[Mip6-firewall] HA Firewall BCP draft

Suresh Krishnan suresh.krishnan at ericsson.com
Fri Jun 29 11:06:39 EDT 2007


Hi Niklas,

Niklas Steinleitner wrote:
> Hi Qiu, all,
> 
> QIU Ying schrieb:
>> Hi, Suresh
>>
>> The file looks good. But I have argument on section 3.2.
>>
>> According to RFC 3776, the HoTI/HoT messages between MN and HA are 
>> encapsulated by ESP. So no special configuration is needed for the HoT 
>> message.
>>   
> Section 3.2 specifies the firewall pinhole for the HoT message from the 
> CN to HA, which is not protected by IPsec ESP. Therefore, we need a 
> pinhole to let this message traverse.

Exactly. That was what I was thinking as well.

> What you are talking about here, is the HoT message from the HA to the 
> MN. This message is ESP encapsulated and it is not necessary to install 
> additional rules.

This is already covered at the end of section 3.1

>> Since checking the protocol number is more popular than checking the header type, why not 
>> just filter on the mobility protocol number (it is 135 according to RFC3775) 
>> for these signaling messages?
>>   
> This is one option.
> However, administrators typically follow the policy to allow only as 
> little as possible. If it is possible to specify a pinhole as fine as 
> possible, i think most of the administrators will do this; at least our 
> administrators will do ;-)

+1

>> If there are no objections, I would like to add sections about "CN behind a firewall" 
>> and "MN behind a firewall".  The process for CN behind a firewall would be 
>> similar to HA behind a firewall, but the CoTI/CoT is never protected by IPsec. 
>> The process for MN behind a firewall is a bit complicated as the 
>> source/destination address CoA changes frequently. I hope I could finish 
>> by tomorrow.
>>   
> This is a good idea. I'm willing to help with this. What about dividing 
> the two scenarios? Which one do you prefer :-)
> "CN behind a firewall" or "MN behind a firewall"?

Would you guys like me to keep change control of the document and 
incorporate text you provide or would you like to take over?

Cheers
Suresh
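The pinhole distinction discussed in the thread above (a coarse rule that admits every packet with protocol number 135, versus a rule restricted to HoT, Mobility Header Type 3, destined to the HA) can be made concrete with a small rule evaluator. The following is an added example written for this page; it is not code from the draft, from the mailing list, or from any firewall product. It builds constructed IPv6 packets carrying a Mobility Header per the RFC 3775 layout (Payload Proto 59, Header Len in 8-octet units, MH Type, Reserved, Checksum), with the checksum left at zero, no other extension headers, and addresses taken from the documentation prefix; the function and constant names are the example's own.

```python
import ipaddress
import struct

IPPROTO_MH = 135        # IPv6 Mobility Header protocol number (RFC 3775)
MH_NO_NEXT_HEADER = 59  # Payload Proto value carried in every Mobility Header
MH_HOTI, MH_COTI, MH_HOT, MH_COT, MH_BU = 1, 2, 3, 4, 5  # MH Type values, RFC 3775 sec. 6.1

# Constructed addresses from the documentation prefix (assumption for the example).
HA_ADDR = ipaddress.IPv6Address("2001:db8:1::1")
CN_ADDR = ipaddress.IPv6Address("2001:db8:2::2")
OTHER_ADDR = ipaddress.IPv6Address("2001:db8:1::99")


def build_mh_packet(src, dst, mh_type, message_data):
    """Return raw bytes: fixed IPv6 header directly followed by a Mobility Header.
    No other extension headers; checksum left zero because these are constructed
    samples for rule evaluation, not wire-valid packets."""
    mh = struct.pack("!BBBBH", MH_NO_NEXT_HEADER, 0, mh_type, 0, 0) + message_data
    if len(mh) % 8:                       # the MH is padded to a multiple of 8 octets
        mh += b"\x00" * (8 - len(mh) % 8)
    hdr_len = len(mh) // 8 - 1            # Header Len excludes the first 8 octets
    mh = mh[:1] + bytes([hdr_len]) + mh[2:]
    ip6 = struct.pack("!IHBB", 0x60000000, len(mh), IPPROTO_MH, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + mh


def parse_packet(pkt):
    """Extract the fields a firewall rule looks at: next header, src, dst and,
    when the payload is a Mobility Header, its MH Type."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    fields = {
        "proto": pkt[6],
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "mh_type": None,
    }
    if fields["proto"] == IPPROTO_MH and len(pkt) >= 48:
        fields["mh_type"] = pkt[42]       # third octet of the MH is the MH Type
    return fields


def coarse_pinhole(pkt):
    """The 'just allow protocol 135' rule proposed in the thread."""
    return parse_packet(pkt)["proto"] == IPPROTO_MH


def fine_pinhole(pkt, ha_addr=HA_ADDR):
    """Section 3.2 style rule: only HoT (MH Type 3) destined to the HA itself."""
    f = parse_packet(pkt)
    return f["proto"] == IPPROTO_MH and f["mh_type"] == MH_HOT and f["dst"] == ha_addr


# Constructed samples; message data follows the RFC 3775 field sizes, zero-filled.
# HoT: Home Nonce Index (2) + Home Init Cookie (8) + Home Keygen Token (8)
HOT_TO_HA = build_mh_packet(CN_ADDR, HA_ADDR, MH_HOT, b"\x00" * 18)
# HoTI: Reserved (2) + Home Init Cookie (8); legitimately flows MN->HA->CN, not CN->HA
HOTI_TO_HA = build_mh_packet(CN_ADDR, HA_ADDR, MH_HOTI, b"\x00" * 10)
# BU: Sequence # (2) + flags/Reserved (2) + Lifetime (2), aimed at a host that is not the HA
BU_TO_OTHER = build_mh_packet(CN_ADDR, OTHER_ADDR, MH_BU, b"\x00" * 6)
# HoT aimed at some other host behind the same firewall
HOT_TO_OTHER = build_mh_packet(CN_ADDR, OTHER_ADDR, MH_HOT, b"\x00" * 18)


def compare_rules():
    """Return (sample name, coarse verdict, fine verdict) for each constructed packet."""
    samples = [("HoT->HA", HOT_TO_HA), ("HoTI->HA", HOTI_TO_HA),
               ("BU->other", BU_TO_OTHER), ("HoT->other", HOT_TO_OTHER)]
    return [(name, coarse_pinhole(p), fine_pinhole(p)) for name, p in samples]


if __name__ == "__main__":
    for name, coarse, fine in compare_rules():
        print(f"{name:11s} proto-135 rule: {'ACCEPT' if coarse else 'DROP':6s} "
              f"HoT-to-HA rule: {'ACCEPT' if fine else 'DROP'}")
```

Only the HoT addressed to the HA passes both rules; the protocol-135 rule also lets through Mobility Header packets of any type to any host behind the firewall, which is the extra exposure the thread's "as fine as possible" policy avoids. On Linux the same fine-grained match is expressible with ip6tables' `mh` match (`-p mh --mh-type home-test`), which selects on the MH Type field this example reads by hand.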

