[Mip6-firewall] HA behind firewall - proposal

QIU Ying qiuying at i2r.a-star.edu.sg
Thu Jun 28 11:23:58 EDT 2007


Hi,

----- Original Message ----- 
From: "Vijay Devarapalli" <vijay.devarapalli at azairenet.com>
To: "Suresh Krishnan" <suresh.krishnan at ericsson.com>
Cc: <mip6-firewall at zeke.ecotroph.net>
Sent: Thursday, June 28, 2007 10:01 PM
Subject: Re: [Mip6-firewall] HA behind firewall - proposal


> Suresh,
>
> This does address bootstrapping the MIPv6 home address via the
> IKEv2 exchange. The home address would be unknown until then.

Yes. Configuring the firewall per HoA cannot always let all messages from the MN 
through the firewall.

>
> What we might want to add is to require the firewall to allow all
> IKEv2 messages also through to the home agent address.

Agree. I think it is one of the major issues of the firewall solution.

Regards
Qiu Ying

>
> Vijay
>
> Suresh Krishnan wrote:
>> Hi Folks,
>>    I feel that a BCP for firewall admins would be the best way to
>> address the HA being behind a firewall.
>>
>> * This firewall MUST NOT drop IPsec traffic bound to the Home Agent. The
>> home agent address needs to be configured on the firewall to explicitly
>> allow all IPsec traffic. If this traffic is found to be not legitimate,
>> a host-based firewall or the HA implementation can drop the packet.
>> * If an MN is providing services (i.e. allows incoming connections), the
>> firewall needs to allow connection requests with the MN HoA as the
>> destination address. The address(es) of such MN(s) need to be configured
>> on the firewalls
>> * The firewall MUST permit all HoT messages with a destination address
>> of a known MN HoA, if there was a HoTI message sent out with the same
>> source address. The firewall might verify if the home test init cookie
>> matches the one sent
>>
>> I believe that these rules are reasonable, but some of these might not
>> be acceptable to firewall admins. But, since the home network is
>> providing a service, there is not much room to maneuver without changing
>> the MIP6 protocol and end nodes (which might be another option).
>>
>> Cheers
>> Suresh
>> _______________________________________________
>> Mip6-firewall mailing list
>> Mip6-firewall at zeke.ecotroph.net
>> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall

