Transcript MIDCOM-1
Middlebox Communication Framework and Requirements Jiri Kuthan Jonathan Rosenberg GMD-Fokus dynamicsoft [email protected] [email protected] December 2000, 49th IETF, MidCom BOF Outline Background transparency loss ALGs embedded in intermediate network devices Suggestion: decomposition of intermediate network devices Driver: co-existence of firewalls, NATs, NAT-PTs with applications using session control protocols Missing piece: protocol between ALGs and intermediate network devices Conclusions 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 2 Background: ALGs Loss of Transparency (RFC2775) ALGs are one of the mechanisms that assist applications in traversing network realms (IPv4, IPv6, NAT, FW, ...) ALGs are embedded maintainability not very good (numerous application protocols, V1, V2, V3, ...) application-awareness is likely to affect performance neither end-2-end nor hop-by-hop security supported Decomposition desired: ALGs stay but not in network devices Case study: firewall/NAT traversal of applications relying on session control 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 3 Ultimately Secure Firewall Installation Instructions: For best effect install the firewall between the CPU unit and the wall outlet. Place the jaws of the firewall across the power cord, and bear down firmly. Be sure to wear rubber gloves while installing the firewall or assign the task to a junior system manager. If the firewall is installed properly, all the lights on the CPU will turn dark and the fans will grow quiet. This indicates that the system has entered a secure state. For Internet use install the firewall between the demarc of the T1 to the Internet. Place the jaws of the firewall across the T1 line lead, and bear down firmly. When your Internet service provider's network operations center calls to inform you that they have lost connectivity to your site, the firewall is correctly installed. (© Marcus Ranum) 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 4 Static Filtering Policy is not Enough Filtering policy in firewalls can be set up anywhere in the range between the ultimate (see previous slide) and completely open firewall (see what Microsoft suggests to enable NetMeeting in networks with firewalls) The problem: all these policies static; they prohibit dynamic conditions such as sessions established using a session control protocol (SIP, H.323, RTSP) Note: such protocols are not a bug, they are a feature needed by many applications 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 5 Application-awareness to Deal with Dynamic Conditions To make firewalls understand dynamic conditions, they need to understand them -> Application Level Gateways firewalls w/ALGs transparent, i.e. no firewall support in enddevices needed Traditional ALGs are embedded Problems: maintainability not very good (numerous application protocols, V1, V2, V3, ...) application-awareness is likely to affect performance neither end-2-end nor hop-by-hop security supported 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 6 Suggestion: Decomposition We suggest using externalized ALGs accessing the intermediate network devices such as firewalls/NA(P)Ts/NAT-PTs via a generic control protocol Benefits: intermediate network devices need to speak a single control protocol; ALG may be supplied by third parties easily existing application-awareness (e.g., SIP proxies) may be reused (as opposed to duplicating it in network devices) hop-by-hop security works 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 7 Missing Piece Protocol for communicating control data associated with IP/transport-layer data flows or aggregates of them between intermediate packet processing devices and external controllers: Flow State Control Protocol (FCP) Application-independent Control data: {packet matching expression, pass/drop, packet counter, ...} Extensible (new per-flow state members may be added) Secure Examples: - udp From 193.174.154.10:44444 To 195.113.150.66:55555 Pass - udp From 10.0.0.1:44444 To 195.113.150.66:55555 Modify source_ip=FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 8 A MidCom Network +--------+ Administrator-Maintained Zone | App. | | Policy | +---------+ SIP | Server |~~~~~~~~~| SIP +_____________ | +--------+ ________| Proxy | \ | / +---------+.. +----+---------------+ | : FCP +------+-----------+ |_______ | RSTP +----------+ :...........| | Per-Flow | | SIP | ____| RSTP |..............| | State | | | / | Proxy |______________| FCP | Table | |_______ | | +----------+ | unit | -------- | | | | FTP +---------+.............| | ACL | | | | _____|FTP Proxy|_____________+------+-----------+ |_______ | | / +---------+ | Intermediate | | | | -----| Network |------+-----------+ /-----| Device |------+-----------+| data streams // +----+---------------+ +-----------+||----------->----// | |end-devices||------------<----| +-----------+ (RTP, ftp-data, etc.) | Inside | Outside Legend: ---____ .... ~~~~ raw data streams application control protocols FCP policy protocol Summary: We have ... problem statement, which is suboptimal deployability of embedded ALGs that help applications to traverse various realms, such as IPv4, IPv6, networks behind NATs, FWs solution, which is control of per-flow states extensibility, which allows to use the same solution for other purposes related to control of flow processing 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 10 Conclusions FCP makes traversal of applications across different realms easier by making ALGs better deployable. Disclaimer: FCP does not fix loss of transparency; it makes it easier to live with and it may help transition to IPv6. Are we going to form a new WG that will deal with this kind of protocol? 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 11 Information Resources Authors Jiri Kuthan, [email protected] Jonathan Rosenberg, [email protected] Mailing list where FCP has been discussed [email protected] To subscribe, send email to [email protected] with “subscribe foglamps” in the body of message Archive: http://www.fokus.gmd.de/glone/ietf/foglamps/ The requirements and framework I-D: draft-kuthan-midcom-framework-00.txt 49th IETF Meeting draft-kuthan-midcom-framework-00.txt 12