<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML style="DIRECTION: ltr"><HEAD>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.3199" name=GENERATOR></HEAD>
<BODY style="DIRECTION: ltr" text=#000000 bgColor=#ffffff>
<DIV dir=ltr align=left><SPAN class=298225316-13112007><FONT face=Arial
color=#0000ff size=2>right.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=298225316-13112007><FONT face=Arial
color=#0000ff size=2>the scenario in section 4.4 talks about the CN behind the
FW case, and it is a fair assumption that any user (ie CN) can be contacted by
an MN located outside of the CN's network. So, anyone could be CN at any time,
not only the laptops.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=298225316-13112007><FONT face=Arial
color=#0000ff size=2>So, the statement should be added to this document, and the
dynamic pinhole to the other document.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=298225316-13112007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=298225316-13112007><FONT face=Arial
color=#0000ff size=2>- gabor</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> ext Yaron Sheffer
[mailto:yaronf@checkpoint.com] <BR><B>Sent:</B> Tuesday, November 13, 2007 8:29
AM<BR><B>To:</B> Niklas Steinleitner<BR><B>Cc:</B> Bajko Gabor
(Nokia-SIR/MtView); mip6-firewall@zeke.ecotroph.net<BR><B>Subject:</B> Re:
[Mip6-firewall] New versions of firewall drafts : UPDATE<BR></FONT><BR></DIV>
<DIV></DIV>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm">Hi Niklas,</P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm"><BR></P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm">Virtually all machines are MNs.
In a modern enterprise, 90% of the desktops may be laptops, i.e. mobile
machines.</P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm"><BR></P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm">I certainly agree to: "With a
static pre-configuration solution it is too insecure to install a pinhole which
allow this kind of data traffic to pass through the firewall."</P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm"><BR></P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm">Thanks,</P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm"> Yaron</P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm"><BR></P>
<P style="MARGIN-TOP: 0pt; MARGIN-BOTTOM: 0cm">Niklas Steinleitner
wrote:<BR></P>
<BLOCKQUOTE cite=mid:4739CE8F.2070304@cs.uni-goettingen.de
type="cite">Gabor,<BR>
<BLOCKQUOTE
cite=mid:E5E76343C87BB34ABC6C3FDF3B31272701ACC93C@daebe103.NOE.Nokia.com
type="cite">
<META content="MSHTML 6.00.2900.3199" name=GENERATOR>
<DIV dir=ltr align=left> </DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> <A class=moz-txt-link-abbreviated
href="mailto:mip6-firewall-bounces@zeke.ecotroph.net"
moz-do-not-send="true">mip6-firewall-bounces@zeke.ecotroph.net</A> [<A
class=moz-txt-link-freetext
href="mailto:mip6-firewall-bounces@zeke.ecotroph.net"
moz-do-not-send="true">mailto:mip6-firewall-bounces@zeke.ecotroph.net</A>]
<B>On Behalf Of </B>ext Niklas Steinleitner<BR><B>Sent:</B> Tuesday,
November 13, 2007 6:30 AM<BR><B>To:</B> Suresh Krishnan<BR><B>Cc:</B> <A
class=moz-txt-link-abbreviated href="mailto:mip6-firewall@zeke.ecotroph.net"
moz-do-not-send="true">mip6-firewall@zeke.ecotroph.net</A><BR><B>Subject:</B>
Re: [Mip6-firewall] New versions of firewall drafts :
UPDATE<BR></FONT></DIV>
<UL>
<LI>Section 4.4: </LI></UL>
<DIV>as Gabor already mention, this pinhole doesn't allow the data traffic.
Gabors pinhole includes th dynamic MN CoAddress, therefore is propose to use
the following pinhole as it can be manually pre-configured:<BR></DIV>
<UL>
<LI>Destination address: CN Address </LI></UL>
<UL>
<LI>Next Header: 60 (IPv6 Destination Options Header)
<LI>(Not the best and secured solution, at least better than allow every
kind of traffic to the CN.) <SPAN class=636513915-13112007><FONT
face=Arial color=#0000ff size=2> </FONT></SPAN> </LI></UL>
<DIV><SPAN class=636513915-13112007><FONT face=Arial color=#0000ff
size=2>This is not secure at all. The FW admin does not know in advance
which nodes will become CNs, so it will need to open a pinhole saying that
all packets destined to inside network with next header 60 to pass. You
can't be serious about this.</FONT></SPAN></DIV></BLOCKQUOTE>In the draft we
wrote:<BR>"This section presents the recommendations for configuring a
firewall <B>if a node behind it should be able to act as Mobile IPv6
CN</B>."<BR>Therefore, we can assume that the FW admin known in advance which
node(s) could become an CN and allow only packets with next header 60 for this
addresses.<BR><BR>However, i understand your provisos as i have the same. But
as we already have several kind of insecurities within the draft, so it only
one more which can be also marked as "NOT RECOMMENDED".<BR>Isn't that the
reason why we are looking for a better solution? Or do you prefer to write
something like:<BR>"With a static pre-configuration solution it is too
insecure to install a pinhole which allow this kind of data traffic to pass
through the firewall."<BR><BR>Niklas<BR>
<BLOCKQUOTE
cite=mid:E5E76343C87BB34ABC6C3FDF3B31272701ACC93C@daebe103.NOE.Nokia.com
type="cite">
<DIV><SPAN class=636513915-13112007></SPAN> </DIV>
<DIV><SPAN class=636513915-13112007><FONT face=Arial color=#0000ff size=2>It
should be acknowledged that a static pinhole which preserves the desired
security of the network and the nodes behind the FW can not be installed for
this case. Thus move this section to the other doc and make it dynamic
pinhole, which includes the MN CoA.</FONT></SPAN></DIV>
<DIV><SPAN class=636513915-13112007></SPAN> </DIV>
<DIV><SPAN class=636513915-13112007><FONT face=Arial color=#0000ff size=2>-
gabor</FONT></SPAN></DIV></BLOCKQUOTE><BR><BR><BR><BR>Scanned by Check Point
VPN-1 UTM NGX R65 with Messaging Security <BR><BR><PRE wrap=""><HR width="90%" SIZE=4>
_______________________________________________
Mip6-firewall mailing list
<A class=moz-txt-link-abbreviated href="mailto:Mip6-firewall@zeke.ecotroph.net">Mip6-firewall@zeke.ecotroph.net</A>
<A class=moz-txt-link-freetext href="https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall">https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall</A>
</PRE></BLOCKQUOTE></BODY></HTML>