[Mip6-firewall] BU to HA
Qiu Ying
qiuying at i2r.a-star.edu.sg
Tue Mar 20 13:42:51 EDT 2007
Hi,
As discussed at breakfast, the major problem is how to let the binding update message to the Home Agent through the firewall. As we know, the BU format is
BU_HA = {Src=CoA, Dst=HA, Opt=HoA, ESP(Seq#, Lifetime, ... ... )},
which uses an unspecified source address (CoA) and the IPsec protocol type.
Before sending the BU_HA, the MN and HA must negotiate the session key (currently using IKE) for the security tunnel. The firewalls should not block the signals during IKE negotiation. After IKE, the firewall should open to the MN's CoA.
However, due to the consideration of computing and processing time, the process of IKE is not always necessary. So, the problem is how the firewall deals with the BU_HA message with a new CoA. The BU message is blocked by a firewall because of the IPsec protocol type (50) and the variable source address (CoA). But the optional address in the BU message is fixed (HoA). The conventional firewall never checks the optional address. We could propose to extend firewall features so that they check the optional address in the IPv6 network as well as the source address and destination address.
As for the packet protocol, we could add the mobility protocol type (135) prior to the IPsec protocol (50). Then we could ask the firewall to allow the packets with optional address (HoA) and protocol type 135.
Since the packets with the mobility protocol type are very small and need less processing, even if a malicious node fakes another HoA at its optional address, it would not cause serious threats.
Any comments?
Regards
Qiu Ying
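The proposal above, as an added example that is not part of the original mail: a toy IPv6 packet filter that, unlike a conventional firewall matching only on source, destination and protocol, also parses the Home Address destination option and admits a packet to the Home Agent when it carries a Mobility Header (protocol 135) and a registered HoA, whatever the (changing) CoA in the source field. The addresses, the registered-HoA table and the packet bytes are constructed for illustration (documentation prefix 2001:db8::/32); the Mobility Header is treated as the terminal upper-layer header and its checksum is left zero, which a real filter would verify.

```python
"""Toy IPv6 filter for Binding Updates to the Home Agent (constructed example).

Rule under test: ACCEPT when the packet is addressed to the HA, the header
chain ends in a Mobility Header (135), and the Home Address destination
option carries a registered HoA. The source address (CoA) is not consulted.
"""
import ipaddress
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_FRAGMENT = 0, 43, 44
IPPROTO_ESP, IPPROTO_NONE, IPPROTO_DSTOPTS, IPPROTO_MH = 50, 59, 60, 135
OPT_PAD1, OPT_PADN, OPT_HOME_ADDRESS = 0, 1, 201   # RFC 6275 option type 201
MH_TYPE_BU = 5

# Constructed addresses: home agent, home address, visited-network CoA.
HA = ipaddress.IPv6Address("2001:db8:1::1")
HOA = ipaddress.IPv6Address("2001:db8:1::100")
COA = ipaddress.IPv6Address("2001:db8:99::42")
REGISTERED_HOA = {HOA}   # assumed table of HoAs the HA serves


def find_home_address_option(opts: bytes):
    """Scan a Destination Options body for the Home Address option."""
    i = 0
    while i < len(opts):
        otype = opts[i]
        if otype == OPT_PAD1:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("truncated option")
        olen = opts[i + 1]
        if otype == OPT_HOME_ADDRESS:
            if olen != 16 or i + 18 > len(opts):
                raise ValueError("bad Home Address option length")
            return ipaddress.IPv6Address(opts[i + 2:i + 18])
        i += 2 + olen
    return None


def parse_ipv6(pkt: bytes) -> dict:
    """Walk the extension-header chain; return src, dst, final proto, HoA."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_hdr = pkt[6]
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    off, hoa = 40, None
    while next_hdr in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS, IPPROTO_FRAGMENT):
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        # Fragment header is fixed 8 bytes; the others carry a length field.
        hdr_len = 8 if next_hdr == IPPROTO_FRAGMENT else (pkt[off + 1] + 1) * 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        if next_hdr == IPPROTO_DSTOPTS:
            hoa = find_home_address_option(pkt[off + 2:off + hdr_len])
        next_hdr, off = pkt[off], off + hdr_len
    return {"src": src, "dst": dst, "proto": next_hdr, "hoa": hoa}


def conventional_decision(pkt: bytes, allowed_coas) -> str:
    """Classic filter: src/dst/proto only, so a new CoA is always blocked."""
    p = parse_ipv6(pkt)
    if p["dst"] == HA and p["src"] in allowed_coas:
        return "ACCEPT"
    return "DROP: unknown source address"


def extended_decision(pkt: bytes) -> str:
    """Filter extended as proposed: checks the HoA option and protocol 135."""
    p = parse_ipv6(pkt)
    if p["dst"] != HA:
        return "DROP: not addressed to the home agent"
    if p["proto"] == IPPROTO_MH and p["hoa"] in REGISTERED_HOA:
        return "ACCEPT: mobility header with registered home address"
    if p["proto"] == IPPROTO_ESP:
        return "DROP: ESP from an address IKE has not opened"
    return "DROP: default"


# --- constructed packets -------------------------------------------------
def build_ipv6(src, dst, next_hdr: int, payload: bytes) -> bytes:
    return struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 64) \
        + src.packed + dst.packed + payload


def build_dst_opts_hoa(next_hdr: int, hoa) -> bytes:
    # 24-byte header: PadN(2) first so the option sits at offset 8n+6.
    return bytes([next_hdr, 2, OPT_PADN, 2, 0, 0, OPT_HOME_ADDRESS, 16]) + hoa.packed


def build_mh_binding_update(seq: int, lifetime: int) -> bytes:
    # Mobility Header: payload proto 59, hdr len 1 (16 bytes), type BU,
    # reserved, checksum (left zero here), then seq, flags (A set), lifetime, PadN.
    bu = struct.pack("!HHH", seq, 0x8000, lifetime)
    return bytes([IPPROTO_NONE, 1, MH_TYPE_BU, 0, 0, 0]) + bu + bytes([OPT_PADN, 2, 0, 0])


def bu_to_ha_packet(coa=COA, hoa=HOA) -> bytes:
    payload = build_dst_opts_hoa(IPPROTO_MH, hoa) + build_mh_binding_update(1, 420)
    return build_ipv6(coa, HA, IPPROTO_DSTOPTS, payload)


def esp_bu_packet(coa=COA, hoa=HOA) -> bytes:
    """BU_HA as the mail writes it: Opt=HoA followed by ESP (opaque body)."""
    esp = struct.pack("!II", 0x1234, 1) + b"\x00" * 16
    return build_ipv6(coa, HA, IPPROTO_DSTOPTS, build_dst_opts_hoa(IPPROTO_ESP, hoa) + esp)


if __name__ == "__main__":
    for name, pkt in [("BU via MH", bu_to_ha_packet()), ("BU via ESP", esp_bu_packet()),
                      ("BU with unregistered HoA", bu_to_ha_packet(hoa=ipaddress.IPv6Address("2001:db8:1::200")))]:
        print(f"{name:26} conventional={conventional_decision(pkt, set())!r:32} extended={extended_decision(pkt)!r}")
```

The contrast the mail draws is visible in the output: the conventional filter drops every packet from a CoA it has not seen, while the extended filter admits the mobility-header BU with a registered HoA and still drops the ESP form and a BU claiming an unregistered HoA.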
________________________________
From: mip6-firewall-bounces at zeke.ecotroph.net on behalf of Hannes Tschofenig
Sent: Mon 3/19/2007 5:28 PM
To: mip6-firewall at zeke.ecotroph.net
Subject: [Mip6-firewall] Prague Meeting, Tuesday Breakfast, 8am - 9am
Hi all,
let's meet for breakfast at the Hilton hotel (lobby) at 8am on Tuesday.
Ciao
Hannes
_______________________________________________
Mip6-firewall mailing list
Mip6-firewall at zeke.ecotroph.net
https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
------------ Institute For Infocomm Research - Disclaimer -------------
This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you.
--------------------------------------------------------