
Re: draft-ietf-mobileip-ipv6-09



>Hi,
>I know very little about IPv6 mobility and security issues so correct me
>if I am wrong. Please UNICAST me your expert advice.
>
>1> Draft mentions that while transmitting a packet, if the corresponding node's
>Binding cache has a valid care_of_address entry for the mobile node's home
>address then it replaces the latter by the former and appends a routing header
>with the latter as last hop. Does the firewall entertain source routing ??

Firewalls *can* do anything they want to (unfortunately) but there
is no reason that they should block packets containing such a routing
header.

>2> Also encapsulated packets from home agent can invade foreign network's
>firewall. Is that acceptable ??

Again, there is no reason that a firewall should block such packets.

>3> While registering primary care_of_address with its home agent mobile
>node sends either an AH [9] or ESP [10] header providing sender
>authentication, data integrity protection, and replay protection, via
>Foreign Agent. Isn't that surrendering your secured data to foreign n/w ?? 

There are no foreign agents in Mobile IPv6 (they were optional in
Mobile IPv4, but in Mobile IPv6, this is a simple IPv6 router).  Also,
the Binding Update is sent from the mobile node to the home agent
using standard IPsec.  I'm not sure what you mean by "surrendering
your secured data" here, but the authentication (and optional
encryption) is done directly between the mobile node and the home agent.
Nothing is shared with the router or anyone else in the foreign network.

>Thanks.
>
>Rajeeb Mishra

					Dave
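
Added example, not part of either message: what a packet filter can read from the routing header discussed in question 1, where the IPv6 destination is the care-of address and the home address is the last hop. The routing type 0 layout from RFC 2460, the function names and the 2001:db8:: addresses are assumptions made for this sample.

```python
import ipaddress
import struct

ROUTING = 43          # Next Header value of the Routing extension header
SKIPPABLE = (0, 60)   # Hop-by-Hop and Destination Options share its length encoding

def build_packet(src, care_of, home, routing_type=0):
    """Constructed sample: destination is the care-of address, home address is the last hop."""
    # Routing header: next header 59 (none), length 2 (8-octet units after the first 8),
    # routing type (assumed 0), segments left 1, 4 reserved octets, then one address.
    rh = struct.pack("!BBBB4x", 59, 2, routing_type, 1) + ipaddress.IPv6Address(home).packed
    fixed = struct.pack("!IHBB", 0x60000000, len(rh), ROUTING, 64)
    return fixed + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(care_of).packed + rh

def inspect_routing_header(packet):
    """Return what a filter can learn from the routing header, or None if there is none."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    end = 40 + struct.unpack("!H", packet[4:6])[0]
    if len(packet) < end:
        raise ValueError("truncated payload")
    dst = ipaddress.IPv6Address(packet[24:40])
    next_hdr, off = packet[6], 40
    while next_hdr == ROUTING or next_hdr in SKIPPABLE:
        if off + 8 > end:
            raise ValueError("truncated extension header")
        hdr_len = (packet[off + 1] + 1) * 8
        if off + hdr_len > end:
            raise ValueError("extension header overruns payload")
        if next_hdr == ROUTING:
            # Address list parsed with the type 0 layout (assumption).
            if (hdr_len - 8) % 16:
                raise ValueError("address list is not a multiple of 16 octets")
            addrs = [ipaddress.IPv6Address(packet[o:o + 16])
                     for o in range(off + 8, off + hdr_len, 16)]
            seg_left = packet[off + 3]
            if seg_left > len(addrs):
                raise ValueError("segments left exceeds address count")
            return {"first_hop": dst, "routing_type": packet[off + 2],
                    "segments_left": seg_left,
                    "final_destination": addrs[-1] if seg_left else dst}
        next_hdr, off = packet[off], off + hdr_len
    return None

# Constructed addresses: correspondent node, care-of address, home address.
SAMPLE = build_packet("2001:db8:3::1", "2001:db8:2::10", "2001:db8:1::10")
```

A filter that matches only on the IPv6 destination field sees the care-of address here; the home address appears only as `final_destination` once the routing header is parsed.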

