
Re: [Mip6] Re: RFC2136 and IP address ownership




I can briefly describe what's in the draft. What we have done so
far is to let the home agent do the update (both direct and
reverse tree) instead of the mobile node. This assumes the home
agent is more trusted than the mobile node.

And would the mobile node have an IP6 address on the access network (i.e. roaming far away from its home agent) for which it would need to update the reverse DNS?

My general thinking goes into the direction of SIG0 based authentication. I think that can be made to work but I need to understand the relation between the maintainer of the DNS in the forward tree(s), the maintainer of the DNS in the reverse tree, and the maintainer of the mobile agent, the mobile client and the networks involved.

Obviously you will need to store the client's public keys somewhere in the DNS, that could be a duty of the home agent during the bootstrapping phase. The maintainers of the several pieces of DNS namespace should then put trust into those keys.

This technology (SIG0 based dynamic updates of secured zones) works today.

And now I should really schedule some time to read about the general MIP6 architecture, for now I am just thinking out loud, a bad practice :-)

--Olaf

-----------------------------------------------------------
Olaf M. Kolkman
NLnet Labs
http://www.nlnetlabs.nl/


