[Mip6-firewall] HA behind firewall - proposal

QIU Ying qiuying at i2r.a-star.edu.sg
Thu Jun 28 11:18:21 EDT 2007


Hi,

My two cents are inline:

----- Original Message ----- 
From: "Suresh Krishnan" <suresh.krishnan at ericsson.com>
To: <mip6-firewall at zeke.ecotroph.net>
Sent: Thursday, June 28, 2007 9:50 PM
Subject: [Mip6-firewall] HA behind firewall - proposal


> Hi Folks,
>   I feel that a BCP for firewall admins would be the best way to
> address the HA being behind a firewall.
>
> * This firewall MUST NOT drop IPSec traffic bound to the Home Agent. The
> home agent address needs to be configured on the firewall to explicitly
> allow all IPSec traffic. If this traffic is found to be not legitimate,
> a host based firewall or the HA implementation can drop the packet

Opening the firewall to all IPsec traffic is high risk because IPsec 
processing is computationally heavy. It is easy to attack by flooding.

> * If an MN is providing services (i.e. allows incoming connections), the
> firewall needs to allow connection requests with the MN HoA as the
> destination address. The address(es) of such MN(s) need to be configured
> on the firewalls

We can configure for the HoA but cannot configure for the CoA (which always 
changes). And any packet with the CoA as the source address is blocked by the 
firewall.

> * The firewall MUST permit all HoT messages with a destination address
> of a known MN HoA, if there was a HoTI message sent out with the same
> source address. The firewall might verify if the home test init cookie
> matches the one sent

The HoTI is encrypted by IPsec on the path MN-HA (refer to RFC 3776). So the 
firewall is not able to verify the HoTI message.

Therefore, I think the reasonable and practicable solution is to configure 
the firewall to allow all traffic with mobility protocol 135. In fact, there 
are merely 6 messages with protocol 135 (HoTI, HoT, CoTI, CoT, BU and BA). All 
of these messages are small and easy to process. So opening protocol 135 would 
not bring any serious security issue.

Regards
Qiu Ying


>
> I believe that these rules are reasonable, but some of these might not
> be acceptable to firewall admins. But, since the home network is
> providing a service, there is not much room to maneuver without changing
> the MIP6 protocol and end nodes (which might be another option).
>
> Cheers
> Suresh
> _______________________________________________
> Mip6-firewall mailing list
> Mip6-firewall at zeke.ecotroph.net
> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall 
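Added example (not code from either poster): a small packet classifier that makes the two points in this exchange concrete. A Mobility Header (next header 135) exposes its MH type, so a firewall can allow-list the message types named in the mail; an ESP packet (next header 50) hides the inner HoTI, so the firewall can only match on the destination being the HA. Packets and addresses are constructed placeholders; the allow-list of six MH types follows the mail and is an assumption of this example.

```python
import ipaddress
import struct

MOBILITY_HEADER = 135   # IPv6 next-header value for the MIPv6 Mobility Header
ESP = 50                # IPsec ESP: payload is opaque to a middlebox
# MH types listed in the mail (RFC 3775 type codes); assumed allow-list
ALLOWED_MH_TYPES = {1: "HoTI", 2: "CoTI", 3: "HoT", 4: "CoT", 5: "BU", 6: "BA"}


def build_ipv6(src, dst, next_header, payload):
    """Constructed IPv6 packet: 40-byte fixed header + payload, no ext headers."""
    hdr = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header, 64,
                      ipaddress.IPv6Address(src).packed,
                      ipaddress.IPv6Address(dst).packed)
    return hdr + payload


def build_mh(mh_type, data):
    """Mobility Header: payload proto 59 (no next header), Hdr Len in 8-octet
    units minus one, MH type, reserved, checksum (zeroed: not the point here),
    then message data. Caller pads data so the total is a multiple of 8."""
    return struct.pack("!BBBBH", 59, (6 + len(data)) // 8 - 1, mh_type, 0, 0) + data


def classify(packet, home_agent):
    """Firewall verdict for one packet: pass a Mobility Header whose MH type is
    on the allow-list, pass ESP only when addressed to the HA (its contents
    cannot be verified), drop everything else. Returns (verdict, reason)."""
    next_header = packet[6]
    dst = ipaddress.IPv6Address(packet[24:40])
    if next_header == MOBILITY_HEADER:
        mh_type = packet[40 + 2]          # third octet of the Mobility Header
        name = ALLOWED_MH_TYPES.get(mh_type)
        return ("PASS", name) if name else ("DROP", f"MH type {mh_type}")
    if next_header == ESP:
        # A HoTI tunnelled to the HA is inside ESP: only the destination is visible.
        if dst == home_agent:
            return ("PASS", "ESP to HA, contents unverifiable")
        return ("DROP", "ESP not addressed to HA")
    return ("DROP", f"next header {next_header}")
```

The HoTI case shows why the "verify the cookie" rule cannot be enforced: for the tunnelled copy the firewall never sees an MH type, let alone a cookie.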

