[Mip6-firewall] IPSec through stateful firewalls

QIU Ying qiuying at i2r.a-star.edu.sg
Mon Jan 22 05:26:28 EST 2007


Hi,

Yes. Some firewall rules block ipsec packets. However, MIPv6 uses ipsec to 
encapsulate HoTI/HoT messages between MN and HA. Therefore, we should find a 
way to let, at least, the mip6 signaling packets go through the firewall.

As we know, the HoTI/HoT messages between MN and HA, which are encapsulated 
by ipsec, also carry the mip6 mobility header. The header with protocol 
#135 is used by MN, CN and HA in all messaging related to the creation and 
management of bindings. So we could let the firewall allow all packets 
with protocol #135 between HA and MN. Since packets of this kind with 
protocol 135 are only mip6 signaling messages, which are small and light 
to process, the security risk and overhead are limited (even ignorable) if an 
attacker wants to attack the firewall with this kind of message.

Any comments?

Regards
Qiu Ying


----- Original Message ----- 
From: "Suresh Krishnan" <suresh.krishnan at ericsson.com>
To: <mip6-firewall at zeke.ecotroph.net>
Sent: Friday, January 19, 2007 9:39 PM
Subject: [Mip6-firewall] IPSec through stateful firewalls


> Hi Folks,
>   I have asked around quite a bit and I have got the same answer. There
> is no good way of letting IPSec pass through stateful firewalls. So if
> we are considering this as a solution, we need to define how we
> correlate the packets. Yaron, please correct me if I am wrong and you
> have some proprietary mechanism for doing so.
>
> Thanks
> Suresh


------------ Institute For Infocomm Research - Disclaimer -------------
This email is confidential and may be privileged.  If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you.
--------------------------------------------------------
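
The filtering rule proposed in the reply above, as an added example that is not part of the original thread or any firewall product: a header-chain walk that passes only packets whose upper-layer protocol is 135 and whose endpoints are the MN and HA. The function names, the single fixed address per node and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

MOBILITY_HEADER = 135       # protocol number named in the post
ESP = 50                    # what the firewall sees when ESP wraps the message
SKIPPABLE = {0, 43, 60}     # Hop-by-Hop, Routing, Destination Options

def upper_protocol(packet: bytes):
    """Walk the cleartext IPv6 header chain; return the first value that is
    not a skippable extension header, or None if the packet is malformed."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    nxt, off = packet[6], 40
    while nxt in SKIPPABLE:
        if off + 2 > len(packet):
            return None
        ext_len = (packet[off + 1] + 1) * 8
        if off + ext_len > len(packet):
            return None
        nxt, off = packet[off], off + ext_len
    return nxt

def allow(packet: bytes, mn: str, ha: str) -> bool:
    """Pass only Mobility Header packets exchanged between MN and HA."""
    if upper_protocol(packet) != MOBILITY_HEADER:
        return False
    ends = {ipaddress.IPv6Address(packet[8:24]), ipaddress.IPv6Address(packet[24:40])}
    return ends == {ipaddress.IPv6Address(mn), ipaddress.IPv6Address(ha)}

def build(src: str, dst: str, first_nh: int, payload: bytes) -> bytes:
    """Constructed test packet: fixed IPv6 header plus payload."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_nh, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

# Constructed sample data (documentation prefix 2001:db8::/32).
MN, HA = "2001:db8:1::10", "2001:db8:2::1"
HOTI = bytes([59, 1, 1, 0]) + bytes(12)            # MH type 1 (HoTI), zeroed body
DSTOPT = bytes([135, 0, 1, 4, 0, 0, 0, 0])         # Destination Options, PadN only
PLAIN = build(MN, HA, 135, HOTI)
WITH_OPTS = build(HA, MN, 60, DSTOPT + HOTI)
IN_ESP = build(MN, HA, ESP, bytes(8) + bytes(32))  # SPI/seq + opaque ciphertext
STRANGER = build("2001:db8:9::bad", HA, 135, HOTI)

if __name__ == "__main__":
    for name, pkt in [("plain", PLAIN), ("with_opts", WITH_OPTS),
                      ("in_esp", IN_ESP), ("stranger", STRANGER)]:
        print(name, upper_protocol(pkt), allow(pkt, MN, HA))
```

For the ESP-wrapped sample the walk stops at next header 50, because the inner next-header value sits in the ESP trailer, so a rule keyed on 135 alone does not match that packet.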