Glenn,
the concerns you raise I think we have addressed in our draft
(draft-perkins-aaav6-03.txt)

> I would like to again float the idea that perhaps some sort of filtering
> on source address should be mandated on the first hop.
If you look at our AAA for IPv6 we have a mechanism to intercept ND and to
have an access control towards your AAA server. What we then discuss in the
draft are possible ways to update your packet filters (ACL) for that
authenticated IP address and authorized services (TCP and UDP port numbers)
automatically in the access router.

Personally I think that the draft lays out a very nice foundation for access
control and automatically updating your ingress filters in the access.

Please read it and comment on it. Do you agree with the basic approach or do
you mean something else?

> My reasoning on this is that the existing filtering mechanisms are sort of a
> pariah, i.e. it might be there or it might be not and we really have no idea
> where that "there" might be throughout the network. Clearly, the most scalable
> and effective place to do this filtering is on the first hop. Doing it
> at other points within the network is not guaranteed to be completely
> effective as it may not stop all slaves.

Exactly. The draft shows that.

>
> It seems that two mechanisms for these filters have been proposed. One
> mechanism is a simple ingress check on an interface. The other is an
> exception mechanism that I believe has been coined ACL access control
> lists.
>
> The ACL list appears to allow specific addresses or range of addresses
> to pass through. It seems to me that if the ACL lists are used then
> there might be a glimmer of hope that mobile nodes could use their home
> address as source on visited domains and a whole range of solutions
> designed with this assumption will be able to be used with less change.

There is no need for that.
If you tie it to the AAA infrastructure, the mobile node could use its new CoA
after it has been through the access control on the new network, which means
that the autoconfigured CoA it gets is authenticated (which is done in the
AAA server).


>
> It seems that when a mobile enters a visited subnet, the ACL lists could
> be updated to allow them in as part of neighbor discovery and AAA
> operations.
This is what the draft does.

> Although these other ideas will certainly require some significant
> thinking and discussions on scalability etc.., I would really like
> people to seriously consider at a minimum just mandating the simple
> source address filtering on the first hop in IPv6.

As I said, see our draft, where we have a discussion about it.

-- thomas eklund
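The first-hop mechanism described in the reply above (intercept ND, check the node against the AAA server, then install an ingress ACL for the authenticated address and its authorized TCP/UDP ports in the access router), as an added toy model that is not part of this thread or of draft-perkins-aaav6. The interface name, link prefix, addresses and port sets are constructed for the example.

```python
"""Toy first-hop IPv6 access router: plain on-link ingress check plus an ACL
filled in only after AAA has authenticated an address (constructed model,
not code from draft-perkins-aaav6 or any real router)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AccessRouter:
    link_prefix: dict = field(default_factory=dict)  # iface -> on-link IPv6Network
    acl: dict = field(default_factory=dict)          # iface -> {src: {proto: ports}}
    dropped: list = field(default_factory=list)      # (src, reason) audit trail

    def aaa_authorize(self, iface, address, tcp=(), udp=()):
        """Called once the AAA server accepts the node's (ND-intercepted) access
        request: install the ACL entry for its autoconfigured address.
        Empty port sets mean no service of that protocol is authorized."""
        addr = ipaddress.IPv6Address(address)
        if addr not in self.link_prefix[iface]:
            raise ValueError("AAA-authorized address is not on this link")
        self.acl.setdefault(iface, {})[addr] = {"tcp": frozenset(tcp),
                                                "udp": frozenset(udp)}

    def ingress(self, iface, src, proto, dport):
        """True if the packet may enter; otherwise record why it was dropped."""
        addr = ipaddress.IPv6Address(src)
        if addr not in self.link_prefix[iface]:          # simple first-hop check
            self.dropped.append((src, "off-link source"))
            return False
        entry = self.acl.get(iface, {}).get(addr)
        if entry is None:                                # never passed AAA
            self.dropped.append((src, "unauthenticated source"))
            return False
        if dport not in entry[proto]:                    # service not authorized
            self.dropped.append((src, f"{proto}/{dport} not authorized"))
            return False
        return True


def demo():
    """One authenticated node on eth0; returns filter verdicts and drop reasons."""
    r = AccessRouter(link_prefix={"eth0": ipaddress.IPv6Network("2001:db8:1::/64")})
    r.aaa_authorize("eth0", "2001:db8:1::a", tcp={80, 443}, udp={53})
    verdicts = [r.ingress("eth0", "2001:db8:1::a", "tcp", 443),  # authorized
                r.ingress("eth0", "2001:db8:1::b", "tcp", 443),  # not through AAA
                r.ingress("eth0", "2001:db8:9::a", "tcp", 443),  # off-link (spoofed)
                r.ingress("eth0", "2001:db8:1::a", "udp", 123)]  # port not authorized
    return verdicts, [reason for _, reason in r.dropped]
```

The off-link check alone is the "simple source address filtering on the first hop" from the quoted message; the ACL step is what turns an AAA decision into a per-address, per-service ingress rule.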

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------