[Mip6-firewall] HA behind firewall - proposal

Yaron Sheffer yaronf at checkpoint.com
Thu Jun 28 16:26:35 EDT 2007


Hi Niklas,


thank you, this is very clear now.


I think the ESP rule into the HA (section 1) is not an issue. If you 
implement ESP, you need to deal with all that this implies, including 
possible denial of service attacks.


I agree that the rule for data traffic (allow anything to the HoA, sec. 
4) is in general out of the question.


Thanks,

    Yaron


Niklas Steinleitner wrote:

> Hi Suresh, all,
>
> as promised, an overview about the required firewall pinholes to let 
> the messages traverse the firewall.
>
> As written in the document, a pinhole for incoming packets to the HoA 
> is from my point of view not a good solution. This is a very general 
> firewall pinhole and would allow all kinds of traffic toward the HoA. I 
> think no administrator will install such a firewall rule in his 
> environment. Therefore, I propose to leave this issue open (at least for 
> the moment) and study how this can be handled with the help of a dynamic 
> solution (e.g. M-ICE).
>
> Regards,
> Niklas
>
> Suresh Krishnan wrote:
>
>> Hi Folks,
>>   I feel that a BCP for firewall admins would be the best way to 
>> address the HA being behind a firewall.
>>
>> * This firewall MUST NOT drop IPSec traffic bound to the Home Agent. 
>> The home agent address needs to be configured on the firewall to 
>> explicitly allow all IPSec traffic. If this traffic is found to be 
>> not legitimate, a host based firewall or the HA implementation can 
>> drop the packet.
>> * If an MN is providing services (i.e. allows incoming connections), 
>> the firewall needs to allow connection requests with the MN HoA as 
>> the destination address. The address(es) of such MN(s) need to be 
>> configured on the firewalls.
>> * The firewall MUST permit all HoT messages with a destination 
>> address of a known MN HoA, if there was a HoTI message sent out with 
>> the same source address. The firewall might verify if the home test 
>> init cookie matches the one sent.
>>
>> I believe that these rules are reasonable, but some of these might 
>> not be acceptable to firewall admins. But, since the home network is 
>> providing a service, there is not much room to maneuver without 
>> changing the MIP6 protocol and end nodes (which might be another 
>> option).
>>
>> Cheers
>> Suresh
>> _______________________________________________
>> Mip6-firewall mailing list
>> Mip6-firewall at zeke.ecotroph.net
>> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
>>  
>>
>
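As an added illustration (not code from this thread or from any MIPv6 or firewall implementation), the following Python models the stateful version of the rules Suresh lists: ESP to the HA address is passed, a HoT to a known HoA is passed only when a HoTI for the same (HoA, CN) pair went out and the Home Init Cookie matches, and other traffic to the HoA is denied rather than opened by the broad pinhole Niklas objects to. Addresses, cookies and the packet builder are constructed sample values; the Mobility Header field offsets follow RFC 3775.

```python
import struct

MH_NEXT_HEADER = 135   # IPv6 Next Header value for the Mobility Header
ESP_NEXT_HEADER = 50   # IPv6 Next Header value for ESP
MH_HOTI, MH_HOT = 1, 3 # Mobility Header types: Home Test Init, Home Test

def parse_mobility_header(payload):
    """Return (mh_type, home_init_cookie) from a Mobility Header payload."""
    # Fixed part (6 bytes): payload proto, header len, MH type, reserved, checksum.
    _, _, mh_type, _, _ = struct.unpack("!BBBBH", payload[:6])
    # HoTI data: Reserved(2) + Home Init Cookie(8); HoT data: Home Nonce
    # Index(2) + Home Init Cookie(8) + Home Keygen Token(8). The cookie sits
    # at offset 8 in both message types.
    cookie = payload[8:16] if mh_type in (MH_HOTI, MH_HOT) else None
    return mh_type, cookie

def build_mh(mh_type, cookie):
    """Constructed (checksum left zero) HoTI or HoT Mobility Header for tests."""
    data = b"\x00\x00" + cookie + (b"\x00" * 8 if mh_type == MH_HOT else b"")
    return struct.pack("!BBBBH", 59, (6 + len(data) - 8) // 8, mh_type, 0, 0) + data

class HomeNetworkFirewall:
    """Stateful pinhole logic for a firewall in front of the Home Agent."""
    def __init__(self, ha_addr, known_hoas):
        self.ha_addr = ha_addr
        self.known_hoas = set(known_hoas)
        self.pending = {}  # (HoA, CN) -> Home Init Cookie of the outbound HoTI

    def outbound(self, src, dst, next_header, payload):
        # Remember each HoTI leaving the home network with a known HoA as source.
        if next_header == MH_NEXT_HEADER and src in self.known_hoas:
            mh_type, cookie = parse_mobility_header(payload)
            if mh_type == MH_HOTI:
                self.pending[(src, dst)] = cookie
        return True

    def inbound(self, src, dst, next_header, payload):
        # Rule 1: never drop IPsec (ESP) bound for the Home Agent.
        if dst == self.ha_addr and next_header == ESP_NEXT_HEADER:
            return True
        # Rule 3: HoT to a known HoA only if the matching HoTI went out,
        # and only when the Home Init Cookie matches the one we recorded.
        if next_header == MH_NEXT_HEADER and dst in self.known_hoas:
            mh_type, cookie = parse_mobility_header(payload)
            if mh_type == MH_HOT and self.pending.get((dst, src)) == cookie:
                del self.pending[(dst, src)]  # one HoT per HoTI, no replay
                return True
        return False  # default deny: no general pinhole toward the HoA

def demo():
    """Constructed exchange: returns the firewall's five allow/deny decisions."""
    ha, hoa, cn = "2001:db8:1::1", "2001:db8:1::100", "2001:db8:2::1"
    fw = HomeNetworkFirewall(ha, [hoa])
    cookie = bytes(range(8))
    fw.outbound(hoa, cn, MH_NEXT_HEADER, build_mh(MH_HOTI, cookie))
    return (fw.inbound(cn, hoa, MH_NEXT_HEADER, build_mh(MH_HOT, cookie)),   # HoT, good cookie
            fw.inbound(cn, hoa, MH_NEXT_HEADER, build_mh(MH_HOT, cookie)),   # replayed HoT
            fw.inbound(cn, hoa, MH_NEXT_HEADER, build_mh(MH_HOT, bytes(8))), # wrong cookie
            fw.inbound(cn, ha, ESP_NEXT_HEADER, b"\x00" * 16),               # ESP to the HA
            fw.inbound(cn, hoa, 6, b""))                                     # TCP to the HoA
```

`demo()` returns `(True, False, False, True, False)`: only the first HoT with the recorded cookie and the ESP packet to the HA pass; the replay, the bad cookie and plain TCP toward the HoA are dropped.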