RE: [Mip6] Review of draft-ietf-mip6-firewalls-00.txt (with referenceto draft-chen-mip6-gprs-02.txt)
Franck.Le@nokia.com Mon, 25 October 2004 22:50 UTC
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id SAA06012 for <mip6-web-archive@ietf.org>; Mon, 25 Oct 2004 18:50:55 -0400 (EDT)
Received: from megatron.ietf.org ([132.151.6.71]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CMDta-0000HA-2h for mip6-web-archive@ietf.org; Mon, 25 Oct 2004 19:04:58 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CMBTq-0003gm-Fm; Mon, 25 Oct 2004 16:30:14 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1CMB4r-0006FE-El for mip6@megatron.ietf.org; Mon, 25 Oct 2004 16:04:25 -0400
Received: from ietf-mx.ietf.org (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA29454 for <mip6@ietf.org>; Mon, 25 Oct 2004 16:04:23 -0400 (EDT)
From: Franck.Le@nokia.com
Received: from mgw-x1.nokia.com ([131.228.20.21]) by ietf-mx.ietf.org with esmtp (Exim 4.33) id 1CMBIM-0006OR-Vi for mip6@ietf.org; Mon, 25 Oct 2004 16:18:23 -0400
Received: from esdks001.ntc.nokia.com (esdks001.ntc.nokia.com [172.21.138.120]) by mgw-x1.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i9PK4K303300; Mon, 25 Oct 2004 23:04:22 +0300 (EET DST)
X-Scanned: Mon, 25 Oct 2004 23:03:03 +0300 Nokia Message Protector V1.3.31 2004060815 - RELEASE
Received: (from root@localhost) by esdks001.ntc.nokia.com (8.12.9/8.12.9) id i9PK338V026946; Mon, 25 Oct 2004 23:03:03 +0300
Received: from mgw-int1.ntc.nokia.com (172.21.143.96) by esdks001.ntc.nokia.com 00TbWLer; Mon, 25 Oct 2004 23:03:01 EEST
Received: from daebh002.NOE.Nokia.com (daebh002.americas.nokia.com [10.241.35.122]) by mgw-int1.ntc.nokia.com (Switch-2.2.8/Switch-2.2.8) with ESMTP id i9PK2ra01545; Mon, 25 Oct 2004 23:02:53 +0300 (EET DST)
Received: from daebe007.NOE.Nokia.com ([10.241.35.107]) by daebh002.NOE.Nokia.com with Microsoft SMTPSVC(5.0.2195.6881); Mon, 25 Oct 2004 15:02:16 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.0.6487.1
content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: RE: [Mip6] Review of draft-ietf-mip6-firewalls-00.txt (with referenceto draft-chen-mip6-gprs-02.txt)
Date: Mon, 25 Oct 2004 15:02:16 -0500
Message-ID: <57A26D272F67A743952F6B4371B8F811017CA9BD@daebe007.americas.nokia.com>
Thread-Topic: [Mip6] Review of draft-ietf-mip6-firewalls-00.txt (with referenceto draft-chen-mip6-gprs-02.txt)
Thread-Index: AcS4kHiDtK3VvqSHTliOwcXO3LvzhgCOjMnQ
To: kempf@docomolabs-usa.com, mip6@ietf.org
X-OriginalArrivalTime: 25 Oct 2004 20:02:16.0504 (UTC) FILETIME=[86C07B80:01C4BACD]
X-Spam-Score: 0.3 (/)
X-Scan-Signature: 2086112c730e13d5955355df27e3074b
Content-Transfer-Encoding: quoted-printable
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: mip6.ietf.org
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
Sender: mip6-bounces@ietf.org
Errors-To: mip6-bounces@ietf.org
X-Spam-Score: 0.3 (/)
X-Scan-Signature: 22bbb45ef41b733eb2d03ee71ece8243
Content-Transfer-Encoding: quoted-printable
Hello James, Thank you for your suggestions. Please find some comments below, > One way this draft could be made more readable is to organize > it more like > draft-chen, including all the cases of placement of the MN, > HA, and CN. The > current draft-ietf-mip6-firewalls has specific sections in > 3.1, where the MN > is outside and stays outside, and 3.2 in which the MN is > inside and stays > inside. Even for those cases the discussion is made somewhat > vague by lack > of specific description of the addresses involved and what state is > established (or not) in the firewall when, something that > draft-chen does > very well. However, in draft-ietf-mip6-firewalls the > discussion of the more > complex case when an MN moves from outside a firewall to > inside is somewhat > muddied and vague in Section 3.2.2. This case is especially > in need of very > explict consideration of addresses and firewall state, and very clear > explanation of the problem. For the description of the problem (e.g. mismatch between the firewall states and incoming packets), we tried to explicitely describe them. As an example, to quote section 3.1.1: "The state created