[Mip6-firewall] HA behind firewall - proposal

Yaron Sheffer yaronf at checkpoint.com
Thu Jun 28 15:57:09 EDT 2007


Hi Suresh,


My comments below.


Thanks,

    Yaron


Suresh Krishnan wrote:

> Hi Folks,
>    I feel that a BCP for firewall admins would be the best way to 
> address the HA being behind a firewall.
>
> * This firewall MUST NOT drop IPSec traffic bound to the Home Agent. The 
> home agent address needs to be configured on the firewall to explicitly 
> allow all IPSec traffic. If this traffic is found to be not legitimate, 
> a host based firewall or the HA implementation can drop the packet.
> * If an MN is providing services (i.e. allows incoming connections), the 
> firewall needs to allow connection requests with the MN HoA as the 
> destination address. The address(es) of such MN(s) need to be configured 
> on the firewalls.
>   
There are several issues here:

    * The number of MNs may be very large. Not all firewall
      implementations may support such a large number of specific rules,
      or support may not be efficient. Management of these rules will be
      difficult, too.
    * Alternatively, if the operator allows ALL MNs to "provide
      services", then they all will be expected to protect themselves.
      This is not practical today.
    * In either case, network-based firewalls will not be able to deal
      with ESP traffic going into MNs, and will not be able to mitigate
      battery drainage and spectrum sucking attacks.

> * The firewall MUST permit all HoT messages with a destination address 
> of a known MN HoA, if there was a HoTI message sent out with the same 
> source address. The firewall might verify if the home test init cookie 
> matches the one sent.
>
> I believe that these rules are reasonable, but some of these might not 
> be acceptable to firewall admins. But, since the home network is 
> providing a service, there is not much room to maneuver without changing 
> the MIP6 protocol and end nodes (which might be another option).
>
> Cheers
> Suresh
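A small stateful model of the three rules discussed in this exchange, added here as an example; it is not code from the list post or from any MIPv6 implementation. The Mobility Header layout (protocol 135, MH type at byte 2, 8-byte Home Init Cookie at bytes 8..16 of both HoTI and HoT) is assumed from RFC 6275, and all addresses and cookie values are constructed. The per-MN `pending` table makes the scaling concern raised in the reply visible: state grows with the number of MNs.

```python
from dataclasses import dataclass, field

ESP = 50          # IP protocol number for IPsec ESP
MOBILITY = 135    # IP protocol number for the MIPv6 Mobility Header
MH_HOTI, MH_HOT = 1, 3   # MH type values (assumed from RFC 6275)

def build_mh(mh_type: int, cookie: bytes, extra: bytes = b"") -> bytes:
    # Minimal Mobility Header: next hdr (59 = none), hdr len, MH type,
    # reserved, zeroed checksum, 2 bytes reserved/nonce index, 8-byte cookie.
    body = b"\x00\x00" + cookie + extra
    return bytes([59, (len(body) + 6) // 8 - 1, mh_type, 0, 0, 0]) + body

def mh_type(mh: bytes) -> int:
    return mh[2]

def mh_cookie(mh: bytes) -> bytes:
    # Both HoTI and HoT carry the Home Init Cookie at bytes 8..16.
    return mh[8:16]

@dataclass
class Mip6Firewall:
    home_agent: str
    known_hoas: set                                   # HoAs configured on the firewall
    service_hoas: set = field(default_factory=set)    # MNs allowed to accept connections
    pending: dict = field(default_factory=dict)       # HoA -> outstanding HoTI cookies

    def outbound(self, src: str, proto: int, payload: bytes) -> str:
        # Remember a HoTI from a known MN so the matching HoT can be let in.
        # This is per-MN state and grows with the number of MNs.
        if proto == MOBILITY and src in self.known_hoas and mh_type(payload) == MH_HOTI:
            self.pending.setdefault(src, set()).add(mh_cookie(payload))
        return "allow"

    def inbound(self, dst: str, proto: int, payload: bytes) -> str:
        # Rule 1: all IPsec traffic addressed to the HA passes; the HA filters it.
        if dst == self.home_agent and proto == ESP:
            return "allow"
        # Rule 3: HoT to a known HoA passes only if a HoTI with the same
        # cookie went out first; each cookie is consumed by one HoT.
        if proto == MOBILITY and dst in self.known_hoas and mh_type(payload) == MH_HOT:
            cookies = self.pending.get(dst, set())
            if mh_cookie(payload) in cookies:
                cookies.discard(mh_cookie(payload))
                return "allow"
            return "drop"
        # Rule 2: connection requests to MNs configured as service providers.
        if dst in self.service_hoas:
            return "allow"
        return "drop"
```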