Re: PI/metro/geo [Re: The state of IPv6 multihoming development]



On Tue, 5 Nov 2002, RJ Atkinson wrote:

> > By closely associating the identifier with the locator, forgery that
> > actually results in a usable connection is traceable and
> > compartmentalized with natural trust boundaries.

> This is also not true today.   Forged IP addresses are not
> compartmentalised today.

Forging IP addresses is easy in one direction. But 1. receiving the
packets that are sent back and 2. shutting up the real destination
aren't as easy, but those are also necessary to successfully engage in
non-trivial communication.

> Forged domain names are quite common in spam email.

Just because you label your C4 "shaving cream" and the label doesn't
fall off doesn't mean you'll fool the airport scanners.

> We don't authenticate DNS names today when using them to look up
> the IPv6 address of the target.  We *should* in a perfect world,

Actually we shouldn't have to in a perfect world.  ;-)

> but no one does because DNSsec is not deployed (and there are questions
> of how deployable it is).

If you use SSL there is no need for the DNS replies to be 100% reliable
anyway as forging DNS information just becomes a very elaborate DoS
attack.