[Mip6-firewall] New versions of firewall drafts : UPDATE
Niklas Steinleitner
steinleitner at cs.uni-goettingen.de
Tue Nov 13 09:30:06 EST 2007
Suresh,
my comments to the admin draft:
* Typos:
  o Abstract: messags
  o Introduction: missing "." at the end
  o Home Agent: "... a firewall that protects a ..." (to be removed: *is*)
  o Section 4.5: missing "." at the end
* Section 4.4:
  o As Gabor already mentioned, this pinhole doesn't allow the data
    traffic. Gabor's pinhole includes the dynamic MN CoAddress,
    therefore I propose to use the following pinhole, as it can be
    manually pre-configured:
    + Destination address: CN Address
    + Next Header: 60 (IPv6 Destination Options Header)
    + (Not the best and most secure solution, but at least better
      than allowing every kind of traffic to the CN.)
* Section 5.1:
  o If the FW is not working statefully for IPsec ESP (I think most
    of the current FWs don't do this), a second pinhole which
    explicitly allows these return packets (BA+HoT) could be
    mentioned within the draft:
    + Destination Address: Visited subnet prefix
    + IP payload protocol number: 50 (ESP)
* Section 5.2:
  o As we explicitly mention the number for the Mobility Header Type
    in the whole draft, we should do the same for this case.
    Additionally, the text in this section assumes that the CoT and
    the BA messages can traverse the FW because of the stateful
    behaviour of the FW. The rule specified here only allows the BU
    and the CoTI with their src address, not the upcoming BA and CoT
    with the src address CN and the *dst address* of the visited
    subnet prefix. Therefore I propose to rewrite this whole section:

    Signaling between MN and CN

    Route Optimization allows direct communication of data packets
    between the MN and a CN without tunneling it back through the HA.
    It includes 3 pairs of messages: HoTI/HoT, CoTI/CoT and BU/BA.
    The HoTI/HoT pair can pass through the firewall using the pattern
    described in section 5.1. The following two patterns permit these
    messages through the firewall.

      Destination Address: Visited subnet prefix
      Mobility Header Type: 4

      Destination Address: Visited subnet prefix
      Mobility Header Type: 6

    This pattern allows the BA and CoT messages from the CN to the MN
    to pass through the firewall. The BU and CoTI messages can
    traverse the firewall without any assistance.
Regards,
Niklas
Suresh Krishnan wrote:
> Hi Folks,
> This is the admin document that I failed to attach in the last mail.
>
> Thanks
> Suresh
>
--
Niklas Steinleitner Tel: +49 551 3913583
Institute for Informatics steinleitner at cs.uni-goettingen.de
University of Göttingen http://www.tmg.informatik.uni-goettingen.de
Lotzestrasse 16-18
D-37083 Göttingen, Germany
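As an added illustration (not part of the draft or of this mail), a small stateless pinhole matcher in Python checks the point made about Section 5.2: a rule set keyed on the MN's source address admits only the outgoing BU and CoTI, while the destination-keyed patterns proposed above (visited prefix, MH types 4 and 6) admit the returning CoT and BA, and the Section 5.1 ESP pinhole covers the HA-tunnelled replies. The addresses, the packet set and the reconstruction of the draft's original source-keyed rule are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MH_PROTO = 135   # IPv6 Mobility Header protocol number (RFC 3775)
ESP_PROTO = 50   # IPsec ESP, the Section 5.1 return-path pinhole
MH_TYPE = {"HoTI": 1, "CoTI": 2, "HoT": 3, "CoT": 4, "BU": 5, "BA": 6}  # RFC 3775 MH types

@dataclass(frozen=True)
class Packet:
    name: str
    src: str
    dst: str
    next_header: int
    mh_type: Optional[int] = None  # only meaningful when next_header == MH_PROTO

@dataclass(frozen=True)
class Pinhole:
    """Stateless match; any field left as None is a wildcard."""
    dst_prefix: Optional[str] = None
    src_prefix: Optional[str] = None
    next_header: Optional[int] = None
    mh_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.dst_prefix and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_prefix):
            return False
        if self.src_prefix and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_prefix):
            return False
        if self.next_header is not None and pkt.next_header != self.next_header:
            return False
        return self.mh_type is None or pkt.mh_type == self.mh_type

def admitted(pinholes, packets):
    """Names of the packets at least one pinhole lets through (no state is kept)."""
    return sorted(p.name for p in packets if any(h.matches(p) for h in pinholes))

# Constructed sample addresses: MN care-of address inside the visited prefix, CN and HA outside.
VISITED = "2001:db8:1::/64"
MN_COA, CN, HA = "2001:db8:1::abcd", "2001:db8:9::1", "2001:db8:5::1"
RO_SIGNALLING = [
    Packet("BU", MN_COA, CN, MH_PROTO, MH_TYPE["BU"]),
    Packet("CoTI", MN_COA, CN, MH_PROTO, MH_TYPE["CoTI"]),
    Packet("BA", CN, MN_COA, MH_PROTO, MH_TYPE["BA"]),
    Packet("CoT", CN, MN_COA, MH_PROTO, MH_TYPE["CoT"]),
    Packet("BA+HoT via HA", HA, MN_COA, ESP_PROTO),  # HA-tunnelled, ESP-protected
]
# Assumed reconstruction of the Section 5.2 rule the mail criticises: keyed on the MN source address.
SRC_RULES = [Pinhole(src_prefix=VISITED, next_header=MH_PROTO, mh_type=MH_TYPE[t]) for t in ("BU", "CoTI")]
# The two patterns proposed in the mail (dst = visited prefix, MH types 4 and 6) and the 5.1 ESP pinhole.
DST_RULES = [Pinhole(dst_prefix=VISITED, next_header=MH_PROTO, mh_type=t) for t in (4, 6)]
ESP_RULE = [Pinhole(dst_prefix=VISITED, next_header=ESP_PROTO)]
```

Running admitted() with each rule set shows that only the combination of the destination-keyed patterns and the ESP pinhole lets every reply reach the MN without relying on firewall state.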