<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body dir="ltr" bgcolor="#ffffff" text="#000000">
<p style="margin-bottom: 0cm; margin-top: 0pt;">I agree that we need to
add an IKEv2 pinhole. But note that the mere fact of having an IKEv2
exchange from address X does not mean that it was successful and all
later ESP packets from the same address are legitimate.</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"> Yaron</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;">Vijay Devarapalli wrote:<br>
</p>
<blockquote cite="mid:4683BF21.8090203@azairenet.com" type="cite">
<pre wrap="">Suresh,
This does address bootstrapping the MIPv6 home address via the
IKEv2 exchange. The home address would be unknown until then.
What might want to add is to require the firewall to allow all
IKEv2 messages also through to the home agent address.
Vijay
Suresh Krishnan wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Hi Folks,
I feel that a BCP for firewall admins would be the best way to
address the HA being behind a firewall.
* This firewall MUST NOT drop IPSec traffic bound to the Home Agent. The
home agent address needs to be configured on the firewall to explicitly
allow all IPSec traffic. If this traffic is found to be not legitimate,
a host based firewall or the HA implementation can drop the packet
* If an MN is providing services (i.e. allows incoming connections), the
firewall needs to allow connection requests with the MN HoA as the
destination address. The address(es) of such MN(s) need to be configured
on the firewalls
* The firewall MUST permit all HoT messages with a destination address
of a known MN HoA, if there was a HoTI message sent out with the same
source address. The firewall might verify if the home test init cookie
matches the one sent
I believe that these rules are reasonable, but some of these might not
be acceptable to firewall admins. But, since the home network is
providing a service, there is not much room to maneuver without changing
the MIP6 protocol and end nodes (which might be another option).
Cheers
Suresh
_______________________________________________
Mip6-firewall mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Mip6-firewall@zeke.ecotroph.net">Mip6-firewall@zeke.ecotroph.net</a>
<a class="moz-txt-link-freetext" href="https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall">https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall</a>
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
Mip6-firewall mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Mip6-firewall@zeke.ecotroph.net">Mip6-firewall@zeke.ecotroph.net</a>
<a class="moz-txt-link-freetext" href="https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall">https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall</a>
</pre>
</blockquote>
</body>
</html>