[Mip6-firewall] [MEXT] Firewall presentation - HA inside firewall and MN and CN outside firewall

Gabor.Bajko at nokia.com
Tue Dec 4 13:37:17 EST 2007


This looks like a valid comment. I believe the remedy is to remove the
reference to [mip6vendor] from this section.

- gabor

-----Original Message-----
From: Ivancic, William D. (GRC-RCN0) [mailto:william.d.ivancic at nasa.gov]

Sent: Tuesday, December 04, 2007 10:04 AM
To: mext at ietf.org
Subject: [MEXT] Firewall presentation - HA inside firewall and MN and CN outside firewall

In Administrator document:

"3.3.  Data traffic from and to MN passing through the HA

   If a CN tries to initiate traffic to an MN, a stateful firewall would
   prevent these connection requests to pass through as there is no
   established state on the firewall.  If this is necessary to do, the
   pattern to look for is

     Destination Address: MN HoA

   Allowing this traffic might allow any kind of traffic, including
   malicious traffic, to pass through unfiltered to the MN.  This would
   expose the MN to any type of possibly malicious traffic, resulting in
   a denial of service or exploitation of known security
   vulnerabilities.  This practice is NOT RECOMMENDED.  Instead, a
   dynamically created pinhole like the one specified in [MIP6FWVENDOR]"

The last sentence implies a way to dynamically create a pinhole is
specified in the "MIP6FWVENDOR" document.

However, upon review of MIP6FWVENDOR, the solution appears to be only
for rules where the MN sends a binding update.

"5. Allowing data packets based on signaling

   Once the MIPv6 signaling completes, the data traffic can begin to
   flow.  The traffic filters for the data traffic can be inferred from
   the contents of the signaling messages that setup the session.  This
   section describes how firewalls can intelligently setup filters for
   data traffic based on signaling traffic. The following example
   describes how to setup a filter for allowing incoming route optimized
   messages from a CN to an MN after the MN sent a BU message to a CN."


If this is correct, either the last sentence in 3.3 needs to be removed
or modified, or some clarification has to be made that a CN either has to
be allowed to transition the FW at all times and take the risk, or, if a
CN initiates a conversation with the MN when both are outside the
firewall, the communication will fail.


Will

_______________________________________________
MEXT mailing list
MEXT at ietf.org
https://www1.ietf.org/mailman/listinfo/mext
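The three firewall behaviours the thread compares (deny-by-default for CN-initiated traffic, the static "Destination Address: MN HoA" allow that the draft calls NOT RECOMMENDED, and a dynamic pinhole opened from a Binding Update) can be made concrete with a small model. The code below is an added example, not part of the mailing-list thread, the MIP6 firewall drafts, or any vendor implementation. It is a deliberately simplified stateful firewall: addresses are constructed sample values, flows are keyed on (src, dst, message kind) rather than a real 5-tuple, the type 2 routing header used by route-optimized traffic is not modelled, and the BU-derived pinhole is assumed to be installed only when the firewall itself forwards the BU, which is the limitation Will's message points out when both MN and CN sit outside the firewall.

```python
"""Toy stateful firewall in front of a MIPv6 home agent (added example).

Scenario from the thread: HA inside the firewall, MN and CN outside.
All addresses below are constructed sample values.
"""
from dataclasses import dataclass, field

HA = "2001:db8:1::1"          # home agent, inside the firewall
MN_HOA = "2001:db8:1::100"    # MN home address (topologically on the HA side)
CN = "2001:db8:3::5"          # correspondent node, outside
ATTACKER = "2001:db8:4::66"   # any other outside host


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    kind: str       # "data" or "BU" (Binding Update)
    inbound: bool   # True = arriving from the outside interface


@dataclass
class StatefulFirewall:
    # Static allow-list on destination address, e.g. {MN_HOA} (the draft's
    # "pattern to look for"); admits every outside host that targets it.
    static_allow_dst: set = field(default_factory=set)
    # Whether a forwarded BU from the MN opens a (CN -> MN) data pinhole.
    bu_pinholes_enabled: bool = False
    # State created by outbound traffic, keyed (src, dst, kind).
    flows: set = field(default_factory=set)
    # Dynamic pinholes (src, dst) for inbound data, derived from signaling.
    dynamic_pinholes: set = field(default_factory=set)

    def process(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Outbound traffic always passes and creates return state.
            self.flows.add((pkt.src, pkt.dst, pkt.kind))
            if self.bu_pinholes_enabled and pkt.kind == "BU":
                # Assumed simplification of the signaling-derived filter:
                # a BU from MN to CN opens a data pinhole for CN -> MN.
                self.dynamic_pinholes.add((pkt.dst, pkt.src))
            return "ALLOW"
        # Inbound: matching state, a pinhole, or a static rule is required.
        if (pkt.dst, pkt.src, pkt.kind) in self.flows:
            return "ALLOW"
        if pkt.kind == "data" and (pkt.src, pkt.dst) in self.dynamic_pinholes:
            return "ALLOW"
        if pkt.dst in self.static_allow_dst:
            return "ALLOW"
        return "DROP"


def cn_initiated_default() -> str:
    """No state exists, so a CN-initiated packet to the MN HoA is dropped."""
    fw = StatefulFirewall()
    return fw.process(Packet(CN, MN_HOA, "data", inbound=True))


def cn_initiated_static_allow() -> tuple:
    """The static 'dst == MN HoA' rule admits the CN, but any other host too."""
    fw = StatefulFirewall(static_allow_dst={MN_HOA})
    return (fw.process(Packet(CN, MN_HOA, "data", inbound=True)),
            fw.process(Packet(ATTACKER, MN_HOA, "data", inbound=True)))


def bu_pinhole(mn_bu_crosses_firewall: bool) -> tuple:
    """Signaling-derived pinhole.

    The pinhole exists only if the firewall forwards the MN's BU (here
    modelled as MN traffic leaving via the HA side). If the BU goes
    directly from an outside MN to an outside CN, the firewall never sees
    it and the CN-initiated packet is still dropped.
    """
    fw = StatefulFirewall(bu_pinholes_enabled=True)
    if mn_bu_crosses_firewall:
        fw.process(Packet(MN_HOA, CN, "BU", inbound=False))
    return (fw.process(Packet(CN, MN_HOA, "data", inbound=True)),
            fw.process(Packet(ATTACKER, MN_HOA, "data", inbound=True)))


if __name__ == "__main__":
    print("CN-initiated, default policy:", cn_initiated_default())
    print("CN-initiated, static HoA allow (CN, attacker):", cn_initiated_static_allow())
    print("BU seen by firewall (CN, attacker):", bu_pinhole(True))
    print("BU not seen by firewall (CN, attacker):", bu_pinhole(False))
```

Running the script shows the trade-off in the thread: the static rule is the only policy that lets the CN through without signaling crossing the firewall, and it lets the attacker through too; the pinhole restricts access to the CN named in the BU, but only in the deployment where the BU actually traverses the firewall.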