Glenn,

[I am redirecting this to ipng, in addition to mobile-ip,
 since the address ownership problems are a larger issue
 than just a Mobile IPv6 security thing.]

Glenn Morrow writes:
> What prevents a node from obtaining and using any number of free or 
> not free (i.e. in use by another legitimate node) IP addresses such
> that they can spoof addresses albeit only on the same subnet IF INGRESS
> FILTERING is used on the first hop. Use of IPSEC is not mandated. Use of
> INGRESS FILTERING is not mandated, either. What is the interaction with 
> control lists, etc.. etc.. etc.. Are there any provisions for 
> anti-mac-spoofing, etc.. etc.. etc.. Pekka's draft which detailed most 
> of the holes has expired, perhaps he is listening and will republish it.


The old address-ownership draft is available at
http://www.tml.hut.fi/~pnr/publications/draft-nikander-ipng-address-ownership-00.txt

If there is demand I'd be happy to revise it.  Would it
be useful to revise it and publish it as an informational RFC?
Please note that many of the issues discussed in that draft
are also discussed in my Cambridge Security Protocols Workshop
paper, which will eventually be published in the LNCS series.
A pre-publication version of that is available at
http://www.tml.hut.fi/~pnr/publications/cam2001.pdf

BTW, while you consider ingress filtering etc, you may find
it entertaining to read our recent half-serious half-joking
paper titled "IPv6 Source Addresses Considered Harmful",
available at http://www.tml.hut.fi/~pnr/publications/nordsec2001.pdf

--Pekka Nikander

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
