Re: Firewall "uniformity" issue



 In your previous mail you wrote:

   > Of course, once there are shim6 aware firewalls, we don't know how  
   > they will behave. But we could at least recommend that they take  
   > this issue into consideration, by recommending
   > 1) that they not block shim6 by default, but instead look at the  
   > carried (TCP, UDP, etc) payload

=> I am pretty sure that the default action on an unknown extension header
(but not an unknown destination option) will be to block packets (I am
speaking about non-shim6-aware firewalls, i.e., all currently available
firewalls).

   Another firewalling issue is whether we put the initial shim header  
   in a packet that also has payload, or if we give it its own packet.  

=> this is the Mobile IPv6 piggy-backing issue... but now we have
RFC2401bis IPsec so it can work.

Regards

Francis.Dupont@enst-bretagne.fr
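
The distinction drawn in the message above, as an added illustration that is not part of the original mail: a filter can step over an unknown destination option because options are TLV-encoded, but it has no defined layout for an unknown extension header and so cannot reach the TCP/UDP payload. The function names, the deny-by-default policy, next-header value 253 (reserved for experimentation) and option type 0x1e are assumptions chosen for the sketch.

```python
# Added example: header-chain walk of a filter that does not know shim6.
KNOWN_EXT = {0, 43, 60}            # hop-by-hop, routing, destination options
TRANSPORT = {6: "tcp", 17: "udp"}
KNOWN_OPTS = {0, 1}                # Pad1, PadN

def scan_options(body):
    """Return unknown option types in a TLV option area, or None if malformed."""
    unknown, i = [], 0
    while i < len(body):
        opt_type = body[i]
        if opt_type == 0:          # Pad1 is a single byte with no length field
            i += 1
            continue
        if i + 2 > len(body) or i + 2 + body[i + 1] > len(body):
            return None
        if opt_type not in KNOWN_OPTS:
            unknown.append(opt_type)   # length is known, so it can be skipped
        i += 2 + body[i + 1]
    return unknown

def walk_chain(first_nh, data):
    """Walk the bytes after the fixed IPv6 header; return (verdict, detail, skipped_opts)."""
    nh, off, skipped = first_nh, 0, []
    while True:
        if nh in TRANSPORT:
            return ("inspect", TRANSPORT[nh], skipped)
        if nh not in KNOWN_EXT:
            # No known layout for this header: the payload cannot be located.
            return ("block", f"unknown next header {nh}", skipped)
        if off + 2 > len(data):
            return ("block", "truncated header", skipped)
        next_nh, length = data[off], (data[off + 1] + 1) * 8
        if off + length > len(data):
            return ("block", "truncated header", skipped)
        if nh in (0, 60):
            opts = scan_options(data[off + 2:off + length])
            if opts is None:
                return ("block", "malformed options", skipped)
            skipped += opts
        nh, off = next_nh, off + length

# Constructed samples: 8-byte header (next header 6 = TCP) plus a stub payload.
TCP_STUB = bytes(20)
DSTOPT_PKT = bytes([6, 0, 0x1e, 4, 0, 0, 0, 0]) + TCP_STUB   # unknown option 0x1e
UNKNOWN_EXT_PKT = bytes([6, 0, 0, 0, 0, 0, 0, 0]) + TCP_STUB  # carried under nh 253

if __name__ == "__main__":
    print(walk_chain(60, DSTOPT_PKT))
    print(walk_chain(253, UNKNOWN_EXT_PKT))
```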