Re: stable vs address-derived v6 prefix [Re: v6 deployment in general [Re: tunnel broker deployment [RE: Tunneling scenarios and mechanisms evaluation]]]



> But MIPv4 has assumptions which I do not agree with.  It assumes you 
> have an authenticated association with the Home Agent.  Here, the 
> respective element is the tunnel server.
> 
> I do not want to require such authenticated association -- which is 
> required if you want to have a stable v6 prefix which is independent 
> of v4 address [/port].  I think this is a useful additional mechanism 
> which can be used when authentication is available, but when it isn't 
> -- there is no use requiring it!

You appear to be looking for a free lunch.
Sufficiently secure, operationally robust, direct paths, and no
need to "register".
That is an overconstrained problem IMHO.

I personally prefer "sufficiently secure" over the "no need to register"
given the world we live in today.
And lots of people seem to think it is ok to register to get
a free email account at yahoo, hotmail, etc.
Why do we think asking them to do the same thing to enable the cool
applications running on IPv6 is out of the question?

> I think the critical point here is whether we require this
> registration protocol / user authentication in the mechanism, or
> whether it's an optional step.  IMHO, we must not require that.

I actually think it is a mistake to define mechanisms that are *not
capable* of doing registration with the same type of "traceability" that
is done to sign up for a free email account.
Whether different ISPs want to *use* that mechanism would be up to them.
But without them in the specifications and as mandatory to implement
we can easily end up with IPv6 (transition) being perceived as less secure
than IPv4.

  Erik