Hello folks,
Erik Nordmark wrote:

> > My point was that even though firewall would not know, if we have
> > enforcement of the "host-check" rule [cf. Pekka's mail for its decoding],
> > in all nodes _receiving_ the routing header, this would be a distributed way
> > of enforcing the conditions we discuss.
>
> Yes, if you make all hosts and routers inside the firewall have that check
> you'd be fine.

The same care is going to be required for routing headers as would be for more general encapsulation in this regard. For routing headers, all that is required is to check that the home address is the next intermediate routing point after the care-of address. If these addresses were inserted into a longer sequence of intermediate routing points, the same check would be sufficient _for the purposes of Mobile IPv6_! The other parts of the routing path in the routing header would have to be checked according to the rules of whatever policy was used to build up the other parts of the routing path.

The exact same careful checking would be required if encapsulation were used instead. In this way, no crippling of the utility of the routing header would result. On the other hand, I hope that my point can be understood that all such uses will require care to avoid unwanted vulnerabilities. Just like with encapsulation!

> Two issues:
> 1. the firewall might not want to trust all the internal hosts and routers
> to be correctly configured with such a rule.
> 2. I think this would prevent using routing headers for their general use
> for traffic that is local to the domain inside the firewall.

I think it's crucial that hosts using routing headers for care-of address redirection are themselves responsible for doing the check, and not to rely on the firewall. It's not the job of the firewall. And if encapsulation were in use, it would definitely not be the job of the firewall. I don't see why this is considered to be a relevant issue.

Regards,
Charlie P.
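The receiving-node check Charlie describes (accept the care-of address to home address hop only when the home address is the very next routing point after the care-of address, and judge any further routing points by a separate local policy) is shown below as an added example. It is not code from the thread or from any Mobile IPv6 implementation; the routing header is modelled only as an address list plus Segments Left, the node's home and care-of addresses are a hypothetical local configuration, and all addresses are constructed from the 2001:db8::/32 documentation prefix.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import Callable, FrozenSet, Tuple


@dataclass(frozen=True)
class RoutingHeader:
    """Simplified IPv6 routing header: the address list in forwarding order
    plus Segments Left. No other header fields are modelled (assumption)."""
    addresses: Tuple[IPv6Address, ...]
    segments_left: int

    def next_index(self):
        """Index of the routing point the packet goes to next, or None when
        the header is exhausted or Segments Left is out of range."""
        if self.segments_left <= 0 or self.segments_left > len(self.addresses):
            return None
        return len(self.addresses) - self.segments_left


def host_check(dest: IPv6Address,
               rh: RoutingHeader,
               home_addresses: FrozenSet[IPv6Address],
               care_of_addresses: FrozenSet[IPv6Address],
               other_hop_allowed: Callable[[IPv6Address], bool]):
    """The 'host-check' rule as a receiving node would apply it.

    dest              -- destination address of the packet as it arrived
                         (it should be one of this node's care-of addresses)
    rh                -- the packet's routing header
    home_addresses    -- this node's home addresses (hypothetical local config)
    care_of_addresses -- this node's current care-of addresses
    other_hop_allowed -- local policy for routing points *after* the home
                         address; those are outside Mobile IPv6's remit
    Returns (verdict, reason) with verdict 'accept' or 'reject'.
    """
    if dest not in care_of_addresses:
        return "reject", "packet was not delivered to one of our care-of addresses"
    i = rh.next_index()
    if i is None:
        return "reject", "routing header is exhausted or malformed"
    if rh.addresses[i] not in home_addresses:
        return "reject", "next routing point after the care-of address is not our home address"
    # The care-of -> home hop is verified. Anything beyond it is general
    # routing-header use and is judged by the caller's policy, not this rule.
    for hop in rh.addresses[i + 1:]:
        if not other_hop_allowed(hop):
            return "reject", f"further routing point {hop} rejected by local policy"
    return "accept", "care-of address -> home address redirection verified"


# Constructed sample configuration (documentation prefix, not real hosts).
HOME = IPv6Address("2001:db8:1::1")       # this node's home address
CARE_OF = IPv6Address("2001:db8:2::1")    # this node's current care-of address
OTHER = IPv6Address("2001:db8:9::1")      # some unrelated address
SITE_HOP = IPv6Address("2001:db8:3::5")   # a further hop inside the site
FAR_HOP = IPv6Address("2001:db9::1")      # a further hop outside the site
NODE_HOME = frozenset({HOME})
NODE_CARE_OF = frozenset({CARE_OF})


def deny_all(_hop: IPv6Address) -> bool:
    """Policy: no routing points beyond the home address are permitted."""
    return False


def within_site(hop: IPv6Address) -> bool:
    """Sample policy: further hops must stay inside the constructed site prefix."""
    return hop in IPv6Network("2001:db8::/32")


if __name__ == "__main__":
    plain = RoutingHeader((HOME,), 1)
    print(host_check(CARE_OF, plain, NODE_HOME, NODE_CARE_OF, deny_all))
    spoofed = RoutingHeader((OTHER,), 1)
    print(host_check(CARE_OF, spoofed, NODE_HOME, NODE_CARE_OF, deny_all))
    longer = RoutingHeader((HOME, SITE_HOP), 2)
    print(host_check(CARE_OF, longer, NODE_HOME, NODE_CARE_OF, within_site))
```

The point of the split between `host_check` and the `other_hop_allowed` callback is the one made in the mail: the Mobile IPv6 part of the rule is a single adjacency test that a host can apply without any help from a firewall, while the rest of a longer routing path is checked under whatever policy built that path.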
--------------------------------------------------------------------
IETF IPng Working Group Mailing List
IPng Home Page:                      http://playground.sun.com/ipng
FTP archive:                      ftp://playground.sun.com/pub/ipng
Direct all administrative requests to [EMAIL PROTECTED]
--------------------------------------------------------------------
