[MEXT] Review of I-Ds draft-ietf-mext-firewall-vendor and draft-ietf-mext-firewall-admin

[<Basavaraj.Patil@nokia.com>]

My review comments about the following two I-Ds are below:

1. draft-ietf-mext-firewall-vendor-01
2. draft-ietf-mext-firewall-admin-01

The scope of the above I-Ds is restricted to Mobile IPv6 (RFC3775)
only. It would be much more useful to specify the guidelines for
firewall administrators and firewall implementers for the DSMIP6
protocol
(http://www.ietf.org/internet-drafts/draft-ietf-mext-nemo-v4traversal-10.txt
)
instead. DSMIP6 is much more practical in terms of real-world
deployments and hence the WG is better off specifying the firewall
considerations for DSMIP6. IMO it is time better spent and the
document much more useful if it were to include the rules for the
firewalls w.r.t DSMIP6.

1. draft-mext-firewall-vendor:

- The intent of this I-D is to simply specify the implications of
  Mobile IPv6 signaling and user data on firewalls. The statement :
  "This document describes how to implement stateful packet filtering
  capability for MIPv6" needs to be modified accordingly.

- The draft notes that signaling messages can be encrypted. However it
  does not capture the details of RFC4877 which explains the security
  for the signaling messages using ESP in transport and tunnel
  modes. The I-D needs to consider both these approaches in terms of
  the rules at the firewall.

- The I-D does not consider the DHAAD signaling messages. For
  completeness it should be included. (Use of DHAAD is an ogoing
  discussion in the context of 3775bis).

- The firewall rules in the case of DSMIP6 where the signaling and
  user data are encapsulated in IPv4 (and using UDP encapsulation in
  the case where the MN is behind a NAT) should be covered. The packet
  format as seen by the FW in various scenarios should be specified
  with the associated processing details.

- The I-D does not mention any rules to allow IKEv2 signaling between
  the MN and HA. Would be good to specify these rules as well. It is
  however covered in the fw-admin I-D.

- In the security considerations the I-D states:
  "In a typical enterprise environment, an administrator cannot
   distinguish Mobile IPv6 capable nodes from other nodes.  In such a
   situation any node in the protected network may end up receiving
   unsolicited packets from outside the firewall."
   With the proper FW rules packets would only be forwarded to the
  HA. I dont see how this vulnerability would exist. Can you elaborate
  further on this? Would'nt there be another firewall between the HA
  and the hosts in the enterprise domain as well with enterprise
  specific rules?

- It would be useful to have some figures which show the FWs that
  could be encountered between an MN-HA-CN. Rules which would apply to
  different FWs need to be specified explicitly.
  For example in the case of RO, the FW in front of an HA only needs
  to handle the RO signaling messages. But the FWs that are in the MN
  or CNs access networks may need to create pinholes for the RO
  traffic between the MN and CN.

2. draft-ietf-mext-firewall-admin-01

- Would be good to consider DSMIP6 as the baseline protocol for
  firewalls to deal with

- Again, the I-D needs to consider the transport and tunnel mode ESP
  options for signaling

- If the user data is also secured with IPsec, what are the rules at
  the FW?

-Basavaraj