[Mip6] Review of draft-ietf-mip6-firewalls-00.txt (with reference to draft-chen-mip6-gprs-02.txt)
"James Kempf" <kempf@docomolabs-usa.com> Fri, 22 October 2004 23:38 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA14024 for <mip6-web-archive@ietf.org>; Fri, 22 Oct 2004 19:38:54 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CL9Ci-0000mE-Lc for mip6-web-archive@ietf.org; Fri, 22 Oct 2004 19:52:17 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CL8ox-000200-M9; Fri, 22 Oct 2004 19:27:43 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CL8hU-0005tf-Ba for mip6@megatron.ietf.org; Fri, 22 Oct 2004 19:20:00 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id TAA12478 for <mip6@ietf.org>; Fri, 22 Oct 2004 19:19:58 -0400 (EDT)
Received: from key1.docomolabs-usa.com ([216.98.102.225] helo=fridge.docomolabs-usa.com ident=fwuser) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CL8uE-0000KH-Tu for mip6@ietf.org; Fri, 22 Oct 2004 19:33:21 -0400
Message-ID: <006601c4b88d$bf0c7260$5d6015ac@dcml.docomolabsusa.com>
From: James Kempf <kempf@docomolabs-usa.com>
To: mip6@ietf.org
Date: Fri, 22 Oct 2004 16:20:36 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 00e94c813bef7832af255170dca19e36
Content-Transfer-Encoding: 7bit
Subject: [Mip6] Review of draft-ietf-mip6-firewalls-00.txt (with reference to draft-chen-mip6-gprs-02.txt)
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Sender: mip6-bounces@ietf.org
Errors-To: mip6-bounces@ietf.org
X-Spam-Score: 0.0 (/)
X-Scan-Signature: d185fa790257f526fedfd5d01ed9c976
Content-Transfer-Encoding: 7bit
I believe this draft is in last call at the moment. It seems to have been a "stealth" WG draft, since it was never listed on the WG Web page until recently. I also personally cannot recall having seen a concensus call on the mailing list to make it a WG draft, but perhaps that might be due to a lapse of memory on my part or an over-eager spam filter on my laptop's. In any case, the draft does deal with a problem that needs attention for successful deployment. In fact, draft-chen-mip6-gprs-02.txt represents a specific instantiation in GPRS of the general problem discussed in draft-ietf-mip6-firewalls. As a general comment, I believe draft-ietf-mip6-firewalls-00.txt is lacking precision in its description of the problem. One need only look at draft-chen-mip6-gprs-02.txt for an excellent example of how to more precisely describe the interaction between firewalls and MIPv6 packets, the firewall in that case being a GGSN. draft-chen goes through a few cases in very specific detail. The description, to be sure, is very specific to GPRS but draft-chen does a much better job of describing the problem than draft-ietf-mip6-firewalls. One way this draft could be made more readable is to organize it more like draft-chen, including all the cases of placement of the MN, HA, and CN. The current draft-ietf-mip6-firewalls has specific sections in 3.1, where the MN is outside and stays outside, and 3.2 in which the MN is inside and stays inside. Even for those cases the discussion is made somewhat vague by lack of specific description of the addresses involved and what state is established (or not) in the firewall when, something that draft-chen does very well. However, in draft-ietf-mip6-firewalls the discussion of the more complex case when an MN moves from outside a firewall to inside is somewhat muddied and vague in Section 3.2.2. This case is especially in need of very explict consideration of addresses and firewall state, and very clear explanation of the problem. Specific comments: Section 3.2.2, starting about Paragraph 3: the description of why packets forwarded between the HA and MN might get dropped is not very clear. The problem seems to be that when a MN roams into an area of network topology controlled by a stateful firewall, there is no state in the firewall corresponding to (HA src addr, MN CoA dest addr). But this is never specifically articulated. Section 3.2.2, Paragraph 8: This point is true for any case where a session is initiated from outside the firewall, for example, an incoming VoIP call started by SIP. Why is MIPv6 any different? Section 3.2.2, Paragraph 10: The discussion doesn't consider the distinction between a TCP and UDP session. Earlier in the text, the description of the state maintained in the firewall implies a distinction. But if a MIPv6 host is receiving TCP packets tunneled from the HA, then the firewall state will be for UDP (presuming it is set up at all). The firewall timers for UDP may interact negatively with the MN's TCP timeouts, and there may be other problems. Section 3.2.3, Paragraph 5: This paragraph is not only true of RR packets but also of BU packets if the MN chooses to use ESP encryption for them as well. Consequently, it should be discussed in a separate section not specifically devoted to RR. Section 3.2.3, Paragraph 7: This paragraph is implying that the problem may be due to the lack of ability to detect firewalls. IPsec can deal with NATs because they can be detected. Why not simply come out and say this? Having the ability to detect and negotiate with a firewall is something that the IETF has (in my opinion) been needing for some time, and MIP only makes the case stronger. In summary, I believe this draft needs a lot of work before it is ready to be sent to the IESG. I'd suggest the authors may want to talk to the authors of draft-chen about merging the two. jak _______________________________________________ Mip6 mailing list Mip6@ietf.org https://www1.ietf.org/mailman/listinfo/mip6