
RE: I-D ACTION:draft-coene-multi6-sctp-00.txt



>-----Original Message-----
>From: marcelo bagnulo [mailto:mbagnulo@ing.uc3m.es] 
>Sent: dinsdag 3 februari 2004 11:12
>To: lode.coene@siemens.com; john.loughney@nokia.com
>Cc: multi6@ops.ietf.org
>Subject: RE: I-D ACTION:draft-coene-multi6-sctp-00.txt
>
>
>Hi,
>
>Just a couple of comments. IMHO one of the important benefits of using a
>transport layer mechanism to preserve established communications is that
>the security is simpler than the mechanisms at layer 3.5. The reason for
>this is that only a connection is at stake, and not the complete identity
>of the host. This allows building simple return routability checks which
>may be acceptable, while they are probably not acceptable for lower layer
>solutions. Perhaps a comment about this would fit in section 2.3.2 or in
>section 3?
>
We'll try to come up with something....
>
>Another comment is about how an SCTP solution deals with ingress
>filtering?
>
A section in the draft on SCTP multihoming issues deals with that:
- if the host is able to fill in the IP address of the interface on which
the msg is sent out, then the return msg will arrive back on that same
interface, not on the others. That means that for the initial outgoing
message, the source address will belong to the network to which the host is
sending it, thus any ingress filtering within that network should let it
pass (it is after all the address given out by that network (via DHCP,
fixed...)).
- if the host allows filling in the IP address of ANY interface as the
source address of the msg (example: source = IP1, address of the interface on
which the msg was actually sent out was IP3) then the ingress filter should
drop the message (as should be expected).
This is basically implementation dependent in the host.

>
>thanks, marcelo
>

Hope this answers the questions...

Yours sincerely,
Lode
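The two cases Lode describes, modelled as an added example that is not part of the thread or of the draft: a dual-homed host with one address per upstream network, and an ingress filter at each network edge that forwards only sources from the prefix it assigned. The topology, addresses and interface names are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed topology (assumption, not from the mail): each upstream
# network assigns the host one address and performs ingress filtering on
# the source address of packets it receives from the host.
NETWORKS = {
    "ISP-A": ipaddress.ip_network("192.0.2.0/24"),
    "ISP-B": ipaddress.ip_network("198.51.100.0/24"),
}
HOST_INTERFACES = {
    # interface -> (attached network, address handed out by that network)
    "if1": ("ISP-A", ipaddress.ip_address("192.0.2.10")),
    "if3": ("ISP-B", ipaddress.ip_address("198.51.100.10")),
}


def ingress_filter_accepts(network: str, src: ipaddress.IPv4Address) -> bool:
    """Edge source-address validation: forward only if the source lies in
    the prefix this network delegated to the customer."""
    return src in NETWORKS[network]


def send(out_iface: str, src: Optional[ipaddress.IPv4Address] = None) -> dict:
    """Emit one packet on out_iface.  With src=None the host fills in the
    egress interface's own address (first case in the mail); otherwise it
    uses the caller-supplied address of some other interface (second case)."""
    network, iface_addr = HOST_INTERFACES[out_iface]
    src = iface_addr if src is None else src
    return {
        "egress": out_iface,
        "src": str(src),
        "network": network,
        "forwarded": ingress_filter_accepts(network, src),
    }


def reply_arrives_on(src: ipaddress.IPv4Address) -> str:
    """The peer answers to the source address it saw; that address is routed
    back through the network that assigned it, so the reply lands on the
    interface holding it, not on the others."""
    for name, (_, addr) in HOST_INTERFACES.items():
        if addr == src:
            return name
    raise ValueError(f"{src} is not owned by this host")


def demo() -> list:
    """Case 1: egress address as source. Case 2: IP1 as source on if3."""
    return [send("if3"), send("if3", HOST_INTERFACES["if1"][1])]
```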