Greg O'Shea writes:

"The destination address to which the procedure should be initiated to in response to receiving a packet meeting all of the above tests is the Source Address in the original (inner) IPv6 header of the packet. If a Home Address destination option is present in the packet (inner IPv6 header), the source address MUST be the home address in the home address option." [11.7.2]

I think this is trying to say that if a MN (abroad) receives a packet containing a HAO then the address in the HAO had better be the same as the source address of the packet containing the HAO. But this strikes me as wrong. If MN receives a packet containing HAO from some CN then CN is itself mobile and in the first instance is probably sending a BU to MN. Call the two nodes MN1 and MN2 respectively. The BU message looks like this:

MN1 receives: IP(HAMN1,CoAH1), ESP, IP(CoAH2, HoAH1), HAO(HoAH2), MH(BU)

In other words a Home address option is present in the (inner) IPv6 packet but the source address (of the inner packet) is NOT the same as the home address in the home address option (in the inner packet). Note that because this is not a home binding there is not (necessarily) an alt CoA opt with the BU, so where else is MN1 going to discover MN2's CoA apart from the source addr of the packet containing the BU?

-----------------------

Jari Arkko responds to Greg O'Shea:

Hi Greg and thanks again for your in-depth comments. Inline:

> "The destination address to which the procedure should be initiated to
> in response to receiving a packet meeting all of the above tests is the
> Source Address in the original (inner) IPv6 header of the packet. If a
> Home Address destination option is present in the packet (inner IPv6
> header), the source address MUST be the home address in the home address
> option." [11.7.2]

Clumsy text...

> I think this is trying to say that if a MN (abroad) receives a packet
> containing a HAO then the address in the HAO had better be the same as
> the source address of the packet containing the HAO. But this strikes me
> as wrong. If MN receives a packet containing HAO from some CN then CN is

I agree that this would be wrong.

> itself mobile and in the first instance is probably sending a BU to MN.
> Call the two nodes MN1 and MN2 respectively. The BU message looks like this:
>
> MN1 receives: IP(HAMN1,CoAH1), ESP, IP(CoAH2, HoAH1), HAO(HoAH2), MH(BU)
> In other words a Home address option is present in the (inner) IPv6
> packet but the source address (of the inner packet) is NOT the same as
> the home address in the home address option (in the inner packet). Note
> that because this is not a home binding there is not (necessarily) an
> alt CoA opt with the BU, so where else is MN1 going to discover MN2's
> CoA apart from the source addr of the packet containing the BU?

I think 11.7.2 tries to say something different, but fails to do so properly. There are two important things that we need to worry about in the initiated correspondent binding procedure:

- What address do we use as our own address when running the procedure? (If we have multiple home addresses.)
- What is the address of the node we run the procedure to? (If the peer is mobile too, and has both hoa and coa.)

Perhaps the following would be a better version of the paragraph in 11.7.2:

   If a mobile node has multiple home addresses, it becomes important to select the right home address to use in the correspondent binding procedure. The used home address MUST be the Destination Address of the original (inner) packet.

   The peer address used in the procedure MUST be determined as follows:

   o If a Home Address destination option is present in the original packet (inner IPv6 header), the address from this option is used.

   o Otherwise, the Source Address in the original (inner) IPv6 header of the packet is used.

-----------------------

Brian Haley writes:

But doesn't this violate the other rule that packets with unverified HAOs must be dropped, unless the packet contains a BU? Why would a CN/MN be sending a HAO unless it has a binding with this MN anyways? This packet was encapsulated by the HA, so should have had the CN/MN's home address as the (inner) source, that would be the target address. Everything is home address <-> home address until there's a binding established, with the HAs doing all the work.

-----------------------

Jari Arkko responds to Brian Haley:

Aren't there two independent BCE entries? I am initiating the binding procedure because apparently the peer does not have a BCE entry for *me*. But I can still have a BCE entry for *it*, making it possible that I can receive a legal packet with a HAO?

My head hurts from thinking about this. But if I'm right above then we should still take into account your comment that the HAO must only be accepted when a BCE exists on our side for it.

-----------------------

Hesham Soliman responds to Jari Arkko:

> Aren't there two independent BCE entries? I am initiating the
> binding procedure because apparently the peer does not have a
> BCE entry for *me*. But I can still have a BCE entry for *it*,
> making it possible that I can receive a legal packet with
> a HAO?

Yes, that's right.

>
> My head hurts from thinking about this. But if I'm right above
> then we should still take into account your comment that the
> HAO must only be accepted when a BCE exists on our side for
> it.

That's a different check in a different part of the code/spec. This check will be (MUST) done anyway when any packet is received containing a HAO. I don't think you need to include it in this text. It's already stated in other parts of the spec.

-----------------------

Brian Haley writes:

> Aren't there two independent BCE entries? I am initiating the
> binding procedure because apparently the peer does not have a
> BCE entry for *me*.
> But I can still have a BCE entry for *it*,
> making it possible that I can receive a legal packet with
> a HAO?

Yes, you're right, I didn't think about that case, but the wording you proposed didn't give any warning about not accepting the HAO. Maybe just a ref to section 9.3.1 so no one gets confused?

-----------------------

Jari Arkko writes:

The final text is now:

  "If a mobile node has multiple home addresses, it becomes important to select the right home address to use in the correspondent binding procedure. The used home address MUST be the Destination Address of the original (inner) packet.

   The peer address used in the procedure MUST be determined as follows:

   o If a Home Address destination option is present in the original (inner) packet, the address from this option is used.

   o Otherwise, the Source Address in the original (inner) IPv6 header of the packet is used.

   Note that the validity of the original packet is checked before attempting to initiate a correspondent binding procedure. For instance, if a Home Address destination option appeared in the original packet, then rules in Section 9.3.1 are followed."

-----------------------

Hesham Soliman writes:

Fine with me.

-----------------------
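
The selection rule in the final text, worked through as an added example (not part of the thread or of the specification): it parses the inner packet, applies the binding-cache validity check to a Home Address option first, and only then picks the own home address and the peer address. Assumptions: the option type 201 and the 8n+6 alignment are taken from the published Mobile IPv6 specification, the Section 9.3.1 check is modelled as "a binding exists for the HAO and its care-of address is the inner source", the binding cache is a plain dict, only Destination Options headers directly after the inner IPv6 header are walked, and all function names and the sample packet builder are hypothetical.

```python
import struct
from ipaddress import IPv6Address

NH_DSTOPTS, NH_NONE = 60, 59  # Destination Options header, No Next Header
OPT_HOME_ADDR = 201           # HAO type in published Mobile IPv6 (assumption)

def find_hao(inner):
    """Return the HAO address from leading Destination Options headers, or None."""
    next_hdr, off = inner[6], 40
    while next_hdr == NH_DSTOPTS:
        if off + 2 > len(inner) or off + 8 * (inner[off + 1] + 1) > len(inner):
            raise ValueError("truncated destination options header")
        next_hdr, end = inner[off], off + 8 * (inner[off + 1] + 1)
        i = off + 2
        while i < end:
            if inner[i] == 0:  # Pad1 is a single octet with no length field
                i += 1
                continue
            if i + 2 > end or i + 2 + inner[i + 1] > end:
                raise ValueError("option overruns header")
            if inner[i] == OPT_HOME_ADDR and inner[i + 1] == 16:
                return IPv6Address(inner[i + 2:i + 18])
            i += 2 + inner[i + 1]
        off = end
    return None

def select_binding_addresses(inner, binding_cache):
    """Return (own home address, peer address), or None if the packet is rejected."""
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return None
    src, dst = (IPv6Address(inner[o:o + 16]) for o in (8, 24))
    try:
        hao = find_hao(inner)
    except ValueError:
        return None
    if hao is None:
        return dst, src          # no HAO: peer is the inner Source Address
    # Validity first: accept the HAO only with a binding for it whose
    # care-of address is the packet's source (binding_cache: HoA -> CoA).
    if binding_cache.get(hao) != src:
        return None
    return dst, hao              # HAO present: peer is the home address

def build_inner(src, dst, hao=None):  # constructed sample inner packet
    ext = b""
    if hao:  # PadN (type 1, length 2) aligns the HAO at 8n+6
        ext = bytes([NH_NONE, 2, 1, 2, 0, 0, OPT_HOME_ADDR, 16]) + IPv6Address(hao).packed
    hdr = struct.pack("!IHBB", 6 << 28, len(ext), NH_DSTOPTS if hao else NH_NONE, 64)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + ext
```
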