[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Firewall "uniformity" issue

To: Iljitsch van Beijnum <iljitsch@muada.com>
Subject: Re: Firewall "uniformity" issue
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
Date: Mon, 02 May 2005 11:38:04 +0200
Cc: Erik Nordmark <erik.nordmark@sun.com>, shim6 <shim6@psg.com>
In-reply-to: Your message of Thu, 28 Apr 2005 20:05:45 +0200. <DD5BA5F9-3BA8-4CBD-80F9-7ABD5DA27895@muada.com>

 In your previous mail you wrote:

   > Of course, once there are shim6 aware firewalls, we don't know how  
   > they will behave. But we could at least recommend that they take  
   > this issue into consideration, by recommending
   > 1) that they not block shim6 by default, but instead look at the  
   > carried (TCP, UDP, etc) payload

=> I am pretty sure than the default action on unknown extension header
(but not unknown destination option) will be to block packets (I am
speaking about not shim6 aware firewalls, i.e., all currently available
firewalls).

   Another firewalling issue is whether we put the initial shim header  
   in a packet that also has payload, or if we give it its own packet.  

=> this is the Mobile IPv6 piggy-backing issue... but now we have
RFC2401bis IPsec so it can work.

Regards

Francis.Dupont@enst-bretagne.fr

References:
- Re: Firewall "uniformity" issue
  - From: Iljitsch van Beijnum <iljitsch@muada.com>

Prev by Date: Re: Flow label versus Extension header - protocol itself
Next by Date: Re: Flow label versus Extension header - protocol itself
Previous by thread: Re: Firewall "uniformity" issue
Next by thread: RE: Firewall "uniformity" issue
Index(es):
- Date
- Thread