<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3199" name=GENERATOR></HEAD>
<BODY text=#000000 bgColor=#ffffff>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mip6-firewall-bounces@zeke.ecotroph.net
[mailto:mip6-firewall-bounces@zeke.ecotroph.net] <B>On Behalf Of </B>ext Niklas
Steinleitner<BR><B>Sent:</B> Tuesday, November 13, 2007 6:30 AM<BR><B>To:</B>
Suresh Krishnan<BR><B>Cc:</B> mip6-firewall@zeke.ecotroph.net<BR><B>Subject:</B>
Re: [Mip6-firewall] New versions of firewall drafts : UPDATE<BR></FONT></DIV>
<UL>
<LI>Section 4.4: </LI></UL>
<DIV>As Gabor already mentioned, this pinhole doesn't allow the data traffic.
Gabor's pinhole includes the dynamic MN CoAddress, therefore I propose to use the
following pinhole, as it can be manually pre-configured:<BR></DIV>
<UL>
<LI>Destination address: CN Address </LI></UL>
<UL>
<LI>Next Header: 60 (IPv6 Destination Options Header) </LI>
<LI>(Not the best and most secure solution, but at least better than allowing every kind
of traffic to the CN.) <SPAN class=636513915-13112007><FONT face=Arial
color=#0000ff size=2> </FONT></SPAN></LI></UL>
<DIV><SPAN class=636513915-13112007><FONT face=Arial color=#0000ff size=2>This
is not secure at all. The FW admin does not know in advance which nodes will
become CNs, so it will need to open a pinhole saying that all packets destined
to the inside network with next header 60 are to pass. You can't be serious about
this.</FONT></SPAN></DIV>
<DIV><SPAN class=636513915-13112007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=636513915-13112007><FONT face=Arial color=#0000ff size=2>It
should be acknowledged that a static pinhole which preserves the desired
security of the network and the nodes behind the FW cannot be installed for
this case. Thus move this section to the other doc and make it a dynamic pinhole,
which includes the MN CoA.</FONT></SPAN></DIV>
<DIV><SPAN class=636513915-13112007><FONT face=Arial color=#0000ff
size=2></FONT></SPAN> </DIV>
<DIV><SPAN class=636513915-13112007><FONT face=Arial color=#0000ff size=2>-
gabor</FONT></SPAN></DIV></BODY></HTML>