Hi Marco, In I-D: draft-ietf-mext-mip6-tls we do propose the use of UDP encapsulation for signaling and traffic between the MN and HA. This would make the processing and firewall rules simpler (UDP port) as you mentioned in your email.
-Raj On 11/28/11 2:15 AM, "ext Marc Lampo" <[email protected]> wrote: >Hello, > >Looking at the list archive, I see no comments on these drafts, published >October 17th. >Nor do I find any traces of discussions on IETF-82. > >However, from a security point of view, I do have a remark. >In both drafts, the "Security Considerations" state : >(quoting extracts) >... "recommends a liberal setting of firewall rules" ... >... "some malicious traffic may be permitted" ... >... "allow the initiation of Denial of Service attacks against Mobile IPv6 >capable nodes" ... > >Is this acceptable ? >Being concerned with security, I'd say that these statements as "Security >Considerations" >might lead to the conclusion that these mobility extensions cannot be >used, in practice ?! > >We hear that mobile networks might be the first to be IPv6 only (if there >aren't already such networks around) > --> IPv6 only in mobile nets : the target for Mobility Extensions >We see that more and more banks offer clients for smartphones for Internet >banking > --> the "correspondent node" might very well be in some bank's DMZ > >??? if they, bank security admins, will accept to setup security devices > in such a way that "firewall rules are liberal" > and "potentially allow that DOS attacks are started" ??? > >It is my impression that, to put mobility information so "deep" in the >stack > - as "extension header" with IPPROTO_NONE in the next header field - >implies that security infrastructure will need quite some CPU resources >to work its way through them. >Wouldn't it have been wiser to assign a (UDP ?) portnumber to the Mobility >"application" ? > > >Kind regards, > > > >Marc Lampo >Security Officer > > EURid > Woluwelaan 150 > 1831 Diegem - Belgium > [email protected] > http://www.eurid.eu >_______________________________________________ >MEXT mailing list >[email protected] >https://www.ietf.org/mailman/listinfo/mext _______________________________________________ MEXT mailing list [email protected] https://www.ietf.org/mailman/listinfo/mext
