A Scheme of Mobile Firewall in Mobile IPv6
draft-qiu-mip6-mobile-firewall-02

Abstract

More and more activities rely on mobile devices. It is an important issue on how to protect mobile users engaged in mobile services. Unfortunately, the conventional firewalls are inappropriate for mobile networks. Furthermore, with a conventional firewall, an administrator of mobile nodes is unable to monitor / control dynamically the mobile nodes' activities when the mobile nodes roam. In this draft, we introduce a new concept of mobile personal firewall and propose a concrete scheme that matches the mobile environment and exploits the mobile network facilities. When a mobile node (MN) roams into a foreign network managed by a mobility anchor point (MAP), the home agent (HA) will authorize the MAP to serve as a security proxy. The HA will negotiate with the MAP on the security association and then transfer to the MAP the defined security rules that will be applied on all communications to the MN. According to HMIPv6 protocol, all packets to MN will go through MAP. Therefore, the MAP has the ability of filtering packets. The MAP could also send the MN's traffic logs to the HA. The MN's administrator could dynamically monitor the MN's activities by retrieving the MN's traffic logs through the HA. If necessary, the MN's administrator could update the security rules so that the MN's activities could be controlled dynamically. All the operations are transparent to the MN, and the MN will be served in a way specified by its administrator no matter where it roams.

Authors

Ying Qiu

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)