Vijay Devarapalli writes: I didnt notice this before. > When the mobile node is at home, the above rules are different as the > mobile node can use its home address as a source address. This > typically happens for the de-registration Binding Update when the > mobile is returning home. In this situation, the Binding Updates > MUST support at least the following headers in the following order: > > IPv6 header (source = home address, > destination = home agent) > ESP header > Mobility header > Binding Update > Alternative Care-of Address option (care-of address) > It is a deregistration BU. I am not sure if the alt-CoA option will ever be added to a deregistration BU from the home link. --------------- Jari Arkko responds to Vijay Devarapalli: Actually, ha-ipsec 3.1 and 4.3 agree on this: every binding update protected by esp needs to contain alt-coa. However, base 11.7.1 says "registrations", which doesn't cover de-reg BUs. So we have an inconsistency here. The right thing would appear to be mandatory use of alt-coa on all of them because otherwise an attacker can convert the de-registration to a registration. No, wait! Actually since the lifetime is zero, our current rules say that's a deregistration anyway. In conclusion, maybe be base doesn't need to be changed (relief!) and ha-ipsec indeed needs to change, both 3.1 and 4.3. The change is deleting alt-coa from 3.1 and saying "registrations" instead of "all binding updates" in 4.3. How does that sound? --------------- Vijay Devarapalli responds to Jari Arkko: Sounds good. I am okay with this change. --------------- Jari Arkko writes to the ADs: This information is for the IESG to know that such clarifications have been made, and to ask for your OK for these modifications. - 270: Base and ha-ipsec disagreed about whether to include Alternate Care-of Address option in de-reg BUs. This is not necessary and ha-ipsec has been updated on the web. The change is deleting alt-coa from 3.1 de-reg case and saying "registrations" instead of "all binding updates" in 4.3. For further info, see http://www.piuha.net/~jarkko/publications/mipv6/issues/issue270.txt --------------- --------------- --------------- ---------------