
Re: Firewall "uniformity" issue



On 3-mei-2005, at 4:14, Christian Huitema wrote:

If we want end-to-end options to not be blocked by firewalls, the best
solution is to encrypt them. That is, run shim6 inside IPSEC, end to
end.

Say hello to key management...

I think trying to second-guess firewall admins is the wrong thing to do. If they want to block shim6, why should we try to sneak by them?

If the initial shim6 packet gets back some kind of ICMP unreachable or after several retransmissions there isn't an answer, we can just continue to operate in backward compatibility mode without any loss in connectivity. (Until there is a failure, of course.)