In your previous mail you wrote:

   You're making assumptions here:
   
    - every packet filter in the internet can

=> every firewall

      1) recognize HAO
      2) parse it, and
      3) match against the address in it
   
   This does not hold *at all*.

=> this holds for every decent firewall: they do URL filtering and you
are trying to say they don't know how to dig into a packet?

   I doubt very much even a half of IPv6 packet filters, router
   access-lists etc. would do this in a few years' time

=> I assume we'll get at least the same level of technology which is
used today nearly everywhere for IPv4.
   
   The easiest method, which *might* be deployable soonish would be a check 
   whether HAO exists or not (1) above), and drop all packets with it.  
   However, this would kill all the use for HAO too; not good enough.
     
=> I agree that today's situation for HAO is "ignore all" and the next step
is "drop all". I expect a third step (I am optimistic (:-) and this
is a problem of balance between the mobility industry and the firewall industry).

   Iff 3) above holds, every site which does not have mobile nodes of its own 
   can be protected.

=> yes, to know there is no binding at all is a perfect knowledge of
current bindings (:-).

   (If it has MN's, state/AAA or more lax security for the 
   addresses is required.)
   
=> please use "network access control" in place of AAA because some FUD
is based on the confusion between network access control and AAA
infrastructure.

   In my opinion, this is an unrealistic requirement.
   
=> what is unrealistic is to believe firewalls are not commonly used...

   > anti-spoofing stuff...
   
   See above.
    
=> anti-spoofing is different because the simple case is "no HA" which
should be far more common than "no MN". The way to use firewalls is
more usual too and gives more freedom.

   > => if your packet filter doesn't already do that, change it ASAP.
   
   I don't know of any alternative.
    
=> I know at least one but it is not yet commercially available
(I can privately give some pointers). I believe there are others
(ready but not available).

   Instead, I was advocating stronger checks in the end-nodes, thus
   eliminating the need for firewall security checks except for those 1% who 
   really want to go and build the AAA system to get the extra control and 

=> network access control please, not the AAA system

   security.

=> this doesn't work: if we kill the triangular routing following your
suggestion there will be no exception at all.
   
   > so I believe there are at least two firewall expert teams which already
   > managed how to deal with HAOs...
   
   Wrong assumption.

=> please let Charly Perkins (or these persons) answer.

Regards

[EMAIL PROTECTED]
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
