Fred Baker wrote:
The mobility model that Joe and I discussed requires a security association to be set up with the anycast address (IPSEC management protocols reply with the anycast address as a source), supply a COA, and then TCP is set up to the COA.
FWIW if you believe that routing is trustworthy, i.e. that packets only get delivered to the hosts that are somehow authorized to receive for that anycast address, then it would suffice to use the return rout ability property for securing things, just as in MIPv6.
The only downside to this is that today the only way we have to authorize anycast receivers is by manual configuration in the routers that inject the routes for the anycast addresses.
Applying IPsec doesn't help solve the authorization issue of who should be allowed to receive packets sent to a particular anycast address.
Erik
-------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www1.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
