[Mip6-firewall] HA behind firewall - proposal
Niklas Steinleitner
steinleitner at cs.uni-goettingen.de
Thu Jun 28 09:59:24 EDT 2007
Hi Suresh,
Suresh Krishnan wrote:
> Hi Folks,
> I feel that a BCP for firewall admins would be the best way to
> address the HA being behind a firewall.
>
> * This firewall MUST NOT drop IPSec traffic bound to the Home Agent. The
> home agent address needs to be configured on the firewall to explicitly
> allow all IPSec traffic. If this traffic is found to be not legitimate,
> a host based firewall or the HA implementation can drop the packet
> * If an MN is providing services (i.e. allows incoming connections), the
> firewall needs to allow connection requests with the MN HoA as the
> destination address. The address(es) of such MN(s) need to be configured
> on the firewalls
> * The firewall MUST permit all HoT messages with a destination address
> of a known MN HoA, if there was a HoTI message sent out with the same
> source address. The firewall might verify if the home test init cookie
> matches the one sent
>
How to match against a HoT?
The only possibility I see here is to allow messages with a
destination address of a known MN HoA and Mobility Header Type 3!
Niklas
> I believe that these rules are reasonable, but some of these might not
> be acceptable to firewall admins. But, since the home network is
> providing a service, there is not much room to maneuver without changing
> the MIP6 protocol and end nodes (which might be another option).
>
> Cheers
> Suresh
> _______________________________________________
> Mip6-firewall mailing list
> Mip6-firewall at zeke.ecotroph.net
> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
>
--
Niklas Steinleitner Tel: +49 551 3913583
Institute for Informatics steinleitner at cs.uni-goettingen.de
University of Göttingen http://www.tmg.informatik.uni-goettingen.de
Lotzestrasse 16-18
D-37083 Göttingen, Germany
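The three candidate rules in this thread (Suresh's "permit HoT if a HoTI went out from the same HoA, and maybe check the Home Init Cookie", and Niklas's stateless "known HoA plus Mobility Header type 3") can be compared side by side in a small stateful filter. The code below is an added illustration written for this page, not code from the list or from any firewall product; the addresses, the cookie value and the packets are constructed test data, and the checksum in the constructed Mobility Headers is left at zero. The Mobility Header layout (Payload Proto, Header Len, MH Type, Reserved, Checksum, then message data) and the HoTI/HoT message data layouts follow RFC 3775.

```python
import struct
from ipaddress import IPv6Address

# Mobility Header types (RFC 3775 section 6.1.1) used by the return routability
# home test: the MN sends a HoTI from its HoA to the CN, the CN answers with a HoT.
MH_HOTI = 1  # Home Test Init: 2 reserved bytes, 8-byte Home Init Cookie
MH_HOT = 3   # Home Test: 2-byte Home Nonce Index, 8-byte Home Init Cookie,
             # 8-byte Home Keygen Token


def parse_mobility_header(mh: bytes) -> dict:
    """Parse the Mobility Header fixed part and the HoTI/HoT message data."""
    if len(mh) < 6:
        raise ValueError("mobility header too short")
    _payload_proto, _hdr_len, mh_type, _reserved, checksum = struct.unpack("!BBBBH", mh[:6])
    msg = {"type": mh_type, "checksum": checksum}
    data = mh[6:]
    if mh_type == MH_HOTI:
        if len(data) < 10:
            raise ValueError("HoTI message data too short")
        msg["cookie"] = data[2:10]
    elif mh_type == MH_HOT:
        if len(data) < 18:
            raise ValueError("HoT message data too short")
        msg["nonce_index"] = struct.unpack("!H", data[:2])[0]
        msg["cookie"] = data[2:10]
        msg["keygen_token"] = data[10:18]
    return msg


def build_mh(mh_type: int, data: bytes) -> bytes:
    """Constructed test packets only: pads to 8 octets, checksum left as zero."""
    data = data + b"\x00" * ((-(6 + len(data))) % 8)
    hdr_len = (6 + len(data)) // 8 - 1  # 8-octet units, excluding the first 8
    return struct.pack("!BBBBH", 59, hdr_len, mh_type, 0, 0) + data


class HomeNetworkFirewall:
    """Filter on the home-network border for the HoT rule discussed in the thread.

    mode="stateless": accept if dst is a known MN HoA and MH type is 3 (Niklas).
    mode="stateful":  additionally require an outbound HoTI from that HoA to that CN.
    mode="cookie":    additionally require the HoT's Home Init Cookie to match one
                      recorded from such a HoTI (the optional check Suresh mentions).
    """

    def __init__(self, known_hoas, mode="cookie"):
        if mode not in ("stateless", "stateful", "cookie"):
            raise ValueError(mode)
        self.known_hoas = {IPv6Address(a) for a in known_hoas}
        self.mode = mode
        self.pending = {}  # (HoA, CN) -> set of Home Init Cookies seen in outbound HoTIs

    def outbound(self, src, dst, mh):
        """Record HoTIs leaving the home network so the matching HoT can be let back in."""
        msg = parse_mobility_header(mh)
        src, dst = IPv6Address(src), IPv6Address(dst)
        if msg["type"] == MH_HOTI and src in self.known_hoas:
            self.pending.setdefault((src, dst), set()).add(msg["cookie"])
        return True, "accept"

    def inbound(self, src, dst, mh):
        """Decide on a Mobility Header packet arriving from the Internet."""
        msg = parse_mobility_header(mh)
        src, dst = IPv6Address(src), IPv6Address(dst)
        if msg["type"] != MH_HOT:
            return False, "drop: not a HoT (MH type 3); other types need their own rules"
        if dst not in self.known_hoas:
            return False, "drop: destination is not a known MN home address"
        if self.mode == "stateless":
            return True, "accept: known HoA and MH type 3"
        cookies = self.pending.get((dst, src), set())
        if not cookies:
            return False, "drop: no outstanding HoTI from this HoA to this CN"
        if self.mode == "cookie":
            if msg["cookie"] not in cookies:
                return False, "drop: Home Init Cookie matches no outstanding HoTI"
            cookies.discard(msg["cookie"])  # one HoT per recorded HoTI
        return True, "accept"


HOA = "2001:db8:1::10"                    # constructed MN home address
CN = "2001:db8:2::20"                     # constructed correspondent node
COOKIE = bytes.fromhex("0011223344556677")  # constructed Home Init Cookie


def demo(mode):
    """Run the same five inbound packets through one rule set; returns accept flags."""
    fw = HomeNetworkFirewall([HOA], mode)
    fw.outbound(HOA, CN, build_mh(MH_HOTI, b"\x00\x00" + COOKIE))
    good_hot = build_mh(MH_HOT, b"\x00\x07" + COOKIE + b"\xaa" * 8)
    bad_hot = build_mh(MH_HOT, b"\x00\x07" + bytes(8) + b"\xaa" * 8)
    return [
        fw.inbound(CN, HOA, good_hot)[0],                                 # matching HoT
        fw.inbound(CN, HOA, bad_hot)[0],                                  # wrong cookie
        fw.inbound("2001:db8:3::30", HOA, good_hot)[0],                   # no HoTI to this CN
        fw.inbound(CN, "2001:db8:1::99", good_hot)[0],                    # not a known HoA
        fw.inbound(CN, HOA, build_mh(MH_HOTI, b"\x00\x00" + COOKIE))[0],  # not a HoT
    ]


if __name__ == "__main__":
    for mode in ("stateless", "stateful", "cookie"):
        print(mode, demo(mode))
```

Running `demo` in the three modes shows what each rule buys: the stateless rule admits any MH type 3 packet to a known HoA, the stateful rule also rejects a HoT from a CN that never received a HoTI, and the cookie rule additionally rejects a HoT whose Home Init Cookie does not echo a recorded HoTI. The cookie check is the only one that needs the firewall to parse the message data, which is the cost the thread is weighing.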