[Mip6-firewall] HA Firewall BCP draft
Suresh Krishnan
suresh.krishnan at ericsson.com
Fri Jun 29 11:03:45 EDT 2007
Hi Qiu,
QIU Ying wrote:
> Hi, Suresh
>
> The file looks good. But I have an argument on section 3.2.
>
> According to RFC 3776, the HoTI/HoT messages between MN and HA are
> encapsulated by ESP. So there is no need for a special configuration for
> the HoT message.
Section 3.2 talks about the HoTI/HoT messages between the CN and HA. If
you look at section 3.1, I have already covered this:
"It will also allow the HoTI and HoT messages (related to route
optimization) between the MN and the HA to pass through."
>
> Since checking protocol number is more popular than the header type, why
> not just filter the mobility protocol number (it is 135 according to
> RFC3775) for these signaling messages?
If we can specify finer rules, I think it is better. I am willing to
change this if people feel this is better.
>
> If there are no objections, I would like to add sections about "CN behind a
> firewall" and "MN behind a firewall". The process of CN behind firewall
> would be similar to HA behind firewall, but the CoTI/CoT is never
> protected by IPsec. The process of MN behind firewall is a bit complicated
> as the source/destination address CoA is changed frequently. I hope I
> could finish by tomorrow.
Sure.
Cheers
Suresh
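
The two filter granularities discussed in this message (matching any packet with protocol number 135 versus matching on the Mobility Header type), as an added example that is not part of the original post or the draft. The function names, the HoTI/HoT allow-set and the sample packets are assumptions constructed for illustration; MH Type values are those of RFC 3775.

```python
import struct

MOBILITY_HEADER = 135  # IPv6 Next Header value for the Mobility Header
# MH Type values defined in RFC 3775
MH_TYPES = {0: "BRR", 1: "HoTI", 2: "CoTI", 3: "HoT",
            4: "CoT", 5: "BU", 6: "BAck", 7: "BE"}
# Extension headers laid out as (next header, length in 8-octet units minus 1)
EXT_HEADERS = {0, 43, 60}  # Hop-by-Hop, Routing, Destination Options

def mh_type(packet):
    """Name of the MH Type carried by a cleartext IPv6 packet, else None.
    Fragment and ESP headers are not parsed; such packets return None."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return None
    nxt, off = packet[6], 40
    while nxt in EXT_HEADERS:
        if off + 2 > len(packet):
            return None
        nxt, hlen = packet[off], packet[off + 1]
        off += (hlen + 1) * 8
    if nxt != MOBILITY_HEADER or off + 3 > len(packet):
        return None
    # Mobility Header: payload proto, header len, MH type, reserved, checksum
    return MH_TYPES.get(packet[off + 2], "unknown")

def coarse_rule(packet):
    """Pass anything whose upper-layer protocol is 135."""
    return mh_type(packet) is not None

def fine_rule(packet, allowed=("HoTI", "HoT")):
    """Pass only the listed MH types (assumed allow-set for the CN-HA path)."""
    return mh_type(packet) in allowed

def sample(mh, ext=False, proto=MOBILITY_HEADER):
    """Constructed packet: zero addresses and checksum, 16-byte upper-layer body."""
    body = bytes([59, 1, mh, 0]) + bytes(12)
    first = proto
    if ext:  # prepend an 8-byte Destination Options header (all Pad1)
        body = bytes([proto, 0]) + bytes(6) + body
        first = 60
    return struct.pack("!IHBB", 6 << 28, len(body), first, 64) + bytes(32) + body

if __name__ == "__main__":
    for name, pkt in [("HoTI", sample(1)), ("HoT+dstopts", sample(3, ext=True)),
                      ("BU", sample(5)), ("UDP", sample(0, proto=17))]:
        print(name, mh_type(pkt), coarse_rule(pkt), fine_rule(pkt))
```

The Binding Update sample passes the coarse rule but not the fine one, which is the difference between the two approaches.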