Mobile%20IP%20version%206%20Route%20Optimization%20Security%20Design%20Background%20draft-ietf-mip6-ro-sec-01%20MIP6%20WG%20Nikander,%20Arkko,%20Aura,%20Montenegro,%20Nordmark

1
Mobile IP version 6 Route Optimization Security
Design Background draft-ietf-mip6-ro-sec-01MIP6
WGNikander, Arkko, Aura, Montenegro, Nordmark

• TUESDAY, August 3, 2004
• 60th IETF, San Diego
• Gabriel Montenegro Sun

2
Status

• Completed WG last call
• draft-ietf-mip6-ro-sec-00
• April 27 May 11, 2004
• Informational
• 7 issues
• 5 closed
• 2 still open

3
Closed Issues (1/2)

• Improvement to spurious BUs for CNs
• minor editorial
• Added more hints to know which CN merits being
  sent a BU (using ND destination cache)
• Passive attack against privacy
• minor editorial
• Added that we don't address this issue
• Presentation of ingress filtering in RO security
• Minor editorial
• added ref to RFC 3704, a BCP on ingress filtering
  to caution against multihoming issues
• Also mention in-prefix spoofing

4
Closed Issues (2/2)

• Issues with IPsec related text in the
  Introduction
• Clarified that issue with IPsec is with vanilla
  Ipsec
• but real reason is scalability
• Caveat about questionable assumption, faulty
  thinking, differing opinions.
• Add caveat about this document not being the
  final word
• More of a snapshot

5
Open Issues

• DNSSEC bashing
• IPsec home test

6
DNSSEC bashing (section 3.5)

• Francis thinks the current text is fud
• Text says how one might go about defining a new
  application of DNSSEC
• Use it to provide PKI for MIPv6
• Current specs do not support this, it would be
  have to be defined
• Is text correct?
• Check with DNSSEC gurus?
• Take out or leave in?

7
IPsec home test (section 5.2)

• Added different text for
• Home Addr check
• Care-of Addr check
• Implications (possibility) of foregoing them if
  there is pre-established trust
• Tweaking still needed?