In your previous mail you wrote:

   So here's a most-likely crazy idea: why can't we
   treat the ingress filtering router like a CN which
   must first be sent a BU which it verifies in
   whatever manner the CN would? This already has a
   requirement to not be bound to mythical PKIs,
   etc. Given FMIP, the access routers are probably
   going to end up having to process things like BUs
   anyway.
   
=> I suggest this in the smart anti-spoofing section (because
this is what we used and the alternative is based on remote network
access control or HA collaboration, i.e. something which needs
a protocol) but this has many drawbacks:
 - if there is more than one path, some coordination is needed
   between routers on these paths
 - this works if HAOs are not used before BUs (with standard mobility,
   this is true because of home registrations but this is a restriction)
 - this puts constraints on how BUs/BAs are protected (no ESP hiding
   some parameters like the home address)
 - as a special case of the previous point, it is fine to be able
   to check the status in BAs of home registrations
 - this is complex and expensive (this is not bound to the number
   of MNs inside the site; this argument doesn't apply to the
   anti-spoofing because HAs are in general statically configured
   and in case of a flood of home registrations HAs should be overloaded
   before firewalls).
So I believe this is a good complement but not a good candidate
for smart ingress filtering.

   Also: if we have ingress filtering taken care of
   directly, is there any reason to preserve the HAO
   at all? I thought its entire raison d'être was to
   provide a means of coexisting with ingress
   filtering -- which we've already proven is just
   shifting the problem around instead of providing
   something useful.
   
=> if I understand your idea well, you propose to disable traditional
ingress filtering (so HAOs are no longer useful). I believe this depends
on the fraction of packets with HAOs: if it is high then I agree with you,
if it is low then I believe ingress filtering remains useful...

Regards

[EMAIL PROTECTED]

PS: I take advantage of this discussion to argue in favor of better
network access control. It seems that today DDoS bad guys no longer use
random source addresses (i.e. ingress filtering is more efficient than
one might believe); they try source addresses in the same prefix (changing
the last bits in IPv4) in order to vary them (more harm for the target,
countermeasures more difficult). Of course this is easier for IPv6,
but with good network access control (even passive, i.e. the maximum
number of boxes on a side is known) this can be detected and in many
cases be fixed.
(Thanks to Stanislav Shalunov who brought this point to my attention.
Even if the purpose is to save the HAO by a reply on paper to
the traceback threat, it is fine to provide more applicable weapons
against DDoS attacks.)
(Of course, good network access control doesn't fit well with
RFC 3041, but we already know there are some tradeoffs between privacy
and access control :-)
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