by the stateful inspection packet filter protecting A is therefore initially based on the IP address of A(IP A) and the home address of the node B (IP HoA B)." then "The Care of Test Init message is sent using the new CoA of B as the source address. Such a packet does not match any entry in the firewall protecting A and as described in Section 2, the CoTi message will thus be dropped by the firewall." If you want to make it clearer, would you have any suggestion? For the other scenarios you pointed out, I agree with you. They are not in the scope of the document. We described some of the issues, and specifically focused on the basic ones. I will add an explicit statement in the document to explain that the scenarios you mentioned are not included. > Specific comments: > > Section 3.2.2, starting about Paragraph 3: the description of > why packets > forwarded between the HA and MN might get dropped is not very > clear. The > problem seems to be that when a MN roams into an area of > network topology > controlled by a stateful firewall, there is no state in the firewall > corresponding to (HA src addr, MN CoA dest addr). But this is never > specifically articulated. Thank you for your comment. I will try to make it clearer in the next version of the document. > Section 3.2.2, Paragraph 8: This point is true for any case > where a session > is initiated from outside the firewall, for example, an > incoming VoIP call > started by SIP. Why is MIPv6 any different? Sorry if that section is not clear. MIPv6 is not different. What we wanted to say is that while MIPv6 has been designed to allow reachability even when the MN roams (thanks to the HoA and HA), firewalls may present issues to this property. I will try to clarify our intent in this section. > Section 3.2.2, Paragraph 10: The discussion doesn't consider > the distinction > between a TCP and UDP session. Earlier in the text, the > description of the > state maintained in the firewall implies a distinction. But > if a MIPv6 host > is receiving TCP packets tunneled from the HA, then the > firewall state will > be for UDP (presuming it is set up at all). The firewall > timers for UDP may > interact negatively with the MN's TCP timeouts, and there may be other > problems. Can you please clarify what you mean? > Section 3.2.3, Paragraph 5: This paragraph is not only true > of RR packets > but also of BU packets if the MN chooses to use ESP > encryption for them as > well. Consequently, it should be discussed in a separate section not > specifically devoted to RR. The problem with IPsec is described in section 3.2.1. We can add a reference. > Section 3.2.3, Paragraph 7: This paragraph is implying that > the problem may > be due to the lack of ability to detect firewalls. IPsec can > deal with NATs > because they can be detected. Why not simply come out and say > this? Having > the ability to detect and negotiate with a firewall is > something that the > IETF has (in my opinion) been needing for some time, and MIP > only makes the > case stronger. The ability to detect firewalls could help to solve the issue. We will mention it in the next version of the draft. > In summary, I believe this draft needs a lot of work before > it is ready to > be sent to the IESG. I'd suggest the authors may want to talk > to the authors > of draft-chen about merging the two. We are aware of the draft-chen but draft-ietf-mip6-firewalls is more generic and applicable to firewalls in general. Xiabao's I-D is focused on GPRS aspects. Thanking you again for your comments, Franck _______________________________________________ Mip6 mailing list Mip6@ietf.org https://www1.ietf.org/mailman/listinfo/mip6
- RE: [Mip6] Review of draft-ietf-mip6-firewalls-00… Basavaraj.Patil
- Re: [Mip6] Review of draft-ietf-mip6-firewalls-00… James Kempf
- RE: [Mip6] Review of draft-ietf-mip6-firewalls-00… Franck.Le
- Re: [Mip6] Review of draft-ietf-mip6-firewalls-00… James Kempf
- RE: [Mip6] Review of draft-ietf-mip6-firewalls-00… Franck.Le
- Re: [Mip6] Review of draft-ietf-mip6-firewalls-00… James Kempf
- RE: [Mip6] Review of draft-ietf-mip6-firewalls-00… Franck.Le