[Mip6-firewall] New versions of firewall drafts : UPDATE

Gabor.Bajko at nokia.com Gabor.Bajko at nokia.com
Tue Nov 13 10:47:50 EST 2007


From: mip6-firewall-bounces at zeke.ecotroph.net [mailto:mip6-firewall-bounces at zeke.ecotroph.net] On Behalf Of ext Niklas Steinleitner
Sent: Tuesday, November 13, 2007 6:30 AM
To: Suresh Krishnan
Cc: mip6-firewall at zeke.ecotroph.net
Subject: Re: [Mip6-firewall] New versions of firewall drafts : UPDATE


* Section 4.4:

As Gabor already mentioned, this pinhole doesn't allow the data traffic.
Gabor's pinhole includes the dynamic MN CoAddress, therefore I propose to
use the following pinhole as it can be manually pre-configured:

* Destination address: CN Address
* Next Header: 60 (IPv6 Destination Options Header)
* (Not the best or most secure solution, but at least better than allowing
every kind of traffic to the CN.)

This is not secure at all. The FW admin does not know in advance which
nodes will become CNs, so it will need to open a pinhole saying that all
packets destined to inside network with next header 60 to pass. You
can't be serious about this.

It should be acknowledged that a static pinhole which preserves the
desired security of the network and the nodes behind the FW cannot be
installed for this case. Thus move this section to the other doc and
make it a dynamic pinhole, which includes the MN CoA.

- gabor
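The two pinholes discussed above, as an added example that is not part of the thread: a small matcher (Python, with constructed addresses from the 2001:db8::/32 documentation prefix) shows the static rule admitting any destination-options packet into the inside prefix, while the dynamic rule pinned to the MN's CoA admits only the MN's own traffic.

```python
"""Added example, not from the mailing list: static vs. dynamic pinhole."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Optional

DEST_OPTS = 60  # Next Header value of the IPv6 Destination Options header


@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    next_header: int


@dataclass(frozen=True)
class Pinhole:
    dst: IPv6Network               # destination(s) the pinhole opens
    next_header: int
    src: Optional[IPv6Address] = None  # None means any source (static rule)

    def matches(self, pkt: Packet) -> bool:
        if pkt.dst not in self.dst or pkt.next_header != self.next_header:
            return False
        return self.src is None or pkt.src == self.src


def admitted(pinhole: Pinhole, packets):
    """Return the packets the firewall would let through for this pinhole."""
    return [p for p in packets if pinhole.matches(p)]


# Constructed addresses (assumptions): inside prefix, one CN, the MN's CoA,
# and an unrelated external host.
INSIDE = IPv6Network("2001:db8:1::/64")
CN = IPv6Address("2001:db8:1::10")
MN_COA = IPv6Address("2001:db8:2::55")
OTHER = IPv6Address("2001:db8:3::99")

# The admin does not know in advance which inside node becomes a CN, so the
# static rule has to cover the whole inside prefix for any source.
STATIC = Pinhole(dst=INSIDE, next_header=DEST_OPTS)
# Dynamic rule: installed once the MN's CoA is known, pinned to that source.
DYNAMIC = Pinhole(dst=IPv6Network(f"{CN}/128"), next_header=DEST_OPTS, src=MN_COA)

TRAFFIC = [  # constructed sample packets
    Packet(MN_COA, CN, DEST_OPTS),                            # MN's own RO traffic
    Packet(OTHER, CN, DEST_OPTS),                             # unrelated host, same header
    Packet(OTHER, IPv6Address("2001:db8:1::77"), DEST_OPTS),  # unrelated inside node
    Packet(OTHER, CN, 6),                                     # plain TCP, no pinhole
]
```

Running `admitted(STATIC, TRAFFIC)` admits three of the four packets, two of them from the unrelated host; `admitted(DYNAMIC, TRAFFIC)` admits only the MN's packet.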