Re: [Mip4] Comments on draft-ietf-mip4-dsmipv4-07.txt

George Tsirtsis wrote:
On Wed, Nov 5, 2008 at 1:39 AM, Vijay Devarapalli <vijay at wichorus.com> wrote:
 > Hi George,
 >
 > Section 4.3.2 of draft-ietf-mip4-dsmipv4-07.txt has the following text
 >
 >   The home agent SHOULD check that all inner IPv6 packets received from
 >   the mobile node over a tunnel with outer source address the home
 >   address or the care-of address, include a source address that falls
 >   under the registered IPv6 prefix(es) for that mobile node.  If the
 >   source address of the outer header of a tunneled packet is not the
 >   registered IPv4 care-of address or the registered IPv4 home
 >   addresses, the packet SHOULD be dropped.  If the source address of
 >   the inner header of a tunneled packet does not match any of the
 >   registered prefixes the packet SHOULD be dropped.
 >
 > Why does this say "the packet SHOULD be dropped"? It should say "MUST",
 > right? IMO, the home agent should strictly enforce ingress filtering on
 > the source address that the mobile node can use for the inner IPv6
 > packets.
 >

GT> SHOULD is the right language here IMO since this is not an
interoperability issue. SHOULD always means that one should do this
unless they have a very good reason not to.

Folks in the past have argued that it is a big concern if the home agent does not perform ingress filtering on packets coming through the tunnel with the mobile node. Because of this, we had to add text to RFC 3963 that says the home agent must verify that the source address on the inner packet belongs to the prefixes allocated to the mobile router.

But if folks in the MIP4 WG and the IESG are fine with not requiring the home agent to perform ingress filtering on the packets coming out of the tunnel, it's fine with me too.

 > Finally we might need to explain in more detail what happens when the
 > foreign agent is a VPN gateway as described in RFC 5265. I believe Yaron
 > raised this issue. In case you set the code in the IPv6 Prefix Reply
 > Extension to "1" in foreign agent care-of address mode, then the IPv6
 > packets for the mobile node would actually be encapsulated in an IPsec
 > tunnel between the MN and the VPN GW, instead of being sent as native
 > IPv6 packets. So we might need a short paragraph describing this.
 >

GT> We already discussed with Yaron and agreed to add language wrt
security devices in general being aware of the new encapsulations
defined in this spec.

Can you forward that text, please?

Vijay
--
Mip4 mailing list: Mip4 at ietf.org
   Web interface: https://www.ietf.org/mailman/listinfo/mip4
    Charter page: http://www.ietf.org/html.charters/mip4-charter.html
Supplemental site: http://www.mip4.org/
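As an added illustration of the check being debated above (this is example code, not text from the draft or from either poster), the following Python applies the two conditions quoted from Section 4.3.2 at the home agent as a strictly enforcing policy, i.e. every packet that fails either condition is dropped. The binding state and the packet headers are constructed sample values.

```python
"""Ingress filter for IPv6-in-IPv4 tunnelled packets at a DS-MIPv4 home agent.

Added example, not code from draft-ietf-mip4-dsmipv4 or the mailing-list post.
Check 1: the outer IPv4 source must be the registered care-of address or the
         registered home address.
Check 2: the inner source must be an IPv6 address inside a registered prefix.
Registration state and packets below are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Binding:
    """Registration state the home agent holds for one mobile node."""
    home_address: ipaddress.IPv4Address
    care_of_address: ipaddress.IPv4Address
    prefixes: list  # IPv6 networks registered for this mobile node


def filter_tunnelled_packet(binding: Binding, outer_src: str, inner_src: str) -> str:
    """Return "accept" or a "drop: ..." reason for one decapsulated packet."""
    outer = ipaddress.ip_address(outer_src)
    inner = ipaddress.ip_address(inner_src)
    # Outer header: only the registered CoA or home address may source the tunnel.
    if outer not in (binding.home_address, binding.care_of_address):
        return "drop: outer source is not a registered address"
    # Inner header: must be IPv6 and fall under a registered prefix (anti-spoofing).
    if inner.version != 6 or not any(inner in p for p in binding.prefixes):
        return "drop: inner source outside registered prefix(es)"
    return "accept"


# Constructed sample binding: documentation addresses only.
SAMPLE_BINDING = Binding(
    home_address=ipaddress.IPv4Address("192.0.2.10"),
    care_of_address=ipaddress.IPv4Address("198.51.100.5"),
    prefixes=[ipaddress.IPv6Network("2001:db8:1::/48")],
)


def run_samples() -> dict:
    """Apply the filter to a few constructed (outer, inner) source pairs."""
    cases = {
        "legit_from_coa": ("198.51.100.5", "2001:db8:1::1"),
        "legit_from_hoa": ("192.0.2.10", "2001:db8:1:ffff::2"),
        "spoofed_inner": ("198.51.100.5", "2001:db8:2::1"),
        "unregistered_outer": ("203.0.113.9", "2001:db8:1::1"),
        "ipv4_inner": ("198.51.100.5", "10.0.0.1"),
    }
    return {name: filter_tunnelled_packet(SAMPLE_BINDING, o, i) for name, (o, i) in cases.items()}
```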