[Mip6-firewall] HA Firewall BCP draft
Suresh Krishnan
suresh.krishnan at ericsson.com
Wed Jul 4 16:23:35 EDT 2007
Hi Qiu,
I went through your proposal. I think it goes beyond what we agreed
to do in phase 1 of our firewall BCP. I believe we agreed to start off
with what is currently implementable without changes to the end nodes
(MN, HA and CN). This is why I find sentences like "MN solicits a
pinhole..." disturbing. Is it possible for you to rephrase your text
similar to what Niklas and I did, by defining firewall rule parameters
instead (SRC==blah DST=foo PROTO=bar...)?
Cheers
Suresh
QIU Ying wrote:
> Hi, Suresh
>
> Attached please found the text on mobile node behind a firewall. The
> part should be section 5, right? Please review and attached to your parts.
>
> Regards and Thanks
> Qiu Ying
>
>
>
>
> 5. Mobile Node behind a Firewall
>
> This section recommends a procedure if a mobile node is within a
> network protected by a firewall. In the specifications of Mobile IPv6
> [RFC3775, RFC3776], the mobile node will send/receive the following
> messages: home binding update messages (BU_HA, BA_HA), return
> routability messages (HoTI, HoT, CoTI, CoT) and correspondent binding
> update messages (BU_CN and BA_CN).
>
> No matter whether an MN is roaming into a visiting network or already stays
> in the visiting network and needs to update its CoA, after being allocated
> or authorized a new CoA, it informs its HA and CN of its current CoA.
> Since the MN is always the initiator, it is able to apply for the pinholes
> from the firewall for the communications with other parties.
>
>
> 5.1. Open a pinhole between MN and HA:
>
> The procedure of the home binding update is
>
> 1) The mobile node gets its current care-of address;
> 2) The mobile node solicits a firewall pinhole for the
> communications between the care-of address and its home agent
> (with a fixed address) with the protocol number 50 (ESP);
> 3) the mobile node sends the home binding update message BU_HA to
> its home agent through the pinhole;
> 4) the home agent sends back an acknowledgement BA_HA through the
> pinhole and sets up a security tunnel between the home agent and its
> home agent;
> 5) thereafter every packet between the mobile node and its home
> agent goes through the security tunnel;
> 6) this pinhole is a long-term one, which is kept open till the MN
> leaves the network or applies for a new CoA.
>
> 5.2. Open a pinhole between MN and CN:
>
> The procedure of opening pinholes between MN and CN is:
>
> 1) the mobile node sends the HoTI message to its home agent through
> the security tunnel;
> 2) after receiving the HoT message from the correspondent node, the
> home agent forwards the HoT message to the mobile node through
> the security tunnel, too;
> 3) the mobile node solicits a firewall pinhole with protocol number
> 135 for the communications between the care-of address and the
> correspondent node;
> 4) the mobile node sends the CoTI message to its correspondent node
> through the pinhole;
> 5) the correspondent node sends back the CoT message through the
> pinhole;
> 6) the mobile node sends the binding update message BU_CN to its
> correspondent node through the pinhole;
> 7) the correspondent node sends back an acknowledgement BA_CN through
> the pinhole;
> 8) the mobile node requires more ports to be opened for the pinhole;
> 9) thereafter every packet between the mobile node and its
> correspondent node goes through the pinhole;
> 10) this pinhole is a short-term one. Once the communication between
> the MN and the CN is terminated, the pinhole must be closed.
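As an added illustration (not text from either message), here is the rule-parameter form Suresh asks for, covering the two pinholes of sections 5.1 and 5.2 as static SRC/DST/PROTO tuples that need no solicitation from the MN; the prefixes and addresses are constructed documentation values, and the assumption is that the MN's care-of address is taken from one inside prefix while the HA and CN sit outside the firewall:

```python
from dataclasses import dataclass
import ipaddress

ESP = 50        # IPsec ESP: the MN <-> HA tunnel of section 5.1 (BU_HA/BA_HA, tunnelled HoTI/HoT)
MOBILITY = 135  # IPv6 Mobility Header: the MN <-> CN pinhole of section 5.2 (CoTI/CoT, BU_CN/BA_CN)

@dataclass(frozen=True)
class Rule:
    """One ALLOW entry: SRC prefix, DST prefix, IP protocol number."""
    src: ipaddress.IPv6Network
    dst: ipaddress.IPv6Network
    proto: int

def mipv6_rules(inside_prefix, ha_addr, cn_prefix):
    """Static bidirectional rules for both pinholes; anything not listed is dropped.
    inside_prefix covers every care-of address the MN can obtain here, so the rules
    survive a CoA change without the MN having to solicit anything."""
    inside = ipaddress.ip_network(inside_prefix)
    ha = ipaddress.ip_network(ha_addr)          # the HA's fixed address (/128)
    cn = ipaddress.ip_network(cn_prefix)
    return [
        Rule(inside, ha, ESP), Rule(ha, inside, ESP),
        Rule(inside, cn, MOBILITY), Rule(cn, inside, MOBILITY),
    ]

def permitted(rules, src, dst, proto):
    """Match (src, dst, proto) against the rule list; no match means the firewall drops it."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in r.src and d in r.dst and proto == r.proto for r in rules)

# Constructed sample topology using documentation prefixes (not real hosts).
RULES = mipv6_rules("2001:db8:1::/64", "2001:db8:ffff::1", "2001:db8:2::/64")
COA, HA, CN = "2001:db8:1::abcd", "2001:db8:ffff::1", "2001:db8:2::1"

# The signalling messages of sections 5.1 and 5.2 as (name, src, dst, proto).
PROCEDURE = [
    ("BU_HA", COA, HA, ESP), ("BA_HA", HA, COA, ESP),
    ("HoTI in ESP tunnel", COA, HA, ESP), ("HoT in ESP tunnel", HA, COA, ESP),
    ("CoTI", COA, CN, MOBILITY), ("CoT", CN, COA, MOBILITY),
    ("BU_CN", COA, CN, MOBILITY), ("BA_CN", CN, COA, MOBILITY),
]

def check_procedure(rules=RULES):
    """Map each signalling message to whether the static rules let it through."""
    return {name: permitted(rules, s, d, p) for name, s, d, p in PROCEDURE}

if __name__ == "__main__":
    for name, ok in check_procedure().items():
        print(f"{name:20} {'pass' if ok else 'DROP'}")
```

Note that the rules pass only the signalling: the payload traffic of step 8 in section 5.2 (e.g. TCP from the CN to the care-of address) still needs its own entries, and a Mobility Header packet from a host outside the CN prefix is dropped.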