[Mip6-firewall] Next Steps -- rrtfw comments
QIU Ying
qiuying at i2r.a-star.edu.sg
Wed Nov 28 09:53:43 EST 2007
Hi, Folks,
I highlight my major comment about the RRTFW draft.
In Section 4.1:
If the firewalls were configured to open UDP
port 500 for IKE negotiation, why could they not open port 135 for
the mobility header, too? The sizes of both the IKE negotiation message
and the MH signal message are small. Then wrapping by UDP encapsulation
could be avoided.
So I mean we could just apply UDP encapsulation for IPsec packets
(such as BU for the home agent, HoTI/HoT between MN and HA). Other
packets, such as HoTI/HoT between HA and CN, CoTI/CoT and BU/BA
between MN and CN, do not need to be wrapped by UDP encapsulation.
Because they are also small in terms of size and in clear text with special
protocol 135, this would not cause a serious security problem.
Regards
Qiu Ying