[Mip6-firewall] HA Firewall BCP draft
Niklas Steinleitner
steinleitner at cs.uni-goettingen.de
Fri Jun 29 12:25:07 EDT 2007
Hi Suresh,
>> - in section 3.1 you write "Source Address: Address of HA". This has
>> to be "Destination Address: Address of HA"!
>
>
> Nice catch. But I think it has to be both. I will revise the text to say
>
> Source Address: Address of HA
> IP payload protocol number: 50 (ESP)
>
> Destination Address: Address of HA
> IP payload protocol number: 50 (ESP)
Based on the assumption it might be necessary to have both. But only if
we have an SPF which does not allow outgoing IPsec traffic, both are
necessary.
However, is this realistic and the normal case?
>> - section 3.4: from my point of view we should discourage
>> installing such firewall pinholes!
>
>
> Do you think this warning currently in the text is not good enough?
>
> Allowing this traffic might allow any kind of traffic, including
> malicious traffic, to pass through unfiltered to the MN. This might
> cause a Denial of Service at the MN.
OK, should be enough ;-)
Regards,
Niklas
--
Niklas Steinleitner Tel: +49 551 3913583
Institute for Informatics steinleitner at cs.uni-goettingen.de
University of Göttingen http://www.tmg.informatik.uni-goettingen.de
Lotzestrasse 16-18
D-37083 Göttingen, Germany
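
The point discussed in the message above (when the "Source Address: Address of HA" pinhole is needed in addition to the "Destination Address: Address of HA" one) can be modelled as follows. This is an added example, not part of the original message or the draft; the addresses are constructed documentation values, and the firewall placement (in front of the HA, inbound denied by default) and the `outbound_default_allow` flag are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

ESP = 50  # IP payload protocol number quoted in the thread

# Constructed documentation addresses (assumptions, not from the thread)
HA = ipaddress.ip_address("2001:db8:1::10")
MN = ipaddress.ip_address("2001:db8:2::99")

@dataclass(frozen=True)
class Pinhole:
    proto: int
    src: Optional[ipaddress.IPv6Address] = None  # None matches any source
    dst: Optional[ipaddress.IPv6Address] = None  # None matches any destination

    def matches(self, src, dst, proto):
        return (proto == self.proto
                and self.src in (None, src)
                and self.dst in (None, dst))

DST_RULE = Pinhole(ESP, dst=HA)  # "Destination Address: Address of HA"
SRC_RULE = Pinhole(ESP, src=HA)  # "Source Address: Address of HA"

def permitted(src, dst, proto, pinholes, outbound_default_allow):
    """Decide one packet at a firewall assumed to sit in front of the HA.

    Inbound traffic is denied unless a pinhole matches. Traffic sourced
    from the HA follows the outbound default unless a pinhole matches.
    """
    if any(p.matches(src, dst, proto) for p in pinholes):
        return True
    leaving = (src == HA)
    return leaving and outbound_default_allow

def esp_exchange_works(pinholes, outbound_default_allow):
    """ESP has to pass in both directions between MN and HA."""
    to_ha = permitted(MN, HA, ESP, pinholes, outbound_default_allow)
    from_ha = permitted(HA, MN, ESP, pinholes, outbound_default_allow)
    return to_ha and from_ha

if __name__ == "__main__":
    for rules, name in (([DST_RULE], "dst only"), ([DST_RULE, SRC_RULE], "dst+src")):
        for out_ok in (True, False):
            print(name, "outbound allowed:", out_ok,
                  "->", esp_exchange_works(rules, out_ok))
```
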