Re: Firewall "uniformity" issue
On 28-apr-2005, at 19:36, Erik Nordmark wrote:
> Of course, once there are shim6 aware firewalls, we don't know how
> they will behave. But we could at least recommend that they take
> this issue into consideration, by recommending
> 1) that they not block shim6 by default, but instead look at the
> carried (TCP, UDP, etc.) payload
> 2) if they need to block shim6, block the context establishment and
> testing parts of the protocol and not just the data packets
> Comments?
This is in line with my message from two days ago.
Another firewalling issue is whether we put the initial shim header
in a packet that also has payload, or if we give it its own packet.
In the former case, if a firewall drops the packet, we've also lost
data, which is never good. On the other hand, having the shim in a data
packet is more efficient.
Iljitsch
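An added example, not from this thread, of how a firewall's shim6 handling could follow the two recommendations quoted above: judge payload packets by the carried protocol, and if shim6 must be blocked, drop the context establishment and reachability testing control messages. It assumes the header layout of the later RFC 5533 (protocol number 140, an 8-byte payload extension header with the P bit set, control messages with P clear and a 7-bit type field), which the 2005 drafts under discussion may not match; the sample headers are constructed.

```python
# Added example: shim6 classification step of a packet filter (RFC 5533 layout assumed).
IPPROTO_SHIM6 = 140                      # protocol number assigned to shim6
IPPROTO_TCP, IPPROTO_UDP, NO_NEXT_HEADER = 6, 17, 59
CONTEXT_SETUP_TYPES = {1, 2, 3, 4, 5, 6}  # I1, R1, I2, R2, R1bis, I2bis
REACHABILITY_TYPES = {66, 67}             # Keepalive, Probe (the "testing" part)


def parse_shim6(hdr: bytes):
    """Return ('payload', inner_next_header, context_tag) or ('control', msg_type)."""
    if len(hdr) < 8:
        raise ValueError("truncated shim6 header")
    next_hdr, ext_len = hdr[0], hdr[1]
    if len(hdr) < (ext_len + 1) * 8:          # Hdr Ext Len counts 8-octet units after the first
        raise ValueError("shim6 header shorter than Hdr Ext Len claims")
    if hdr[2] >> 7:                           # P bit set: payload extension header
        if ext_len != 0:
            raise ValueError("payload extension header must be exactly 8 octets")
        tag = int.from_bytes(hdr[2:8], "big") & ((1 << 47) - 1)  # strip the P bit
        return ("payload", next_hdr, tag)
    return ("control", hdr[2] & 0x7F)         # P clear: control message, 7-bit type


def filter_shim6(hdr: bytes, allowed_inner=frozenset({IPPROTO_TCP, IPPROTO_UDP}),
                 block_shim6=False):
    """Return (action, reason) for one packet whose next header is shim6."""
    parsed = parse_shim6(hdr)
    if parsed[0] == "payload":
        # Recommendation 1: decide on the carried payload, not on the shim itself.
        inner = parsed[1]
        if inner in allowed_inner:
            return ("ACCEPT", f"inner protocol {inner} allowed by payload policy")
        return ("DROP", f"inner protocol {inner} not allowed by payload policy")
    msg_type = parsed[1]
    # Recommendation 2: if shim6 must be blocked, refuse the context establishment
    # and reachability testing messages so no context forms, rather than only data.
    if block_shim6 and (msg_type in CONTEXT_SETUP_TYPES or msg_type in REACHABILITY_TYPES):
        return ("DROP", f"shim6 control type {msg_type} blocked by policy")
    return ("ACCEPT", f"shim6 control type {msg_type} permitted")


# Constructed sample headers (not captured traffic).
PAYLOAD_HDR = bytes([IPPROTO_TCP, 0]) + ((1 << 47) | 0x1234567890AB).to_bytes(6, "big")
I1_HDR = bytes([NO_NEXT_HEADER, 1, 1, 0, 0, 0]) + bytes(10)   # type 1 = I1, 16 octets

if __name__ == "__main__":
    for name, hdr in (("payload", PAYLOAD_HDR), ("I1", I1_HDR)):
        print(name, filter_shim6(hdr), filter_shim6(hdr, block_shim6=True))
```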