Hi Fernando,

> -----Original Message-----
> From: Fernando Gont [mailto:[email protected]]
> Sent: Thursday, January 05, 2012 1:20 PM
> To: Templin, Fred L
> Cc: Brian E Carpenter; [email protected]
> Subject: Re: Fragmentation-related security issues
>
> On 01/05/2012 02:33 PM, Templin, Fred L wrote:
> > SEAL provides a new signalling mechanism called "SCMP"
> > which is intended to traverse firewalls that might block
> > ICMP messages. SCMP messages include a message signature
> > that the source node can use to determine whether the
> > packet-in-error corresponds to a packet the node actually
> > sent. Under what reasonable circumstances could even a
> > paranoid firewall block that?
>
> "SEAL? We're not using it, so let's block it"

SEAL can be (con)seal(ed) within any outer layers of encapsulation. For example, it can appear as an IP protocol number, a TCP/UDP port number, or even buried within additional layers of encapsulation involving, e.g., TLS/SSL, IPsec, etc. I think the LISP team is counting on being able to ship things around within a simple outer IP/UDP encapsulation, so SEAL should be equally deployable (or not) within such an encapsulation.

> [Without knowing about SEAL or its packets' syntax]
>
> Bottom-line is that unless your protocol cannot easily be
> distinguished from some widely-deployed/widely-used protocol, it's
> probably going to be blocked. That's why e.g. firewall-friendly
> protocols tend to run over HTTP.

SEAL can do that, too...

> P.S.: I'm just the messenger...

Right - no one is blaming you.

Fred
[email protected]

> Thanks,
> --
> Fernando Gont
> SI6 Networks
> e-mail: [email protected]
> PGP Fingerprint: 6666 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492

--------------------------------------------------------------------
IETF IPv6 working group mailing list
[email protected]
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
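An added illustration of the check the quoted message describes, a source node deciding whether a reported packet-in-error corresponds to a packet it actually sent, so that forged or replayed error reports are dropped rather than acted on. This is example code written for this page, not SEAL/SCMP code and not the work of either correspondent: the 20-byte header layout, the keyed-hash token, the bounded table of outstanding sends, the sample addresses and the demo key are all assumptions made for the example. The same shape applies to validating any ICMP-style error against local send state.

```python
"""Validate an error report ("packet-in-error") against packets this node sent.

Assumed, illustrative message layout (NOT the SEAL/SCMP wire format):
    header = 32-bit sequence number || 16-byte token || payload
The token is a truncated HMAC over (seq, destination) under a key known only
to the sending node, so a party that never saw the packet cannot fabricate a
plausible header to quote in a fake error report.
"""
import hashlib
import hmac
import struct
import time
from collections import OrderedDict

TOKEN_LEN = 16                            # assumed: 128-bit truncated HMAC-SHA256
HEADER_FMT = "!I16s"                      # assumed: seq (4 bytes) + token (16 bytes)
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20 bytes
MAX_OUTSTANDING = 1024                    # bound on remembered sends (assumed)


def _token(key: bytes, seq: int, dst: str) -> bytes:
    """Keyed token binding a sequence number to a destination."""
    msg = struct.pack("!I", seq) + dst.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:TOKEN_LEN]


class Sender:
    """Tracks packets sent by this node and vets error reports about them."""

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0
        self.outstanding = OrderedDict()  # seq -> (dst, send_time)

    def send(self, dst: str, payload: bytes) -> bytes:
        """Build a packet, remembering (seq, dst) so later errors can be matched."""
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        self.outstanding[self.seq] = (dst, time.monotonic())
        while len(self.outstanding) > MAX_OUTSTANDING:
            self.outstanding.popitem(last=False)  # retire the oldest entry
        return struct.pack(HEADER_FMT, self.seq, _token(self.key, self.seq, dst)) + payload

    def verify_error(self, reported_dst: str, quoted: bytes) -> bool:
        """Accept an error report only if the quoted leading bytes are a packet
        we sent to reported_dst and the report has not been seen before."""
        if len(quoted) < HEADER_LEN:
            return False                      # too short to contain our header
        seq, tok = struct.unpack(HEADER_FMT, quoted[:HEADER_LEN])
        entry = self.outstanding.get(seq)
        if entry is None:
            return False                      # never sent, or already retired
        dst, _sent_at = entry
        if dst != reported_dst:
            return False                      # wrong destination for that seq
        if not hmac.compare_digest(tok, _token(self.key, seq, dst)):
            return False                      # token does not match our key
        del self.outstanding[seq]             # accept once; a replay now fails
        return True


def demo():
    """Constructed scenario: one genuine report, one replay, one forgery."""
    node = Sender(b"node-local-secret-constructed-for-demo")
    dst = "2001:db8::2"                       # documentation address, constructed
    pkt = node.send(dst, b"hello")
    genuine = node.verify_error(dst, pkt[:HEADER_LEN + 8])   # quotes our header
    replay = node.verify_error(dst, pkt[:HEADER_LEN + 8])    # same report again
    node.send(dst, b"world")                                 # seq 2 is outstanding
    forged = struct.pack(HEADER_FMT, 2, b"\x00" * TOKEN_LEN) # guessed seq, no key
    spoof = node.verify_error(dst, forged)
    return genuine, replay, spoof


if __name__ == "__main__":
    print(demo())  # → (True, False, False)
```

The design choice worth noting: the table is bounded and entries are consumed on first acceptance, so memory stays fixed and a captured genuine header cannot be replayed indefinitely; an off-path party that only guesses sequence numbers still fails the keyed-token comparison.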
