RE: Firewall control

["Hesham Soliman" <Hesham@elevatemobile.com>]

 > > We've submitted the draft below. I requested a slot from 
 > Fred to discuss
 > > this in Vancouver. I look forward to your input on this.
 > 
 > I really think, that for any practical matter, right to 
 > control the firewall 
 > should be granted if:
 > - you are behind the firewall and "own" the IP address,
 > - the request is allowed by local firewall policy.

=> Agreed.

 > 
 > I really question the point of asymetric cryptography here. 
 > It is going to be 
 > a pain to deploy. And lets face it, neither the end device, 
 > nor the firewall 
 > want to do public key operation. It's not exactly "cheap" in 
 > term of CPU.

=> Asymetric crypto is only needed for one message exchange. If it is an
issue
for future exchanges one can always derive a secret key for those exchanges.
But we don't really have evidence (yet) that this is a huge issue. If it is
an issue, it would be easy to avoid it after the initial
authentication/authorisation step.

 > 
 > Easy to deploy, safe and operational security: use simple 
 > return-path check, 
 > with a one-time token challenge (I suppose that's the cookie 
 > option you have 
 > already there).
 > 
 > 
 > Also, I doubt the assumption of DHCP is right. At least, in 
 > the typical v6cpe 
 > case, I don't quite expect alls routers and all clients to 
 > have it - many 
 > will stick to ND-based autoconf.

=> We did have an RA option there but never had time to add it. Also, the
authors at the time discussed it and we thought that so far DHCP is the
choice for configuring services, so we stuck with that. However, I think if
the community prefers an RA option then this wouldn't be a big hurdle. But I
do think it's important to keep DHCP as an option.

Hesham

 > 
 > -- 
 > Rémi Denis-Courmont
 > http://www.remlab.net/
 >