Mike,

>  > One issue on the table in mobileip is the scalability of key distribution in
>  > the infrastructureless case. Changing the tunneling format is an orthogonal
>  > issue to this, and I have not understood what such a change would achieve
>  > that is so far unsolvable. Proposals by people working in security
>  > providing "weak authentication", e.g. based on return routability,
>  > have appeared and been under scrutiny.
> 
> Jari,
> 
> I agree that the tunnel format is orthogonal to
> the security question. I think that what Pekka and
> others have been pointing out is that the HAO is,
> in fact, another form of bits-on-the-wire
> optimized tunnel, much like the routing header.
> While the actual way you encode these tunnels is
> orthogonal as you point out, I think that what has
> been neglected is the security considerations of
> the HAO qua tunnel, until Pekka brought this up.
> It's still a good observation.

I am not sure we understand orthogonality the same way.
What I meant was that the only real issue with HAO is how
to protect it end-to-end, always. There is no improvement
in this respect if we change HAO to a new extension header.
The security issue is not HAO-specific: we need to protect
any header carrying the HAddr against the cases brought up by
Pekka.

> What I gather that Steve is bringing up is that
> maybe we wouldn't have been lulled about the
> possible dangers of the HAO for so long if it had
> been more obvious that the HAO was a tunnel, and
> that maybe this would be better to solve once and
> for all. I think that idea has some merit, because
> creating any-any tunnels may well have other uses
> beyond mobile IP.

As said, a nice idea. However, it is not true that HAO was
ignored; before PKI was judged not to be globally scalable,
it was possible to say that we can always use IPsec to protect
even the HAO, which is an immutable dst.opt.

Hence, once a "weak authentication" method is chosen it
is again possible to always protect HAO (as well as an even
nicer tunneling header). We still need a MAC field for that, and
for this there is an easy way. To conclude, dst.hdr is in the RFC
and the new proposal is an individual draft, so I'd say it could be
something to consider for a second generation of Mobile IPv6,
perhaps.

>             Mike

BR,

-Jari
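An added illustration, not part of this thread and not Jari's or Mike's code, of the kind of MAC field the reply refers to: a Home Address Option protected by a key that both ends can derive without a PKI. The token and key derivations below follow the return routability procedure that was later specified in RFC 3775 (Kcn, nonce, home and care-of keygen tokens, Kbm, binding MAC); the thread itself does not fix these details, so treat them as assumptions. All addresses, keys and nonces are constructed values, and the home/care-of test messages are simulated by direct calls rather than sent over the network.

```python
"""Return-routability style protection of the Home Address Option (HAO).
Added example, not from the original mailing-list post.  Derivations are
modelled on RFC 3775 (Mobile IPv6), which postdates this discussion."""
import hashlib
import hmac
import ipaddress
import os

HAO_TYPE, HAO_LEN = 201, 16   # RFC 3775 Home Address destination option


def _packed(addr):
    """16-byte wire form of an IPv6 address given as text or bytes."""
    return ipaddress.IPv6Address(addr).packed


class Correspondent:
    """Correspondent node: holds the node key Kcn and a current nonce,
    and answers home/care-of tests with keygen tokens.  Nothing here
    requires a shared secret with the mobile node or a certificate."""

    def __init__(self, kcn=None, nonce=None):
        self.kcn = kcn or os.urandom(20)
        self.nonce = nonce or os.urandom(8)

    def keygen_token(self, addr, kind):
        # RFC 3775: First(64, HMAC_SHA1(Kcn, addr | nonce | kind)),
        # kind 0 = home keygen token, kind 1 = care-of keygen token.
        msg = _packed(addr) + self.nonce + bytes([kind])
        return hmac.new(self.kcn, msg, hashlib.sha1).digest()[:8]


def binding_key(home_token, coa_token):
    """Kbm = SHA1(home keygen token | care-of keygen token)."""
    return hashlib.sha1(home_token + coa_token).digest()


def hao_option(home_addr):
    """Encode the Home Address destination option: type, length, address."""
    return bytes([HAO_TYPE, HAO_LEN]) + _packed(home_addr)


def hao_mac(kbm, care_of, correspondent, option):
    """First(96, HMAC_SHA1(Kbm, care-of | correspondent | option bytes)).
    Binding the care-of address into the MAC is what stops the option
    being replayed from a different source address."""
    msg = _packed(care_of) + _packed(correspondent) + option
    return hmac.new(kbm, msg, hashlib.sha1).digest()[:12]


def verify_hao(cn, care_of, correspondent, option, mac):
    """Correspondent-side check: rebuild Kbm from its own Kcn and nonce,
    using the home address carried in the option and the packet's actual
    source (care-of) address, then compare the MAC in constant time."""
    if len(option) != 2 + HAO_LEN or option[0] != HAO_TYPE or option[1] != HAO_LEN:
        return False
    home = ipaddress.IPv6Address(option[2:])
    kbm = binding_key(cn.keygen_token(home, 0), cn.keygen_token(care_of, 1))
    return hmac.compare_digest(hao_mac(kbm, care_of, correspondent, option), mac)


def demo():
    """Returns (genuine accepted, replay from other CoA rejected,
    swapped home address rejected)."""
    # Constructed, fixed Kcn and nonce so the run is reproducible.
    cn = Correspondent(kcn=bytes(range(20)), nonce=bytes(8))
    home, coa, cn_addr = "2001:db8:1::1", "2001:db8:2::5", "2001:db8:3::9"

    # Mobile node side: the two tokens would arrive in HoT (via the home
    # agent tunnel) and CoT (direct); here they are fetched by direct call.
    kbm = binding_key(cn.keygen_token(home, 0), cn.keygen_token(coa, 1))
    opt = hao_option(home)
    mac = hao_mac(kbm, coa, cn_addr, opt)

    genuine = verify_hao(cn, coa, cn_addr, opt, mac)
    # Same option and MAC reused from a different care-of address.
    replayed = verify_hao(cn, "2001:db8:bad::1", cn_addr, opt, mac)
    # Home address inside the option altered, MAC left as is.
    swapped = verify_hao(cn, coa, cn_addr, hao_option("2001:db8:1::2"), mac)
    return genuine, replayed, swapped


if __name__ == "__main__":
    print(demo())
```

The point the code makes for the discussion: the MAC field, not the choice between a destination option and some other tunneling header, is what carries the protection. The same `hao_mac` would cover any header that carries the home address, and its strength is exactly that of the return routability tokens behind Kbm, which is why the post calls it "weak authentication".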

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------