Re: Firewall "uniformity" issue



Christian Huitema wrote:
> Of course, once there are shim6 aware firewalls, we don't know how
> they will behave. But we could at least recommend that they take
> this issue into consideration, by recommending
> 1) that they not block shim6 by default, but instead look at the
> carried (TCP, UDP, etc) payload


You may ask firewall admins to "please not block shim6". You may even
shout from the hill tops. Whether they will heed your advice is
anybody's guess. After all, these are the same folks who routinely block
ICMP.

I was pretty leery about adding the above text to the message, since I feared it would detract from the topic of the uniformity of firewall handling of the shim6 control messages and the data messages.


Either that part of my message was utterly non-controversial, or my fear was to the point :-)

If we want end-to-end options to not be blocked by firewalls, the best
solution is to encrypt them. That is, run shim6 inside IPSEC, end to
end.

FWIW I've visited "visitor networks" where UDP port 500 (IKE) was blocked. So if it is a goal to sneak through any firewall, I think we need to make the protocol look like an HTTP GET for www.cnn.com's front page (or some other innocuous site that isn't likely to be blocked).


But can we please not solve that problem in the shim6 WG; I think it is out of scope.

   Erik