In your previous mail you wrote:

   The draft is quite nice, thanks for writing it.  There are a few problems,
   though, that I see.  Firstly, I really do find it unrealistic to assume
   that each and every site in the world would understand AAA, and change their
   ingress filtering rules based on AAA information.

=> this is not exactly what I propose, my idea is:
 - to do better ingress filtering based on AAA for sites where there are
   some mobile nodes (aka visited sites).
 - to do better anti-spoofing filtering for sites from where some mobile
   nodes are (aka home sites).
There is no constraint on sites where the regular correspondent nodes are
(aka correspondent domains), which should be the vast majority of sites.
I don't know how this is done everywhere but in many sites I can see
a special network for nomadic nodes with special network access control
and small privileges just because by definition local network managers
do not have control of them, so IMHO it is not unrealistic to ask
sites which welcome mobile nodes to have a responsible attitude towards
security.

   Thus, that leaves changing the Binding Cache into hard state
   (instead of being cache) the only option, i.e. requiring that the CNs
   check the HAO against the Binding information.
   
=> this is exactly what we don't like...

   Secondly, such a proposed practice would basically foil all of the
   designed zero-configuration nature of IPv6.  That is, the reason for IPv6
   stateless autoconfiguration is to allow hosts to be plugged in to an IPv6
   network without any prior configuration.  IMHO, such a practice would be
   very good in many environments, even in public access WLANs.  (I know that
   some people disagree with me.)
   
=> this is very unrealistic because this forgets the third letter of AAA.
And of course this doesn't go well with the responsible use of the network
principle.

   Thirdly, if we consider most current DDoS attacks, the majority of hosts
   used to launch those attacks seem to be badly administered PCs that belong
   to home users, careless university labs, etc.  When we move to IPv6, there
   will continue to be organizations with little administrative knowledge
   (e.g. home users) or little money (e.g. some universities).  It is exactly
   those kinds of organizations that are likely to continue having hosts that
   can be broken in and used in DDoS attacks.

=> note that the use of reflectors (i.e. iDDoS) makes the number of
primary attackers less important.

   Now, the point is that those are also exactly the organizations
   that are most _unlikely_ to use advanced ingress filtering methods,

=> the solution in this case is just to filter out HAO, i.e. to refuse
mobile nodes.

   or AAA at all.

=> in the case of home users AAA is used by ISPs.

   Thus, relying on AAA and advanced ingress filtering will most
   probably secure those parts of IPv6 internet that already have
   relatively secure hosts (e.g. mobile handsets or PDAs), and not those
   parts of the IPv6 internet that have insecure hosts.
   
=> this is more a DDoS vs ingress filtering topic... Don't forget
that my idea is not to fill the hole but to get back the previous
situation, i.e. to make ingress filtering a reply to the DDoS threat
again.

Regards

[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
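The two filtering policies argued for above (AAA-based ingress filtering at a visited site, and simply refusing the Home Address option where a site does not want mobile nodes) as an added illustration, not code from the thread or from any IETF draft. It assumes a visited-site filter that learns, from AAA, which home address each authenticated care-of address may claim; the packets and the binding table are constructed sample data.

```python
import ipaddress
import struct
DEST_OPTS, NO_NEXT_HEADER, HAO_TYPE = 60, 59, 201   # Dest Opts ext hdr, end of chain, Home Address option (0xC9)

def parse_ipv6(pkt):  # -> (src, dst, next_header, payload)
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    return pkt[8:24], pkt[24:40], nh, pkt[40:40 + payload_len]

def find_home_address(nh, payload):
    """Walk the extension-header chain; return the HAO address bytes, or None."""
    off = 0
    while nh in (0, 43, 60) and off + 2 <= len(payload):   # Hop-by-Hop, Routing, Dest Opts
        nxt, hdr_len = payload[off], (payload[off + 1] + 1) * 8
        if nh == DEST_OPTS:
            o, end = off + 2, off + hdr_len
            while o < end:
                otype = payload[o]
                olen = 0 if otype == 0 else payload[o + 1]   # Pad1 has no length byte
                if otype == HAO_TYPE and olen == 16:
                    return payload[o + 2:o + 18]
                o += 1 if otype == 0 else 2 + olen
        nh, off = nxt, off + hdr_len
    return None

def ingress_decision(pkt, site_prefix, aaa_bindings, accept_mobile=True):
    """Visited-site filter: aaa_bindings maps care-of address -> AAA-authorised home address."""
    src, _dst, nh, payload = parse_ipv6(pkt)
    care_of = ipaddress.IPv6Address(src)
    if care_of not in ipaddress.IPv6Network(site_prefix):
        return "drop: source outside site prefix"          # classic ingress filtering
    hoa = find_home_address(nh, payload)
    if hoa is None:
        return "pass"                                      # no HAO, nothing more to check
    if not accept_mobile:
        return "drop: HAO present, site refuses mobile nodes"
    expected = aaa_bindings.get(str(care_of))
    if expected is None or ipaddress.IPv6Address(expected) != ipaddress.IPv6Address(hoa):
        return "drop: HAO not authorised by AAA for this care-of address"
    return "pass"

def build_packet(src, dst, hoa=None):
    # Constructed sample packet: IPv6 header, optionally a Dest Opts header carrying HAO
    src_b, dst_b = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed
    if hoa is None:
        return struct.pack("!IHBB", 6 << 28, 0, NO_NEXT_HEADER, 64) + src_b + dst_b
    opts = bytes([HAO_TYPE, 16]) + ipaddress.IPv6Address(hoa).packed + bytes([1, 2, 0, 0])
    ext = bytes([NO_NEXT_HEADER, 2]) + opts                # 24 bytes = (2 + 1) * 8; PadN pads
    return struct.pack("!IHBB", 6 << 28, len(ext), DEST_OPTS, 64) + src_b + dst_b + ext
```

A home site would run the mirror-image check on egress (source must be in the home prefix, HAO must belong to a node registered with its home agent), which is the anti-spoofing half of the proposal.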
