[Mip6-firewall] HA Firewall BCP draft

Suresh Krishnan suresh.krishnan at ericsson.com
Fri Jun 29 10:58:20 EDT 2007


Hi Gabor,
   I see your point. We need to cover the cases when HA is behind 
firewall, MN is behind firewall and CN is behind firewall. But since the 
HA f/w is the most straightforward one to tackle, we started with that. 
This is certainly not the end of the work. There is a lot more left to do 
:-). We also agreed that RO is really essential, but we need to start 
with making Bi-directional tunneled traffic work first before we tackle RO.

Cheers
Suresh

Gabor.Bajko at nokia.com wrote:
> Suresh,
> 
> In section 3.2, we should mention that even though HoTI/HoT may pass
> through the fw when the specified pattern is created, when there is a fw
> on the path between the MN and CN, CoTI/CoT will not, as they are sent
> from untrusted addresses. Thus without additional mechanism to create
> the necessary pattern, the RRT will not be successful. 
> MIP6 is designed to work even without RO as the MN falls back to reverse
> tunnelling through the HA when RRT fails, a direct path without
> involving intermediaries would be desirable by real-time, delay
> sensitive applications. 
> 
> It might be better to consider the scenarios when the HA is behind fw,
> the MN is behind fw, the CN is behind fw and a combination of these
> separately.
> 
> Do we want to talk in the draft about the relation between fw rules and
> ipsec policies?
> 
> - gabor
> 
> 
> -----Original Message-----
> From: mip6-firewall-bounces at zeke.ecotroph.net
> [mailto:mip6-firewall-bounces at zeke.ecotroph.net] On Behalf Of ext Suresh
> Krishnan
> Sent: Thursday, June 28, 2007 9:45 PM
> To: mip6-firewall at zeke.ecotroph.net
> Subject: [Mip6-firewall] HA Firewall BCP draft
> 
> Hi Folks,
>    Here is the first cut of the firewall draft as promised. Please take
> some time to review this. I have not had the time to settle the author
> list yet. So if you would like to be included as a listed author, please
> let me know.
> 
> Cheers
> Suresh


