In your previous mail you wrote:

> I have a proposal. But first, let me make some observations:
>
> - Most people do seem to agree that HAO reflection is an
>   issue that needs to be dealt with somehow.

=> we have to deal with it but we don't need a stronger solution
than today's ingress filtering, which is a BCP, i.e. something like
a SHOULD.

=> But how can that be true ??

=> the answer is both bad and good news: ingress filtering is effective
against random source address snooping, but not against DDoS itself or
source address snooping using a small variation on the last bits (i.e.
staying in the same prefix). Of course the last point is very worrying
for IPv6 (maximal prefix length is 64 bits, i.e. at least 64 bits are
free for this kind of attack). But this is more a threat against
RFC 3041 than HAO...

Today's ingress filtering is clearly insufficient for HAO issues.

=> do you mean we have to do more about HAO than about standard source
address snooping? Or perhaps you mean we need a solution that doesn't
have to be mandated (SHOULD instead of MUST)?

=> exactly, we don't need something stronger than a BCP (a loose SHOULD).

If so, this is too early to discuss, we don't have an agreement on a
solution yet.

=> my concern is we have no agreement on the problem either. (I don't
put a smile because this is no longer funny)

I haven't heard anyone answering my question as to why reverse
tunnelling by the MN thru the HA is so much worse than triangular
routing,

=> d(bidir tunnel)  = 2 * d(MN,HA) + 2 * d(HA,CN)
   d(triangular)    = d(MN,HA) + d(HA,CN) + d(MN,CN)
   d(optimization)  = 2 * d(MN,CN)

   and we always have d(MN,CN) <= d(MN,HA) + d(HA,CN), so

   d(optimization) <= d(triangular) <= d(bidir tunnel)

   and even stronger

   2 * d(triangular) = d(optimization) + d(bidir tunnel)

   i.e. in my poor English the cost/performance of triangular routing
   is in the middle between bidirectional tunneling and routing
   optimization.

that we need to develop something new to fix the HAO problem 'only
sometimes'.

=> my argument is that ingress filtering is an 'only sometimes' reply
to the (random) source address spoofing problem.

If your question is "why not drop draft 15 and restart from the
beginning with a bidirectional tunneling (only in the first phase)
solution", this is another (interesting) question (I suggest
restricting it to the Mobile IP WG list).
Regards

[EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
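Added illustration, not part of the mail above or of any IETF draft: a small Python model of the two technical points in the message, a prefix-only ingress filter at /64 granularity (which cannot tell a site's own hosts apart, leaving 64 bits uninspected) and the round-trip cost comparison of the three Mobile IPv6 forwarding modes. The 2001:db8 prefix, the function names and the sample distances are constructed assumptions.

```python
import ipaddress
import random

# Constructed scenario (not from the mail): one access network announcing a
# single /64, behind a BCP 38 style ingress filter that checks only the prefix.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64")  # documentation prefix


def ingress_filter(prefix: ipaddress.IPv6Network, src: str) -> bool:
    """Forward (True) or drop (False) a packet based on its source address.
    A prefix-based ingress filter can check nothing more than this."""
    return ipaddress.IPv6Address(src) in prefix


def spoofable_bits(prefix: ipaddress.IPv6Network) -> int:
    """Bits of the source address the filter never inspects (64 for a /64)."""
    return prefix.max_prefixlen - prefix.prefixlen


def forge_in_prefix(prefix: ipaddress.IPv6Network, seed: int) -> str:
    """A source that keeps the site prefix and varies only the interface
    identifier, i.e. the 'small variation on the last bits' from the mail."""
    iid = random.Random(seed).getrandbits(spoofable_bits(prefix))
    return str(ipaddress.IPv6Address(int(prefix.network_address) + iid))


def path_costs(d_mn_ha: int, d_ha_cn: int, d_mn_cn: int) -> dict:
    """Round-trip costs of the three forwarding modes from the mail, given the
    pairwise distances (MN = mobile node, HA = home agent, CN = correspondent)."""
    return {
        "bidir tunnel": 2 * d_mn_ha + 2 * d_ha_cn,
        "triangular": d_mn_ha + d_ha_cn + d_mn_cn,
        "optimization": 2 * d_mn_cn,
    }


def triangular_is_midpoint(d_mn_ha: int, d_ha_cn: int, d_mn_cn: int) -> bool:
    """Check the ordering and the exact identity stated in the mail; the
    ordering relies on the triangle inequality d(MN,CN) <= d(MN,HA) + d(HA,CN)."""
    c = path_costs(d_mn_ha, d_ha_cn, d_mn_cn)
    ordered = c["optimization"] <= c["triangular"] <= c["bidir tunnel"]
    identity = 2 * c["triangular"] == c["optimization"] + c["bidir tunnel"]
    return ordered and identity


if __name__ == "__main__":
    print(ingress_filter(SITE_PREFIX, "2001:db8:ffff::1"))  # False: wrong prefix
    forged = forge_in_prefix(SITE_PREFIX, seed=1)
    print(forged, ingress_filter(SITE_PREFIX, forged))  # True: same /64
    print(spoofable_bits(SITE_PREFIX))  # 64
    print(path_costs(3, 4, 5), triangular_is_midpoint(3, 4, 5))
```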