Re: [MEXT] firewall docs review
"QIU Ying" <qiuying@i2r.a-star.edu.sg> Wed, 20 February 2008 06:50 UTC
Return-Path: <mext-bounces@ietf.org>
X-Original-To: ietfarch-nemo-archive@core3.amsl.com
Delivered-To: ietfarch-nemo-archive@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 09D1828C41D; Tue, 19 Feb 2008 22:50:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.045
X-Spam-Level:
X-Spam-Status: No, score=0.045 tagged_above=-999 required=5 tests=[AWL=-0.118, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_ORG=0.611, J_CHICKENPOX_26=0.6, RDNS_NONE=0.1]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VTpQoHdd17LK; Tue, 19 Feb 2008 22:50:16 -0800 (PST)
Received: from core3.amsl.com (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id D8A6F3A6D50; Tue, 19 Feb 2008 22:50:16 -0800 (PST)
X-Original-To: mext@core3.amsl.com
Delivered-To: mext@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B04233A6860 for <mext@core3.amsl.com>; Tue, 19 Feb 2008 22:50:15 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pgCdStRVD6dH for <mext@core3.amsl.com>; Tue, 19 Feb 2008 22:50:13 -0800 (PST)
Received: from rodin.i2r.a-star.edu.sg (rodin.i2r.a-star.edu.sg [192.122.139.27]) by core3.amsl.com (Postfix) with ESMTP id 0D30A3A6D50 for <mext@ietf.org>; Tue, 19 Feb 2008 22:50:12 -0800 (PST)
Received: from rodin.i2r.a-star.edu.sg (unknown [127.0.0.1]) by IMSA (Postfix) with ESMTP id BBB9A13B66D; Tue, 19 Feb 2008 21:24:03 +0800 (SGT)
Received: from mailfe01.teak.local.net (unknown [192.122.134.9]) by rodin.i2r.a-star.edu.sg (Postfix) with ESMTP id AD41413B666; Tue, 19 Feb 2008 21:24:03 +0800 (SGT)
Received: from precision5570 ([192.168.137.53]) by mailfe01.teak.local.net with Microsoft SMTPSVC(6.0.3790.1830); Wed, 20 Feb 2008 14:49:19 +0800
Message-ID: <003a01c8738c$d4656690$3589a8c0@precision5570>
From: QIU Ying <qiuying@i2r.a-star.edu.sg>
To: RYUJI WAKIKAWA <ryuji.wakikawa@gmail.com>
References: <7C5C82DC-66BA-4C6E-9195-4B773C8D3542@gmail.com> <003201c8721d$0ae7f190$3589a8c0@precision5570> <950BDB72-2EF2-4C61-AA25-40059B1F1D04@gmail.com>
Date: Wed, 20 Feb 2008 14:50:07 +0800
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
X-OriginalArrivalTime: 20 Feb 2008 06:49:19.0665 (UTC) FILETIME=[B7D1BA10:01C8738C]
Cc: mext@ietf.org
Subject: Re: [MEXT] firewall docs review
X-BeenThere: mext@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Mobile IPv6 EXTensions WG <mext.ietf.org>
List-Unsubscribe: <http://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/mext>
List-Post: <mailto:mext@ietf.org>
List-Help: <mailto:mext-request@ietf.org?subject=help>
List-Subscribe: <http://www.ietf.org/mailman/listinfo/mext>, <mailto:mext-request@ietf.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: mext-bounces@ietf.org
Errors-To: mext-bounces@ietf.org
Hi, Ryuji On February 19, 2008 11:00 AM, RYUJI WAKIKAWA wrote > Hi, Qiu > > On 2008/02/18, at 19:57, QIU Ying wrote: > >> Hi, Ryuji >> >> Thanks for your comments. My response is inline. >> >> ----- Original Message ----- "RYUJI WAKIKAWA" wrote >> >> >>> Hi Suresh and authors, >>> >>> I was asked to review draft-krishnan-mip6-firewall-admin-02 and >>> draft-krishnan-mip6-firewall-vendor-02. >>> >>> - Can current filtering mechanism check the IP options field?! >> >> No. Current firewall filter does not support to check the IP options >> field. > > It's up to implementation, isn't it? > I can easily setup the firewall with PC which can check the IP options... > Which firewall products are you assuming? > > Are there substantial reasons to say NO here? Do you mean to use the filter of routing header? If I am not wrong, the current ip6tables (e.g. in Linux) only support route header in type 0. But the formats between type 0 and type 2 route header are a bit of difference. It's why we should suggest the modification in vendor-draft instead of the admin-draft. Anyway, if most current firewalls already implement this feature, we should mention it in admin-draft > >> >>> If yes, the document should mention which IP options are appeared >>> for which packets. >>> An example is DST Opt for BU and RTHDR for BA. >>> Otherwise, the operator might just block all the packets having >>> RTHDR option regardless of BA. >>> >>> For example, in section 3.1 of draft-admin , >>> Destination Address: Address of HA >>> <-- adding Dest >>> option (HoA option)? >>> Next Header: 50 (ESP) >>> Mobility Header Type: 5 (BU) >> >> For draft-admin, which purpose is BCP, so we could not solicit the >> function here. But we could provide the filter in draft-vender. >> >>> >>> - missing authentication option and DSMIP support? >>> DSMIP will introduce much complexity to firewall setup. >> >> The target of these two draft is to make MIP6 signalling pass through >> the firewalls. So, in my opinion, the issue of authentication and DSMIP >> might be out of the scope. > > DSMIP seems to be adapted to many deployment case. > why not:-) In my opinion, the dual stack issues are more focused on the process on the two-peers of communication. A firewall, which is located on middle-way, is just take care the IP headers. A traffic packet is either IPv4 packet or IPv6 packet no matter if it includes dual stock information. So I do not think it was necessary to require a firewall to detect the dual stack information. These 2 drafts are about the modification of IPv6 firewall. If IPv4 issues should be considered too, we could raise other drafts Regards Qiu Ying > > ryuji > >>> >>> - RO is optional in the RFC3775. I am not sure you can treat >>> RO signaling as same as the BU/BA for firewall filters setup. >>> It might be good if you provide the minimum set of rules (BU/BA >>> only) >>> and the full set of rules (All MH signaling). >> >> Good comments. >> >> Regards and Thanks >> Qiu Ying >> >> >>> >>> - why are these two separate documents? >>> >>> regards, >>> ryuji >>> _______________________________________________ >>> MEXT mailing list >>> MEXT@ietf.org >>> http://www.ietf.org/mailman/listinfo/mext ------------ Institute For Infocomm Research - Disclaimer -------------This email is confidential and may be privileged. If you are not the intended recipient, please delete it and notify us immediately. Please do not copy or use it for any purpose, or disclose its contents to any other person. Thank you.-------------------------------------------------------- _______________________________________________ MEXT mailing list MEXT@ietf.org http://www.ietf.org/mailman/listinfo/mext
- [MEXT] firewall docs review RYUJI WAKIKAWA
- Re: [MEXT] firewall docs review QIU Ying
- Re: [MEXT] firewall docs review RYUJI WAKIKAWA
- Re: [MEXT] firewall docs review QIU Ying