Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 - PowerPoint PPT Presentation

Provided by: ietf
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Mobile IPv6 - NSIS Interaction for Firewall traversal, draft-thiruvengadam-nsis-mip6-fw-01
  • S. Thiruvengadam
  • Hannes Tschofenig
  • Franck Le

2
Introduction of the problem: MIPv6 and Firewalls
  • Mobility Support in IPv6 (Mobile IPv6) is now
    an RFC, RFC 3775
  • However, firewalls, which are an integral part of
    most IP networks deployed today, can cause
    several deployment problems
  • The MIP6 WG has recognized the problem, and the
    issues are described in
    draft-ietf-mip6-firewalls-00.txt

3
Summary of the Problems
  • The problems stem from the fact that in Mobile
    IPv6:
    - several IP addresses can be used: the Home
      Address, the Care-of Address and the Home
      Agent's IP address
    - packets can take different forms: tunneled
      (reverse tunneling) or not tunneled
      (route optimization)
    - incoming requests, whose format differs from
      that of the data traffic, need to reach the
      communicating end points: Care-of Test Init,
      Home Test Init, Binding Update
  • -> incoming and outgoing packets do not match the
    states in the firewalls
  • -> Packets are dropped

4
Illustration of some of the problems
[Figure: Mobile Node A, a SIP Proxy and the Home Agent sit in a network protected by a firewall; Node B is in the public Internet on the other side of the firewall]
5
Why NSIS?
  • Mobile IPv6 has been designed to be an end-to-end
    protocol
  • The communicating end points are the only
    entities that:
    - Have knowledge of the HoA, the Home Agent IP
      address and the CoA
    - Know the mode being used, and the format of the
      packets
    - Know the characteristics of the pinholes that
      need to be present (e.g. for incoming packets)
  • NSIS, which is defining a signaling protocol that
    allows endpoints to configure firewalls, thus
    appears to be a well-suited solution

6
NSIS as a solution
  • draft-thiruvengadam-nsis-mip6-fw-01 ("Mobile IPv6 -
    NSIS Interaction for Firewall traversal") attempts
    to analyze how NSIS could solve the identified
    problems
  • New features need to be supported by the
    NAT-FW-NSLP protocol:
    - Ability for the Data Receiver to initiate the
      signaling
    - Ability to discover the presence and the
      characteristics of firewalls
    - Ability to create several states in the firewall
      per request

7
Ability for the Data Receiver to initiate the
signaling
  1. The MIPv6 case identifies the need for the Data
     Receiver to be able to initiate the signaling
     - The scenarios are further described in the
       draft
  2. Actually, the requirement is not specific to
     MIPv6
     - NSIS assumes that firewalls will allow NSIS
       messages from the external network
     - However, this can lead to DoS attacks, so
       operators may be reluctant to allow them
     - The Data Receiver may have to pay for the
       incoming traffic -> overbilling attacks
  3. The Data Receiver may want to restrict the type
     of incoming traffic
  -> The ability for the Data Receiver to initiate the
     signaling is needed
[Figure: Data Sender -> Firewall -> Data Receiver; the Data Receiver may want to restrict incoming traffic]
8
Ability to discover the presence and the
characteristics of firewalls
  1. MIPv6 requires IPsec
     - However, IPsec and firewalls do not work well
       together
     - There are some solutions, e.g. UDP
       encapsulation
     - But the nodes need to know that a FW is present
  2. MIPv6 requires the Return Routability Test
     to be executed before Route Optimization can be
     used
     - Firewalls may prevent RRT messages from reaching
       the nodes
     - There can be some solutions
     - But again, the nodes have to know that they
       are behind a firewall
  3. Currently there is no protocol to discover the
     presence and the characteristics of FWs

9
Ability to create several states in the firewall
per request
  • Many states need to be created in the firewalls:
    - Route Optimization
    - Reverse Tunneling
    - Home Test Init messages
    - Care-of Test Init messages
    - Binding Updates
    - IPsec traffic between MN and HA
  • Allowing several states to be created per request
    would:
    - Reduce the time delay
    - Reduce the overhead, especially for cellular
      networks
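As an added illustration of slides 3 and 9 (this is not code from the draft or its authors), a toy stateful-firewall model in Python: the visited-network firewall learns state only from Mobile Node A's outbound packets, so Node B's first route-optimised packet is dropped, whereas the set of pinholes the MN could signal in one NAT/FW NSLP request lets every packet through. Addresses are constructed placeholders, and the model keys state on (src, dst, next-header) only, ignoring ports.

```python
from typing import NamedTuple

# Constructed placeholder addresses: Mobile Node A's care-of address, its Home Agent, Node B.
COA, HA, CN = "2001:db8:visit::a", "2001:db8:home::ha", "2001:db8:cn::b"
IPV6_IN_IPV6, ESP, TCP, MOBILITY = 41, 50, 6, 135   # real IANA next-header values

class Pkt(NamedTuple):
    name: str; src: str; dst: str
    nh: int            # next header the firewall classifies on
    inbound: bool      # True = from the public Internet towards Mobile Node A

class StatefulFirewall:
    """Toy firewall: passes an inbound packet only if a (src, dst, nh) pinhole exists."""
    def __init__(self) -> None:
        self.pinholes: set[tuple[str, str, int]] = set()
    def forward(self, p: Pkt) -> bool:
        if not p.inbound:                 # outbound traffic opens reverse-direction state
            self.pinholes.add((p.dst, p.src, p.nh))
            return True
        return (p.src, p.dst, p.nh) in self.pinholes

# Constructed trace at the visited-network firewall: A first uses the reverse tunnel and
# runs the return routability test; then B switches to route optimisation and sends first.
EXCHANGE = [
    Pkt("BU to HA (ESP)",              COA, HA, ESP, False),
    Pkt("reverse-tunnelled data out",  COA, HA, IPV6_IN_IPV6, False),
    Pkt("reverse-tunnelled data in",   HA, COA, IPV6_IN_IPV6, True),
    Pkt("HoTI via HA tunnel",          COA, HA, IPV6_IN_IPV6, False),
    Pkt("CoTI direct to B",            COA, CN, MOBILITY, False),
    Pkt("HoT via HA tunnel",           HA, COA, IPV6_IN_IPV6, True),
    Pkt("CoT direct from B",           CN, COA, MOBILITY, True),
    Pkt("BU to B",                     COA, CN, MOBILITY, False),
    Pkt("BAck from B",                 CN, COA, MOBILITY, True),
    Pkt("route-optimised data from B", CN, COA, TCP, True),
]

def dropped_with_implicit_state() -> list[str]:
    """Slide 3: state learnt only from outbound packets misses the route-optimised path."""
    fw = StatefulFirewall()
    return [p.name for p in EXCHANGE if not fw.forward(p)]

def dropped_with_signalled_pinholes() -> list[str]:
    """Slide 9: the MN knows HoA/CoA/HA and the mode, so one request installs every state."""
    fw = StatefulFirewall()
    fw.pinholes |= {(HA, COA, IPV6_IN_IPV6),   # reverse tunnelling and tunnelled HoT
                    (HA, COA, ESP),            # IPsec between MN and HA
                    (CN, COA, MOBILITY),       # CoT and Binding Acknowledgement
                    (CN, COA, TCP)}            # route-optimised data from B
    return [p.name for p in EXCHANGE if not fw.forward(p)]
```

Calling both functions shows the implicit-state firewall dropping only the route-optimised packet from B, while the signalled pinhole set drops nothing.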

10
Next steps
  • Feedback?
  • Can the requirements be addressed by the NAT FW
    NSLP?