Re: [MEXT] Regarding realistic deployment and operations of Mobile-IP.

Hi,

2008/2/15, Ivancic, William D. (GRC-RCN0) <william.d.ivancic at nasa.gov>:
> (This message has been cross posted to Operational Security Capabilities
>  for IP Network Infrastructure (opsec) in hopes of getting some response
>  from firewall administrators)
>
>
>  Regarding realistic deployment and operations of Mobile-IP.
>
>  Two documents were reviewed:
>
>  Guidelines for firewall vendors regarding MIPv6 traffic
>  draft-krishnan-mip6-firewall-vendor-02
>
>  and
>
>  Guidelines for firewall administrators regarding MIPv6 traffic
>  draft-krishnan-mip6-firewall-admin-02
>
>  These two documents provide a "technical" solution to enabling
>  Mobile-IPv6 to operate through firewalls.  In all cases, some security
>  has to be relaxed to enable operation.
>
>  In my experience there are three elements to all network design:  the
>  architecture, the protocol and the policy.  These two documents assume a
>  firewall is in place for security and how to generically configure that
>  firewall.
>
>  Item #1:
>  ==========
>  Perhaps a document is needed to address the policy and architecture
>  portions of mobile-ip operations.  For example:
>
>  If my policy states no IPsec can pass the firewall, IKEv2 is dead and so
>  is MIPv6 which uses IKEv2.  Now, if I architect the network such that
>  all mobile units allowed to operate through the firewall are on specific
>  networks within my corporate network, I may be able to get the policy
>  makers to modify policy as I have reduced the security risks relative to
>  the overall corporate network.

IMO, this is already the case (i.e. base your security policy on the
HoA, or more precisely, on the range of addresses on which the HoAs
are based).

>
>  Question #1:  Is it realistic to believe that security policy will be
>  modified to enable capabilities such as mobile-ip in a corporate network?

IMO again, this is an optimization (e.g. the FW could allow, in a
first step, only IKEv2 exchanges and incoming BUs. After, when the FW
sees an outgoing BA, it allows all the rest of the traffic for the
specific HoA).

>
>
>  Item #2:
>  ===========
>  Regarding the admin-02 document:
>
>  If the Home Agent or Mobile Nodes are behind my corporate firewall, I
>  have knowledge of what network space is mobile-ip "allowed". As such, I
>  may be able to convince the security policy makers to "allow" specific
>  signaling to specific networks and be able to realistically manage this
>  as filters would be via network address rather than host address. Also,
>  most initial communication from the mobile nodes (MN) is outbound first.
>
>  If the Corresponding Node (CN) is behind the firewall, and the mobile
>  node initiates communication, I suspect that this is an administrative
>  nightmare unless all CNs are placed on mobile-ip "allowed" networks.
>
>  Question #2:  Is it reasonable to expect a firewall administrator to
>  manually manage firewall rules on a per host basis - particularly with
>  regard to CNs inside the firewall?

Maybe, you can:
- just allow MIPv6 signalling in a first step and after a BA, allow
all the rest of the traffic.
- just put CNs in a dedicated DMZ in the case where CNs are usually used
by MNs (e.g. WWW server)

>
>  Item #3
>  ============
>  Would a vendor consider implementing the firewall-vendor
>  recommendations?
>  If security policy would not permit such operations, the effort to
>  implement the firewall-vendor recommendations provides zero return on
>  investment.  It appears to be a classic chicken/egg problem.
>
>
>  Comment:
>  ===========
>  Until something like dynamic firewall technology comes about, practical
>  management of firewalls needs to be considered and intelligent
>  architecting of the network may help.
>  The firewall-vendor document
>  actually does specify some clever ways to partially dynamically
>  configure a firewall.  The owner of the Home Agent and Mobile Nodes has
>  knowledge of those hosts and routers and therefore has a reasonable
>  sense of what will be allowed through the firewall.  The corporate
>  network that is protecting a corresponding node has much less knowledge.
>  Thus, communicating to CNs that are behind a firewall seems much more
>  problematic without knowledge of the MN.

Sorry, maybe I missed one point, but what exactly are you waiting for
from the WGs?

Best regards.

JMC.

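As an added illustration, not part of either message above, here is a toy Python model of the two-step firewall behaviour JMC describes: for HoAs in the mobile-ip "allowed" range only IKEv2 and inbound Binding Updates pass, and the rest of the traffic for a HoA is opened once the Home Agent's outgoing Binding Acknowledgement is seen. The check on the BA status code is my own addition (RFC 3775 status values below 128 mean the BU was accepted), and all addresses and packets are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set

# Mobility Header types (RFC 3775): Binding Update = 5, Binding Acknowledgement = 6.
MH_BU, MH_BA = 5, 6
IKEV2_UDP_PORTS = {500, 4500}   # IKE and IKE NAT-traversal

@dataclass(frozen=True)
class Packet:
    # Constructed, simplified view of one packet as the firewall sees it.
    direction: str       # "in" = from the Internet towards the HA, "out" = from the HA
    proto: str           # "udp", "mh" (Mobility Header) or "tcp"
    hoa: str             # Home Address the packet concerns (HAO or type 2 RH)
    mh_type: int = 0     # Mobility Header type, if proto == "mh"
    status: int = 0      # BA status; RFC 3775: values below 128 mean accepted
    dport: int = 0       # UDP/TCP destination port

@dataclass
class MipFirewall:
    hoa_prefix: str                          # policy: only HoAs from this range may try
    registered: Set[str] = field(default_factory=set)

    def decide(self, p: Packet) -> str:
        if not p.hoa.startswith(self.hoa_prefix):
            return "DROP"                    # HoA outside the mobile-ip "allowed" range
        # Step 1: IKEv2 exchanges and inbound Binding Updates always pass.
        if p.proto == "udp" and p.dport in IKEV2_UDP_PORTS:
            return "ALLOW"
        if p.proto == "mh" and p.direction == "in" and p.mh_type == MH_BU:
            return "ALLOW"
        # Step 2: an outbound BA from the HA opens the HoA, but only if it accepted the BU.
        if p.proto == "mh" and p.direction == "out" and p.mh_type == MH_BA:
            if p.status < 128:
                self.registered.add(p.hoa)
            return "ALLOW"
        # Everything else passes only for an already registered HoA.
        return "ALLOW" if p.hoa in self.registered else "DROP"

def demo() -> List[str]:
    """Constructed trace: MN with HoA 2001:db8:1::10 registers with its HA inside."""
    hoa = "2001:db8:1::10"
    trace = [
        Packet("in", "tcp", hoa, dport=80),                   # before registration: DROP
        Packet("in", "udp", hoa, dport=500),                  # IKEv2 from the MN: ALLOW
        Packet("in", "mh", hoa, mh_type=MH_BU),               # Binding Update: ALLOW
        Packet("in", "tcp", hoa, dport=80),                   # no BA seen yet: DROP
        Packet("out", "mh", hoa, mh_type=MH_BA, status=130),  # rejecting BA: ALLOW, no state
        Packet("in", "tcp", hoa, dport=80),                   # still DROP
        Packet("out", "mh", hoa, mh_type=MH_BA),              # accepting BA: opens the HoA
        Packet("in", "tcp", hoa, dport=80),                   # now ALLOW
        Packet("in", "tcp", "2001:db8:9::1", dport=80),       # HoA outside range: DROP
    ]
    fw = MipFirewall("2001:db8:1::")
    return [fw.decide(p) for p in trace]
```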
>
>  /will
_______________________________________________
MEXT mailing list
MEXT at ietf.org
http://www.ietf.org/mailman/listinfo/mext