What the document is trying to say is that because HELD uses
the requestor's IP address as a location identifier, if the
LIS is trying to assure that location is actually only
provided to the host that originates a request, then it must
have assurance that the source IP address of the request is
that of the originator, i.e., that the source address of the
request has not been spoofed. If there is no requirement for
that level of assurance, then there is no requirement for
anti-spoofing.
On the other hand, given that the LIS is notionally operated
by the access network operator, this is actually a local
requirement: If you, the network/LIS operator, require this
degree of assurance then you MUST implement measures to
prevent IP address spoofing. (Note, however, the
conditionality.)
--Richard
I think it is also important to mention that IP address spoofing itself
is not sufficient. As an adversary you also need to see the response in
order to actually see the provided location information.
Ciao
Hannes
_______________________________________________
IETF mailing list
IETF(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf