<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html style="direction: ltr;">
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body style="direction: ltr;" bgcolor="#ffffff" text="#000000">
<p style="margin-bottom: 0cm; margin-top: 0pt;">Sunday doesn't work for
me, I am only landing Sunday 6:30 PM.</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;">I suggest we meet
Monday 15:20-17:40, and if we get carried away we can overflow into the
late afternoon session.</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;">Thanks,</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"> Yaron<br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;"><br>
</p>
<p style="margin-bottom: 0cm; margin-top: 0pt;">QIU Ying wrote:<br>
</p>
<blockquote cite="mid:012201c8316a$141760f0$a389a8c0@precision5570"
type="cite">
<pre wrap="">Monday sounds better.
----- Original Message -----
From: "Vijay Devarapalli" <a class="moz-txt-link-rfc2396E" href="mailto:vijay.devarapalli@azairenet.com">&lt;vijay.devarapalli@azairenet.com&gt;</a>
To: <a class="moz-txt-link-rfc2396E" href="mailto:Gabor.Bajko@nokia.com">&lt;Gabor.Bajko@nokia.com&gt;</a>
Cc: <a class="moz-txt-link-rfc2396E" href="mailto:mip6-firewall@zeke.ecotroph.net">&lt;mip6-firewall@zeke.ecotroph.net&gt;</a>
Sent: Wednesday, November 28, 2007 8:35 AM
Subject: Re: [Mip6-firewall] FW: Latest version of the firewall Drafts
</pre>
<blockquote type="cite">
<pre wrap="">I can join Monday....
Vijay
<a class="moz-txt-link-abbreviated" href="mailto:Gabor.Bajko@nokia.com">Gabor.Bajko@nokia.com</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap=""> sorry, I intended to send it to the list ...
-----Original Message-----
From: Bajko Gabor (Nokia/MtView)
Sent: Tuesday, November 27, 2007 3:35 PM
To: 'ext Yaron Sheffer'
Cc: <a class="moz-txt-link-abbreviated" href="mailto:suresh.krishnan@ericsson.com">suresh.krishnan@ericsson.com</a>
Subject: RE: [Mip6-firewall] Latest version of the firewall Drafts
Hi Yaron,
I am fine with having a meeting discussing these two drafts in
Vancouver. We should agree the day&time and, to make the discussion more
efficient, the list of specific issues to be discussed.
Here are a few possibilities for the day&time:
a) Sunday, December 2nd, any time between 3-9pm
b) Monday, December 3rd, any time between 3-9pm
From the feedback sent to the list so far, Sunday seems to work for
Hannes, Niklas, Suresh and myself, but not for Yaron. What about Monday?
If we want to chat for two hours, we should meet no later than 7pm and
some time should also be reserved to discuss about the next steps
strategies. And Yaron, could you make a list of issues to be discussed
regarding the two existing drafts, and send them to the list beforehand?
All, please indicate your availability for Monday. Yaron, if you'll be
able to make it for Sunday evening, please let us know that too.
- gabor
-----Original Message-----
From: ext Yaron Sheffer [<a class="moz-txt-link-freetext" href="mailto:yaronf@checkpoint.com">mailto:yaronf@checkpoint.com</a>]
Sent: Tuesday, November 20, 2007 3:55 AM
To: Bajko Gabor (Nokia-SIR/MtView)
Cc: <a class="moz-txt-link-abbreviated" href="mailto:suresh.krishnan@ericsson.com">suresh.krishnan@ericsson.com</a>
Subject: Re: [Mip6-firewall] Latest version of the firewall Drafts
Hi Suresh, Gabor,
I suggest that we meet in Vancouver for ~2 hours to brainstorm these two
drafts.
First, I believe that what we classify as vendor functionality can
actually be done by administrators, if the firewall is extensible
enough. I am actually working now to demonstrate this point.
Also, there's a variety of proposals on the table for firewall traversal
*protocols*. There are also a number of reasons why such protocols have
not been used in the past and will be hard to deploy in the future. So I
think a much more practical avenue would be small tweaks to MIPv6, so
that the firewall can open the right pinholes and the pinholes are as
tight as possible. Realistically, there is so little adoption of MIPv6
today that such tweaks should still be possible.
I am actually in favor of firewall traversal protocols, but I view them
as longer-term solutions. Making the secure adoption of MIPv6
conditional on them is in my opinion a mistake.
Please let me know if this makes sense.
Thanks,
Yaron
<a class="moz-txt-link-abbreviated" href="mailto:Gabor.Bajko@nokia.com">Gabor.Bajko@nokia.com</a> wrote:
</pre>
<blockquote type="cite">
<pre wrap="">Suresh,

I would have had a few more issues, but I saw you rushed to submit the
documents ...

