  >    >    Also, waiting for AAA solutions to be available (specified, implemented,
  >    >    and deployed) before MIPv6 can be used seems to be counter to our desire
  >    >    to finish up MIPv6 soon.
  >    >    
  >    > => I never proposed to wait for AAA solutions (as I ask only for network
  >    > access control, not everywhere but enough to make HAO spoofing unattractive).
  >    
  >    Are you proposing to wait until network access control is available?
  >    (specified, implemented, and deployed)
  >    
  > => we don't need to wait because mobile IPv6 is not yet fully specified.
  > IMHO the only thing we need is to be ready and the first step should
  > be to get (traditional) ingress filtering and firewalls with IPv6 support
  > (or do you suggest to stop IPv6 until they are implemented and deployed?)

=> Ah, now I know what you meant before by not needing
a solution. But this is really scary, are you
saying we wait until last call (or worse, proposed standard)
and then bring this up again? Some people don't like
that Francis :-)

How can we be sure that the 'paper solution' you refer to
will be deployed by the time MIPv6 is, if ever ...

Hesham


  > 
  >    If not, what do you propose to do in the interim until network
  >    access control for HAO is available?
  > 
  > => decide if we keep or kill the triangular routing. In parallel (because
  > even if the triangular routing is killed there are still similar mechanisms
  > based on tunnels with the same security issue) give this idea to
  > network access control people (both RADIUS/DIAMETER and firewall) in
  > order to know what concrete proposal we can/should do (for instance a
  > new RADIUS attribute for IPv6 inner source address declaration). IMHO
  > this second part is mainly not technical (i.e. out of the scope of IETF).
  > 
  >    Seems like this requires a two-phase approach: phase 1 before it is
  >    available and phase 2 when/if it becomes available.
  >    
  > => you are acking what will happen after some kilometers in a deep fog:
  > today only IPv6 raw protocol is available, not mobile IPv6, IPv6 ingress
  > filtering, IPv6 firewalls, ...
  > 
  >    What am I missing?
  >    
  > => mobile IPv6 is not yet in last call, in fact we don't know if it will be
  > this year. So we only need a paper solution against the future and
  > potential minor security threat of HAO with ingress filtering.
  > But I agree we have to know where we are going or we could lose more
  > than our time in this kind of discussions (i.e. implementers don't like
  > to follow random moving specs).
  > 
  > Regards
  > 
  > [EMAIL PROTECTED]
  > 
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
