[Mip6-firewall] [MEXT] Nemo/Mext meeting at IETF-70?
Suresh Krishnan
suresh.krishnan at ericsson.com
Thu Nov 8 09:08:01 EST 2007
I agree there is a mix of rules in the document. I will try to get this separated out by the deadline.
Thanks
Suresh
________________________________
From: Gabor.Bajko at nokia.com [mailto:Gabor.Bajko at nokia.com]
Sent: November 7, 2007 8:36 PM
To: steinleitner at cs.uni-goettingen.de
Cc: Suresh Krishnan; qiuying at i2r.a-star.edu.sg; mip6-firewall at zeke.ecotroph.net
Subject: RE: [Mip6-firewall] [MEXT] Nemo/Mext meeting at IETF-70?
But I thought the draft already has a mix of 'static' and 'dynamic' rules. If you look into section 5.4, the text says that the fw adds a rule based on the BU message. That pinhole cannot be created statically, thus data can not flow if the fw does not install the pinhole in 5.4, unless you statically configure to allow any traffic to the CN (which is equal to removing the fw).
And btw, similar text should be in 4.4. The text currently wrongly states that the pinhole created in 4.3 will let data traffic pass through. A pinhole with:
destination address: CN Address
source address: MN CoA
has to be created based on the BU.
Also, 4.1 through 4.3 may not work if the CN is also an MN not at home. But I am not sure if we want to address this scenario.
If we want to make things work with FWs which are not MIP aware, we need additional things. That's what we tried to address with Hannes in the two drafts we wrote (whose links I sent earlier).
- gabor
________________________________
From: ext Niklas Steinleitner [mailto:steinleitner at cs.uni-goettingen.de]
Sent: Wednesday, November 07, 2007 5:30 AM
To: Bajko Gabor (Nokia-SIR/MtView)
Cc: suresh.krishnan at ericsson.com; qiuying at i2r.a-star.edu.sg; Roberto.Baldessari at nw.neclab.eu; mip6-firewall at zeke.ecotroph.net
Subject: Re: [Mip6-firewall] [MEXT] Nemo/Mext meeting at IETF-70?
Is this in the scope of this draft?
I have thought that the draft should show how you have to configure your environment 'statically' in a way that allows Mobile IPv6 signaling and data messages to pass through - independently of the security aspects and of how often/long these pinholes are required; i.e. "if you statically configure your firewalls in that way, you can use MIPv6".
Isn't what you propose a different document, one that describes the pinholes which need to be 'dynamically' installed by a MIP6 firewall traversal solution (e.g. MIP6 aware FW, ...) to let the different MIPv6 packets traverse? In this case the pinholes can be much more specific than in the draft, which allows them generally, whereas such a document would specify them only for a certain flow.
Niklas
Gabor.Bajko at nokia.com schrieb:
Suresh,
If you update the draft, you may want to consider to clarify that some
of the described pinholes are 'static', i.e. they can be created by the
admin in advance, while the other pinholes are 'dynamic', i.e. they have
to be created on the go. The creation of these latter pinholes requires
the FWs to be MIP stateful, while current firewalls do not understand
MIP (filters on MH are not possible yet either, at least not in
commercial FWs). Even if MIP stateful FWs are gonna be out there in the
foreseeable future, the current situation will persist until all FWs are
upgraded. This way the readers may get an idea on what MIP operations
can be supported by the current firewalled environment.
- gabor
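An added illustration (constructed here, not code from the draft or from any poster) of the static/dynamic distinction Gabor draws above and of the section 5.4 behaviour he cites earlier in the thread: the CN-side firewall statically admits Mobility Header signaling, and only a MIP-stateful firewall can install the data pinhole {dst: CN, src: MN CoA} after seeing the Binding Update. Class and function names (CnFirewall, Packet, run) and all addresses are assumptions.

```python
from dataclasses import dataclass, field

MOBILITY_HEADER = 135   # IPv6 next-header value of the Mobility Header (RFC 3775)
MH_BINDING_UPDATE = 5   # MH type of a Binding Update

@dataclass
class Packet:
    src: str
    dst: str
    next_header: int      # 135 = MH signaling; anything else is treated as data here
    mh_type: int = -1     # only meaningful when next_header == 135

@dataclass
class CnFirewall:
    """Toy firewall in front of the CN (constructed model, not the draft's rules)."""
    cn_addr: str
    mip_stateful: bool    # False models today's FWs, which cannot act on a BU
    pinholes: set = field(default_factory=set)   # dynamic (src, dst) pairs

    def static_allow(self, pkt):
        # 'Static' pinhole: configurable by the admin in advance.
        # (The thread notes even MH filtering is not available in commercial
        # FWs; the model assumes at least this rule exists.)
        return pkt.dst == self.cn_addr and pkt.next_header == MOBILITY_HEADER

    def filter(self, pkt):
        """Return 'pass' or 'drop'; a stateful FW also updates its pinholes."""
        if self.static_allow(pkt):
            # 'Dynamic' pinhole: derived from the BU, dst = CN, src = MN CoA.
            if self.mip_stateful and pkt.mh_type == MH_BINDING_UPDATE:
                self.pinholes.add((pkt.src, pkt.dst))
            return "pass"
        if (pkt.src, pkt.dst) in self.pinholes:
            return "pass"
        return "drop"

def run(mip_stateful):
    """Data before the BU, the BU itself, then data after the BU."""
    fw = CnFirewall(cn_addr="2001:db8:c::1", mip_stateful=mip_stateful)
    coa = "2001:db8:f::2"   # constructed MN care-of address
    return [fw.filter(p) for p in (
        Packet(coa, fw.cn_addr, 6),
        Packet(coa, fw.cn_addr, MOBILITY_HEADER, MH_BINDING_UPDATE),
        Packet(coa, fw.cn_addr, 6),
    )]
```

With a MIP-stateful firewall the trace is drop, pass, pass; a firewall that cannot read the BU never opens the data pinhole, so the third packet is still dropped.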
-----Original Message-----
From: mip6-firewall-bounces at zeke.ecotroph.net
[mailto:mip6-firewall-bounces at zeke.ecotroph.net] On Behalf Of ext Suresh
Krishnan
Sent: Tuesday, November 06, 2007 7:21 AM
To: QIU Ying
Cc: Roberto Baldessari; mip6-firewall at zeke.ecotroph.net
Subject: Re: [Mip6-firewall] [MEXT] Nemo/Mext meeting at IETF-70?
Hi Ying,
I already have started updating the firewalls draft. I will send out
a pre-release by Thursday this week. I made some modifications to
account for the fact that the IPSec b/w the MN and the HA offers only
authentication and not confidentiality.
Thanks
Suresh
QIU Ying wrote:
Hi, Firewall Folks:
Should we update our draft "draft-krishnan-mip6-firewall-01" according
to the feedback we got at IETF69?
My comments are below:
6. Firewall Recommendations for MIPv6
I-D: draft-krishnan-mip6-firewall-01 15 min
Suresh Krishnan
--------------------------------------
* presentation:
- different scenario: firewall protecting HA, MN, CN, respectively
- recommends which kind of traffic should not be blocked by firewalls
- Adopt as WG draft?
* discussion
- hesham: just to clarify, only some firewalls in enterprise networks
block ipsec. Not in public networks
- frank: your solution makes network less safe (let all IPsec traffic
to HA through).
- Suresh: but this is the HA service, you have to let this
traffic through
Frankly, in practical terms, home agents are very special nodes: 1)
only a few nodes are assigned as home agents within a network. 2) A home
agent normally functions as a server, or at least as a stationary machine,
so it is strong enough to protect itself (e.g. Jari mentioned
access mechanisms) and does not have to rely on the protection of a firewall.
A firewall that opens a few channels for some specified robust nodes does
not mean weakening the strength of network security.
But in order to prevent flood attacks, the firewall can constrain
the throughput of these channels.
- Alex: some operators don't want to allow RO due to security
weaknesses
- Suresh: that's why we separated rules for RO and for non-RO
No matter RO or non-RO, the issue of IPsec packets through a firewall
cannot be avoided, due to the home binding update.
Any more comments?
Regards
Qiu Ying
----- Original Message -----
From: "Roberto Baldessari" <Roberto.Baldessari at nw.neclab.eu>
To: <nemo at ietf.org>; <mext at ietf.org>
Sent: Tuesday, November 06, 2007 5:18 PM
Subject: [MEXT] Nemo/Mext meeting at IETF-70?
Hi all,
According to the IETF draft agenda, no NEMO nor MEXT WG meeting has
been scheduled yet. Are there plans to have one at IETF-70?
Concerning the activity on automotive requirements for NEMO RO, we are
in the process to update the doc according to the feedback we got at
IETF-69 and preparing it to include/unify requirements from both
C2C-CC and ISO CALM.
Anyway, as (I guess) the contributions from CALM won't be ready in
time for IETF-70, I don't have anything against waiting until IETF-71
to present a more complete document. Also, I hope that by then MEXT WG
will be actually in place.
Best regards,
Roberto
================================================
Roberto Baldessari
Research Scientist
NEC Laboratories, Network Division, NEC Europe Ltd.
Kurfuerstenanlage 36, D-69115 Heidelberg
Tel. +49 (0)6221 4342-167
Fax: +49 (0)6221 4342-55
e-mail: roberto.baldessari at nw.neclab.eu
web: http://www.netlab.nec.de/
NEC Europe Limited | Registered Office:
NEC House, 1 Victoria Road, London W3 6BL Registered in England
2832014 ================================================
_______________________________________________
MEXT mailing list
MEXT at ietf.org
https://www1.ietf.org/mailman/listinfo/mext
_______________________________________________
Mip6-firewall mailing list
Mip6-firewall at zeke.ecotroph.net
https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
--
Niklas Steinleitner Tel: +49 551 3913583
Institute for Informatics steinleitner at cs.uni-goettingen.de
University of Göttingen http://www.tmg.informatik.uni-goettingen.de
Lotzestrasse 16-18
D-37083 Göttingen, Germany