[Mip6-firewall] HA Firewall BCP draft v01

Suresh Krishnan suresh.krishnan at ericsson.com
Fri Jul 6 16:01:11 EDT 2007


Yaron Sheffer wrote:
> Hi Suresh, all,
> 
> here are some comments to the baseline -01 draft.
> 
>     * 3.1: wording: "either has to either"...

Fixed.

>     * 3.2: we are assuming that ALL IPv6 endpoints can correctly
>       recognize the Mobility Header. Is this the case today? Otherwise
>       this rule is a major security hole.

I propose adding the following text to the end of section 3.2

"If the firewall does not have the capability to recognize the mobility 
header type, it needs to at least filter on the IP payload protocol type 
135 (Mobility Header) in order to limit the scope of this filter rule."


>     * General: when you configure a firewall, you normally include the
>       allowed traffic types (to enable more granular traffic
>       inspection). So I would add: 3.1 - ESP, 3.2 - No payload (?), 3.3
>       - IKE, 3.4 - Any.

I am not sure I understand. Are you proposing payload inspection?

>     * 3.4: change "This might cause a Denial of Service at the MN" to
>       "This would expose the MN to any type of possibly malicious
>       traffic, resulting in e.g. denial of service or exploitation of
>       known security vulnerabilities. This practice is NOT RECOMMENDED".

OK.

>     * 4.1: this is the same problem as 3.2 - "CN address" is potentially
>       any address in the network. Do we allow any address to receive
>       such traffic from anybody?

OK.


>     * Please add:
> 
> 6. Additional Security Considerations [or else fold into the Sec 
> Considerations]
> 
> 6.1 Traffic Rate Control
> 
> If the rules specified in Sec. 3.2, 3.4, 4.1 are implemented, the 
> firewall MUST be configured to rate-limit such traffic on a 
> per-destination basis. This would allow the firewall to mitigate 
> possible denial of service attacks on the endpoints. Please note that 
> such measures would not mitigate other potential security issues.

I am more for a SHOULD instead of a MUST. Would that be strong enough 
for you? If someone wants to let all traffic through, they should be 
able to.


> 
>     * 4.3: doesn't this rule allow ANY traffic into the CN? You can
>       probably have an "empty" Dest Options header, right?
>     * Sec. 7 is way too mild. We are allowing DOS into any node, not
>       just the HA. MNs/CNs are always softer targets than the HA.

The section was written before I started including text from Niklas and 
Qiu. I will update this.


Cheers
Suresh
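
As an added illustration of the two mechanisms discussed above (matching on IP payload protocol 135 when the firewall cannot parse the Mobility Header type, and a per-destination rate limit on the traffic such a rule admits), the following Python sketch is example code written for this page; it is neither text from the draft nor code from any firewall product. The protocol numbers and header layouts follow RFC 2460 and RFC 3775; the packet builders, the set of permitted MH types, the rate and burst values, and the verdict names are assumptions chosen for the example. It also shows why a rule keyed only on "has a Destination Options header" says nothing about what follows that header.

```python
"""Constructed example: classify IPv6 packets by upper-layer protocol, check the
Mobility Header type when the filter can parse it, and rate-limit per destination.
Not the draft's text or any vendor's firewall code; policy values are assumptions."""
import struct
import ipaddress

IPPROTO_MH = 135        # Mobility Header (RFC 3775)
IPPROTO_NONE = 59       # "No Next Header"; MH carries it in its Payload Proto field
IPPROTO_FRAGMENT = 44   # fixed 8-octet Fragment header
TLV_EXT_HEADERS = {0, 43, 60}   # Hop-by-Hop, Routing, Dest Options: length in 8-octet units
MH_TYPES = {0: "BRR", 1: "HoTI", 2: "CoTI", 3: "HoT", 4: "CoT", 5: "BU", 6: "BAck", 7: "BE"}


def build_ipv6(src, dst, next_header, payload):
    """Constructed IPv6 base header (40 octets) followed by `payload`."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 64,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def build_mh(mh_type, data=b""):
    """Constructed Mobility Header: Payload Proto, Header Len, MH Type, Reserved,
    Checksum (left zero here), Message Data, padded to a multiple of 8 octets."""
    body = struct.pack("!BBBBH", IPPROTO_NONE, 0, mh_type, 0, 0) + data
    body += b"\x00" * (-len(body) % 8)
    return body[:1] + bytes([len(body) // 8 - 1]) + body[2:]


def build_dest_opts(next_header):
    """Constructed 8-octet Destination Options header holding a single PadN option."""
    return struct.pack("!BB", next_header, 0) + b"\x01\x04\x00\x00\x00\x00"


def walk(pkt):
    """Follow the extension-header chain. Returns (upper_proto, offset, dst).
    A non-initial fragment hides its upper header, so it is reported as protocol 44."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, off = pkt[6], 40
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    while True:
        if nh in TLV_EXT_HEADERS:
            if off + 2 > len(pkt):
                raise ValueError("truncated extension header")
            nxt, off = pkt[off], off + (pkt[off + 1] + 1) * 8
        elif nh == IPPROTO_FRAGMENT:
            if off + 8 > len(pkt):
                raise ValueError("truncated fragment header")
            if struct.unpack("!H", pkt[off + 2:off + 4])[0] >> 3 != 0:
                return IPPROTO_FRAGMENT, off, dst
            nxt, off = pkt[off], off + 8
        else:
            return nh, off, dst
        if off > len(pkt):
            raise ValueError("extension header runs past end of packet")
        nh = nxt


def mh_type_of(pkt, off):
    """MH Type octet of the Mobility Header starting at `off`, or None if truncated."""
    return pkt[off + 2] if off + 8 <= len(pkt) else None


class MhFilter:
    """One firewall rule for protocol 135 with a per-destination token bucket.
    allowed_types=None models a firewall that cannot parse MH types and therefore
    matches on the payload protocol alone, as the proposed 3.2 text describes."""

    def __init__(self, allowed_types=None, rate=10.0, burst=20):
        self.allowed = allowed_types
        self.rate, self.burst = rate, burst   # tokens/second, bucket depth (assumed values)
        self.buckets = {}                     # dst -> (tokens, last_update)

    def _take_token(self, dst, now):
        tokens, last = self.buckets.get(dst, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.buckets[dst] = (tokens - 1 if ok else tokens, now)
        return ok

    def decide(self, pkt, now):
        """Returns (verdict, reason); NOMATCH hands the packet to the other rules."""
        try:
            proto, off, dst = walk(pkt)
        except ValueError:
            return "DROP", "malformed"
        if proto != IPPROTO_MH:
            return "NOMATCH", "proto %d" % proto
        if self.allowed is not None:
            t = mh_type_of(pkt, off)
            if t not in self.allowed:
                return "DROP", "MH type %s not permitted" % MH_TYPES.get(t, t)
        if not self._take_token(dst, now):
            return "DROP", "rate limit exceeded for %s" % dst
        return "ACCEPT", "MH %s to %s" % (MH_TYPES.get(mh_type_of(pkt, off)), dst)


if __name__ == "__main__":
    f = MhFilter(allowed_types={5, 6}, rate=1.0, burst=3)   # BU and BAck only (assumed policy)
    mn, ha = "2001:db8::1", "2001:db8::a"
    samples = [
        ("BU", build_ipv6(mn, ha, IPPROTO_MH, build_mh(5))),
        ("BAck behind Dest Opts", build_ipv6(mn, ha, 60, build_dest_opts(IPPROTO_MH) + build_mh(6))),
        ("BE", build_ipv6(mn, ha, IPPROTO_MH, build_mh(7))),
        ("Dest Opts then TCP", build_ipv6(mn, ha, 60, build_dest_opts(6))),
    ] + [("BU flood %d" % i, build_ipv6(mn, ha, IPPROTO_MH, build_mh(5))) for i in range(3)]
    for label, pkt in samples:
        print(label.ljust(24), *f.decide(pkt, 0.0))
```

The "Dest Opts then TCP" sample returns NOMATCH from this rule because `walk()` keeps going past the Destination Options header to whatever protocol follows it; a rule that matched on the presence of that header alone would have admitted the packet regardless of its payload. The token bucket is keyed on the destination address only, so a flood aimed at one MN does not starve traffic to another, but, as the proposed 6.1 text notes, it limits volume and nothing else.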


