Transcript PPT Version

Mobile IPv6 - NSIS Interaction for Firewall traversal
draft-thiruvengadam-nsis-mip6-fw-01
S. Thiruvengadam
Hannes Tschofenig
Franck Le
© NOKIA
NSIS MIPv6 FW/ November 8th 2004
Introduction of the problem
MIPv6 & Firewalls
• Mobility Support in IPv6 (Mobile IPv6) is now an RFC: RFC 3775
• However, firewalls, which are an integral part of most IP networks deployed today, can cause several deployment problems
• The MIP6 WG has recognized the problem; the issues are described in draft-ietf-mip6-firewalls-00.txt
Summary of the Problems
• The problems stem from the fact that in Mobile IPv6
  • several IP addresses can be used: Home IP Address, Care of Address, Home Agent's IP address
  • packets can take different forms: tunneled (reverse tunneling), not tunneled (route optimization)
  • incoming requests, whose format differs from that of the data traffic, need to reach the communicating end points: Care of Test Init, Home Test Init, Binding Update
-> incoming and outgoing packets differ from the states in the firewalls
-> Packets dropped
Illustration of some of the problems
(Diagram: Mobile Node A is in a network protected by a firewall; the SIP Proxy, the Home Agent and Node B are reached across the public Internet. The text boxes of the diagram, in order:)
1. SIP INVITE from Mobile Node A, SDP: Home IP Address. The MN specifies its HoA in the SDP field so that the communication can be maintained when the MN moves and changes IP address.
2. SIP INVITE forwarded by the SIP Proxy to Node B
3. SIP 200 OK
Pinholes are created in the firewall based on the information from the SDP, i.e. the Home IP address.
Uplink VoIP is sent (IP in IP) from the CoA to the HA's IP address, not matching the FW state: PACKETS DROPPED (X)
Downlink VoIP traffic is sent by Node B to A's HoA; the HA forwards it (IP in IP) to the MN's CoA, not matching the FW state: PACKETS DROPPED (X)
Why NSIS?
• Mobile IPv6 has been designed to be an end-to-end protocol
• The communicating end points are the only entities that
  • have knowledge of the HoA, Home Agent IP address, CoA
  • know the mode being used, and the format of the packets
  • know the characteristics of the pinholes that need to be present (e.g. for incoming packets)
• NSIS, which is defining a signaling protocol to allow endpoints to configure firewalls, thus appears as a well-suited solution
NSIS as a solution
• draft-thiruvengadam-nsis-mip6-fw-01 attempts to analyze how NSIS could solve the identified problems
  • "Mobile IPv6 - NSIS Interaction for Firewall traversal"
• New features need to be supported by the NAT-FW-NSLP protocol
  • Ability for the Data Receiver to initiate the signaling
  • Ability to discover the presence and the characteristics of firewalls
  • Ability to create several states in the firewall per request
Ability for the Data Receiver to initiate the signaling
(Diagram: Data Receiver behind a Firewall; Data Sender on the other side of it.)
1. - The MIPv6 case identifies the need for the Data Receiver to be able to initiate the signaling
   - The scenarios are further described in the draft
2. - Actually, the requirement is not specific to MIPv6
   - NSIS assumes that firewalls will allow NSIS messages from the external network
   - However, this can lead to DoS attacks: operators may be reluctant
   - The Data Receiver may have to pay for the incoming traffic -> Overbilling attacks
3. - The Data Receiver may want to restrict the type of incoming traffic
-> Ability for the Data Receiver to initiate signaling is needed
Ability to discover the presence and the
characteristics of firewalls
1. - MIPv6 requires IPsec
   - However, IPsec and FWs do not work well together
   - There are some solutions, e.g. UDP encapsulation
   - But the nodes need to know of the presence of the FW
2. - MIPv6 requires the Return Routability Test to be executed before Route Optimization can be used
   - Firewalls may prevent RRT messages from reaching the nodes
   - There can be some solutions
   - But again, the nodes have to know that they are behind a firewall
3. - Currently there is no protocol to discover the presence and characteristics of FWs
Ability to create several states in the
firewall per request
• Many states need to be created in the firewalls
  • Route Optimization
  • Reverse Tunneling
  • Home Test Init messages
  • Care of Test Init messages
  • Binding Updates
  • IPsec traffic between MN and HA
• Allowing several states to be created per request would
  • Reduce the time delay
  • Reduce the overhead, especially for cellular networks
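The following model ties together the VoIP illustration (pinholes derived from the SDP home address while the tunneled packets carry CoA and HA in their outer header) and the list of states above. It is an added example written for this transcript, not code from the slides or from draft-thiruvengadam-nsis-mip6-fw-01. The addresses (from the 2001:db8::/32 documentation prefix), the media port, the Packet/Rule shapes and the install_states() call are all constructed for the illustration and do not describe the NAT/FW NSLP message format; the firewall is deliberately simplified to match on the outer header only, so the Home Address destination option and the Type 2 routing header of route-optimized traffic are not modelled.

```python
"""Toy stateful-firewall model of the Mobile IPv6 traversal problem.

Added illustration; not code from the slides or from the draft. Addresses,
the Rule/Packet format and install_states() are constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from the IPv6 documentation prefix 2001:db8::/32.
HOA = "2001:db8:home::a"    # Mobile Node A, home address
COA = "2001:db8:visit::a"   # Mobile Node A, care-of address
HA = "2001:db8:home::1"     # Home Agent
CN = "2001:db8:b::b"        # Node B (correspondent node)
RTP = 5004                  # media port signalled in the SDP (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                        # "udp", "ipv6" (IP-in-IP), "mh" (mobility header), "esp"
    dport: Optional[int] = None
    mh_type: Optional[str] = None     # "HoTI", "CoTI", "CoT", "BU", ...
    inner: Optional["Packet"] = None  # encapsulated packet; the firewall never looks at it


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None       # None = any port
    mh_type: Optional[str] = None     # None = any mobility-header type

    def matches(self, p: Packet) -> bool:
        return ((self.src, self.dst, self.proto) == (p.src, p.dst, p.proto)
                and self.dport in (None, p.dport)
                and self.mh_type in (None, p.mh_type))


class Firewall:
    """Stateful firewall: a packet passes only if an installed state matches its outer header."""

    def __init__(self) -> None:
        self.states: list[Rule] = []
        self.requests = 0             # signalling round trips spent installing states

    def install_states(self, rules: list[Rule]) -> None:
        """One request may carry several states (the 'several states per request' feature)."""
        self.requests += 1
        self.states.extend(rules)

    def verdict(self, p: Packet) -> str:
        return "PASS" if any(r.matches(p) for r in self.states) else "DROP"


def mip6_traffic() -> dict[str, Packet]:
    """Constructed packets of the VoIP session and of the MIPv6 signalling, as seen by the FW."""
    media_up = Packet(HOA, CN, "udp", RTP)
    media_down = Packet(CN, HOA, "udp", RTP)
    return {
        # bidirectional tunnelling: outer header is CoA <-> HA, the SDP addresses are inside
        "voip_up_tunnel": Packet(COA, HA, "ipv6", inner=media_up),
        "voip_down_tunnel": Packet(HA, COA, "ipv6", inner=media_down),
        # route optimization: the firewall sees the CoA in the outer header
        "voip_up_ro": Packet(COA, CN, "udp", RTP),
        "voip_down_ro": Packet(CN, COA, "udp", RTP),
        # return routability: HoTI travels through the HA tunnel, CoTI goes direct
        "hoti": Packet(COA, HA, "ipv6", inner=Packet(HOA, CN, "mh", mh_type="HoTI")),
        "coti": Packet(COA, CN, "mh", mh_type="CoTI"),
        "cot": Packet(CN, COA, "mh", mh_type="CoT"),
        # binding update to the CN, and the IPsec-protected exchange with the HA
        "bu_cn": Packet(COA, CN, "mh", mh_type="BU"),
        "bu_ha_esp": Packet(COA, HA, "esp"),
    }


def sdp_pinholes() -> list[Rule]:
    """What a SIP-aware firewall derives from the SDP: states keyed on the home address only."""
    return [Rule(HOA, CN, "udp", RTP), Rule(CN, HOA, "udp", RTP)]


def mip6_states() -> list[Rule]:
    """The states the slide lists, bundled so a single signalling request can install them."""
    return [
        Rule(COA, HA, "ipv6"), Rule(HA, COA, "ipv6"),               # reverse tunnelling (also HoTI)
        Rule(COA, CN, "udp", RTP), Rule(CN, COA, "udp", RTP),       # route-optimized media
        Rule(COA, CN, "mh", mh_type="CoTI"), Rule(CN, COA, "mh", mh_type="CoT"),  # CoTI / CoT
        Rule(COA, CN, "mh", mh_type="BU"),                          # binding update
        Rule(COA, HA, "esp"), Rule(HA, COA, "esp"),                 # IPsec between MN and HA
    ]


def evaluate(states: list[Rule], one_state_per_request: bool = False) -> tuple[dict[str, str], int]:
    """Verdict for every packet plus the number of requests it took to install the states."""
    fw = Firewall()
    if one_state_per_request:
        for r in states:
            fw.install_states([r])
    else:
        fw.install_states(states)
    return {name: fw.verdict(pkt) for name, pkt in mip6_traffic().items()}, fw.requests


if __name__ == "__main__":
    for label, states in (("SDP-derived pinholes", sdp_pinholes()), ("MIPv6-aware states", mip6_states())):
        verdicts, n = evaluate(states)
        print(f"{label} ({n} request):")
        for name, v in verdicts.items():
            print(f"  {name:18} {v}")
```

With the SDP-derived pinholes every packet is dropped, because none of them carries the home address in its outer header; with the MIPv6-aware bundle all of them pass, and the `requests` counter shows the difference between installing the nine states in one request and in nine separate ones, which is the delay and overhead argument of the slide.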
Next steps
• Feedback?
• Can the requirements be addressed by the NAT FW NSLP?