[Mip6-firewall] New version (-03) of drafts
Gabor.Bajko at nokia.com
Wed Jan 23 17:38:16 EST 2008
Hi Suresh,
I believe, we had a common understanding back in Vancouver regarding the
need for the FWs to allow unsolicited traffic through, more specifically
HoTI and CoTI. The admin draft says in 4.1, 4.2:
Destination Address: CN Address
Mobility Header Type: 1 (2)
While every node behind the FW can be a CN, and this draft talks about
static pinholes, the above means that the FW must have a static pinhole
with both dest and source addresses wildcard and only filter on MH.
While the text in the draft does not necessarily contradict this, I
think we need to make it more explicit.
My proposal is to change the pattern by deleting the "Destination
Address: CN Address" line and replacing the sentence: "This pinhole allows
the HoTI message from the HA to the CN to traverse the firewall." (both in
4.1 and 4.2, respectively) with
"This pinhole allows any unsolicited packet with a MH set to one to
pass. While allowing unsolicited traffic through the FWs may constitute
a security threat in many cases, the limited scope of the HoTI (and
CoTI) messages limits the threat possibility. Letting unsolicited traffic
through the FWs is the only possibility of letting external nodes
contact nodes behind the FWs. Local FW administrators may decide whether
contacting nodes behind FWs is an allowed scenario for the FW protected
network or not, and set up pinholes accordingly." or something like that
(please feel free guys to reformulate if you have a better wording).
Regarding 4.3, didn't we agree to move this to the vendor draft and say
that a dynamic pinhole based on CoT is going to be opened to allow the
BU pass through?
Regarding the vendor draft: I think the Intended status of it should be
Standards Track (or experimental). The reason I say that is that if it
is implemented in the FWs, then it will enable MIP6 through FWs, being
implicitly part of the protocol.
- gabor
-----Original Message-----
From: mip6-firewall-bounces at zeke.ecotroph.net
[mailto:mip6-firewall-bounces at zeke.ecotroph.net] On Behalf Of ext Suresh Krishnan
Sent: Wednesday, January 23, 2008 12:22 PM
To: mip6-firewall at zeke.ecotroph.net
Subject: [Mip6-firewall] New version (-03) of drafts
Hi Folks,
I fixed one issue with wrong text in the admin draft and added Gabor
as an author. I will submit the drafts this Saturday, if there are no
further comments.
Cheers
Suresh
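The pinhole behaviour discussed in this thread, as an added worked example that is not part of the thread, of the admin draft or of the vendor draft: a toy IPv6 packet filter in front of a network of correspondent nodes. It models the static pinholes for unsolicited HoTI (MH type 1) and CoTI (MH type 2) with both source and destination addresses wildcarded, matching on the Mobility Header type only, and the dynamic pinhole that an outbound CoT (MH type 4) opens for the Binding Update (MH type 5) expected back from the node the CoT was sent to. The protected prefix, the addresses, the minimal Mobility Header layout used for the constructed packets, and the choice to leave dynamic pinholes without a timeout are assumptions made for the illustration.

```python
"""Toy MIPv6-aware firewall for a CN network (added example, not from the drafts).

Packets are constructed in-line; no real traffic is sent or captured.
"""
import ipaddress
import struct

IPV6_NEXT_HEADER_MH = 135  # Mobility Header protocol number (RFC 3775)
MH_HOTI, MH_COTI, MH_HOT, MH_COT, MH_BU, MH_BA = 1, 2, 3, 4, 5, 6


def build_mh_packet(src, dst, mh_type):
    """Construct a minimal IPv6 packet carrying a Mobility Header of mh_type.

    The MH carries no message data beyond padding; it is only a test fixture
    so the filter has a MH type byte to look at (assumption: 16-byte MH).
    """
    # MH: payload proto (59 = no next header), hdr len in 8-octet units minus 1,
    # MH type, reserved, checksum (left zero in this fixture), then padding.
    mh = struct.pack("!BBBBH", 59, 1, mh_type, 0, 0) + b"\x00" * 10
    ver_tc_fl = 0x60000000  # version 6, traffic class 0, flow label 0
    ip6 = struct.pack("!IHBB", ver_tc_fl, len(mh), IPV6_NEXT_HEADER_MH, 64)
    ip6 += ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return ip6 + mh


def parse(pkt):
    """Return (src, dst, next_header, mh_type) for an IPv6 packet; mh_type is None
    when the next header is not a Mobility Header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    next_hdr = pkt[6]
    src = str(ipaddress.IPv6Address(pkt[8:24]))
    dst = str(ipaddress.IPv6Address(pkt[24:40]))
    mh_type = None
    if next_hdr == IPV6_NEXT_HEADER_MH:
        if len(pkt) < 48:
            raise ValueError("truncated Mobility Header")
        mh_type = pkt[42]  # MH type is the third byte of the Mobility Header
    return src, dst, next_hdr, mh_type


class CnFirewall:
    """Stateful filter protecting the CNs inside protected_prefix (assumed)."""

    def __init__(self, protected_prefix, static_mh_types=(MH_HOTI, MH_COTI)):
        self.protected = ipaddress.IPv6Network(protected_prefix)
        # Static pinholes: wildcard src/dst, decided on the MH type alone.
        self.static_mh_types = set(static_mh_types)
        # Dynamic pinholes: (external_src, internal_dst) -> admitted MH type.
        # Assumption: no expiry; a real firewall would time these out.
        self.dynamic = {}

    def _inside(self, addr):
        return ipaddress.IPv6Address(addr) in self.protected

    def process(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet and update pinhole state."""
        src, dst, next_hdr, mh_type = parse(pkt)
        if next_hdr != IPV6_NEXT_HEADER_MH:
            return "DROP"  # this toy models Mobility Header traffic only
        if self._inside(src) and not self._inside(dst):
            # Outbound from a CN: a CoT leaving opens the pinhole for the BU
            # that the mobile node will send back from the same address.
            if mh_type == MH_COT:
                self.dynamic[(dst, src)] = MH_BU
            return "ACCEPT"
        if not self._inside(src) and self._inside(dst):
            # Inbound: unsolicited HoTI/CoTI pass via the static pinholes,
            # everything else needs a matching dynamic pinhole.
            if mh_type in self.static_mh_types:
                return "ACCEPT"
            if self.dynamic.get((src, dst)) == mh_type:
                return "ACCEPT"
            return "DROP"
        return "DROP"


def demo():
    """Walk the return-routability exchange through the filter (constructed addresses)."""
    fw = CnFirewall("2001:db8:cafe::/48")
    cn, mn_coa, ha = "2001:db8:cafe::10", "2001:db8:beef::77", "2001:db8:feed::1"
    return [
        fw.process(build_mh_packet(ha, cn, MH_HOTI)),      # unsolicited via HA: ACCEPT
        fw.process(build_mh_packet(mn_coa, cn, MH_COTI)),  # unsolicited CoTI: ACCEPT
        fw.process(build_mh_packet(mn_coa, cn, MH_BU)),    # BU before any CoT: DROP
        fw.process(build_mh_packet(cn, mn_coa, MH_COT)),   # outbound CoT opens pinhole
        fw.process(build_mh_packet(mn_coa, cn, MH_BU)),    # BU from that CoA: ACCEPT
        fw.process(build_mh_packet("2001:db8:bad::1", cn, MH_BU)),  # other src: DROP
    ]


if __name__ == "__main__":
    print(demo())
```

The sixth packet is the point of keying the dynamic pinhole on the CoT: a Binding Update is admitted only from the address the CN just sent a CoT to, while the static HoTI/CoTI pinholes stay address-agnostic so that any node behind the firewall can act as a CN, which is what removing the "Destination Address: CN Address" line from the pattern expresses.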