Re: [MEXT] feedback on draft-ietf-firewall-[vendor|admin]-05
Suresh Krishnan <suresh.krishnan@ericsson.com> Tue, 29 November 2011 21:22 UTC
Return-Path: <suresh.krishnan@ericsson.com>
X-Original-To: mext@ietfa.amsl.com
Delivered-To: mext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C865911E80D0 for <mext@ietfa.amsl.com>; Tue, 29 Nov 2011 13:22:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -104.41
X-Spam-Level:
X-Spam-Status: No, score=-104.41 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DATE_IN_FUTURE_12_24=2.189, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QfXe4rju3iAL for <mext@ietfa.amsl.com>; Tue, 29 Nov 2011 13:22:17 -0800 (PST)
Received: from imr4.ericy.com (imr4.ericy.com [198.24.6.9]) by ietfa.amsl.com (Postfix) with ESMTP id 143B111E80C4 for <mext@ietf.org>; Tue, 29 Nov 2011 13:22:17 -0800 (PST)
Received: from eusaamw0711.eamcs.ericsson.se ([147.117.20.178]) by imr4.ericy.com (8.14.3/8.14.3/Debian-9.1ubuntu1) with ESMTP id pATLL9A8022984; Tue, 29 Nov 2011 15:21:43 -0600
Received: from [142.133.10.111] (147.117.20.214) by smtps-am.internal.ericsson.com (147.117.20.178) with Microsoft SMTP Server (TLS) id 8.3.137.0; Tue, 29 Nov 2011 16:21:22 -0500
Message-ID: <4ED69E3E.4000200@ericsson.com>
Date: Wed, 30 Nov 2011 16:21:02 -0500
From: Suresh Krishnan <suresh.krishnan@ericsson.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
To: Marc Lampo <marc.lampo@eurid.eu>
References: <006901ccada5$d8644200$892cc600$@lampo@eurid.eu>
In-Reply-To: <006901ccada5$d8644200$892cc600$@lampo@eurid.eu>
X-Enigmail-Version: 1.3.3
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: 7bit
Cc: "mext@ietf.org" <mext@ietf.org>
Subject: Re: [MEXT] feedback on draft-ietf-firewall-[vendor|admin]-05
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Nov 2011 21:22:17 -0000
Hi Marc, Thanks for your comments. Please see responses inline. On 11/28/2011 03:15 AM, Marc Lampo wrote: > Hello, > > Looking at the list archive, I see no comments on these drafts, published > October 17th. > Nor do I find any traces of discussions on IETF-82. > > However, from a security point of view, I do have a remark. > In both drafts, the "Security Considerations" state : > (quoting extracts) > ... "recommends a liberal setting of firewall rules" ... > ... "some malicious traffic may be permitted" ... > ... "allow the initiation of Denial of Service attacks against Mobile IPv6 > capable nodes" ... This selective quoting misses out the context. This text only refers to MIPv6 *signaling* traffic that is *encrypted*. I am not sure what more can be done here. If you get an encrypted packet at a firewall, you can either drop it or allow it to pass. > > Is this acceptable ? > Being concerned with security, I'd say that these statements as "Security > Considerations" > might lead to the conclusion that these mobility extensions cannot be > used, in practice ?! > > We hear that mobile networks might be the first to be IPv6 only (if there > aren't already such networks around) > --> IPv6 only in mobile nets : the target for Mobility Extensions > We see that more and more banks offer clients for smartphones for Internet > banking > --> the "correspondent node" might very well be in some bank's DMZ These blanket IPsec rules are applicable only for packets to/from the HA address and not any arbitrary address. They are not relevant to the CNs. > > ??? if they, bank security admins, will accept to setup security devices > in such a way that "firewall rules are liberal" > and "potentially allow that DOS attacks are started" ??? I am not getting the reference to bank security admins here. The encrypted packets are between the HA and the MN. So the firewalls that need to handle them are in the home network (housing the HA) and the network to which the MN is attached. > > It is my impression that, to put mobility information so "deep" in the > stack > - as "extension header" with IPPROTO_NONE in the next header field - > implies that security infrastructure will need quite some CPU resources > to work its way through them. > Wouldn't it have been wiser to assign a (UDP ?) portnumber to the Mobility > "application" ? This is how it is done for DSMIPv6 (port 4191) as described in Section 4.1. Thanks Suresh
- [MEXT] feedback on draft-ietf-firewall-[vendor|ad… Marc Lampo
- Re: [MEXT] feedback on draft-ietf-firewall-[vendo… Basavaraj.Patil
- Re: [MEXT] feedback on draft-ietf-firewall-[vendo… Suresh Krishnan