[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Firewall "uniformity" issue

To: Christian Huitema <huitema@windows.microsoft.com>
Subject: Re: Firewall "uniformity" issue
From: Iljitsch van Beijnum <iljitsch@muada.com>
Date: Tue, 3 May 2005 11:53:39 +0200
Cc: shim6 <shim6@psg.com>
In-reply-to: <DAC3FCB50E31C54987CD10797DA511BA0E7C87AE@WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com>
References: <DAC3FCB50E31C54987CD10797DA511BA0E7C87AE@WIN-MSG-10.wingroup.windeploy.ntdev.microsoft.com>

On 3-mei-2005, at 4:14, Christian Huitema wrote:

If we want end-to-end options to not be blocked by firewalls, the best
solution is to encrypt them. That is, run shim6 inside IPSEC, end to
end.


Say hello to key management...

I think trying to second-guess firewall admins is the wrong thing to do. If they want to block shim6, why should we try to sneak by them?

If the initial shim6 packet gets back some kind of ICMP unreachable or after several retransmissions there ins't an answer, we can just continue to operate in backward compatibility mode without any loss in connectivity. (Until there is a failure, of course.)

Follow-Ups:
- Re: Firewall "uniformity" issue
  - From: Brian E Carpenter <brc@zurich.ibm.com>

References:
- RE: Firewall "uniformity" issue
  - From: "Christian Huitema" <huitema@windows.microsoft.com>

Prev by Date: Re: Flow label versus Extension header - protocol itself
Next by Date: Re: Flow label versus Extension header - protocol itself
Previous by thread: RE: Firewall "uniformity" issue
Next by thread: Re: Firewall "uniformity" issue
Index(es):
- Date
- Thread