[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Firewall "uniformity" issue
> > Of course, once there are shim6 aware firewalls, we don't know
how
> > they will behave. But we could at least recommend that they take
> > this issue into consideration, by recommending
> > 1) that they not block shim6 by default, but instead look at the
> > carried (TCP, UDP, etc) payload
You may ask firewall admins to "please not block shim6". You may even
shout from the hill tops. Whether they will heed your advice is
anybody's guess. After all, these are the same folks who routinely block
ICMP.
> => I am pretty sure than the default action on unknown extension
header
> (but not unknown destination option) will be to block packets (I am
> speaking about not shim6 aware firewalls, i.e., all currently
available
> firewalls).
If we want end-to-end options to not be blocked by firewalls, the best
solution is to encrypt them. That is, run shim6 inside IPSEC, end to
end.
-- Christian Huitema