
RE: Firewall "uniformity" issue



Erik,

> > If we want end-to-end options to not be blocked by firewalls, the best
> > solution is to encrypt them. That is, run shim6 inside IPSEC, end to
> > end.
> 
> FWIW I've visited "visitor networks" where UDP port 500 (IKE) was
> blocked. So if it is a goal to sneak through any firewall, I think we
> need to make the protocol look like an http get for www.cnn.com's front
> page, (or some other innocuous site that isn't likely to be blocked).
> 
> But can we please not solve that problem in the shim6 WG; I think it is 
> out of scope.

FWIW, I agree.  Designing SHIM6 to work in reasonable cases should be
the goal; if a network admin really wants to block traffic, even
IPsec can/will be blocked.

See http://www.ietf.org/internet-drafts/draft-klensin-ip-service-terms-04.txt
for a discussion of different IP connectivity types.  

I don't think we can say that SHIM6 can work in all of them.

John