[Mip6-firewall] Latest version of the firewall Drafts

Suresh Krishnan suresh.krishnan at ericsson.com
Sun Nov 18 21:51:32 EST 2007


Hi Gabor,
   I have made the changes you requested and submitted a -02 draft.

Thanks
Suresh

Gabor.Bajko at nokia.com wrote:
> Suresh,
> 
> I would have had a few more issues, but I saw you rushed to submit the
> documents ...
> 
> Anyway, here are some issues which would need to be clarified at some
> point in the drafts:
> 
> firewall-admin draft:
> 
> The abstract and intro section do not say that the static configuration
> by itself is not enough to enable mip6 signalling and data traffic for
> all scenarios.
> 
> Suggested remedy:
> 
> Replace the abstract section with this: 
> 
> "This document presents some recommendations for firewall
> administrators to help them configure their existing firewalls in a
> way that allows in certain deployment scenarios the Mobile IPv6
> signaling and data messages to pass through. For other scenarios, the
> support of additional mechanisms to create pinholes required for MIPv6
> will be necessary. This document assumes that the firewalls in question
> include some kind of stateful packet filtering capability."
> 
> And the 2nd paragraph of the intro with this:
> 
> "This document presents some recommendations for firewall
> administrators to help them configure their firewalls in a way that
> allows in certain deployment scenarios the Mobile IPv6 signaling and
> data messages to pass through. This document assumes that the firewalls
> in question include some kind of stateful packet filtering capability.
> The static rules that need to be configured are described in this
> document. In some scenarios, the support of additional mechanisms to
> create pinholes required for MIPv6 signalling and data traffic to pass
> through will be necessary.
> A possible solution, describing the dynamic capabilities needed for the
> firewalls to create pinholes based on MIPv6 signalling traffic is
> described in a companion document [MIP6FWVENDOR]. Other solutions may
> also be possible."
> 
> It is important to emphasize that creation of pinholes based on MIPv6
> traffic snooping is not the only possible solution.
> 
> The sentence "Since MNs do not usually provide services, this is not
> usually a problem." from 3.3 should be deleted, as it is not true any
> more.
> 
> Section 4.4:
> 
> The solution described in [MIP6FWVENDOR] is only one possible solution.
> There should not be such a strong link between the documents. Modify the
> sentence: "The stateful firewall rules specified in [MIP6FWVENDOR] will
> open a pinhole for this traffic."
> To: "A dynamically created pinhole like the one e.g. in [MIP6FWVENDOR]
> will open a pinhole for this traffic."
> 
> Section 4.5: creating a dynamic pinhole similar to the ones created in
> section 5 of the vendor draft, but using the MN's HoA instead of the CoA
> would solve this problem too. And add a sentence to the end of the
> section: "This practice is NOT RECOMMENDED, instead a dynamically
> created pinhole like the one e.g. in [MIP6FWVENDOR] will open a pinhole
> for this traffic."
> 
> Firewall-vendor draft:
> 
> Section 5: Create a pinhole for the bi-directional tunnelled traffic as
> suggested above.
> 
> - gabor
> 
> -----Original Message-----
> From: mip6-firewall-bounces at zeke.ecotroph.net
> [mailto:mip6-firewall-bounces at zeke.ecotroph.net] On Behalf Of ext Suresh
> Krishnan
> Sent: Thursday, November 15, 2007 3:52 PM
> To: mip6-firewall at zeke.ecotroph.net
> Subject: [Mip6-firewall] Latest version of the firewall Drafts
> 
> Hi Folks,
>     I have enclosed the latest version of the firewall drafts. I believe
> I have addressed all the comments I received. Please let me know if you
> have any comments. I will submit the drafts this weekend if there are no
> comments.
> 
> Cheers
> Suresh
