[Mip6-firewall] HA Firewall BCP draft

Niklas Steinleitner steinleitner at cs.uni-goettingen.de
Fri Jun 29 05:10:07 EDT 2007 

Hi Qiu, all,

QIU Ying schrieb:
> Hi, Suresh
>
> The file looks good. But I have argument on section 3.2.
>
> According to RFC 3776, the HoTI/HoT messages between MN and HA is 
> encapsulated by ESP. So it is not need a special configuration for HoT 
> message.
>   
Section 3.2 specifies the firewall pinhole for the HoT message from the 
CN to HA, which is not protected by IPsec ESP. Therefore, we need a 
pinhole to let this message traverse.
What you are talking about here, is the HoT message from the HA to the 
MN. This message is ESP encapsulated and it is not necessary to install 
additional rules.
> Since checking protocol number is more popular than the header type, why not 
> just filter the mobility protocol number (it is 135 according to RFC3775) 
> for these signaling messages?
>   
This is one option.
However, administrators typically follow the policy to allow only as 
little as possible. If it is possible to specify a pinhole as fine as 
possible, i think most of the administrators will do this; at least our 
administrators will do ;-)
> If not objected, I would like to add sections about "CN behind a firewall" 
> and "MN behind a firewall".  The process of CN behind firewall would be 
> similar as HA behind firewall, but the CoTI/CoT is never protect by ipsec. 
> The process of MN behind firewall is a bit complicated as the 
> source/destination address CoA is changed frequently. I hope I could finish 
> by tomorrow.
>   
This is a good idea. I'm willing to help with this. What about divide 
the two scenarios? Which one do you prefer :-)
"CN behind a firewall" or "MN behind a firewall"?

Regards,
Niklas
> Regards
> Qiu Ying
>
>
> ----- Original Message ----- 
> From: "Suresh Krishnan" <suresh.krishnan at ericsson.com>
> To: <mip6-firewall at zeke.ecotroph.net>
> Sent: Friday, June 29, 2007 12:45 PM
> Subject: [Mip6-firewall] HA Firewall BCP draft
>
>
>   
>> Hi Folks,
>>   Here is the first cut of the firewall draft as promised. Please take
>> some time to review this. I have not had the time to settle the author
>> list yet.So if you would like to be included as an listed author, please
>> let me know.
>>
>> Cheers
>> Suresh
>>
>>     
>
>
> ------------ Institute For Infocomm Research - Disclaimer -------------This email is confidential and may be privileged.  If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you.--------------------------------------------------------
> _______________________________________________
> Mip6-firewall mailing list
> Mip6-firewall at zeke.ecotroph.net
> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
>   

-- 
Niklas Steinleitner          Tel: +49 551 3913583
Institute for Informatics    steinleitner at cs.uni-goettingen.de
University of Göttingen      http://www.tmg.informatik.uni-goettingen.de
Lotzestrasse 16-18
D-37083 Göttingen, Germany

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://zeke.ecotroph.net/pipermail/mip6-firewall/attachments/20070629/f9c9fca0/attachment-0001.html

More information about the Mip6-firewall mailing list