<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Qiu, all,<br>
<br>
QIU Ying schrieb:
<blockquote cite="mid:020d01c7ba1e$c7fbed70$ba89a8c0@DELL9150"
type="cite">
<pre wrap="">Hi, Suresh
The file looks good. But I have argument on section 3.2.
According to RFC 3776, the HoTI/HoT messages between MN and HA is
encapsulated by ESP. So it is not need a special configuration for HoT
message.
</pre>
</blockquote>
Section 3.2 specifies the firewall pinhole for the HoT message from the
CN to the HA, which is not protected by IPsec ESP. Therefore, we need a
pinhole to let this message traverse.<br>
What you are talking about here is the HoT message from the HA to the
MN. This message is ESP encapsulated and it is not necessary to install
additional rules.
<blockquote cite="mid:020d01c7ba1e$c7fbed70$ba89a8c0@DELL9150"
type="cite">
<pre wrap="">
Since checking protocol number is more popular than the header type, why not
just filter the mobility protocol number (it is 135 according to RFC3775)
for these signaling messages?
</pre>
</blockquote>
This is one option.<br>
However, administrators typically follow the policy of allowing only as
little as possible. If it is possible to specify a pinhole as finely as
possible, I think most administrators will do this; at least our
administrators will do ;-)
<blockquote cite="mid:020d01c7ba1e$c7fbed70$ba89a8c0@DELL9150"
type="cite">
<pre wrap="">
If not objected, I would like to add sections about "CN behind a firewall"
and "MN behind a firewall". The process of CN behind firewall would be
similar as HA behind firewall, but the CoTI/CoT is never protect by ipsec.
The process of MN behind firewall is a bit complicated as the
source/destination address CoA is changed frequently. I hope I could finish
by tomorrow.
</pre>
</blockquote>
This is a good idea. I'm willing to help with this. What about dividing
the two scenarios? Which one do you prefer :-)<br>
"CN behind a firewall" or "MN behind a firewall"?<br>
<br>
Regards,<br>
Niklas<br>
<blockquote cite="mid:020d01c7ba1e$c7fbed70$ba89a8c0@DELL9150"
type="cite">
<pre wrap="">
Regards
Qiu Ying
----- Original Message -----
From: "Suresh Krishnan" <a class="moz-txt-link-rfc2396E" href="mailto:suresh.krishnan@ericsson.com"><suresh.krishnan@ericsson.com></a>
To: <a class="moz-txt-link-rfc2396E" href="mailto:mip6-firewall@zeke.ecotroph.net"><mip6-firewall@zeke.ecotroph.net></a>
Sent: Friday, June 29, 2007 12:45 PM
Subject: [Mip6-firewall] HA Firewall BCP draft
</pre>
<blockquote type="cite">
<pre wrap="">Hi Folks,
Here is the first cut of the firewall draft as promised. Please take
some time to review this. I have not had the time to settle the author
list yet.So if you would like to be included as an listed author, please
let me know.
Cheers
Suresh
</pre>
</blockquote>
<pre wrap=""><!---->
_______________________________________________
Mip6-firewall mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Mip6-firewall@zeke.ecotroph.net">Mip6-firewall@zeke.ecotroph.net</a>
<a class="moz-txt-link-freetext" href="https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall">https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Niklas Steinleitner Tel: +49 551 3913583
Institute for Informatics <a class="moz-txt-link-abbreviated" href="mailto:steinleitner@cs.uni-goettingen.de">steinleitner@cs.uni-goettingen.de</a>
University of Göttingen <a class="moz-txt-link-freetext" href="http://www.tmg.informatik.uni-goettingen.de">http://www.tmg.informatik.uni-goettingen.de</a>
Lotzestrasse 16-18
D-37083 Göttingen, Germany</pre>
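<br>
Added example (not from the thread, the draft, or either author): a small Python model of the two pinhole options discussed above, coarse filtering on the Mobility Header protocol number 135 versus a pinhole narrowed to the one message that really crosses the firewall unprotected, the HoT from the CN towards the home address that the HA serves on the home link. The ESP-encapsulated HoT the HA forwards to the MN is shown as well: the firewall only sees protocol 50, so no MH-type rule can apply to it and the existing tunnel rule covers it. Addresses, SPI, packet contents and the function names are constructed for the example; the MH checksum is left at zero.<br>

```python
import ipaddress
import struct

# Protocol numbers (RFC 3775 / RFC 3776 / IANA)
IPPROTO_ESP = 50
IPPROTO_NONE = 59   # "No Next Header", used as the MH payload proto
IPPROTO_MH = 135    # Mobility Header

# Mobility Header types from RFC 3775 section 6.1 (only those used here)
MH_HOT = 3          # Home Test
MH_BU = 5           # Binding Update

# Constructed addresses (documentation prefix) for the scenario "HA behind a firewall"
HA = "2001:db8:1::1"          # home agent on the home link
HOME_ADDR = "2001:db8:1::100" # the MN's home address, defended by the HA
CN = "2001:db8:2::2"          # correspondent node outside the firewall
MN_COA = "2001:db8:3::3"      # MN's current care-of address

def build_mh(mh_type, data=b""):
    """Encode a Mobility Header: payload proto, header len, MH type,
    reserved, checksum (zero here), message data, zero-padded to 8 octets."""
    body = struct.pack("!BBH", mh_type, 0, 0) + data
    body += b"\x00" * ((-(2 + len(body))) % 8)
    hdr_len = (2 + len(body)) // 8 - 1       # 8-octet units, excluding the first 8
    return struct.pack("!BB", IPPROTO_NONE, hdr_len) + body

def build_esp(spi, seq, opaque):
    """ESP header (SPI, sequence number) followed by opaque ciphertext bytes."""
    return struct.pack("!II", spi, seq) + opaque

def build_ipv6(src, dst, next_header, payload):
    """Fixed IPv6 header with no extension headers before the payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload

def parse(pkt):
    """Return src, dst, next header and the MH type (None when the payload is not a readable MH)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    plen, nxt = struct.unpack("!HB", pkt[4:7])
    payload = pkt[40:40 + plen]
    mh_type = payload[2] if nxt == IPPROTO_MH and len(payload) >= 8 else None
    return {"src": str(ipaddress.IPv6Address(pkt[8:24])),
            "dst": str(ipaddress.IPv6Address(pkt[24:40])),
            "proto": nxt, "mh_type": mh_type}

def coarse_policy(pkt):
    """Pinhole on the protocol number only: any Mobility Header towards the home address passes."""
    p = parse(pkt)
    return p["dst"] == HOME_ADDR and p["proto"] == IPPROTO_MH

def fine_policy(pkt):
    """Pinhole narrowed to the one unprotected message: HoT (type 3) towards the home address."""
    p = parse(pkt)
    return p["dst"] == HOME_ADDR and p["proto"] == IPPROTO_MH and p["mh_type"] == MH_HOT

def esp_policy(pkt):
    """Rule that already exists for the HA-MN IPsec tunnel (RFC 3776): ESP between HA and the CoA."""
    p = parse(pkt)
    return p["proto"] == IPPROTO_ESP and {p["src"], p["dst"]} == {HA, MN_COA}

# Constructed sample packets for the three cases the thread talks about
def hot_from_cn():
    # HoT data: reserved(1), home nonce index(2), home init cookie(8), home keygen token(8)
    return build_ipv6(CN, HOME_ADDR, IPPROTO_MH, build_mh(MH_HOT, b"\x00" * 19))

def unsolicited_bu_from_cn():
    # A Binding Update aimed at the home address from outside; not a message the CN should send there
    return build_ipv6(CN, HOME_ADDR, IPPROTO_MH, build_mh(MH_BU, b"\x00" * 6))

def tunneled_hot_from_ha():
    # The HoT the HA forwards to the MN, inside ESP: the firewall cannot see the MH type
    return build_ipv6(HA, MN_COA, IPPROTO_ESP, build_esp(0x1234, 7, b"\xaa" * 48))

if __name__ == "__main__":
    for name, pkt in [("HoT CN->home", hot_from_cn()),
                      ("BU CN->home", unsolicited_bu_from_cn()),
                      ("ESP HA->MN", tunneled_hot_from_ha())]:
        print(name, "coarse:", coarse_policy(pkt), "fine:", fine_policy(pkt), "esp:", esp_policy(pkt))
```

Running the module prints one line per sample packet: the coarse rule lets both Mobility Header packets through, the fine rule accepts only the HoT, and the ESP packet matches neither MH rule because its MH type is not visible, which is exactly why the tunnelled direction needs no extra pinhole.<br>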
</body>
</html>