In your previous mail you wrote:

   >    Also, waiting for AAA solutions to be available (specified, implemented,
   >    and deployed) before MIPv6 can be used seems to be counter to our desire
   >    to finish up MIPv6 soon.
   >    
   > => I never proposed to wait for AAA solutions (as I ask only for network
   > access control, not everywhere but enough to make HAO spoofing unattractive).
   
   Are you proposing to wait until network access control is available?
   (specified, implemented, and deployed)
   
=> we don't need to wait because mobile IPv6 is not yet fully specified.
IMHO the only thing we need is to be ready and the first step should
be to get (traditional) ingress filtering and firewalls with IPv6 support
(or do you suggest to stop IPv6 until they are implemented and deployed?)

   If not, what do you propose to do in the interim until network
   access control for HAO is available?

=> decide if we keep or kill the triangular routing. In parallel (because
even if the triangular routing is killed there are still similar mechanisms
based on tunnels with the same security issue) give this idea to
network access control people (both RADIUS/DIAMETER and firewall) in
order to know what concrete proposal we can/should do (for instance a
new RADIUS attribute for IPv6 inner source address declaration). IMHO
this second part is mainly not technical (i.e. out of the scope of IETF).

   Seems like this requires a two-phase approach: phase 1 before it is
   available and phase 2 when/if it becomes available.
   
=> you are acking what will happen after some kilometers in a deep fog:
today only IPv6 raw protocol is available, not mobile IPv6, IPv6 ingress
filtering, IPv6 firewalls, ...

   What am I missing?
   
=> mobile IPv6 is not yet in last call, in fact we don't know if it will be
this year. So we only need a paper solution against the future and
potential minor security threat of HAO with ingress filtering.
But I agree we have to know where we are going or we could lose more
than our time in this kind of discussion (i.e. implementers don't like
to follow random moving specs).

Regards

[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
