[Mip6-firewall] HA Firewall BCP draft
Yaron Sheffer
yaronf at checkpoint.com
Tue Jul 3 09:02:57 EDT 2007
Hi Suresh,
for a stateful firewall, it is very important just who initiates each
connection. In other words, if you specify (from: any-address, to:
HA-address, protocol: 50, action: allow), then the return traffic is
also allowed, but ONLY if the connection was first initiated *into* the
HA. So this is not equivalent to writing two unidirectional rules.
Also, the draft talks about DoS threats. But allowing any traffic to
e.g. the MN's HoA would create a much bigger hole, e.g. if there are any
known vulnerabilities on the endpoints.
Thanks,
Yaron
Suresh Krishnan wrote:
> Hi Niklas,
>
> Niklas Steinleitner wrote:
>
>> Hi Suresh,
>>
>> just a few comments after quickly scanning the document:
>> - in section 3.1 you write "Source Address: Address of HA". This has to
>> be "Destination Address: Address of HA"!
>>
>
> Nice catch. But I think it has to be both. I will revise the text to say
>
> Source Address: Address of HA
> IP payload protocol number: 50 (ESP)
>
> Destination Address: Address of HA
> IP payload protocol number: 50 (ESP)
>
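The point Yaron makes above (a stateful "allow into the HA" rule is not the same as two unidirectional rules) can be shown with a toy stateful filter. The code below is an added illustration, not part of the draft or of any message in this thread; the HA and MN addresses are made up, and the filter keys connection state on (src, dst, protocol) because ESP carries no port numbers. It runs three scenarios: MN initiates ESP to the HA under the single inbound rule, the HA initiates ESP toward the MN under the same rule, and the HA initiates under an explicit pair of unidirectional rules.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

ESP = 50  # IP payload protocol number for ESP, as quoted in the draft text


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int


@dataclass(frozen=True)
class Rule:
    src: str      # concrete address or "any"
    dst: str      # concrete address or "any"
    proto: int
    action: str   # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and self.proto == pkt.proto)


class StatefulFirewall:
    """Minimal stateful filter. A packet belonging to an established
    entry (in either direction) is passed without consulting the rules;
    everything else is matched against the rule list, and an 'allow'
    verdict creates the state entry. Unmatched packets are denied."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = list(rules)
        self.state: Set[Tuple[str, str, int]] = set()

    def _established(self, pkt: Packet) -> bool:
        fwd = (pkt.src, pkt.dst, pkt.proto)
        rev = (pkt.dst, pkt.src, pkt.proto)
        return fwd in self.state or rev in self.state

    def process(self, pkt: Packet) -> str:
        if self._established(pkt):
            return "allow"
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.state.add((pkt.src, pkt.dst, pkt.proto))
                return rule.action
        return "deny"


HA = "2001:db8::1"      # assumed Home Agent address (constructed)
MN = "2001:db8:2::5"    # assumed Mobile Node care-of address (constructed)


def inbound_only_rule() -> List[Rule]:
    # The single rule Yaron describes: (from: any, to: HA, proto 50, allow)
    return [Rule("any", HA, ESP, "allow")]


def both_directions_rules() -> List[Rule]:
    # Two unidirectional rules: also lets the HA open ESP outward
    return [Rule("any", HA, ESP, "allow"), Rule(HA, "any", ESP, "allow")]


def run(rules: List[Rule], packets: List[Packet]) -> List[str]:
    fw = StatefulFirewall(rules)
    return [fw.process(p) for p in packets]


# Constructed packet sequences: who sends the first ESP packet differs.
MN_FIRST = [Packet(MN, HA, ESP), Packet(HA, MN, ESP)]
HA_FIRST = [Packet(HA, MN, ESP), Packet(MN, HA, ESP)]

if __name__ == "__main__":
    print("MN initiates, inbound rule:", run(inbound_only_rule(), MN_FIRST))
    print("HA initiates, inbound rule:", run(inbound_only_rule(), HA_FIRST))
    print("HA initiates, two rules:   ", run(both_directions_rules(), HA_FIRST))
```

With the single inbound rule the HA's reply is passed only because the MN's packet created state first; an ESP packet the HA originates on its own is dropped. Adding the second, HA-sourced rule removes that property, which is the extra exposure the two-rule wording would introduce.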