Re: [MEXT] firewall docs review

Hi, Ryuji

Thanks for your comments. My response is inline.

----- Original Message ----- 
"RYUJI WAKIKAWA" wrote


> Hi Suresh and authors,
>
> I was asked to review draft-krishnan-mip6-firewall-admin-02 and
> draft-krishnan-mip6-firewall-vendor-02.
>
> - Can the current filtering mechanism check the IP options field?!

No. The current firewall filter does not support checking the IP options field.

>   If yes, the document should mention which IP options appear
> for which packets.
>   An example is DST Opt for BU and RTHDR for BA.
>   Otherwise, the operator might just block all the packets having
> RTHDR option regardless of BA.
>
> For example, in section 3.1 of draft-admin,
>      Destination Address: Address of HA    <-- adding Dest option (HoA option)?
>      Next Header: 50 (ESP)
>      Mobility Header Type: 5 (BU)

For draft-admin, whose purpose is BCP, we could not solicit the function
here. But we could provide the filter in draft-vendor.

>
> - missing authentication option and DSMIP support?
>    DSMIP will introduce much complexity to firewall setup.

The target of these two drafts is to make MIP6 signalling pass through the
firewalls. So, in my opinion, the issue of authentication and DSMIP might be
out of scope.

>
> - RO is optional in RFC3775. I am not sure you can treat
>   RO signaling the same as the BU/BA for firewall filters setup.
>    It might be good if you provide the minimum set of rules (BU/BA
> only)
>   and the full set of rules (All MH signaling).

Good comments.

Regards and Thanks
Qiu Ying


>
> - why are these two separate documents?
>
> regards,
> ryuji
> _______________________________________________
> MEXT mailing list
> MEXT at ietf.org
> http://www.ietf.org/mailman/listinfo/mext 
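
The review point above, that a filter blocking every packet with a routing header would also block BAs, can be illustrated by a check on which extension header sits in front of ESP (Home Address destination option for a BU, type 2 routing header for a BA). This is an added example, not part of the thread or of either draft. The sample packets are constructed, the verdict strings and the policy of rejecting other routing types are assumptions, and the header numbers are the standard IPv6 and Mobile IPv6 values.

```python
import struct

# Standard IPv6 / Mobile IPv6 numbers (not taken from the thread)
ROUTING, ESP, DSTOPT = 43, 50, 60
HOME_ADDRESS_OPT = 201   # Home Address destination option, carried with a BU
RH_TYPE2 = 2             # routing header type used by Mobile IPv6, carried with a BA

def ext_headers(packet):
    """Yield (header type, header bytes) for each header after the fixed IPv6 header."""
    nxt, off = packet[6], 40
    while nxt in (ROUTING, DSTOPT):
        if len(packet) < off + 8 or len(packet) < off + 8 * (packet[off + 1] + 1):
            raise ValueError("truncated extension header")
        hdr = packet[off:off + 8 * (packet[off + 1] + 1)]
        yield nxt, hdr
        nxt, off = hdr[0], off + len(hdr)
    yield nxt, b""       # first header not walked (ESP, TCP, ...)

def has_home_address_option(hdr):
    """Walk the TLV options of a Destination Options header."""
    i = 2
    while i + 1 < len(hdr):
        if hdr[i] == HOME_ADDRESS_OPT:
            return True
        i += 1 if hdr[i] == 0 else 2 + hdr[i + 1]   # Pad1 is a single byte
    return False

def classify(packet):
    """Verdict from the headers in front of ESP; the ESP payload is not inspected."""
    hao = rh2 = False
    for kind, hdr in ext_headers(packet):
        if kind == DSTOPT:
            hao = hao or has_home_address_option(hdr)
        elif kind == ROUTING:
            if hdr[2] != RH_TYPE2:
                return "drop-routing-type-%d" % hdr[2]   # assumed policy
            rh2 = True
        elif kind == ESP and (hao or rh2):
            return "allow-bu-candidate" if hao else "allow-ba-candidate"
    return "no-mip6-extension-header"

def ipv6(next_header, payload):
    """Constructed sample packet; all-zero addresses stand in for MN and HA."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

ESP_BODY = bytes(16)     # constructed stand-in for SPI, sequence number, ciphertext
BU = ipv6(DSTOPT, bytes([ESP, 2, 1, 2, 0, 0, HOME_ADDRESS_OPT, 16]) + bytes(16) + ESP_BODY)
BA = ipv6(ROUTING, bytes([ESP, 2, RH_TYPE2, 1]) + bytes(20) + ESP_BODY)
RH0 = ipv6(ROUTING, bytes([ESP, 2, 0, 1]) + bytes(20) + ESP_BODY)
```

Calling `classify` on `BU`, `BA` and `RH0` shows the two Mobile IPv6 shapes passing while a routing header of another type is rejected, instead of every routing header being treated alike.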

