[Mip6-firewall] [MEXT] Nemo/Mext meeting at IETF-70?
QIU Ying
qiuying at i2r.a-star.edu.sg
Wed Nov 7 02:45:14 EST 2007
Agree with Gabor.
But even static pinholes, such as the ipsec pinhole, are also not widely
accepted because the admins thought they cannot control the activities of
ipsec packets.
So we should suggest that the HA protect itself, not rely on the FW.
Regards
Qiu Ying
----- Original Message -----
From: <Gabor.Bajko at nokia.com>
To: <suresh.krishnan at ericsson.com>; <qiuying at i2r.a-star.edu.sg>
Cc: <Roberto.Baldessari at nw.neclab.eu>; <mip6-firewall at zeke.ecotroph.net>
Sent: Wednesday, November 07, 2007 2:29 AM
Subject: RE: [Mip6-firewall] [MEXT] Nemo/Mext meeting at IETF-70?
Suresh,
If you update the draft, you may want to consider clarifying that some
of the described pinholes are 'static', i.e. they can be created by the
admin in advance, while the other pinholes are 'dynamic', i.e. they have
to be created on the go. The creation of these latter pinholes requires
the FWs to be MIP stateful, while current firewalls do not understand
MIP (filters on MH are not possible yet either, at least not in
commercial FWs). Even if MIP stateful FWs are gonna be out there in the
foreseeable future, the current situation will persist until all FWs are
upgraded. This way the readers may get an idea on what MIP operations
can be supported by the current firewalled environment.
- gabor
-----Original Message-----
From: mip6-firewall-bounces at zeke.ecotroph.net
[mailto:mip6-firewall-bounces at zeke.ecotroph.net] On Behalf Of ext Suresh
Krishnan
Sent: Tuesday, November 06, 2007 7:21 AM
To: QIU Ying
Cc: Roberto Baldessari; mip6-firewall at zeke.ecotroph.net
Subject: Re: [Mip6-firewall] [MEXT] Nemo/Mext meeting at IETF-70?
Hi Ying,
I already have started updating the firewalls draft. I will send out
a pre-release by Thursday this week. I made some modifications to
account for the fact that the IPSec b/w the MN and the HA offers only
authentication and not confidentiality.
Thanks
Suresh
QIU Ying wrote:
> Hi, Firewall Folks:
>
> Should we update our draft "draft-krishnan-mip6-firewall-01" according
> to the feedback we got at IETF69?
>
> My comments are below:
>
>
>> 6. Firewall Recommendations for MIPv6
>> I-D: draft-krishnan-mip6-firewall-01 15 min
>> Suresh Krishnan
>> --------------------------------------
>> * presentation:
>> - different scenario: firewall protecting HA, MN, CN, respectively
>> - recommends which kind of traffic should not be blocked by firewalls
>> - Adopt as WG draft?
>>
>> * discussion
>> - hesham: just to clarify, only some firewalls in enterprise networks
>> block ipsec. Not in public networks
>> - frank: your solution makes network less safe (let all IPsec traffic
>> to HA through).
>> - Suresh: but this is the HA service, you have to let this
>> traffic through
>
> Frankly, in the practical realm, home agents are very special nodes: 1)
> only a few nodes are charged as home agents within a network. 2) A home
> agent normally functions as a server or a stationary machine at
> least, so it is strong enough to protect itself (e.g. Jari mentioned
> access mechanisms) and does not have to rely on the protection of a firewall.
>
> A firewall that opens a few channels for some specified robust nodes does
> not mean weakening the strength of network security.
>
> But in order to prevent the flood attacks, the firewall can constrain
> the throughput of these channels.
>
>
>> - Alex: some operators don't want to allow RO due to security weaknesses
>> - Suresh: that's why we separated rules for RO and for non-RO
>
> No matter RO or non-RO, the issue of IPsec packets through a firewall
> cannot be avoided due to the home binding update.
>
>
> Any more comments?
>
> Regards
> Qiu Ying
>
>
> ----- Original Message -----
> From: "Roberto Baldessari" <Roberto.Baldessari at nw.neclab.eu>
> To: <nemo at ietf.org>; <mext at ietf.org>
> Sent: Tuesday, November 06, 2007 5:18 PM
> Subject: [MEXT] Nemo/Mext meeting at IETF-70?
>
>
>
> Hi all,
>
> According to the IETF draft agenda, no NEMO nor MEXT WG meeting has
> been scheduled yet. Are there plans to have one at IETF-70?
>
> Concerning the activity on automotive requirements for NEMO RO, we are
> in the process of updating the doc according to the feedback we got at
> IETF-69 and preparing it to include/unify requirements from both
> C2C-CC and ISO CALM.
>
> Anyway, as (I guess) the contributions from CALM won't be ready in
> time for IETF-70, I don't have anything against waiting until IETF-71
> to present a more complete document. Also, I hope that by then MEXT WG
> will be actually in place.
>
> Best regards,
>
> Roberto
>
>
> ================================================
> Roberto Baldessari
> Research Scientist
> NEC Laboratories, Network Division, NEC Europe Ltd.
> Kurfuerstenanlage 36, D-69115 Heidelberg
> Tel. +49 (0)6221 4342-167
> Fax: +49 (0)6221 4342-55
> e-mail: roberto.baldessari at nw.neclab.eu
> web: http://www.netlab.nec.de/
>
> NEC Europe Limited | Registered Office:
> NEC House, 1 Victoria Road, London W3 6BL Registered in England
> 2832014 ================================================
>
> _______________________________________________
> MEXT mailing list
> MEXT at ietf.org
> https://www1.ietf.org/mailman/listinfo/mext
>
>
> ------------ Institute For Infocomm Research - Disclaimer
> -------------This email is confidential and may be privileged. If you
> are not the intended recipient, please delete it and notify us
> immediately. Please do not copy or use it for any purpose, or disclose
> its contents to any other person. Thank
> you.--------------------------------------------------------
> _______________________________________________
> Mip6-firewall mailing list
> Mip6-firewall at zeke.ecotroph.net
> https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall