Re: utility of dynamic DNS

2002-02-28 15:00:03
Theodore Tso wrote:

> With Mobile IP, the security model seems to be (in order to avoid
> triangle routing), that I need to send secure messages to arbitrary
> machines in the Internet, who then need to somehow magically know that
> I am the person authorized to redirect traffic for 216.175.175.175 to
> some other arbitrary point in the Internet.  (Amazon.com, buy.com,
> yahoo.com, ietf.org, etc., etc., etc., etc. all need to know that the
> distinguished name in my X.509 certificate is authorized to speak for
> 216.175.175.175, and can redirect packets sent to that host to
> far-flung places in the world like Australia or Finland.  Yeah,
> right.)

Actually, we hope to get it to work without requiring X.509.

I wonder what someone 30 years ago would have thought about the
statement "I can get my data to go anywhere in the world.  All
I need is to have the IP address of the destination and some
knowledgeable routers that I don't even know about will magically
redirect my packets to that address, without me even knowing where
it is."

Sure, that's different than Mobile IP -- I can hear the objection already!
But the main difference is that you already believe that IP routing
can work.  I also believe that IP redirection can work, and a lot
faster than DNS resolution redirection can work -- or, any other
application-oriented approach.

> One is deployable (modulo a few minor bugs in the HOWTO document,
> which I've been meaning to find time to write up and report, really I
> have), and I've currently got it set up and working on my laptop
> today.  The other is, as near as I can tell, completely and totally
> hopeless as far as being practical or deployable.

The approach you favor would require resolution via DNS after
every movement.  That's going to be a disaster for smooth handovers,
I reckon.

Regards,
Charlie P.