[Mip6-firewall] New versions of firewall drafts : UPDATE
Gabor.Bajko at nokia.com
Gabor.Bajko at nokia.com
Tue Nov 13 11:58:08 EST 2007
right.
the scenario in section 4.4 talks about the CN behind the FW case, and
it is a fair assumption that any user (ie CN) can be contacted by an MN
located outside of the CN's network. So, anyone could be CN at any time,
not only the laptops.
So, the statement should be added to this document, and the dynamic
pinhole to the other document.
- gabor
________________________________
From: ext Yaron Sheffer [mailto:yaronf at checkpoint.com]
Sent: Tuesday, November 13, 2007 8:29 AM
To: Niklas Steinleitner
Cc: Bajko Gabor (Nokia-SIR/MtView); mip6-firewall at zeke.ecotroph.net
Subject: Re: [Mip6-firewall] New versions of firewall drafts : UPDATE
Hi Niklas,
Virtually all machines are MNs. In a modern enterprise, 90% of the
desktops may be laptops, i.e. mobile machines.
I certainly agree to: "With a static pre-configuration solution it is
too insecure to install a pinhole which allow this kind of data traffic
to pass through the firewall."
Thanks,
Yaron
Niklas Steinleitner wrote:
Gabor,
________________________________
From: mip6-firewall-bounces at zeke.ecotroph.net
[mailto:mip6-firewall-bounces at zeke.ecotroph.net] On Behalf Of ext Niklas
Steinleitner
Sent: Tuesday, November 13, 2007 6:30 AM
To: Suresh Krishnan
Cc: mip6-firewall at zeke.ecotroph.net
Subject: Re: [Mip6-firewall] New versions of firewall
drafts : UPDATE
* Section 4.4:
as Gabor already mention, this pinhole doesn't allow the
data traffic. Gabors pinhole includes th dynamic MN CoAddress, therefore
is propose to use the following pinhole as it can be manually
pre-configured:
* Destination address: CN Address
* Next Header: 60 (IPv6 Destination Options
Header)
* (Not the best and secured solution, at least
better than allow every kind of traffic to the CN.)
This is not secure at all. The FW admin does not know in
advance which nodes will become CNs, so it will need to open a pinhole
saying that all packets destined to inside network with next header 60
to pass. You can't be serious about this.
In the draft we wrote:
"This section presents the recommendations for configuring a
firewall if a node behind it should be able to act as Mobile IPv6 CN."
Therefore, we can assume that the FW admin known in advance
which node(s) could become an CN and allow only packets with next header
60 for this addresses.
However, i understand your provisos as i have the same. But as
we already have several kind of insecurities within the draft, so it
only one more which can be also marked as "NOT RECOMMENDED".
Isn't that the reason why we are looking for a better solution?
Or do you prefer to write something like:
"With a static pre-configuration solution it is too insecure to
install a pinhole which allow this kind of data traffic to pass through
the firewall."
Niklas
It should be acknowledged that a static pinhole which
preserves the desired security of the network and the nodes behind the
FW can not be installed for this case. Thus move this section to the
other doc and make it dynamic pinhole, which includes the MN CoA.
- gabor
Scanned by Check Point VPN-1 UTM NGX R65 with Messaging Security
________________________________
_______________________________________________
Mip6-firewall mailing list
Mip6-firewall at zeke.ecotroph.net
https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://zeke.ecotroph.net/pipermail/mip6-firewall/attachments/20071113/bdc97d26/attachment-0001.html
More information about the Mip6-firewall
mailing list