In your previous mail you wrote:

You're making assumptions here:
 - every packet filter in the internet can

=> every firewall

1) recognize HAO 2) parse it, and 3) match against the address in it
This does not hold *at all*.

=> this holds for every decent firewall: they do URL filtering and you
   are trying to say they don't know how to dig into a packet?

I doubt very much even a half of IPv6 packet filters, router
access-lists etc. would do this in a few years' time

=> I assume we'll get at least the same level of technology which is
   used today nearly everywhere for IPv4.

The easiest method, which *might* be deployable soonish would be a
check whether HAO exists or not (1) above), and drop all packets with
it. However, this would kill all the use for HAO too; not good enough.

=> I agree that today's situation for HAO is "ignore all" and the next
   step is "drop all". I expect a third step (I am optimistic (:-) and
   this is a problem of balance between the mobility industry and the
   firewall industry).

Iff 3) above holds, every site which does not have mobile nodes of its
own can be protected.

=> yes, to know there is no binding at all is a perfect knowledge of
   current bindings (:-).

(If it has MN's, state/AAA or more lax security for the addresses is
required.)

=> please use "network access control" in place of AAA because some FUD
   is based on the confusion between network access control and AAA
   infrastructure.

In my opinion, this is an unrealistic requirement.

=> what is unrealistic is to believe firewalls are not commonly used...

> anti-spoofing stuff...

See above.

=> anti-spoofing is different because the simple case is "no HA", which
   should be far more common than "no MN". The way to use firewalls is
   more usual too and gives more freedom.

> => if your packet filter doesn't already do that, change it ASAP.

I don't know of any alternative.

=> I know at least one but it is not yet commercially available (I can
   privately give some pointers). I believe there are others (ready but
   not available).

Instead, I was advocating stronger checks in the end-nodes, thus
eliminating the need for firewall security checks except for those 1%
who really want to go and build the AAA system to get the extra
control and

=> a network access control please, not the AAA system

security.

=> this doesn't work: if we kill the triangular routing following your
   suggestion there will be no exception at all.

> so I believe there are at least two firewall expert teams which already
> managed how to deal with HAOs...

Wrong assumption.

=> please let Charly Perkins (or these persons) answer.

Regards

[EMAIL PROTECTED]

--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
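The three firewall steps argued over in this thread (1) recognise a Home Address Option, 2) parse it, 3) match the address in it against binding state), and the three policy stages the reply names ("ignore all", "drop all", and a binding check under which a site with no mobile nodes of its own has an empty table and therefore rejects every HAO), as an added example that is not part of the mailing-list message and is not the code of any product it alludes to. It is a small IPv6 extension-header walker in Python; the packet layout, the policy names and the (home address, care-of address) binding table are assumptions made for illustration, and the sample packets are constructed inline.

```python
"""Added example: find and police the Mobile IPv6 Home Address Option (HAO).

Not from the original thread. Packet layout follows RFC 2460 / RFC 3775;
the policy names and the binding-table shape are this example's own.
"""
import ipaddress
import struct

NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS = 0, 43, 44, 60
EXT_HEADERS = {NH_HOPOPTS, NH_ROUTING, NH_FRAGMENT, NH_DSTOPTS}
OPT_PAD1, OPT_PADN, OPT_HOME_ADDRESS = 0, 1, 201   # HAO type is 0xC9


def _walk_options(data):
    """Yield (type, value) for each TLV option in a Destination Options body."""
    i = 0
    while i < len(data):
        t = data[i]
        if t == OPT_PAD1:          # Pad1 has no length byte
            i += 1
            continue
        if i + 2 > len(data):
            raise ValueError("truncated option")
        ln = data[i + 1]
        if i + 2 + ln > len(data):
            raise ValueError("option length exceeds header")
        yield t, data[i + 2:i + 2 + ln]
        i += 2 + ln


def parse_ipv6(pkt):
    """Return (src, dst, upper_proto, hao_or_None) for a raw IPv6 packet.

    Walks the whole extension-header chain, so the HAO is found wherever
    the Destination Options header sits (steps 1 and 2 of the thread).
    """
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, nh = struct.unpack("!HB", pkt[4:7])
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("payload length exceeds packet")
    off, hao = 40, None
    while nh in EXT_HEADERS:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        next_nh = pkt[off]
        hdr_len = 8 if nh == NH_FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > end:
            raise ValueError("extension header exceeds packet")
        if nh == NH_DSTOPTS:
            for t, v in _walk_options(pkt[off + 2:off + hdr_len]):
                if t == OPT_HOME_ADDRESS:
                    if len(v) != 16 or hao is not None:
                        raise ValueError("malformed or duplicate HAO")
                    hao = ipaddress.IPv6Address(v)
        nh, off = next_nh, off + hdr_len
    return src, dst, nh, hao


def effective_source(pkt):
    """Address a MIPv6-aware receiver treats as the sender: the HAO if present.

    An anti-spoofing filter that only reads the fixed-header source misses
    this substitution, which is the anti-spoofing point raised in the thread.
    """
    src, _, _, hao = parse_ipv6(pkt)
    return hao if hao is not None else src


def filter_packet(pkt, policy, bindings=()):
    """Return True to forward, False to drop.

    policy "ignore":  HAO is not examined (today's behaviour per the thread)
    policy "drop":    any packet carrying a HAO is dropped (step 1 only)
    policy "binding": a HAO passes only if (home address, care-of address)
                      is a known binding (step 3); an empty table, i.e. a
                      site with no mobile nodes, drops every HAO.
    bindings: iterable of (home_address, care_of_address) strings (assumed shape).
    """
    src, _, _, hao = parse_ipv6(pkt)
    if hao is None or policy == "ignore":
        return True
    if policy == "drop":
        return False
    if policy == "binding":
        known = {(ipaddress.IPv6Address(h), ipaddress.IPv6Address(c)) for h, c in bindings}
        return (hao, src) in known      # care-of address is the outer source
    raise ValueError("unknown policy %r" % policy)


def build_packet(src, dst, home=None, upper=58, payload=b""):
    """Construct an IPv6 packet, optionally with a Destination Options header
    carrying a HAO: NH, HdrExtLen, PadN(2), HAO(2+16), PadN(2) = 24 bytes,
    which puts the address at offset 8n+6 as the option's alignment requires.
    """
    body, nh = b"", upper
    if home is not None:
        opts = (bytes([OPT_PADN, 0]) + bytes([OPT_HOME_ADDRESS, 16])
                + ipaddress.IPv6Address(home).packed + bytes([OPT_PADN, 0]))
        body = bytes([upper, (2 + len(opts)) // 8 - 1]) + opts
        nh = NH_DSTOPTS
    data = body + payload
    hdr = struct.pack("!IHBB", 6 << 28, len(data), nh, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + data


if __name__ == "__main__":
    # Constructed sample: a mobile node at care-of 2001:db8:3::20 writes to a
    # correspondent with its home address 2001:db8:2::10 in the HAO.
    p = build_packet("2001:db8:3::20", "2001:db8:1::1", home="2001:db8:2::10")
    print("effective source:", effective_source(p))
    for pol in ("ignore", "drop", "binding"):
        print(pol, "->", "forward" if filter_packet(p, pol) else "drop")
    print("binding with table ->",
          filter_packet(p, "binding", [("2001:db8:2::10", "2001:db8:3::20")]))
```

The binding check keys on the pair (home address, outer source) because the outer source of an HAO packet is the care-of address; a table of only home addresses would let any host spoof a registered mobile node by copying its home address into the option.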