RS from the MN to the HA will buy us anything.
Strictly speaking the HA can drop the packet anyway
if he MN is not authorised to send an RS across
subnets.
So I think one way to solve this is to send the RS
as follows:
Src_addr : MN CoA
Dst_addr : HA address
TTL < 255
Obviously secured by AH or ESP.
Now we're faced with difficult task of authorising this
user to send this message.
There are two options that I can think of:
1. PKI
If the MN has a PK and the HA is aware of all PKs for
all MNs that it serves, then all the HA needs to do
is be able to verify the identity of the sender. Ie. verify
that the sender is actually _one_of its MNs. This verification
is obviously based on using the PK as an identifier for
the MN. Associated with that Key is the level of authorisation.
2. AAA
The MN already has a secret key with AAAH. AAAH can be used
to generate a temporary SA between the MN and the HA
so that the MN can authenticate itself o the HA. The MN
can identify itself to the AAAH based on the NAI and
NOT the Home address, as it clearly doesn't know that yet.
When the AAAH establishes this temporary SA, it can
provide the HA with the MN's NAI, authorisation level ...etc
so that the HA can be sure it is one of it's nodes.
This proposal (for AAAH to establish SAs) was already
prsented in San Diego.
http://search.ietf.org/internet-drafts/draft-soliman-mobileip-routeopt-mipv6
-00.txt
Comments ?
Regards,
Hesham
PS: After writing this mail I saw Erik's mail !
I should have read it first and saved myself some typing :)
I think the model is very similar but I'm sending this
anyway for the authorisation part.
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page: http://playground.sun.com/ipng
FTP archive: ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------