
RE: Firewall "uniformity" issue



>    > Of course, once there are shim6 aware firewalls, we don't know how
>    > they will behave. But we could at least recommend that they take
>    > this issue into consideration, by recommending
>    > 1) that they not block shim6 by default, but instead look at the
>    > carried (TCP, UDP, etc) payload

You may ask firewall admins to "please not block shim6". You may even
shout from the hill tops. Whether they will heed your advice is
anybody's guess. After all, these are the same folks who routinely block
ICMP. 

> => I am pretty sure that the default action on unknown extension header
> (but not unknown destination option) will be to block packets (I am
> speaking about not shim6 aware firewalls, i.e., all currently available
> firewalls).

If we want end-to-end options to not be blocked by firewalls, the best
solution is to encrypt them. That is, run shim6 inside IPSEC, end to
end.

-- Christian Huitema