Anyway, here are some issues which would need to be clarified at some
point in the drafts:

firewall-admin draft:

The abstract and intro section do not say that the static
configuration by itself is not enough to enable mip6 signalling and
data traffic for all scenarios.

Suggested remedy:
Replace the abstract section with this:

"This document presents some recommendations for firewall
administrators to help them configure their existing firewalls in a
way that allows in certain deployment scenarios the Mobile IPv6
signaling and data messages to pass through. For other scenarios, the
support of additional mechanisms to create pinholes required for MIPv6
will be necessary. This document assumes that the firewalls in
question include some kind of stateful packet filtering capability."

And the 2nd paragraph of the intro with this:

"This document presents some recommendations for firewall
administrators to help them configure their firewalls in a way that
allows in certain deployment scenarios the Mobile IPv6 signaling
and data messages to pass through. This document assumes that the
firewalls in question include some kind of stateful packet filtering
capability.
The static rules that need to be configured are described in this
document. In some scenarios, the support of additional mechanisms to
create pinholes required for MIPv6 signalling and data traffic to pass
through will be necessary.
A possible solution, describing the dynamic capabilities needed for
the firewalls to create pinholes based on MIPv6 signalling traffic is
described in a companion document [MIP6FWVENDOR]. Other solutions may
also be possible."

It is important to emphasize that creation of pinholes based on MIPv6
traffic snooping is not the only possible solution.

The sentence "Since MNs do not usually provide
services, this is not usually a problem." from 3.3 should be
deleted, as it is not true any more.

Section 4.4:
The solution described in [MIP6FWVENDOR] is only one possible
solution.
There should not be such a strong link between the documents. Modify
the sentence: "The stateful
firewall rules specified in [MIP6FWVENDOR] will open a pinhole for
this traffic."
To: "A dynamically created pinhole like the one e.g. in [MIP6FWVENDOR]
will open a pinhole for this traffic."

Section 4.5: creating a dynamic pinhole similar to the ones created in
section 5 of the vendor draft, but using the MN's HoA instead of the
CoA would solve this problem too. And add a sentence to the end of the
section: "This practice is NOT RECOMMENDED, instead a dynamically
created pinhole like the one e.g. in [MIP6FWVENDOR] will open a
pinhole for this traffic."

Firewall-vendor draft:

Section 5: Create a pinhole for the bi-directional tunnelled traffic
as suggested above.
- gabor
-----Original Message-----
From: <a class="moz-txt-link-abbreviated" href="mailto:mip6-firewall-bounces@zeke.ecotroph.net">mip6-firewall-bounces@zeke.ecotroph.net</a>
[<a class="moz-txt-link-freetext" href="mailto:mip6-firewall-bounces@zeke.ecotroph.net">mailto:mip6-firewall-bounces@zeke.ecotroph.net</a>] On Behalf Of ext
Suresh Krishnan
Sent: Thursday, November 15, 2007 3:52 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:mip6-firewall@zeke.ecotroph.net">mip6-firewall@zeke.ecotroph.net</a>
Subject: [Mip6-firewall] Latest version of the firewall Drafts
Hi Folks,
I have enclosed the latest version of the firewall drafts. I
believe I have addressed all the comments I received. Please let me
know if you have any comments. I will submit the drafts this weekend
if there are no comments.
Cheers
Suresh
_______________________________________________
Mip6-firewall mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Mip6-firewall@zeke.ecotroph.net">Mip6-firewall@zeke.ecotroph.net</a>
<a class="moz-txt-link-freetext" href="https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall">https://zeke.ecotroph.net/mailman/listinfo/mip6-firewall</a>
Scanned by Check Point Total Security
</pre>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</body>
</html>