Issue 2869: Traversal algorithm not sufficient (firewall-rtf)
Source: (, )
Nature: Uncategorized Issue
Severity:
Summary:
Description:

There may be some network topologies where the traversal algorithm is not sufficient for a firewall to find a server. This is due to an unstated assumption that all addresses within the outermost inbound firewall are addressable from the outermost inbound firewall. Consider for example the following topology:

                                    |-----*Firewall B*-----Network B
    Internet ------*Firewall A*-----|
                          |         |-----*Firewall C*-----Network C
                          |
                  Service Network (DMZ)

Assume that the addresses on the service network are globally routable addresses, Network B uses RFC 1597 addresses and Network C uses RFC 1597 addresses. This topology could be possible, say for a government agency that has sub-agencies that share some resources (service network) but maintain separately administrated networks.

In this case the outermost inbound firewall for a server on Network B or C is Firewall A. However, when new target is invoked on Firewall A, it won't know from the host address whether to open a connection to Firewall B or Firewall C.

Proposed Solution:

There are several possible solutions to this problem:

1) Explicitly state the assumption described in the description section
2) Mandate that implementations allow for the configuration of the next inbound firewalls
3) Mandate that servers on Network B or C in such configurations use Firewall B or C as the outermost inbound firewall.

There may be other solutions to this problem. These were the ones that immediately presented themselves.
Resolution:
Revised Text:
Actions taken:
August 24, 1999: received issue

Discussion:

End of Annotations:=====

From: "Niebuhr, Brian"
To: "'firewall-rtf@omg.org'"
Subject: Issue 9
Date: Tue, 24 Aug 1999 23:06:27 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2448.0)
Content-Type: text/plain; charset="iso-8859-1"
X-UIDL: 770bc2d29040376ce1fcfb702a9e57ff

Issue 9
See also issue 7
See also issue 8

Description:

There may be some network topologies where the traversal algorithm is not sufficient for a firewall to find a server. This is due to an unstated assumption that all addresses within the outermost inbound firewall are addressable from the outermost inbound firewall. Consider for example the following topology:

                                    |-----*Firewall B*-----Network B
    Internet ------*Firewall A*-----|
                          |         |-----*Firewall C*-----Network C
                          |
                  Service Network (DMZ)

Assume that the addresses on the service network are globally routable addresses, Network B uses RFC 1597 addresses and Network C uses RFC 1597 addresses. This topology could be possible, say for a government agency that has sub-agencies that share some resources (service network) but maintain separately administrated networks.

In this case the outermost inbound firewall for a server on Network B or C is Firewall A. However, when new target is invoked on Firewall A, it won't know from the host address whether to open a connection to Firewall B or Firewall C.

Proposed Solution:

There are several possible solutions to this problem:

1) Explicitly state the assumption described in the description section
2) Mandate that implementations allow for the configuration of the next inbound firewalls
3) Mandate that servers on Network B or C in such configurations use Firewall B or C as the outermost inbound firewall.

There may be other solutions to this problem. These were the ones that immediately presented themselves.
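The following Python model, added here as an example and not part of the issue, the submitter's mail, the CORBA firewall specification or any ORB, shows the failure the issue describes and one reading of proposed solution 2. It builds the topology above with both Network B and Network C in the same RFC 1597 block, so that a server on B and a server on C can carry the identical host address. Selecting the next hop from the host address alone (next_hop_by_address) is then ambiguous at Firewall A, while selecting from a configured table of next inbound firewalls keyed by the firewall named after Firewall A in the target's inbound path (next_hop_by_configuration) is not. All names here (Firewall, Target, the path field, the two lookup functions) are hypothetical; in particular the Target.path tuple is an assumed stand-in for whatever the specification's IOR components actually encode, and the sample addresses are constructed from documentation ranges.

```python
"""Next-hop selection at the outermost inbound firewall (Firewall A above).

Added example, not code from the firewall RTF, the CORBA firewall
specification or any ORB. All names here (Firewall, Target, the `path`
field, next_hop_by_address, next_hop_by_configuration) are hypothetical
simplifications; Target.path is an assumed stand-in for whatever the
specification's IOR components carry.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Firewall:
    name: str
    address: str        # address the outer firewall uses to reach this one
    inside: tuple = ()  # networks behind it, as strings; may be RFC 1597 space


@dataclass(frozen=True)
class Target:
    host: str           # server address as known inside its own network
    port: int
    path: tuple = ()    # inbound firewall names, outermost first (assumed encoding)


class NoRoute(Exception):
    pass


class AmbiguousRoute(Exception):
    pass


def next_hop_by_address(inner: list, target: Target) -> Optional[Firewall]:
    """The algorithm as it stands: pick the next inbound firewall from the
    target host address alone. Returns None when no inner firewall claims
    the address, i.e. the host (e.g. a DMZ server) is connected to directly.
    Raises AmbiguousRoute when several inner firewalls claim it, which is
    exactly what happens when Network B and Network C use the same block."""
    ip = ipaddress.ip_address(target.host)
    claims = [fw for fw in inner
              if any(ip in ipaddress.ip_network(n) for n in fw.inside)]
    if not claims:
        return None
    if len(claims) > 1:
        names = [fw.name for fw in claims]
        raise AmbiguousRoute(f"{target.host} is claimed by {names}")
    return claims[0]


def next_hop_by_configuration(this_fw: str, configured: dict,
                              target: Target) -> Optional[Firewall]:
    """Proposed solution 2: the outer firewall holds an explicit table of its
    next inbound firewalls and selects by the firewall named after itself in
    the target's path, never by the (possibly non-unique) host address.
    Only a configured firewall is ever forwarded to, so a path supplied by a
    client cannot steer this firewall toward an arbitrary inside address."""
    if this_fw not in target.path:
        raise NoRoute(f"{this_fw} is not on the path to {target.host}")
    idx = target.path.index(this_fw)
    if idx == len(target.path) - 1:
        return None   # last inbound firewall: connect to target.host directly
    nxt = target.path[idx + 1]
    if nxt not in configured:
        raise NoRoute(f"{nxt} is not a configured next inbound firewall of {this_fw}")
    return configured[nxt]


def raises(exc_type, fn, *args) -> bool:
    """Small helper so callers can check which error a lookup produces."""
    try:
        fn(*args)
    except exc_type:
        return True
    return False


# Constructed topology from the issue: firewall and DMZ addresses come from
# a documentation range, and both sub-agency networks use the same RFC 1597
# block, so a server on B and a server on C can share a host address.
FW_B = Firewall("Firewall B", "192.0.2.2", ("10.0.0.0/8",))
FW_C = Firewall("Firewall C", "192.0.2.3", ("10.0.0.0/8",))
INNER_OF_A = [FW_B, FW_C]
CONFIG_A = {fw.name: fw for fw in INNER_OF_A}

SERVER_ON_B = Target("10.1.2.3", 683, path=("Firewall A", "Firewall B"))
SERVER_ON_C = Target("10.1.2.3", 683, path=("Firewall A", "Firewall C"))
DMZ_SERVER = Target("192.0.2.10", 683, path=("Firewall A",))
BAD_PATH = Target("10.1.2.3", 683, path=("Firewall A", "Firewall X"))


if __name__ == "__main__":
    for label, t in [("B", SERVER_ON_B), ("C", SERVER_ON_C), ("DMZ", DMZ_SERVER)]:
        try:
            hop = next_hop_by_address(INNER_OF_A, t)
            print(f"by address, server on {label}: {hop.name if hop else 'direct'}")
        except AmbiguousRoute as e:
            print(f"by address, server on {label}: ambiguous ({e})")
        hop = next_hop_by_configuration("Firewall A", CONFIG_A, t)
        print(f"by configuration, server on {label}: {hop.name if hop else 'direct'}")
```

The DMZ server resolves either way, because its globally routable address is claimed by neither inner firewall. The two inside servers cannot be told apart by address at all, which is the issue's point; with the configured table they resolve to Firewall B and Firewall C respectively, and a path that names a firewall Firewall A has not been configured with is refused rather than guessed at.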