I wrote:
>> The draft is quite nice, thanks for writing it. There are a few problems,
>> though, that I see. Firstly, I really do find it unrealistic to assume
>> that each and every site in the world would understand AAA, and change their
>> ingress filtering rules based on AAA information.

Francis Dupont wrote:
> => this is not exactly what I propose, my idea is:
> - to do better ingress filtering based on AAA for sites where there are
> some mobile nodes (aka visited sites).

Why do you assume that AAA would be used everywhere where there are mobile nodes? For example, if I am visiting with my friends at their place, why couldn't I just use their private WLAN to connect my wireless PDA to the Internet? If I could not use their private WLAN, I would consider that a flaw in the design of the Internet.

Similarly, our local university campus provides open WLAN for anyone to connect to the Internet. It is so much simpler to run these kinds of networks without any kind of authentication that they will continue to exist, even though many current open WLAN networks may turn into requiring some kind of authentication. But even when they start to require authentication and/or authorization, that authentication or authorization is more likely to be based on 802.1x or PANA than AAA, and even if RADIUS/DIAMETER is used, the non-ISP connectivity providers are unlikely to be part of the AAA infrastructure. For example, I run an open WLAN at my home, and even though I may require some kind of authentication in the future, it is very unlikely that I would run RADIUS or DIAMETER.

Thus, for your system to help at all, it would require that EVERYBODY ELSE FORBIDS the Home Address Option altogether. It is not only a mobile host that can send HAO, any host can send it. If an intruder can break into 10 million poorly protected home PCs, they can be converted into MN-looking devices that send fake HAOs.

Sure, the ISP can drop all packets containing HAO sent from their home customer sites, but that would break the ability to use your PDA/other device through your friend's WLAN while visiting at their place. Do you see my point now?

> - to do better anti-spoofing filtering for sites from where some mobile
> nodes are (aka home sites).

I do not argue with that part. Your draft may well have some value protecting the home sites of MNs.

> There is no constraint on sites where the regular correspondent nodes are
> (aka correspondent domains) which should be the vast majority of sites.

As I said above, either you must assume that any site can host MNs (in addition to CNs), ---or--- you must forbid sending HAO-containing packets from those sites that are assumed not to host MNs. My main point is that forbidding HAOs to be sent from the majority of the Internet would largely foil the purpose of Mobile IPv6.

> I don't know how this is done everywhere but in many sites I can see
> a special network for nomadic nodes with special network access control
> and small privileges just because by definition local network managers
> do not have control of them, so IMHO this is not unrealistic to ask
> sites which welcome mobile nodes to have a responsible attitude towards
> security.

My point is that almost every home will, in the future, be a potential site hosting MNs.

--------------------------------

>> Secondly, such a proposed practice would basically foil all of the
>> designed zero-configuration nature of IPv6. That is, the reason for IPv6
>> stateless autoconfiguration is to allow hosts to be plugged into an IPv6
>> network without any prior configuration. IMHO, such a practice would be
>> very good in many environments, even in public access WLANs. (I know that
>> some people disagree with me.)
>
> => this is very unrealistic because this forgets the third letter of AAA.
> And of course this doesn't go well with the responsible use of the network
> principle.

Most homes do not even know about the responsible use of the network principle. It is just that since you can buy an Apple Airport (or whatever) from your local shop, and set it up within minutes, that will happen. Actually, it is already happening in many places in the US and Scandinavia. Remember me setting up a WLAN access point at IPCN'2001 in Paris?

---------------------------------

>> Now, the point is that those are also exactly the organizations
>> that are most _unlikely_ to use advanced ingress filtering methods,
>
> => the solution in this case is just to filter out HAO, i.e. to refuse
> mobile nodes.

... and what I am saying is that such a practice is unreasonable and would severely restrict our possibility to use the future Internet. In other words, mandating that ingress filtering MUST refuse HAO (unless special means are used to ensure that the Home Address is valid), besides being expensive and unrealistic, would result in MIPv6 being used only by the telecom vendors, not by the rest of us.

--Pekka Nikander

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
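An added illustration (my own, not code from this thread or from either author): a minimal IPv6 packet walker that pulls the Home Address Option out of a Destination Options header and applies the two ingress policies the thread argues about, plain source-prefix filtering (which passes the HAO through unverified) and the blanket "refuse any HAO" rule. Addresses, prefixes and the packet layout are constructed sample data; option type 0xC9 is the HAO type assigned in the Mobile IPv6 specification.

```python
import ipaddress
import struct

HAO_OPT_TYPE = 0xC9   # Home Address Option type (Mobile IPv6 Destination Option)
NH_DST_OPTS = 60      # IPv6 Destination Options extension header
NH_UDP = 17

def build_packet(src, dst, home=None):
    """Constructed sample: IPv6 header, optional Dest Opts carrying an HAO, bare UDP header."""
    payload = struct.pack("!HHHH", 1234, 5678, 8, 0)          # UDP header, no data
    ext = b""
    if home is not None:
        # Dest Opts is 24 bytes: 2 fixed + PadN(4) + HAO(2+16); PadN puts the HAO at offset 8n+6
        hao = bytes([HAO_OPT_TYPE, 16]) + ipaddress.IPv6Address(home).packed
        ext = bytes([NH_UDP, 2]) + bytes([1, 2, 0, 0]) + hao   # hdr ext len 2 => (2+1)*8 bytes
    nh = NH_DST_OPTS if ext else NH_UDP
    hdr = struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + ext + payload

def parse(pkt):
    """Return (src, dst, home) where home is the HAO address or None."""
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    home = None
    if pkt[6] == NH_DST_OPTS:                     # next header field of the IPv6 header
        end = 40 + (pkt[41] + 1) * 8
        i = 42
        while i < end:
            if pkt[i] == 0:                       # Pad1 has no length byte
                i += 1
                continue
            olen = pkt[i + 1]
            if pkt[i] == HAO_OPT_TYPE and olen == 16:
                home = ipaddress.IPv6Address(pkt[i + 2:i + 18])
            i += 2 + olen
    return src, dst, home

def ingress_decision(pkt, site_prefix, policy="bcp38"):
    """'bcp38': check only the IPv6 source (the care-of address) against the site prefix.
    'drop_hao': additionally refuse any packet carrying an HAO (the blanket rule debated above)."""
    src, _, home = parse(pkt)
    if src not in ipaddress.IPv6Network(site_prefix):
        return "drop: source address outside site prefix"
    if home is None:
        return "pass"
    if policy == "drop_hao":
        return "drop: HAO forbidden by site policy"
    # Plain ingress filtering has no way to check that the sender really owns this home address
    return "pass: HAO home address %s unverified" % home
```

The "bcp38" branch is the point of the thread: the care-of address passes the prefix check while the home address carried in the HAO is whatever the sender put there, which is why the only local remedy without AAA is the "drop_hao" policy.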