[Mip6-firewall] HA behind firewall - proposal

Yaron Sheffer yaronf at checkpoint.com
Thu Jun 28 15:48:44 EDT 2007


I agree that we need to add an IKEv2 pinhole. But note that the mere 
fact of having an IKEv2 exchange from address X does not mean that it 
was successful and all later ESP packets from the same address are 
legitimate.


    Yaron


Vijay Devarapalli wrote:

> Suresh,
>
> This does address bootstrapping the MIPv6 home address via the
> IKEv2 exchange. The home address would be unknown until then.
>
> What we might want to add is to require the firewall to allow all
> IKEv2 messages also through to the home agent address.
>
> Vijay
>
> Suresh Krishnan wrote:
>   
>> Hi Folks,
>>    I feel that a BCP for firewall admins would be the best way to 
>> address the HA being behind a firewall.
>>
>> * This firewall MUST NOT drop IPSec traffic bound to the Home Agent. The 
>> home agent address needs to be configured on the firewall to explicitly 
>> allow all IPSec traffic. If this traffic is found to be not legitimate, 
>> a host based firewall or the HA implementation can drop the packet.
>> * If an MN is providing services (i.e. allows incoming connections), the 
>> firewall needs to allow connection requests with the MN HoA as the 
>> destination address. The address(es) of such MN(s) need to be configured 
>> on the firewalls.
>> * The firewall MUST permit all HoT messages with a destination address 
>> of a known MN HoA, if there was a HoTI message sent out with the same 
>> source address. The firewall might verify if the home test init cookie 
>> matches the one sent.
>>
>> I believe that these rules are reasonable, but some of these might not 
>> be acceptable to firewall admins. But, since the home network is 
>> providing a service, there is not much room to maneuver without changing 
>> the MIP6 protocol and end nodes (which might be another option).
>>
>> Cheers
>> Suresh
>> _______________________________________________
>> Mip6-firewall mailing list
>> Mip6-firewall at zeke.ecotroph.net
>> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
>
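As an added illustration, not code from this thread or from any firewall product, the following Python model turns the three rules Suresh proposes into a small stateful policy: a static allow for IPsec and IKE bound to the home agent, a static allow for inbound connections to MNs that provide services, and a dynamic pinhole that admits a HoT only after a HoTI left with the same HoA as source, with the optional cookie check applied. It also makes Yaron's point concrete: the IKE/ESP rule is address-based, so the firewall never learns whether the IKEv2 exchange succeeded, and ESP to the HA passes by rule 1 regardless; dropping illegitimate ESP is left to the HA or a host-based firewall, as the proposal itself says. The addresses, cookies, packet model and `pinhole_ttl` are constructed for the example; the protocol numbers and Mobility Header type codes are the real IANA values.

```python
"""Toy stateful firewall policy for a MIPv6 home network (added example;
not code from the Mip6-firewall thread or any real firewall).
Addresses, cookies and the Packet model are constructed for illustration."""
from dataclasses import dataclass, field
import time
from typing import Optional

# IANA protocol numbers (real values)
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_ESP = 50
PROTO_AH = 51
PROTO_MH = 135           # IPv6 Mobility Header
IKE_PORTS = {500, 4500}  # IKE and IKE-over-UDP (NAT traversal)

# Mobility Header message types (real values)
MH_HOTI = 1  # Home Test Init, MN -> CN via the HA
MH_HOT = 3   # Home Test, CN -> MN home address


@dataclass
class Packet:
    """Simplified view of the fields the policy needs (constructed model)."""
    src: str
    dst: str
    proto: int
    direction: str                   # "in" (towards the home network) or "out"
    dport: Optional[int] = None      # transport destination port, if any
    mh_type: Optional[int] = None    # Mobility Header type, if proto == PROTO_MH
    cookie: Optional[bytes] = None   # 8-byte Home Init Cookie carried in HoTI/HoT


@dataclass
class HomeFirewall:
    ha_addrs: set                    # configured home agent address(es)   (rule 1)
    service_hoas: set                # HoAs of MNs that accept connections (rule 2)
    pinhole_ttl: float = 60.0        # lifetime of a HoTI->HoT pinhole (assumed value)
    # (home address, correspondent) -> (cookie seen in HoTI, expiry time)
    hot_pinholes: dict = field(default_factory=dict)

    def filter(self, pkt: Packet, now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        # Rule 1: never drop IPsec or IKEv2 bound for the home agent.  Note that
        # this is purely address based: seeing IKE from a peer says nothing about
        # whether the exchange succeeded, so ESP from that peer is admitted here
        # and must be judged by the HA or a host-based firewall.
        if pkt.direction == "in" and pkt.dst in self.ha_addrs:
            if pkt.proto in (PROTO_ESP, PROTO_AH):
                return "ALLOW:ipsec-to-ha"
            if pkt.proto == PROTO_UDP and pkt.dport in IKE_PORTS:
                return "ALLOW:ike-to-ha"
        # Rule 3, state creation: an outbound HoTI from a HoA opens a pinhole
        # keyed on (HoA, CN) and remembers the Home Init Cookie it carried.
        if pkt.direction == "out" and pkt.proto == PROTO_MH and pkt.mh_type == MH_HOTI:
            self.hot_pinholes[(pkt.src, pkt.dst)] = (pkt.cookie, now + self.pinhole_ttl)
            return "ALLOW:hoti-out"
        # Rule 3, state use: an inbound HoT passes only through a live pinhole
        # whose cookie matches; the pinhole is consumed by the first good HoT.
        if pkt.direction == "in" and pkt.proto == PROTO_MH and pkt.mh_type == MH_HOT:
            key = (pkt.dst, pkt.src)
            entry = self.hot_pinholes.get(key)
            if entry is None:
                return "DROP:hot-without-hoti"
            cookie, expiry = entry
            if now > expiry:
                del self.hot_pinholes[key]
                return "DROP:hot-pinhole-expired"
            if cookie != pkt.cookie:
                return "DROP:hot-cookie-mismatch"
            del self.hot_pinholes[key]
            return "ALLOW:hot-in"
        # Rule 2: connection requests to MNs configured as providing services.
        if pkt.direction == "in" and pkt.dst in self.service_hoas:
            return "ALLOW:service-hoa"
        if pkt.direction == "out":
            return "ALLOW:outbound"
        return "DROP:default"


def demo() -> dict:
    """Run a constructed packet sequence through the policy and return the verdicts."""
    HA, HOA, SVC, CN = "2001:db8::1", "2001:db8::aa", "2001:db8::bb", "2001:db8:ffff::c"
    fw = HomeFirewall(ha_addrs={HA}, service_hoas={SVC})
    cookie = bytes.fromhex("0123456789abcdef")  # constructed Home Init Cookie
    v = {}
    v["esp_to_ha"] = fw.filter(Packet(CN, HA, PROTO_ESP, "in"), now=0.0)
    v["ike_to_ha"] = fw.filter(Packet(CN, HA, PROTO_UDP, "in", dport=500), now=0.0)
    v["esp_to_host"] = fw.filter(Packet(CN, HOA, PROTO_ESP, "in"), now=0.0)
    v["hot_unsolicited"] = fw.filter(Packet(CN, HOA, PROTO_MH, "in", mh_type=MH_HOT, cookie=cookie), now=0.0)
    v["hoti_out"] = fw.filter(Packet(HOA, CN, PROTO_MH, "out", mh_type=MH_HOTI, cookie=cookie), now=1.0)
    v["hot_bad_cookie"] = fw.filter(Packet(CN, HOA, PROTO_MH, "in", mh_type=MH_HOT, cookie=b"\x00" * 8), now=2.0)
    v["hot_good"] = fw.filter(Packet(CN, HOA, PROTO_MH, "in", mh_type=MH_HOT, cookie=cookie), now=2.0)
    v["hot_replay"] = fw.filter(Packet(CN, HOA, PROTO_MH, "in", mh_type=MH_HOT, cookie=cookie), now=3.0)
    fw.filter(Packet(HOA, CN, PROTO_MH, "out", mh_type=MH_HOTI, cookie=cookie), now=10.0)
    v["hot_expired"] = fw.filter(Packet(CN, HOA, PROTO_MH, "in", mh_type=MH_HOT, cookie=cookie), now=100.0)
    v["syn_to_service"] = fw.filter(Packet(CN, SVC, PROTO_TCP, "in", dport=22), now=0.0)
    return v


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} {verdict}")
```

The ordering is deliberate: the HoT check runs before the service-MN rule, so even a HoA that accepts incoming connections only receives a HoT that answers a HoTI it actually sent. Consuming the pinhole on the first matching HoT and expiring it after `pinhole_ttl` keeps the state table from growing with stale entries, which is the kind of detail a firewall admin would want spelled out before accepting rule 3.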

