MIPv6 Firewall Traversal Design Considerations

Prepared by Hannes Tschofenig, Qiu Ying, Xiaoming Fu, Niklas Steinleitner, Gabor Bajko

RFC 4487

• RFC 4487 describes scenarios where
  – the Mobile Node is in a network protected by firewall(s)
  – the Correspondent Node is in a network protected by firewall(s)
  – the HA is in a network protected by firewall(s)
  – the MN moves to a network protected by firewall(s)

• MIPv6 signaling messages
  – BUHA = {Src=CoA, Dst=HA, HoA, ...}
  – HoTI = {Src=HoA, Dst=CN, rH}
  – HoT = {Src=CN, Dst=HoA, rH, ...}
  – CoTI = {Src=CoA, Dst=CN, rC}
  – CoT = {Src=CN, Dst=CoA, rC, ...}
  – BUCN = {Src=CoA, Dst=CN, HoA, ...}
  – BACN = {CN, CoA, HoA, ...}

Scenario (1/2)

• Provide solutions for a specific scenario vs. solution(s) for all scenarios?

[Figure: Mobile Node is in a Network Protected by Firewall(s): Mobile Node, Firewall, Correspondent Node, Home Agent]

[Figure: Correspondent Node is in a Network Protected by Firewall(s): Correspondent Node, Firewall, Mobile Node, Home Agent]

Scenario (2/2)

[Figure: Home Agent is in a Network Protected by Firewall(s): Correspondent Node, Firewall, Mobile Node, Home Agent]

• Provide solutions for a specific scenario vs. solution(s) for all scenarios?

[Figure: MN moves to a Network Protected by Firewall(s): Correspondent Node, Firewall, Mobile Node, Home Agent, Mobile Node (after move)]

Selected Problem

[Figure: Home Agent, Firewall, Mobile Node, Correspondent Node; HoTI (HoA), CoTI (CoA), HoTI (HoA) marked X]

Problems with the Return Routability Test
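To make the return routability problem concrete, the following added example (not part of the slides) replays the signaling messages listed earlier through a minimal address-only stateful firewall model, first in front of the MN and then in front of the CN. The firewall behaviour (outbound packets open a pinhole, inbound packets need a matching pinhole), the segment headers and the message dependencies are assumptions of the model, built from the Src/Dst fields on the slide.

```python
from dataclasses import dataclass
from typing import Optional

Hdr = Optional[tuple[str, str]]  # (src, dst) as seen on one segment; None if absent there

@dataclass(frozen=True)
class Msg:
    name: str
    mn_side: Hdr  # header on the MN <-> first-hop segment (tunnel outer header if tunneled)
    cn_side: Hdr  # header on the segment in front of the CN
    needs: tuple = ()  # messages that must have been delivered before this one is sent

# Constructed from the slide's message list: HoTI/HoT ride the CoA<->HA tunnel and are
# forwarded by the HA, so the CN's side sees HoA while the MN's side sees CoA<->HA.
RR_EXCHANGE = [
    Msg("BUHA", ("CoA", "HA"), None),
    Msg("HoTI", ("CoA", "HA"), ("HoA", "CN"), ("BUHA",)),
    Msg("HoT", ("HA", "CoA"), ("CN", "HoA"), ("HoTI",)),
    Msg("CoTI", ("CoA", "CN"), ("CoA", "CN")),
    Msg("CoT", ("CN", "CoA"), ("CN", "CoA"), ("CoTI",)),
    Msg("BUCN", ("CoA", "CN"), ("CoA", "CN"), ("HoT", "CoT")),
    Msg("BACN", ("CN", "CoA"), ("CN", "CoA"), ("BUCN",)),
]

class StatefulFirewall:
    """Assumed address-only stateful filter: outbound packets pass and open a pinhole,
    inbound packets pass only if the reverse flow was seen leaving first."""
    def __init__(self, side: str, inside: set):
        self.side, self.inside, self.flows = side, inside, set()

    def forward(self, m: Msg) -> bool:
        hdr = m.mn_side if self.side == "mn" else m.cn_side
        if hdr is None:
            return True  # this message never crosses this firewall
        src, dst = hdr
        if src in self.inside:
            self.flows.add((src, dst))  # outbound: open pinhole for the reply
            return True
        if dst in self.inside:
            return (dst, src) in self.flows  # inbound: needs an existing pinhole
        return True  # transit traffic not guarded by this firewall

def run_exchange(fw: StatefulFirewall) -> dict:
    """Replay the exchange; a message whose triggers were not delivered is never sent."""
    verdict = {}
    for m in RR_EXCHANGE:
        if any(verdict.get(n) != "delivered" for n in m.needs):
            verdict[m.name] = "not sent"
        else:
            verdict[m.name] = "delivered" if fw.forward(m) else "dropped"
    return verdict

if __name__ == "__main__":
    print("MN behind firewall:", run_exchange(StatefulFirewall("mn", {"CoA"})))
    print("CN behind firewall:", run_exchange(StatefulFirewall("cn", {"CN"})))
```

With the firewall in front of the CN, HoTI and CoTI arrive unsolicited and are dropped, so no HoT/CoT and no binding update to the CN follow; real firewalls also key state on protocol and ports, so this address-only model is the optimistic case.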

Design Considerations

• In-band signaling vs. out-of-band signaling
  – Out-of-band signaling: MIPv6-like protocol mechanisms vs. another protocol
  – Which protocol?

• Do firewalls cooperate (i.e., are they MIPv6 aware)?

• If the firewall is MIPv6 aware, then security questions need to be answered with regard to authorization of state establishment.
  – Examples: CGA, hash of PK, hash chains, authorization tokens, etc.

State-of-the-Art

• Firewall detection procedure:
  – draft-miao-mip6-ft-02.txt

• Solution for CN behind a firewall:
  – draft-bajko-mip6-rrtfw-01.txt

• Protocol between FW and MN that is triggered by incoming data packets:
  – draft-zhang-mip6-fsup-01.txt

• Transferring packet filter rules between HA and MAP (HMIP), secured using IKE:
  – draft-qui-mobile-firewall-02.txt

• Solution for all scenarios:
  – draft-thiruvengadam-nsis-mip6-fw-05.txt

• Solution to compile traceable addresses:
  – draft-qiu-mip6-friendly-firewall-01

• STUN/TURN/ICE and the Midcom idea show up periodically

• Related work can be found in HIPRG (see draft-tschofenig-hiprg-hip-natfw-traversal-05.txt, the HIP NATFW paper, or SPINAT)

• Custom solution in MOBIKE to perform connectivity tests (for NAT only)

Next Steps

• Decide on the solution scope

• Form a design team to investigate the details