Side-by-side diff of draft-ietf-mext-firewall-admin-03.txt and draft-ietf-mext-firewall-admin-04.txt
(text common to both versions is shown once; where the versions differ, the -03 and -04 readings are both given and marked)

Network Working Group                                         S. Krishnan
Internet-Draft                                                   Ericsson
Intended status: Informational                            N. Steinleitner
Expires: December 29, 2010   [-03]               University of Goettingen
Expires: September 15, 2011  [-04]
                                                                   Y. Qiu
                                           Institute for Infocomm Research
                                                                 G. Bajko
                                                                    Nokia
                                                     June 27, 2010  [-03]
                                                     March 14, 2011  [-04]

     Guidelines for firewall administrators regarding MIPv6 traffic
                  draft-ietf-mext-firewall-admin-03  [-03]
                  draft-ietf-mext-firewall-admin-04  [-04]

Abstract
   This document presents some recommendations for firewall
   administrators to help them configure their existing firewalls in a
   way that allows in certain deployment scenarios the Mobile IPv6 and
   DSMIPv6 signaling and data messages to pass through.  For other
   scenarios, the support of additional mechanisms to create pinholes
   required for MIPv6 will be necessary.  This document assumes that the
   firewalls in question include some kind of stateful packet filtering

   [skipping to change at page 1, line 42]
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 29, 2010.   [-03]
   This Internet-Draft will expire on September 15, 2011.  [-04]

Copyright Notice

   Copyright (c) 2010 IETF Trust and the persons identified as the  [-03]
   Copyright (c) 2011 IETF Trust and the persons identified as the  [-04]
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as

   [skipping to change at page 3, line 36]
   kind of stateful packet filtering capability.  The static rules that
   need to be configured are described in this document.  In some
   scenarios, the support of additional mechanisms to create pinholes
   required for MIPv6 signalling and data traffic to pass through will
   be necessary.  A possible solution, describing the dynamic
   capabilities needed for the firewalls to create pinholes based on
   MIPv6 signalling traffic is described in a companion document
   [MIP6FWVENDOR].  Other solutions may also be possible.

   Some Mobile IPv6 signalling messages require the use of encryption to
   protect the confidentiality of the payload (e.g. the HoTI and HoT  [-03]
   protect the confidentiality of the payload (e.g. the BU and the BA  [-04]
   messages between the MN and the HA).  The other signalling messages
   allow the use of encryption.  If encryption is being used, it is not
   possible to inspect the contents of the signalling packets.  For
   these messages to get through, a generic rule needs to be added in
   the firewall to let ESP packets through without further inspection.
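   The "generic rule" of the preceding paragraph, written out as an
   nftables ruleset.  This is an added illustration, not text or code
   from the draft, which specifies no concrete firewall syntax.  The
   home agent address 2001:db8::1, the table and chain names and the
   assumption that this firewall sits on the forwarding path between the
   mobile node's visited network and its home agent are all constructed
   for the example.

```nftables
# Added example: nftables ruleset implementing the draft's "generic rule"
# that lets ESP packets through without further inspection.  Not part of
# the draft.  Assumptions (constructed for this example): the home agent
# (HA) is reachable at 2001:db8::1 and this firewall forwards traffic
# between the mobile node's current network and the HA.
define HA_ADDR = 2001:db8::1

table ip6 mip6_fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # ESP carrying the encrypted MN<->HA signalling (BU/BA) cannot be
        # inspected, so it is admitted on the basis of the HA endpoint
        # alone.  "meta l4proto" matches the upper-layer protocol after any
        # IPv6 extension headers, which a bare "ip6 nexthdr" test would miss.
        # The MN's care-of address changes as it moves, so only the HA side
        # of the flow is pinned; counters keep the blind pass-through visible
        # to monitoring.
        ip6 daddr $HA_ADDR meta l4proto esp counter accept
        ip6 saddr $HA_ADDR meta l4proto esp counter accept

        # Return traffic of flows the firewall has already admitted.
        ct state established,related accept

        # Anything not explicitly admitted is logged (rate-limited) and
        # then falls through to the chain's drop policy.
        limit rate 10/second log prefix "mip6_fw drop: "
    }
}
```

   Load the file with `nft -f <file>` and confirm the result with
   `nft list ruleset`.  Because the firewall cannot see inside ESP, the
   pass-through should stay scoped to the known home agent address(es)
   rather than being opened for ESP from any source; the counters on the
   two ESP rules give a cheap baseline for spotting unexpected volume
   through that hole.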
3.  Abbreviations

   This document uses the following abbreviations:

   [skipping to change at page 10, line 32]
   (especially Section 4.3.2).  [RFC4942] describes security issues
   present in IPv6 and related protocols (especially Sections 2.1.2 and
   2.1.15).

8.  Acknowledgements

   The authors would like to thank the following members of the MIPv6
   firewall design team for contributing to this document: Hannes
   Tschofenig, Hesham Soliman, Yaron Sheffer, and Vijay Devarapalli.

   The authors would also like to thank William Ivancic, Ryuji Wakikawa,
   Jari Arkko, Henrik Levkowetz, Pasi Eronen and Noriaki Takamiya for    [-03]
   their thorough reviews of the document and for providing comments to  [-03]
   improve the quality of the document.                                  [-03]
   Jari Arkko, Henrik Levkowetz, Pasi Eronen, Noriaki Takamiya and       [-04]
   Arnaud Ebalard for their thorough reviews of the document and for     [-04]
   providing comments to improve the quality of the document.            [-04]

9.  IANA Considerations

   This document does not require any IANA action.

10.  Security Considerations

   This document specifies recommendations for firewall administrators
   to allow Mobile IPv6 traffic to pass through unhindered.  Since some
   of this traffic is encrypted it is not possible for firewalls to
   End of changes.  7 change blocks.  9 lines changed or deleted, 9 lines changed or added.

   This html diff was produced by rfcdiff 1.41.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/