[Mip6-firewall] IPsec-protected Packets

QIU Ying qiuying at i2r.a-star.edu.sg
Mon Jan 15 06:18:50 EST 2007


Hi,

I thought it was our consensus: our attention would focus on the IP 
addresses as well as the ports.

As for the IPsec issue, it includes 2 phases: 1) session key negotiation 
(IKE), and 2) IPsec packet traffic.

For the IKE part, my opinion is that we should be concerned with the 
conflict between the changing IP addresses of the mobile node (CoAs) and the 
requirement for stationary IP addresses on the firewall side. Maybe Vijay is 
more familiar with the IKE issue.

For the IPsec packet issue, some firewalls block this kind of traffic because 
they do not know the real purpose of the packets. IPsec packets only carry 
protocol 50 or 52, no matter what their final purpose is.

The following is my feedback on the meeting minutes of the last phone conference:

> It was clear that the problems for the data and the signaling
> traffic are different. With the signaling message related firewall
> traversal problems one needs to make a differentiation between
> the different scenarios.

Agree. In the signaling phase, there are many challenges, such as the 
unexpected IP addresses (CoA). After finishing the signaling phase, we could 
open a pinhole for the following data traffic.

> following aspects as out-of-scope for the initial work:
> Transferring packet filter rules between HA and MAP (HMIP)
> secured using IKE.

OK. The purpose of transferring packet filter rules is to continuously 
protect/control the mobile nodes' activities. It is out of our scope 
currently.

> Open questions:
> Should a firewall understand Mobile IP or firewall specific
> messages?
Yes. At least let the firewall know protocol 135.

> Is it allowed to modify the MIPv6 signaling behavior?
> E.g., fixing MIPv6 signaling exchange to deal with RRT
Yes. If we could bundle CoA and HoA together, it might be much easier to go 
through a firewall.


Is the phone meeting being held on schedule? Are we still using the same 
bridge: Conference Dial-in Number: +1 (712) 580-0600, Participant Access 
Code: 288204#? I only see that 3 people are available today.

Regards
Qiu Ying

----- Original Message ----- 
From: "Hannes Tschofenig" <Hannes.Tschofenig at gmx.net>
To: <suresh.krishnan at ericsson.com>
Cc: <mip6-firewall at zeke.ecotroph.net>
Sent: Thursday, January 11, 2007 11:58 PM
Subject: [Mip6-firewall] IPsec-protected Packets


> Hi Suresh,
>
> have you been successful in your research about potential problems of
> getting IPsec protected packets through IPv6 firewalls?
>
> Ciao
> Hannes
>
> _______________________________________________
> Mip6-firewall mailing list
> Mip6-firewall at zeke.ecotroph.net
> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall 
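
The point in the message above about a firewall not knowing the purpose of an IPsec packet, shown as an added example that is not part of the original thread: a Python sketch of which fields a filter can read from IPv6 packets without holding any keys. All packets, addresses (2001:db8::/32 documentation prefix), the SPI and the port values are constructed, and the function names are hypothetical.

```python
import struct
from ipaddress import IPv6Address

UDP, TCP, ESP, MOBILITY = 17, 6, 50, 135
SKIPPABLE = {0, 43, 60}  # hop-by-hop, routing, destination options

def ipv6(next_header, payload, src="2001:db8::1", dst="2001:db8::2"):
    """Build a constructed IPv6 packet (documentation-prefix addresses)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + IPv6Address(src).packed + IPv6Address(dst).packed + payload

def classify(packet):
    """Return the fields a filter can read without holding any IPsec keys."""
    nh, off = packet[6], 40
    while nh in SKIPPABLE:  # walk the extension-header chain
        nh, off = packet[off], off + 8 * (packet[off + 1] + 1)
    if nh in (TCP, UDP):
        sport, dport = struct.unpack_from("!HH", packet, off)
        return {"proto": nh, "sport": sport, "dport": dport}
    if nh == ESP:  # only SPI and sequence number are in the clear
        spi, seq = struct.unpack_from("!II", packet, off)
        return {"proto": nh, "spi": spi, "seq": seq}
    if nh == MOBILITY:  # MH Type is the third octet of the Mobility Header
        return {"proto": nh, "mh_type": packet[off + 2]}
    return {"proto": nh}

# Constructed samples. Zero bytes stand in for ciphertext and message bodies.
ESP_BODY = struct.pack("!II", 0x1000, 1) + bytes(24)
# Destination Options header: PadN, then a Home Address option (type 201).
HOA_OPT = bytes([ESP, 2, 1, 2, 0, 0, 201, 16]) + IPv6Address("2001:db8:f::9").packed
SAMPLES = {
    "IKE over UDP 500": ipv6(UDP, struct.pack("!HHHH", 40000, 500, 8, 0)),
    "ESP": ipv6(ESP, ESP_BODY),
    "ESP after Home Address option": ipv6(60, HOA_OPT + ESP_BODY),
    "Binding Update (MH type 5)": ipv6(MOBILITY, bytes([59, 1, 5]) + bytes(13)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {classify(pkt)}")
```

Both ESP samples yield only an SPI and a sequence number, so a rule keyed on ports has nothing to match, while the unprotected Mobility Header exposes its message type to a firewall that understands protocol 135.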

