[Mip6-firewall] New versions of firewall drafts : UPDATE

Niklas Steinleitner steinleitner at cs.uni-goettingen.de
Tue Nov 13 11:19:27 EST 2007 

Gabor,
>  
>
> ------------------------------------------------------------------------
> *From:* mip6-firewall-bounces at zeke.ecotroph.net 
> [mailto:mip6-firewall-bounces at zeke.ecotroph.net] *On Behalf Of *ext 
> Niklas Steinleitner
> *Sent:* Tuesday, November 13, 2007 6:30 AM
> *To:* Suresh Krishnan
> *Cc:* mip6-firewall at zeke.ecotroph.net
> *Subject:* Re: [Mip6-firewall] New versions of firewall drafts : UPDATE
>
>     * Section 4.4:
>
> as Gabor already mention, this pinhole doesn't allow the data traffic. 
> Gabors pinhole includes th dynamic MN CoAddress, therefore is propose 
> to use the following pinhole as it can be manually pre-configured:
>
>     * Destination address: CN Address
>
>     * Next Header: 60 (IPv6 Destination Options Header)
>     * (Not the best and secured solution, at least better than allow
>       every kind of traffic to the CN.)  
>
> This is not secure at all. The FW admin does not know in advance which 
> nodes will become CNs, so it will need to open a pinhole saying that 
> all packets destined to inside network with next header 60 to pass. 
> You can't be serious about this.
In the draft we wrote:
"This section presents the recommendations for configuring a firewall 
*if a node behind it should be able to act as Mobile IPv6 CN*."
Therefore, we can assume that the FW admin known in advance which 
node(s) could become an CN and allow only packets with next header 60 
for this addresses.

However, i understand your provisos as i have the same. But as we 
already have several kind of insecurities within the draft, so it only 
one more which can be also marked as "NOT RECOMMENDED".
Isn't that the reason why we are looking for a better solution? Or do 
you prefer to write something like:
"With a static pre-configuration solution it is too insecure to install 
a pinhole which allow this kind of data traffic to pass through the 
firewall."

Niklas
>  
> It should be acknowledged that a static pinhole which preserves the 
> desired security of the network and the nodes behind the FW can not be 
> installed for this case. Thus move this section to the other doc and 
> make it dynamic pinhole, which includes the MN CoA.
>  
> - gabor


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://zeke.ecotroph.net/pipermail/mip6-firewall/attachments/20071113/6b1c28de/attachment.html

More information about the Mip6-firewall mailing list