
Re: Firewall control



On Wednesday 14 November 2007 06:14:26 Hesham Soliman, you wrote:
> We've submitted the draft below. I requested a slot from Fred to discuss
> this in Vancouver. I look forward to your input on this.

I really think that, for any practical matter, the right to control the firewall 
should be granted if:
- you are behind the firewall and "own" the IP address,
- the request is allowed by local firewall policy.

I really question the point of asymmetric cryptography here. It is going to be 
a pain to deploy. And let's face it, neither the end device nor the firewall 
wants to do public key operations. It's not exactly "cheap" in terms of CPU.

Easy to deploy, safe and operational security: use a simple return-path check, 
with a one-time token challenge (I suppose that's the cookie option you have 
already there).


Also, I doubt the assumption of DHCP is right. At least, in the typical v6cpe 
case, I don't quite expect all routers and all clients to have it - many 
will stick to ND-based autoconf.

-- 
Rémi Denis-Courmont
http://www.remlab.net/
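
The return-path check with a one-time token proposed in the message above, sketched as an added example that is not part of the original post or of the draft under discussion. The `Firewall` class, the prefix, the port policy and the 30-second lifetime are assumptions made for illustration.

```python
import hmac
import ipaddress
import secrets
import time

class Firewall:
    """Toy pinhole controller: return-path check plus a one-time token (hypothetical)."""

    def __init__(self, inside_prefix, allowed_ports, ttl=30.0):
        self.inside = ipaddress.ip_network(inside_prefix)  # hosts "behind" the firewall
        self.allowed_ports = set(allowed_ports)            # local policy (assumed shape)
        self.ttl = ttl
        self.pending = {}                                  # claimed address -> (token, expiry)
        self.pinholes = set()

    def request(self, claimed_addr, now=None):
        """Step 1: issue a token. On the wire it is sent to the claimed address,
        not to the packet source, so only a host receiving there can echo it."""
        now = time.monotonic() if now is None else now
        addr = ipaddress.ip_address(claimed_addr)
        if addr not in self.inside:
            return None                                    # not behind this firewall
        token = secrets.token_hex(16)                      # 128-bit unpredictable token
        self.pending[addr] = (token, now + self.ttl)
        return token

    def confirm(self, claimed_addr, token, port, now=None):
        """Step 2: the host echoes the token; open the pinhole if policy allows."""
        now = time.monotonic() if now is None else now
        addr = ipaddress.ip_address(claimed_addr)
        entry = self.pending.get(addr)
        if entry is None:
            return False                                   # no challenge outstanding
        expected, expiry = entry
        if now > expiry:
            del self.pending[addr]                         # stale challenge
            return False
        if not hmac.compare_digest(expected.encode(), token.encode()):
            return False                                   # wrong guess: challenge stays pending
        del self.pending[addr]                             # single use: consumed on valid echo
        if port not in self.allowed_ports:
            return False                                   # address proven, policy refuses
        self.pinholes.add((addr, port))
        return True
```

A wrong echo leaves the challenge in place so that an off-path sender cannot cancel a legitimate host's request, while a valid echo consumes the token and makes a replay fail.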