[Mip6-firewall] HA Firewall BCP draft
QIU Ying
qiuying at i2r.a-star.edu.sg
Fri Jun 29 05:31:17 EDT 2007
Hi, Niklas
OK. I choose MN behind firewall.
Regards
Qiu Ying
----- Original Message -----
From: Niklas Steinleitner
To: QIU Ying
Cc: Suresh Krishnan ; mip6-firewall at zeke.ecotroph.net
Sent: Friday, June 29, 2007 5:10 PM
Subject: Re: [Mip6-firewall] HA Firewall BCP draft
Hi Qiu, all,
QIU Ying schrieb:
Hi, Suresh
The file looks good. But I have argument on section 3.2.
According to RFC 3776, the HoTI/HoT messages between MN and HA is
encapsulated by ESP. So it is not need a special configuration for HoT
message.
Section 3.2 specifies the firewall pinhole for the HoT message from the CN to HA, which is not protected by IPsec ESP. Therefore, we need a pinhole to let this message traverse.
What you are talking about here, is the HoT message from the HA to the MN. This message is ESP encapsulated and it is not necessary to install additional rules.
Since checking protocol number is more popular than the header type, why not
just filter the mobility protocol number (it is 135 according to RFC3775)
for these signaling messages?
This is one option.
However, administrators typically follow the policy to allow only as little as possible. If it is possible to specify a pinhole as fine as possible, i think most of the administrators will do this; at least our administrators will do ;-)
If not objected, I would like to add sections about "CN behind a firewall"
and "MN behind a firewall". The process of CN behind firewall would be
similar as HA behind firewall, but the CoTI/CoT is never protect by ipsec.
The process of MN behind firewall is a bit complicated as the
source/destination address CoA is changed frequently. I hope I could finish
by tomorrow.
This is a good idea. I'm willing to help with this. What about divide the two scenarios? Which one do you prefer :-)
"CN behind a firewall" or "MN behind a firewall"?
Regards,
Niklas
Regards
Qiu Ying
----- Original Message -----
From: "Suresh Krishnan" <suresh.krishnan at ericsson.com>
To: <mip6-firewall at zeke.ecotroph.net>
Sent: Friday, June 29, 2007 12:45 PM
Subject: [Mip6-firewall] HA Firewall BCP draft
Hi Folks,
Here is the first cut of the firewall draft as promised. Please take
some time to review this. I have not had the time to settle the author
list yet.So if you would like to be included as an listed author, please
let me know.
Cheers
Suresh
------------ Institute For Infocomm Research - Disclaimer -------------This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you.--------------------------------------------------------
_______________________________________________
Mip6-firewall mailing list
Mip6-firewall at zeke.ecotroph.net
https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
--
Niklas Steinleitner Tel: +49 551 3913583
Institute for Informatics steinleitner at cs.uni-goettingen.de
University of Göttingen http://www.tmg.informatik.uni-goettingen.de
Lotzestrasse 16-18
D-37083 Göttingen, Germany
------------ Institute For Infocomm Research - Disclaimer -------------This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you.--------------------------------------------------------
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://zeke.ecotroph.net/pipermail/mip6-firewall/attachments/20070629/5afb7463/attachment.html
More information about the Mip6-firewall
mailing list