Keith, > if yahoo.com thinks there's any value at all in the client's IP address, > they're deluded. > > the only way to reliably know a client is if the client presents you with > cryptographic proof that they sent that message, and you trust the keying > material on which that proof is based.
I completely agree with you if the goal is to know *who* the client is, for any reasonable meaning of *who*. But that is *NOT* the goal. For MIPv6, the *final* goal is to learn if the client is *authorized* to create bindings, i.e. source routes, for the _home address_ that it is using. The process to learn whether it is authorized or not is basically a two step process: Step 1. Detect if the client wants to use the default authorization mechanism, i.e. RR, or something stronger. Step 2. Use the authorization mechanism to detect if the client is really authorized. It was an _explicit_ IESG requirement that the authorization mechanism MUST NOT rely on trusted third parties, i.e. on a security infrastructure. Hence the "infrastructureless" methods. If we want to take the security-infrastructureless route, we have little to build up but the routing infrastructure and the addresses. (The secure ND case does not apply for an arbitrary client for contacting yahoo.com. I'm too tired to try to think generally right now, and to work out more generic examples.) --Pekka Nikander -------------------------------------------------------------------- IETF IPng Working Group Mailing List IPng Home Page: http://playground.sun.com/ipng FTP archive: ftp://playground.sun.com/pub/ipng Direct all administrative requests to [EMAIL PROTECTED] --------------------------------------------------------------------