
Re: Firewall "uniformity" issue



Iljitsch van Beijnum wrote:
> On 3-May-2005, at 4:14, Christian Huitema wrote:
>
>> If we want end-to-end options to not be blocked by firewalls, the best
>> solution is to encrypt them. That is, run shim6 inside IPSEC, end to
>> end.
>
> Say hello to key management...
>
> I think trying to second-guess firewall admins is the wrong thing to do. If they want to block shim6, why should we try to sneak by them?
>
> If the initial shim6 packet gets back some kind of ICMP unreachable or after several retransmissions there isn't an answer, we can just continue to operate in backward compatibility mode without any loss in connectivity. (Until there is a failure, of course.)

On the "do no harm" principle, we should ensure that even if a firewall drops shim6 traffic, at least monohoming will continue to work (i.e. the original locator pair can still be used as long as there is connectivity).

   Brian
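The fallback behaviour Iljitsch describes and the "do no harm" outcome Brian asks for, modelled as an added example (this is not code from the thread or from any shim6 implementation). It simulates a host that tries to bring up shim6 across a firewall that either passes, silently drops, or rejects the initial message with ICMP unreachable, and checks that ordinary traffic on the original locator pair keeps flowing in every case. The retransmit count, the timeout values and the `FirewallPolicy`, `Peer` and `Connection` names are assumptions made for illustration, not values from the shim6 specification.

```python
"""Model of shim6 bring-up with fallback to plain IPv6 ("compat" mode).

Added example, not from the original thread or any shim6 implementation.
Retransmit count and timeouts are assumptions, not specification values.
"""
from dataclasses import dataclass, field
from enum import Enum


class FirewallPolicy(Enum):
    PASS = "pass"      # shim6 messages reach the peer untouched
    DROP = "drop"      # silently discarded: no feedback at all
    REJECT = "reject"  # discarded, with ICMP unreachable sent back


class Mode(Enum):
    SHIM6 = "shim6"    # shim6 context up, locator agility available
    COMPAT = "compat"  # plain IPv6 on the original locator pair, as today


@dataclass
class Peer:
    """The remote host plus the firewall on the path to it (simulated)."""
    policy: FirewallPolicy

    def deliver(self, msg):
        """Return the reply to one message, or None if it was silently dropped."""
        if msg["type"] == "shim6_init":
            if self.policy is FirewallPolicy.DROP:
                return None
            if self.policy is FirewallPolicy.REJECT:
                return {"type": "icmp_unreachable"}
            return {"type": "shim6_init_ack"}
        # Ordinary data packets on the original locator pair are never
        # filtered in this model: that is the monohoming baseline.
        return {"type": "data_ack", "payload": msg["payload"]}


@dataclass
class Connection:
    peer: Peer
    max_retransmits: int = 3      # assumption, not a spec value
    initial_timeout: float = 1.0  # seconds, doubled on each retry (assumption)
    mode: Mode = Mode.COMPAT      # start where we would be without shim6
    attempts: int = 0
    elapsed: float = 0.0          # simulated time spent waiting for answers
    log: list = field(default_factory=list)

    def negotiate(self):
        """Try to bring up shim6; leave mode at COMPAT if that fails."""
        timeout = self.initial_timeout
        for attempt in range(1, self.max_retransmits + 1):
            self.attempts = attempt
            reply = self.peer.deliver({"type": "shim6_init", "attempt": attempt})
            if reply is None:
                # Silent drop: wait out the timer, then retransmit.
                self.elapsed += timeout
                timeout *= 2
                self.log.append(f"init {attempt}: no answer after {self.elapsed:.0f}s")
                continue
            if reply["type"] == "icmp_unreachable":
                # Explicit rejection: no point retransmitting, fall back now.
                self.log.append(f"init {attempt}: ICMP unreachable, abandoning shim6")
                break
            if reply["type"] == "shim6_init_ack":
                self.mode = Mode.SHIM6
                self.log.append(f"init {attempt}: shim6 context established")
                return self.mode
        self.log.append("staying on the original locator pair (no shim6)")
        return self.mode

    def send(self, payload):
        """Data traffic works in either mode: the fallback loses nothing."""
        return self.peer.deliver({"type": "data", "payload": payload})["payload"]


def bring_up(policy, payload="hello"):
    """Negotiate against a peer behind the given firewall policy, then send data.

    Returns (mode, attempts, elapsed_seconds, echoed_payload).
    """
    conn = Connection(Peer(policy))
    mode = conn.negotiate()
    echoed = conn.send(payload)
    return mode, conn.attempts, conn.elapsed, echoed


if __name__ == "__main__":
    for policy in FirewallPolicy:
        conn = Connection(Peer(policy))
        conn.negotiate()
        conn.send("hello")
        print(f"{policy.value:>6}: mode={conn.mode.value} attempts={conn.attempts} "
              f"waited={conn.elapsed:.0f}s")
        for line in conn.log:
            print("        ", line)
```

Two things the model makes visible that the prose only implies. First, a firewall that silently drops costs the host the full retransmission schedule (7 simulated seconds here) before it settles into compat mode, whereas an explicit ICMP unreachable settles it immediately; the connection itself is usable throughout, since data never depended on the shim6 exchange. Second, the ICMP message that triggers the fast fallback is unauthenticated, so anyone on the path can force a host to stay in compat mode; in this design that is tolerable precisely because compat mode is the same plain IPv6 connectivity the host would have had without shim6, which is the "do no harm" property being asked for.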