Post on 14-Jan-2016
MIPv6 Firewall Traversal: Design Considerations
Prepared by Hannes Tschofenig, Qiu Ying, Xiaoming Fu, Niklas Steinleitner, Gabor Bajko
RFC 4487
• RFC 4487 describes scenarios where
– the Mobile Node is in a Network Protected by Firewall(s)
– the Correspondent Node is in a Network Protected by Firewall(s)
– the HA is in a Network Protected by Firewall(s)
– the MN moves to a Network Protected by Firewall(s)
• MIPv6 Signaling Messages
– BUHA = {Src=CoA, Dst=HA, HoA, ...}
– HoTI = {Src=HoA, Dst=CN, rH}
– HoT = {Src=CN, Dst=HoA, rH, ...}
– CoTI = {Src=CoA, Dst=CN, rC}
– CoT = {Src=CN, Dst=CoA, rC, ...}
– BUCN = {Src=CoA, Dst=CN, HoA, ...}
– BACN = {CN, CoA, HoA, ...}
Scenario (1/2)
• Provide solutions for specific scenario vs. solution(s) for all scenarios?
[Figure: Mobile Node is in a Network Protected by Firewall(s) (nodes: Mobile Node, Firewall, Correspondent Node, Home Agent)]
[Figure: Correspondent Node is in a Network Protected by Firewall(s) (nodes: Correspondent Node, Firewall, Mobile Node, Home Agent)]
Scenario (2/2)
• Provide solutions for specific scenario vs. solution(s) for all scenarios?
[Figure: Home Agent is in a Network Protected by Firewall(s) (nodes: Correspondent Node, Firewall, Mobile Node, Home Agent)]
[Figure: MN moves to a Network Protected by Firewall(s) (nodes: Correspondent Node, Firewall, Mobile Node, Home Agent, Mobile Node after the move)]
Mobile Node
Selected Problem
[Figure: Home Agent in a Network Protected by Firewall(s) (nodes: Home Agent, Firewall, Mobile Node, Correspondent Node; messages: HoTI (HoA), CoTI (CoA), HoTI (HoA), one HoTI (HoA) marked with an X)]
Problems with Return Routability Test
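As an added illustration of the signaling list above and of the selected problem (this is not code from the slide deck or from RFC 4487), the following Python model runs the Return Routability messages through a stateful firewall that admits only inside-initiated flows, placed in turn in front of the MN, the CN and the HA. The addresses, the one-rule firewall, the address-pair state and the message dependency ordering are assumptions of the model, not mechanisms from the deck.

```python
"""Toy model of MIPv6 Return Routability signaling crossing a stateful firewall.

Added example, not from RFC 4487 or the slide deck. Assumptions: addresses
are constructed placeholders; the firewall is reduced to one rule, "admit
flows initiated from the inside", tracked on (src, dst) address pairs; a
message whose predecessor was dropped is never sent at all.
"""
from dataclasses import dataclass, field

# Constructed placeholder addresses (documentation prefix).
HOA = "2001:db8:1::1"    # Mobile Node's home address (home network)
COA = "2001:db8:2::1"    # Mobile Node's care-of address (visited network)
HA = "2001:db8:1::ff"    # Home Agent (home network)
CN = "2001:db8:3::1"     # Correspondent Node


@dataclass(frozen=True)
class Packet:
    name: str
    src: str                  # outermost IPv6 source as seen by the firewall
    dst: str                  # outermost IPv6 destination
    after: tuple = ()         # names of messages this one depends on


@dataclass
class StatefulFirewall:
    inside: frozenset                      # addresses on the protected side
    flows: set = field(default_factory=set)

    def filter(self, pkt):
        src_in, dst_in = pkt.src in self.inside, pkt.dst in self.inside
        if src_in == dst_in:
            return "not seen"              # does not cross this firewall
        if src_in:
            self.flows.add((pkt.src, pkt.dst))   # inside-initiated: record state
            return "pass"
        if (pkt.dst, pkt.src) in self.flows:
            return "pass"                  # reply to a recorded flow
        return "DROP"                      # unsolicited inbound


def return_routability_exchange():
    """Messages of the RR test, HoTI/HoT bidirectionally tunneled via the HA."""
    return [
        Packet("BU to HA", COA, HA),
        Packet("HoTI MN->HA (tunneled)", COA, HA, ("BU to HA",)),
        Packet("HoTI HA->CN", HOA, CN, ("HoTI MN->HA (tunneled)",)),
        Packet("CoTI MN->CN", COA, CN),
        Packet("HoT CN->HA", CN, HOA, ("HoTI HA->CN",)),
        Packet("HoT HA->MN (tunneled)", HA, COA, ("HoT CN->HA",)),
        Packet("CoT CN->MN", CN, COA, ("CoTI MN->CN",)),
        Packet("BU to CN", COA, CN, ("HoT HA->MN (tunneled)", "CoT CN->MN")),
    ]


def run_scenario(inside):
    """Return {message name: verdict} for a firewall protecting `inside`."""
    fw = StatefulFirewall(frozenset(inside))
    verdict = {}
    for pkt in return_routability_exchange():
        if any(verdict[dep] in ("DROP", "never sent") for dep in pkt.after):
            verdict[pkt.name] = "never sent"
        else:
            verdict[pkt.name] = fw.filter(pkt)
    return verdict


SCENARIOS = {
    "MN behind firewall": {COA},
    "CN behind firewall": {CN},
    "HA behind firewall": {HA, HOA},
}


def blocked(inside):
    """Names of messages dropped or never sent under a given placement."""
    return [n for n, v in run_scenario(inside).items() if v in ("DROP", "never sent")]


if __name__ == "__main__":
    for title, inside in SCENARIOS.items():
        print(title)
        for name, verdict in run_scenario(inside).items():
            print(f"  {name:28s} {verdict}")
```

The HA-behind-firewall run drops the BU arriving from the care-of address, and with it the tunneled HoTI, because nothing inside initiated that flow; the CN-behind-firewall run drops HoTI and CoTI for the same reason, so no HoT or CoT is ever produced. The MN-behind-firewall run passes everything at this level of abstraction, since the MN itself initiates every flow; whatever goes wrong in that scenario lies in packet contents this address-pair model does not inspect.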
Design Considerations
• In-band signaling vs. out-of-band signaling
– Out-of-band signaling: MIPv6-like protocol mechanisms vs. another protocol
– Which protocol?
• Do firewalls cooperate (i.e., are they MIPv6 aware)?
• If the firewall is MIPv6 aware, then security questions need to be answered with regard to authorization of state establishment.
– Examples: CGA, hash of PK, hash chains, authorization tokens, etc.
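The slide only names hash chains as one way to authorize changes to firewall state; as an added, constructed illustration (not a mechanism from the deck or from any of the cited drafts), the Python below shows the idea: the party that establishes the state commits to the anchor of a hash chain, and each later update must reveal the next preimage, so only that party can modify the state and a used value cannot be replayed. The chain length, the SHA-256 choice and the `FirewallState` record are assumptions of this example.

```python
"""Hash-chain authorization of firewall state updates (constructed example)."""
import hashlib
import os


def make_chain(length, seed=None):
    """Build h_0 = seed, h_i = SHA-256(h_{i-1}); the last element is the anchor.

    The creator keeps the whole chain and reveals elements from the end
    backwards, one per update.
    """
    seed = seed if seed is not None else os.urandom(32)
    chain = [seed]
    for _ in range(length):
        chain.append(hashlib.sha256(chain[-1]).digest())
    return chain


class FirewallState:
    """Firewall-side record for one pinhole, bound to the chain anchor."""

    def __init__(self, anchor, rule):
        self.anchor = anchor      # value the next preimage must hash to
        self.rule = rule          # current filter rule (opaque here)
        self.updates = 0

    def update(self, preimage, new_rule):
        """Accept the update only if `preimage` hashes to the stored anchor."""
        if hashlib.sha256(preimage).digest() != self.anchor:
            return False
        self.anchor = preimage    # ratchet forward: the revealed value is now spent
        self.rule = new_rule
        self.updates += 1
        return True


def demo():
    """Establish state, perform two valid updates and reject a replay and a forgery."""
    chain = make_chain(3, seed=b"\x01" * 32)   # constructed, fixed seed for the demo
    state = FirewallState(chain[-1], "allow CN->CoA")
    results = [
        state.update(chain[-2], "allow CN->CoA'"),   # valid: next preimage
        state.update(chain[-2], "allow anything"),   # replay of a spent value
        state.update(b"forged", "allow anything"),   # value not on the chain
        state.update(chain[-3], "allow CN->CoA''"),  # valid: following preimage
    ]
    return results, state.updates


if __name__ == "__main__":
    print(demo())
```

A firewall that is MIPv6 aware could pair such a chain with the initial, more expensively authorized state establishment (for example with CGA or an authorization token, also named on the slide) and then accept cheap per-update proofs without a public-key operation on each change.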
State-of-the-Art
• Firewall detection procedure:
– draft-miao-mip6-ft-02.txt
• Solution for CN behind a firewall:
– draft-bajko-mip6-rrtfw-01.txt
• Protocol between FW and MN that is triggered by incoming data packets:
– draft-zhang-mip6-fsup-01.txt
• Transferring packet filter rules between HA and MAP (HMIP), secured using IKE:
– draft-qui-mobile-firewall-02.txt
• Solution for all scenarios:
– draft-thiruvengadam-nsis-mip6-fw-05.txt
• Solution to compile traceable addresses:
– draft-qiu-mip6-friendly-firewall-01
• STUN/TURN/ICE and Midcom ideas show up periodically
• Related work can be found in HIPRG (see draft-tschofenig-hiprg-hip-natfw-traversal-05.txt, the HIP NATFW paper, or SPINAT)
• Custom solution in MOBIKE to perform connectivity tests (for NAT only)