MIPv6 Firewall Traversal Design Considerations
Transcript of MIPv6 Firewall Traversal Design Considerations
MIPv6 Firewall Traversal Design Considerations
Prepared by Hannes Tschofenig, Qiu Ying, Xiaoming Fu, Niklas Steinleitner, Gabor Bajko
RFC 4487
• RFC 4487 describes scenarios where
  – the Mobile Node is in a Network Protected by Firewall(s)
  – the Correspondent Node is in a Network Protected by Firewall(s)
  – the HA is in a Network Protected by Firewall(s)
  – the MN moves to a Network Protected by Firewall(s)
• MIPv6 Signaling Messages
  – BU_HA = {Src=CoA, Dst=HA, HoA, ...}
  – HoTI = {Src=HoA, Dst=CN, rH}
  – HoT = {Src=CN, Dst=HoA, rH, …}
  – CoTI = {Src=CoA, Dst=CN, rC}
  – CoT = {Src=CN, Dst=CoA, rC, …}
  – BU_CN = {Src=CoA, Dst=CN, HoA, …}
  – BA_CN = {CN, CoA, HoA, …}
Scenario (1/2)
• Provide solutions for specific scenario vs. solution(s) for all scenarios?
Figure: Mobile Node is in a Network Protected by Firewall(s) (Mobile Node, Firewall, Correspondent Node, Home Agent)
Figure: Correspondent Node is in a Network Protected by Firewall(s) (Correspondent Node, Firewall, Mobile Node, Home Agent)
Scenario (2/2)
• Provide solutions for specific scenario vs. solution(s) for all scenarios?
Figure: Home Agent is in a Network Protected by Firewall(s) (Correspondent Node, Firewall, Mobile Node, Home Agent)
Figure: MN moves to a Network Protected by Firewall(s) (Correspondent Node, Firewall, Home Agent, Mobile Node shown twice)
Selected Problem
Figure: Problems with Return Routability Test (Home Agent behind Firewall; Mobile Node, Correspondent Node; message arrows HoTI (HoA), CoTI (CoA), HoTI (HoA), one of them marked X)
Design Considerations
• In-band Signaling vs. Out-of-band signaling
  – Out-of-band signaling: MIPv6-alike protocol mechanisms vs. another protocol
  – Which protocol?
• Do firewalls cooperate (i.e., MIPv6 aware)?
• If the firewall is MIPv6 aware then security questions need to be answered with regard to authorization of state establishment.
  – Examples: CGA, hash of PK, hash chains, authorization tokens, etc.
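The return routability problem from the Selected Problem slide and the "do firewalls cooperate" question above, as an added illustration that is not part of the original slides: a Python model of a plain address-pair stateful firewall in front of the Home Agent's network. It assumes (my assumptions, not the slides') that inbound packets pass only when they match a pin-hole opened by an earlier outbound packet, that the HoA sits on the home link behind that firewall, and that an MIPv6-aware firewall could pre-authorize a pin-hole for the MN's CoA; message names follow the RFC 4487 slide.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    name: str  # message name as on the RFC 4487 slide
    src: str
    dst: str

@dataclass
class StatefulFirewall:
    """Plain address-pair stateful firewall guarding one network (simplified model).

    Outbound packets always pass and open a (src, dst) pin-hole; inbound packets
    pass only if a matching pin-hole exists. 'preauthorized' stands in for the
    pin-holes an MIPv6-aware firewall might install after authorizing the MN.
    """
    inside: frozenset
    preauthorized: frozenset = frozenset()
    pinholes: set = field(default_factory=set)
    verdicts: list = field(default_factory=list)

    def forward(self, pkt: Packet) -> bool:
        outbound = pkt.src in self.inside and pkt.dst not in self.inside
        if outbound:
            self.pinholes.add((pkt.src, pkt.dst))
            passed = True
        else:  # inbound: needs state keyed on the reverse address pair
            passed = (pkt.dst, pkt.src) in self.pinholes | self.preauthorized
        self.verdicts.append((pkt.name, "pass" if passed else "drop"))
        return passed

COA, HOA, HA, CN = "CoA", "HoA", "HA", "CN"  # constructed address labels

def home_agent_scenario(mipv6_aware: bool) -> dict:
    """Run the HA-behind-firewall scenario; return {message: verdict}."""
    fw = StatefulFirewall(
        inside=frozenset({HA, HOA}),  # HoA is on the home link behind this firewall
        preauthorized=frozenset({(HA, COA)}) if mipv6_aware else frozenset())
    # Binding Update to the HA arrives as an unsolicited inbound packet from the CoA
    if fw.forward(Packet("BU_HA", COA, HA)):
        fw.forward(Packet("BA_HA", HA, COA))
    # HoTI travels through the MN-HA tunnel: outer header Src=CoA, Dst=HA
    if fw.forward(Packet("HoTI_tunneled", COA, HA)):
        fw.forward(Packet("HoTI", HOA, CN))  # HA forwards it with Src=HoA
        fw.forward(Packet("HoT", CN, HOA))   # CN replies to HoA
        fw.forward(Packet("HoT_tunneled", HA, COA))  # HA tunnels HoT to CoA
    # CoTI/CoT run directly between CoA and CN and never cross this firewall
    return dict(fw.verdicts)
```

With the plain firewall the CoA has no state, so both the BU and the tunneled HoTI are dropped and the HoT leg never happens; the pre-authorized pin-hole is exactly the state whose establishment the slide says must be authorized.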
State-of-the-Art
• Firewall detection procedure:
  – draft-miao-mip6-ft-02.txt
• Solution for CN behind a firewall:
  – draft-bajko-mip6-rrtfw-01.txt
• Protocol between FW and MN that is triggered by incoming data packets:
  – draft-zhang-mip6-fsup-01.txt
• Transferring packet filter rules between HA and MAP (HMIP) secured using IKE:
  – draft-qui-mobile-firewall-02.txt
• Solution for all scenarios:
  – draft-thiruvengadam-nsis-mip6-fw-05.txt
• Solution to compile traceable addresses:
  – draft-qiu-mip6-friendly-firewall-01
• STUN/TURN/ICE and Midcom idea shows up periodically
• Related work can be found in HIPRG (see draft-tschofenig-hiprg-hip-natfw-traversal-05.txt, HIP NATFW paper or SPINAT).
• Custom solution in MOBIKE to perform connectivity tests (for NAT only)