<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Gabor,<br>
<blockquote
cite="mid:E5E76343C87BB34ABC6C3FDF3B31272701ACC93C@daebe103.NOE.Nokia.com"
type="cite">
<br>
<div class="OutlookMessageHeader" dir="ltr" align="left" lang="en-us">
<hr tabindex="-1"><font face="Tahoma" size="2"><b>From:</b>
<a class="moz-txt-link-abbreviated" href="mailto:mip6-firewall-bounces@zeke.ecotroph.net">mip6-firewall-bounces@zeke.ecotroph.net</a>
[<a class="moz-txt-link-freetext" href="mailto:mip6-firewall-bounces@zeke.ecotroph.net">mailto:mip6-firewall-bounces@zeke.ecotroph.net</a>] <b>On Behalf Of </b>ext
Niklas Steinleitner<br>
<b>Sent:</b> Tuesday, November 13, 2007 6:30 AM<br>
<b>To:</b> Suresh Krishnan<br>
<b>Cc:</b> <a class="moz-txt-link-abbreviated" href="mailto:mip6-firewall@zeke.ecotroph.net">mip6-firewall@zeke.ecotroph.net</a><br>
<b>Subject:</b> Re: [Mip6-firewall] New versions of firewall drafts :
UPDATE<br>
</font></div>
<ul>
<li>Section 4.4: </li>
</ul>
<div>As Gabor already mentioned, this pinhole doesn't allow the data
traffic. Gabor's pinhole includes the dynamic MN CoAddress, therefore I
propose to use the following pinhole, as it can be manually
pre-configured:<br>
</div>
<ul>
<li>Destination address: CN Address </li>
</ul>
<ul>
<li>Next Header: 60 (IPv6 Destination Options Header) </li>
<li>(Not the best or most secure solution, but at least better than allowing
every kind of traffic to the CN.)</li>
</ul>
<div><span class="636513915-13112007"><font color="#0000ff"
face="Arial" size="2">This is not secure at all. The FW admin does not
know in advance which nodes will become CNs, so it will need to open a
pinhole saying that all packets destined to inside network with next
header 60 to pass. You can't be serious about this.</font></span></div>
</blockquote>
In the draft we wrote:<br>
"This section presents the recommendations for configuring a firewall <b>if
a node behind it should be able to act as Mobile IPv6 CN</b>."<br>
Therefore, we can assume that the FW admin knows in advance which
node(s) could become a CN and allows only packets with next header 60
for these addresses.<br>
<br>
However, I understand your provisos, as I have the same. But as we
already have several kinds of insecurities within the draft, this is only
one more, which can also be marked as "NOT RECOMMENDED".<br>
Isn't that the reason why we are looking for a better solution? Or do
you prefer to write something like:<br>
"With a static pre-configuration solution it is too insecure to install
a pinhole which allows this kind of data traffic to pass through the
firewall."<br>
<br>
Niklas<br>
<blockquote
cite="mid:E5E76343C87BB34ABC6C3FDF3B31272701ACC93C@daebe103.NOE.Nokia.com"
type="cite">
<div><span class="636513915-13112007"></span> </div>
<div><span class="636513915-13112007"><font color="#0000ff"
face="Arial" size="2">It should be acknowledged that a static pinhole
which preserves the desired security of the network and the nodes
behind the FW cannot be installed for this case. Thus move this
section to the other doc and make it a dynamic pinhole, which includes
the MN CoA.</font></span></div>
<div><span class="636513915-13112007"></span> </div>
<div><span class="636513915-13112007"><font color="#0000ff"
face="Arial" size="2">- gabor</font></span></div>
</blockquote>
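<p>The two pinholes argued over above, as an added model that is not part of the thread or of the drafts: a static pinhole keyed only on the pre-configured CN address and next header 60, beside a dynamic pinhole that also pins the source to the MN's care-of address learnt from the binding. The addresses and the binding table are constructed for the demonstration.</p>

```python
import ipaddress
import struct

IPV6_HEADER_LEN = 40
NH_DEST_OPTS = 60  # IPv6 Destination Options header, as in the proposed pinhole


def parse_ipv6_header(pkt: bytes) -> dict:
    """Parse the 40-byte fixed IPv6 header; return src, dst and next header."""
    if len(pkt) < IPV6_HEADER_LEN:
        raise ValueError("truncated IPv6 header")
    vtf, _plen, nh, _hlim = struct.unpack("!IHBB", pkt[:8])
    if vtf >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {
        "src": ipaddress.IPv6Address(pkt[8:24]),
        "dst": ipaddress.IPv6Address(pkt[24:40]),
        "next_header": nh,
    }


def static_pinhole_allows(hdr: dict, cn_addresses: set) -> bool:
    """Pre-configured pinhole: dst is a known CN and next header is 60.
    The source address is not checked, so any host can reach the CN."""
    return hdr["dst"] in cn_addresses and hdr["next_header"] == NH_DEST_OPTS


def dynamic_pinhole_allows(hdr: dict, bindings: dict) -> bool:
    """Dynamic pinhole: additionally requires the source to be a care-of
    address currently bound to that CN (constructed binding table)."""
    return (hdr["dst"] in bindings
            and hdr["src"] in bindings[hdr["dst"]]
            and hdr["next_header"] == NH_DEST_OPTS)


def build_packet(src: str, dst: str, next_header: int) -> bytes:
    """Construct a minimal header-only IPv6 packet for the demonstration."""
    return (struct.pack("!IHBB", 6 << 28, 0, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)


# Constructed addresses: one pre-configured CN and one MN care-of address.
CN = ipaddress.IPv6Address("2001:db8:1::10")
MN_COA = ipaddress.IPv6Address("2001:db8:2::5")
CN_SET = {CN}
BINDINGS = {CN: {MN_COA}}


def evaluate(src: str, dst: str, nh: int) -> tuple:
    """Return (static_allows, dynamic_allows) for a packet src -> dst."""
    hdr = parse_ipv6_header(build_packet(src, dst, nh))
    return static_pinhole_allows(hdr, CN_SET), dynamic_pinhole_allows(hdr, BINDINGS)
```

<p>A packet from an unrelated host to the CN with next header 60 passes the static pinhole but not the dynamic one, which is the gap the discussion turns on.</p>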
<br>
<br>
</body>
</html>