Firewall friendly RRT for MIPv6
Gabor Bajko, Franck Le
draft-bajko-mip6-rrtfw-00.txt

RFC 4487: Mobile IPv6 and Firewalls: Problem Statement
Outlines two sets of problems:
• firewall between the MN and its HA
  • BU/BA uses IPsec ESP, firewalls will drop
  • Use UDP encapsulation?
  • Not addressed in the current proposal
• firewall between the MN and CN
  • Proposes a modified RRT to get RRT and RO through the firewall

Firewall between the MN and CN
• HoTI is coming from an already trusted source, the MN HoA
• When the MN moves and initiates a new RRT, the CoTI will arrive at the FW from an untrusted source and be dropped.
• RRT will fail as the CoTI will never be received by the CN
[Figure: MN, HA, FW and CN; labels HoTI, CoTI and X (dropped); network(s) protected by FW(s)]

Solution
• CoTI-FW would carry the CoA of the MN to the CN in a MO
• Otherwise similar to CoTI
• New Mobility Options required to carry the CoA of the MN
[Figure: message sequence between MN, HA and CN through the FWs: HoTI; CoTI dropped (X) at the FW; HoT; CoT not sent (as CoTI was not received by the CN); timeout waiting for CoT; then CoTI-FW and CoT]

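The failure and the fix described on the two slides above, as an added Python model that is not taken from the slides or the draft. The addresses, the firewall's trusted-source rule, the `coa_option` field, and the assumptions that CoTI-FW reaches the firewall with the HoA as its source and that the CN sends CoT to the carried CoA are all illustrative.

```python
# Added illustration: toy model of the RRT failure and the CoTI-FW variant.
# Addresses, the trust rule and the coa_option field are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

HOA = "2001:db8:1::10"   # MN home address (constructed)
COA = "2001:db8:2::10"   # MN care-of address after moving (constructed)

@dataclass
class Msg:
    kind: str                         # "HoTI", "CoTI" or "CoTI-FW"
    src: str                          # source address the firewall sees
    coa_option: Optional[str] = None  # hypothetical mobility option carrying the CoA

class Firewall:
    """Admits inbound mobility messages only from already trusted sources."""
    def __init__(self, trusted):
        self.trusted = set(trusted)

    def permits(self, msg):
        return msg.src in self.trusted

def cn_reply(msg):
    """Return (reply, destination) the CN would send, or None."""
    if msg.kind == "HoTI":
        return ("HoT", msg.src)
    if msg.kind == "CoTI":
        return ("CoT", msg.src)
    if msg.kind == "CoTI-FW" and msg.coa_option:
        return ("CoT", msg.coa_option)   # assumption: CoT goes to the carried CoA
    return None

def run_rrt(messages, trusted):
    """Pass each message through the FW to the CN; report drops and replies."""
    fw, dropped, replies = Firewall(trusted), [], []
    for msg in messages:
        if not fw.permits(msg):
            dropped.append(msg.kind)
            continue
        reply = cn_reply(msg)
        if reply:
            replies.append(reply)
    complete = {"HoT", "CoT"} <= {kind for kind, _ in replies}
    return {"dropped": dropped, "replies": replies, "complete": complete}

STANDARD = [Msg("HoTI", HOA), Msg("CoTI", COA)]
MODIFIED = [Msg("HoTI", HOA), Msg("CoTI-FW", HOA, coa_option=COA)]

if __name__ == "__main__":
    for name, flow in (("standard RRT", STANDARD), ("RRT with CoTI-FW", MODIFIED)):
        print(name, run_rrt(flow, trusted={HOA}))
```
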
Conclusion
• A document containing recommendations for MIPv6 friendly Firewall configurations might be useful
• Modified, firewall friendly RRT procedure
Question
• Is the WG interested in this problem space?