Traversing HIP-aware NATs and Firewalls: Problem Statement and Requirements

1
Traversing HIP-aware NATs and Firewalls Problem
Statement and Requirements

• ltdraft-tschofenig-hiprg-hip-natfw-traversal-03.txt
  gt
• Hannes Tschofenig, Murugaraj Shanmugam

2
Acknowledgments

• The authors would like to thank
• Aarthi Nagarajan
• Vesa Torvinen
• Jochen Grimminger and
• Jukka Ylitalo
• for their contributions to this document.

3
Timeline
Indiv-03
Indiv-01
Indiv-02
Indiv-00
DraftRevisions
HIPRGPresentations
IETF-61
IETF-62
IETF-63
IETF-64
4
Assumptions, Requirements and Goals

• Assumption of this work Middlebox is HIP aware
• HIP aware NAT/FWs needs to
• Intercept HIP messages (Discovery part)
• Base exchange
• Readdressing messages
• Establish soft state to (Signaling part)
• Build a packet filter
• Establish a NAT binding
• Authorize the requesting HIP nodes before
  creating a NAT binding or FW pinhole andprovide
  DoS attack resistance for signaling to the
  middlebox (Security part)

5
Interception at Network Address Translation

• Nice property of the NAT All HIP messages flow
  through it.
• Interception of SPI in I2 and R2 Construct
  FlowID with IP and SPI
• Needs to work for base exchange and also for
  re-addressing exchange
• State changes at NAT need to be secure to prevent
  DoS attacks

I1
I1
Initiator
Responder
NAT
Intercept HIT,IP
R1
R1
I2
I2
Intercept SPI
R2
R2
6
Interception at Firewalls

• Routing asymmetry might cause problems in some
  cases
• Firewalls need to learn the correct SPI values.
• Data traffic
• I ? R SPI(R)
• I ? R SPI(I)

7
Authorization at NAT

• Identity or non-identity based authorization
• Non-identity based authorization would be
  convenient since
• The Host Identity might change
• Host Identities might be ephemeral
• Authorization is likely to be required for
  outside-to-inside firewall traversal

8
Next Steps

• Reflect Call-Home Presentations
• Is the research group interested in this
  document?

9
Questions?