[Mip6-firewall] HA behind firewall - proposal

Niklas Steinleitner steinleitner at cs.uni-goettingen.de
Thu Jun 28 12:20:20 EDT 2007


Hi Suresh, all,

as promised, an overview of the required firewall pinholes to let the 
messages traverse the firewall.

As written in the document, a pinhole for incoming packets to the HoA is, 
from my point of view, not a good solution. This is a very general 
firewall pinhole and would allow all kinds of traffic toward the HoA. I 
think no administrator will install such a firewall rule in his 
environment. Therefore, I propose to leave this issue open (at least for 
the moment) and study how this can be handled with the help of a dynamic 
solution (e.g. M-ICE).

Regards,
Niklas

Suresh Krishnan wrote:

>Hi Folks,
>   I feel that a BCP for firewall admins would be the best way to 
>address the HA being behind a firewall.
>
>* This firewall MUST NOT drop IPsec traffic bound to the Home Agent. The 
>home agent address needs to be configured on the firewall to explicitly 
>allow all IPsec traffic. If this traffic is found not to be legitimate, 
>a host-based firewall or the HA implementation can drop the packet.
>* If an MN is providing services (i.e. allows incoming connections), the 
>firewall needs to allow connection requests with the MN HoA as the 
>destination address. The address(es) of such MN(s) need to be configured 
>on the firewalls.
>* The firewall MUST permit all HoT messages with a destination address 
>of a known MN HoA, if there was a HoTI message sent out with the same 
>source address. The firewall might verify if the home test init cookie 
>matches the one sent.
>
>I believe that these rules are reasonable, but some of these might not 
>be acceptable to firewall admins. But, since the home network is 
>providing a service, there is not much room to maneuver without changing 
>the MIP6 protocol and end nodes (which might be another option).
>
>Cheers
>Suresh

-- 
Niklas Steinleitner          Tel: +49 551 3913583
Institute for Informatics    steinleitner at cs.uni-goettingen.de
University of Göttingen      http://www.tmg.informatik.uni-goettingen.de
Lotzestrasse 16-18
D-37083 Göttingen, Germany
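The three rules quoted above can be modelled as a small stateful filter: an unconditional pinhole for IPsec to the HA, static pinholes for MNs configured as offering services, and a per-HoA pinhole for HoT that is opened by an outgoing HoTI and closed once the matching cookie is seen. The following is an added illustration, not code from the thread or the attached proposal; addresses, the protocol labels and the cookie values are constructed, and ESP is taken as IP protocol 50, HoTI/HoT as Mobility Header types 1 and 3 (RFC 3775).

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed home-network configuration (not from the thread).
HA_ADDR = "2001:db8:1::1"                          # Home Agent address
KNOWN_HOAS = {"2001:db8:1::10", "2001:db8:1::20"}  # HoAs served by this HA
SERVICE_HOAS = {"2001:db8:1::10"}                  # MNs that accept inbound connections

@dataclass
class Pkt:
    src: str
    dst: str
    proto: str                      # "esp" (IP proto 50), "mh" (Mobility Header), "tcp", ...
    direction: str                  # "in" = toward the home network, "out" = leaving it
    mh_type: Optional[int] = None   # 1 = HoTI, 3 = HoT
    cookie: Optional[bytes] = None  # Home Init Cookie carried by HoTI and echoed by HoT

@dataclass
class HaFirewall:
    # HoA -> set of Home Init Cookies for which a HoTI has left and no HoT has returned yet
    pending: dict = field(default_factory=dict)

    def decide(self, p: Pkt) -> str:
        # Rule 1: IPsec bound to the HA is never dropped here; legitimacy is
        # decided by the HA itself or a host-based firewall.
        if p.direction == "in" and p.dst == HA_ADDR and p.proto == "esp":
            return "allow"
        # An outgoing HoTI from a known HoA opens a pinhole for the answering HoT.
        if p.direction == "out" and p.proto == "mh" and p.mh_type == 1 and p.src in KNOWN_HOAS:
            self.pending.setdefault(p.src, set()).add(p.cookie)
            return "allow"
        # Rule 3: an incoming HoT is allowed only for a known HoA that sent a HoTI,
        # and only if the cookie matches; the pinhole is one-shot, so a replayed
        # or guessed HoT is dropped.
        if p.direction == "in" and p.proto == "mh" and p.mh_type == 3:
            if p.cookie in self.pending.get(p.dst, set()):
                self.pending[p.dst].discard(p.cookie)
                return "allow"
            return "drop"
        # Rule 2: other inbound traffic only toward HoAs configured as services.
        if p.direction == "in" and p.dst in SERVICE_HOAS:
            return "allow"
        if p.direction == "out":
            return "allow"
        return "drop"
```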

-------------- next part --------------
A non-text attachment was scrubbed...
Name: bcpHAFW.doc
Type: application/msword
Size: 33280 bytes
Desc: not available
Url : http://zeke.ecotroph.net/pipermail/mip6-firewall/attachments/20070628/50536752/attachment-0001.doc 
