Theodore Tso wrote:

> With Mobile IP, the security model seems to be (in order to avoid
> triangle routing), that I need to a secure messages to arbitrary
> machines in the Internet, who then need to somehow magically know that
> I am the person authorized to redirect traffic for 216.175.175.175 to
> some other arbitrary point in the Internet. (Amazon.com, buy.com,
> yahoo.com, ietf.org, etc., etc., etc., etc. all needs to know that the
> distinguished name in my X.509 certificate is authorized to speak for
> 216.175.175.175, and can redirect packets sent to that host to
> far-flung places in the world like to Australia or Finland. Yeah,
> right.)

Actually, we hope to get it to work without requiring X.509.

I wonder what someone 30 years ago would have thought about the statement "I can get my data to go anywhere in the world. All I need is to have the IP address of the destination and some knowledgeable routers that I don't even know about will magically redirect my packets to that address, without me even knowing where it is."

Sure, that's different than Mobile IP -- I can hear the objection already! But the main difference is that you already believe that IP routing can work. I also believe that IP redirection can work, and a lot faster than DNS resolution redirection can work -- or, any other application-oriented approach.

> One is deployable (modulo a few minor bugs in the HOWTO document,
> which I've been meaning to find time to write up and report, really I
> have), and I've currently got it set up and working on my laptop
> today. The other, is as near as I can tell, completely and totally
> hopeless as far as being practical or deployable.

The approach you favor would require resolution via DNS after every movement. That's going to be a disaster for smooth handovers, I reckon.

Regards,
Charlie P.