<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body dir="ltr" bgcolor="#ffffff" text="#000000">
Hi Suresh, all,<br>
<br>
here are some comments on the baseline -01 draft.<br>
<ul>
<li>3.1: wording: "either has to either"...</li>
<li>3.2: we are assuming that ALL IPv6 endpoints can correctly
recognize the Mobility Header. Is this the case today? Otherwise this
rule is a major security hole.</li>
<li>General: when you configure a firewall, you normally include the
allowed traffic types (to enable more granular traffic inspection). So
I would add: 3.1 - ESP, 3.2 - No payload (?), 3.3 - IKE, 3.4 - Any.</li>
<li>3.4: change "This might cause a Denial of Service at the MN" to
"This would expose the MN to any type of possibly malicious traffic,
resulting in e.g. denial of service or exploitation of known security
vulnerabilities. This practice is NOT RECOMMENDED".</li>
<li>4.1: this is the same problem as 3.2 - "CN address" is
potentially any address in the network. Do we allow any address to
receive such traffic from anybody?</li>
<li>Please add:</li>
</ul>
6. Additional Security Considerations [or else fold into the Sec
Considerations]<br>
<br>
6.1 Traffic Rate Control<br>
<br>
If the rules specified in Sec. 3.2, 3.4, 4.1 are implemented, the
firewall MUST be configured to rate-limit such traffic on a
per-destination basis. This would allow the firewall to mitigate
possible denial of service attacks on the endpoints. Please note that
such measures would not mitigate other potential security issues.<br>
<ul>
<li>4.3: doesn't this rule allow ANY traffic into the CN? You can
probably have an "empty" Dest Options header, right?</li>
<li>Sec. 7 is way too mild. We are allowing DOS into any node, not
just the HA. MNs/CNs are always softer targets than the HA.</li>
</ul>
Thanks,<br>
Yaron<br>
<br>
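Added example, not part of Yaron's message or of the draft: a small Python simulation of the policy proposed in the comments above, i.e. an explicit allowed set of traffic types toward the mobile node (ESP, Mobility Header, IKE) with everything else dropped, and a per-destination token bucket applied to the unauthenticated Mobility Header traffic so that a flood toward one node cannot starve the others. The rule labels, addresses, rate and burst values are constructed assumptions; only the protocol numbers and IKE ports are real IANA values.

```python
"""Simulation of the firewall policy sketched in the review comments:
named allowed traffic types plus per-destination rate limiting.
This is an illustration, not code from the draft or a real firewall."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# IANA protocol numbers (real values): UDP 17, ESP 50, Mobility Header 135
NH_UDP, NH_ESP, NH_MH = 17, 50, 135
IKE_PORTS = {500, 4500}  # IKE, and IKE/ESP over UDP (NAT traversal)


@dataclass
class Packet:
    dst: str                      # destination address (constructed samples below)
    next_header: int              # IPv6 Next Header of the upper-layer protocol
    dport: Optional[int] = None   # UDP destination port, if any


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""
    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, capped at the burst size
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Firewall:
    def __init__(self, rate: float, burst: int):
        # One bucket per destination address, created on first use
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    @staticmethod
    def classify(pkt: Packet) -> Optional[str]:
        """Map a packet to the rule it matches (rule labels are assumed)."""
        if pkt.next_header == NH_ESP:
            return "3.1 ESP"
        if pkt.next_header == NH_MH:
            return "3.2 MH"
        if pkt.next_header == NH_UDP and pkt.dport in IKE_PORTS:
            return "3.3 IKE"
        return None  # anything else is outside the allowed set

    def decide(self, pkt: Packet, now: float) -> str:
        rule = self.classify(pkt)
        if rule is None:
            return "DROP: no allow rule"
        # Unauthenticated Mobility Header traffic is the case the review
        # flags as a DoS vector, so it is rate-limited per destination.
        if rule == "3.2 MH" and not self.buckets[pkt.dst].allow(now):
            return "DROP: rate limit for " + pkt.dst
        return "ACCEPT: " + rule


def run_trace(fw: Firewall, trace):
    """Apply the policy to (time, packet) pairs and return the decisions."""
    return [fw.decide(pkt, t) for t, pkt in trace]


# Constructed trace: a burst of MH toward one node, plus ESP, IKE and TCP
SAMPLE_TRACE = [
    (0.0, Packet("2001:db8::mn1", NH_MH)),
    (0.0, Packet("2001:db8::mn1", NH_MH)),
    (0.0, Packet("2001:db8::mn1", NH_MH)),
    (0.0, Packet("2001:db8::mn1", NH_MH)),       # exceeds burst of 3
    (0.0, Packet("2001:db8::mn2", NH_MH)),       # other destination, own bucket
    (0.0, Packet("2001:db8::mn1", NH_ESP)),
    (0.0, Packet("2001:db8::mn1", NH_UDP, 500)),
    (0.0, Packet("2001:db8::mn1", 6)),           # TCP: no matching rule
    (1.0, Packet("2001:db8::mn1", NH_MH)),       # one token refilled after 1 s
]

if __name__ == "__main__":
    for line in run_trace(Firewall(rate=1.0, burst=3), SAMPLE_TRACE):
        print(line)
```

The point the trace makes is the one in the comment: the fourth Mobility Header packet to mn1 is dropped while the same traffic to mn2 still passes, and ESP and IKE are unaffected by the limiter, so the rate control narrows the DoS exposure of one endpoint without touching the authenticated tunnel traffic.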
<p style="margin-bottom: 0cm; margin-top: 0pt;">Suresh Krishnan wrote:<br>
</p>
<blockquote cite="mid:468D7207.9000501@ericsson.com" type="cite">Hi
Folks,
<br>
Here is v01 of the draft. Since I have not heard back from Qiu Ying
regarding my comments, I have not included the MN part yet. I will try
to wait until Sunday to submit this in case there are any comments.
<br>
<br>
Cheers
<br>
Suresh
<br>
<pre wrap=""><pre wrap="">
<hr size="4" width="90%">
_______________________________________________
Mip6-firewall mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Mip6-firewall@zeke.ecotroph.net">Mip6-firewall@zeke.ecotroph.net</a>
<a class="moz-txt-link-freetext" href="https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall">https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall</a>
</pre></pre>
</blockquote>
</body>
</html>