In your previous mail you wrote:

     >    I have a proposal. But first, let me make some observations:
     >    
     >    - Most people do seem to agree that HAO reflection is an
     >       issue that needs to be dealt with somehow.
     >    
     > => we have to deal with it, but we don't need a stronger solution
     > than today's ingress filtering, which is a BCP, i.e. something like
     > a SHOULD.
   
   => But how can that be true?

=> the answer is both bad and good news: ingress filtering is effective
against random source address spoofing, but not against DDoS itself
or against source address spoofing using a small variation of the last bits
(i.e. staying in the same prefix). Of course the last point is very
worrying for IPv6 (the maximal prefix length is 64 bits, i.e. at least
64 bits are free for this kind of attack). But this is more a threat
against RFC 3041 than against HAO...

   Today's ingress filtering is clearly insufficient for HAO issues.

=> do you mean we have to do more about HAO than about standard
source address spoofing?

   Or perhaps you mean we need a solution that doesn't have to be mandated
   (SHOULD instead of MUST)?

=> exactly, we don't need anything stronger than a BCP (a loose SHOULD).

   If so, this is too early to discuss;
   we don't have agreement on a solution yet.
   
=> my concern is that we have no agreement on the problem either.
(I don't add a smiley because this is no longer funny.)

   I haven't heard anyone answering my question as to why
   reverse tunnelling by the MN through the HA is so much
   worse than triangular routing,

=> d(bidir tunnel) = 2 * d(MN,HA) + 2 * d(HA,CN)
   d(triangular) = d(MN,HA) + d(HA,CN) + d(MN,CN)
   d(optimization) = 2 * d(MN,CN)
and we always have d(MN,CN) <= d(MN,HA) + d(HA,CN)
so d(optimization) <= d(triangular) <= d(bidir tunnel)
and even stronger 2 * d(triangular) = d(optimization) + d(bidir tunnel)
i.e. (in my poor English) the cost/performance of triangular routing
is halfway between bidirectional tunneling and route optimization.

   that we need to develop 
   something new to fix the HAO problem 'only sometimes'.
   
=> my argument is that ingress filtering is an 'only sometimes' reply
to the (random) source address spoofing problem.
If your question is "why not drop draft 15 and restart from the
beginning with a bidirectional tunneling (only, in a first phase) solution",
that is another (interesting) question (I suggest restricting it to the
mobile IP WG list).

Regards

[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
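The point made in the mail above about ingress filtering (it stops randomly chosen spoofed sources but not sources forged inside the same prefix) is shown here as an added example; this code is not part of the original mail or of any IETF document. The customer prefix, the sample packets and the interface identifiers are constructed assumptions for the illustration; only the filtering rule itself (accept a source only if it lies in the prefix delegated to the ingress link, as BCP 38 describes) is the real technique.

```python
"""Added example, not part of the original mail: a BCP 38 style ingress
filter at a provider's customer-facing edge, run over constructed sample
packets.  The prefix and the packets are assumptions made for this
illustration; only the filtering rule itself is the real technique."""
import ipaddress

# Assumption: the customer link behind this edge port was delegated this /64.
CUSTOMER_PREFIX = ipaddress.ip_network("2001:db8:1234:5678::/64")


def ingress_filter(src, allowed=CUSTOMER_PREFIX):
    """Return True if a packet with source address `src` is forwarded.

    The only thing an ingress filter can check is that the source address
    belongs to the prefix delegated to the link the packet arrived on.
    """
    return ipaddress.ip_address(src) in allowed


def forge_in_prefix(prefix, iid):
    """Forge a source inside `prefix` by varying only the interface
    identifier: the 'small variation of the last bits' case from the mail."""
    if prefix.prefixlen > 64:
        raise ValueError("IPv6 interface identifiers live in the low 64 bits")
    return str(prefix.network_address + iid)


def free_iid_bits(prefix):
    """Number of bits an attacker may set freely while staying inside
    the prefix, i.e. what the filter cannot see."""
    return prefix.max_prefixlen - prefix.prefixlen


def run_filter(packets, allowed=CUSTOMER_PREFIX):
    """Apply the filter to (label, src) pairs.

    Returns {label: 'forward' | 'drop'}.
    """
    return {label: ("forward" if ingress_filter(src, allowed) else "drop")
            for label, src in packets}


# Constructed sample traffic arriving on the customer-facing port.
SAMPLE_PACKETS = [
    ("legitimate host", "2001:db8:1234:5678::1"),
    # Source picked at random from the whole address space: outside the prefix.
    ("random spoof", "2001:db8:ffff:1::1"),
    # Same /64, attacker-chosen interface identifier: inside the prefix, so
    # indistinguishable at the filter from an RFC 3041 temporary address.
    ("in-prefix spoof", forge_in_prefix(CUSTOMER_PREFIX, 0xDEADBEEFCAFE0001)),
]

if __name__ == "__main__":
    for label, verdict in run_filter(SAMPLE_PACKETS).items():
        print(f"{label:16s} -> {verdict}")
    print("free IID bits in a /64:", free_iid_bits(CUSTOMER_PREFIX))
```

The random spoof is dropped because it falls outside the delegated /64; the in-prefix spoof is forwarded, because from the filter's point of view it is just another of the 2^64 interface identifiers the customer is entitled to use. That is exactly why the mail treats ingress filtering as an 'only sometimes' answer.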