[Mip6-firewall] HA behind firewall - proposal

Hannes Tschofenig Hannes.Tschofenig at gmx.net
Thu Jun 28 15:51:59 EDT 2007


That's indeed a problem.

That's why a number of folks came up with solutions to let signaling 
messages look exactly like data packets. It's annoying when the 
signaling traffic is able to pass through and subsequently the data 
traffic is blocked.

Ciao
Hannes

Yaron Sheffer wrote:
> I agree that we need to add an IKEv2 pinhole. But note that the mere 
> fact of having an IKEv2 exchange from address X does not mean that it 
> was successful and all later ESP packets from the same address are 
> legitimate.
>
>
>    Yaron
>
>
> Vijay Devarapalli wrote:
>
>> Suresh,
>>
>> This does address bootstrapping the MIPv6 home address via the
>> IKEv2 exchange. The home address would be unknown until then.
>>
>> What we might want to add is to require the firewall to allow all
>> IKEv2 messages also through to the home agent address.
>>
>> Vijay
>>
>> Suresh Krishnan wrote:
>>  
>>> Hi Folks,
>>>    I feel that a BCP for firewall admins would be the best way to 
>>> address the HA being behind a firewall.
>>>
>>> * This firewall MUST NOT drop IPsec traffic bound to the Home Agent. 
>>> The home agent address needs to be configured on the firewall to 
>>> explicitly allow all IPsec traffic. If this traffic is found to be 
>>> not legitimate, a host-based firewall or the HA implementation can 
>>> drop the packet.
>>> * If an MN is providing services (i.e. allows incoming connections), 
>>> the firewall needs to allow connection requests with the MN HoA as 
>>> the destination address. The address(es) of such MN(s) need to be 
>>> configured on the firewalls.
>>> * The firewall MUST permit all HoT messages with a destination 
>>> address of a known MN HoA, if there was a HoTI message sent out with 
>>> the same source address. The firewall might verify if the home test 
>>> init cookie matches the one sent.
>>>
>>> I believe that these rules are reasonable, but some of these might 
>>> not be acceptable to firewall admins. But, since the home network is 
>>> providing a service, there is not much room to maneuver without 
>>> changing the MIP6 protocol and end nodes (which might be another 
>>> option).
>>>
>>> Cheers
>>> Suresh
>>> _______________________________________________
>>> Mip6-firewall mailing list
>>> Mip6-firewall at zeke.ecotroph.net
>>> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
>>>     
>>
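A small stateful model of the three firewall rules Suresh proposes, added here as an illustration and not code from the thread or from any MIPv6 implementation; the addresses, the `Packet` and `HAFirewall` names and the one-shot HoT pinhole are constructed assumptions. It also reflects Yaron's point: the IPsec/IKEv2 pinhole keys on the HA address, not on which peer address last ran an IKEv2 exchange.

```python
from dataclasses import dataclass, field

ESP, AH, UDP, MH = 50, 51, 17, 135   # IPv6 next-header values
HOTI, HOT = 1, 3                     # Mobility Header types (HoTI, HoT)
IKE_PORTS = {500, 4500}              # IKEv2 over UDP, plain and NAT-T

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    dport: int = 0
    mh_type: int = -1      # Mobility Header type when proto == MH
    cookie: bytes = b""    # Home Init Cookie carried by HoTI / echoed in HoT
    inbound: bool = True   # True: arriving from outside the home network

@dataclass
class HAFirewall:
    """Stateful model of the proposed rules (assumed design, not a real product)."""
    ha_addr: str
    served_mns: set = field(default_factory=set)       # HoAs allowed to accept connections
    pending_hoti: dict = field(default_factory=dict)   # HoA -> cookies of HoTIs sent out

    def filter(self, pkt: Packet) -> bool:
        """Return True if the packet is permitted through the home-network firewall."""
        if not pkt.inbound:
            # Remember each HoTI leaving the home network so the matching HoT can return.
            if pkt.proto == MH and pkt.mh_type == HOTI:
                self.pending_hoti.setdefault(pkt.src, set()).add(pkt.cookie)
            return True
        # Rule 1: IPsec and IKEv2 bound for the HA are never dropped here; the HA
        # (or a host-based firewall on it) decides whether they are legitimate.
        # Keying on the HA address, not on the peer, avoids trusting "X did IKEv2".
        if pkt.dst == self.ha_addr and (
            pkt.proto in (ESP, AH) or (pkt.proto == UDP and pkt.dport in IKE_PORTS)
        ):
            return True
        # Rule 3: a HoT to a known HoA passes only against a HoTI with the same
        # cookie; the pinhole is closed once used (assumption, to limit replays).
        if pkt.proto == MH and pkt.mh_type == HOT:
            cookies = self.pending_hoti.get(pkt.dst, set())
            if pkt.cookie in cookies:
                cookies.discard(pkt.cookie)
                return True
            return False
        # Rule 2: any other inbound traffic reaches only MNs configured as servers.
        return pkt.dst in self.served_mns
```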


