[Mip6-firewall] HA Firewall BCP draft v01

Yaron Sheffer yaronf at checkpoint.com
Fri Jul 6 13:37:28 EDT 2007


Hi Suresh, all,

here are some comments to the baseline -01 draft.

    * 3.1: wording: "either has to either"...
    * 3.2: we are assuming that ALL IPv6 endpoints can correctly
      recognize the Mobility Header. Is this the case today? Otherwise
      this rule is a major security hole.
    * General: when you configure a firewall, you normally include the
      allowed traffic types (to enable more granular traffic
      inspection). So I would add: 3.1 - ESP, 3.2 - No payload (?), 3.3
      - IKE, 3.4 - Any.
    * 3.4: change "This might cause a Denial of Service at the MN" to
      "This would expose the MN to any type of possibly malicious
      traffic, resulting in e.g. denial of service or exploitation of
      known security vulnerabilities. This practice is NOT RECOMMENDED".
    * 4.1: this is the same problem as 3.2 - "CN address" is potentially
      any address in the network. Do we allow any address to receive
      such traffic from anybody?
    * Please add:

6. Additional Security Considerations [or else fold into the Sec 
Considerations]

6.1 Traffic Rate Control

If the rules specified in Sec. 3.2, 3.4, 4.1 are implemented, the 
firewall MUST be configured to rate-limit such traffic on a 
per-destination basis. This would allow the firewall to mitigate 
possible denial of service attacks on the endpoints. Please note that 
such measures would not mitigate other potential security issues.

    * 4.3: doesn't this rule allow ANY traffic into the CN? You can
      probably have an "empty" Dest Options header, right?
    * Sec. 7 is way too mild. We are allowing DoS into any node, not
      just the HA. MNs/CNs are always softer targets than the HA.

Thanks,
    Yaron

Suresh Krishnan wrote:

> Hi Folks,
>   Here is v01 of the draft. Since I have not heard back from Qiu Ying 
> regarding my comments, I have not included the MN part yet. I will try 
> to wait until Sunday to submit this in case there are any comments.
>
> Cheers
> Suresh
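The per-destination rate limiting proposed for section 6.1, together with the classification question raised for rule 4.3 (an "empty" Dest Options header in front of arbitrary payload), worked through in an added Python model. This is not code from the draft or from anyone in this thread; the packet representation, the token-bucket parameters and the mapping of rules to protocols (ESP, IKE over UDP/500, Mobility Header) are assumptions made for the illustration.

```python
from collections import defaultdict

# IANA next-header numbers; IKE runs over UDP port 500.
ESP, DEST_OPTS, MOBILITY_HEADER, UDP, TCP = 50, 60, 135, 17, 6
IKE_PORT = 500
EXT_HEADERS = {0, 43, 44, 60}  # Hop-by-Hop, Routing, Fragment, Dest Options


class TokenBucket:
    """Token bucket refilled at `rate` tokens/second, holding at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst, self.tokens, self.last = rate, burst, burst, None

    def allow(self, now):
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class HAFirewall:
    """Admission decisions for traffic toward the home network (assumed model).

    A packet (constructed, not a real parse) is a dict with `dst`, the chain of
    next-header values after the IPv6 base header, and for UDP a `dport`.
    ESP, IKE and Mobility Header traffic is admitted, anything else dropped; the
    Mobility Header rule is rate-limited per destination as section 6.1 proposes.
    """
    def __init__(self, rate=10.0, burst=20):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    @staticmethod
    def upper_layer(pkt):
        # Walk past extension headers so that an empty Dest Options header in
        # front of the payload (the rule 4.3 concern) does not decide the match.
        return next((h for h in pkt["headers"] if h not in EXT_HEADERS), None)

    def admit(self, pkt, now):
        proto = self.upper_layer(pkt)
        if proto == ESP:
            return "accept:esp"
        if proto == UDP and pkt.get("dport") == IKE_PORT:
            return "accept:ike"
        if proto == MOBILITY_HEADER:
            if self.buckets[pkt["dst"]].allow(now):
                return "accept:mh"
            return "drop:mh-rate-limited"
        return "drop:default"
```

Each destination gets its own bucket, so a flood of Mobility Header packets at one MN does not consume the budget of another, while TCP hidden behind a Dest Options header is still matched on its real upper-layer protocol.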