
MIPv6 Firewall Traversal Design Considerations

MIPv6 Firewall Traversal Design Considerations. Prepared by Hannes Tschofenig, Qiu Ying, Xiaoming Fu, Niklas Steinleitner, Gabor Bajko. RFC 4487. RFC 4487 describes scenarios where the Mobile Node is in a Network Protected by Firewall(s)


Presentation Transcript


  1. MIPv6 Firewall Traversal Design Considerations
     Prepared by Hannes Tschofenig, Qiu Ying, Xiaoming Fu, Niklas Steinleitner, Gabor Bajko

  2. RFC 4487
     • RFC 4487 describes scenarios where
        • the Mobile Node is in a Network Protected by Firewall(s)
        • the Correspondent Node is in a Network Protected by Firewall(s)
        • the HA is in a Network Protected by Firewall(s)
        • the MN moves to a Network Protected by Firewall(s)
     • MIPv6 Signaling Messages
        • BUHA = {Src=CoA, Dst=HA, HoA, ... }
        • HoTI = {Src=HoA, Dst=CN, rH}
        • HoT = {Src=CN, Dst=HoA, rH, …}
        • CoTI = {Src=CoA, Dst=CN, rC}
        • CoT = {Src=CN, Dst=CoA, rC, …}
        • BUCN = {Src=CoA, Dst=CN, HoA, …}
        • BACN = {CN, CoA, HoA, …}

  3. Scenario (1/2)
     • Provide solutions for specific scenario vs. solution(s) for all scenarios?
     • Mobile Node is in a Network Protected by Firewall(s)
     • Correspondent Node is in a Network Protected by Firewall(s)

  4. Scenario (2/2)
     • Provide solutions for specific scenario vs. solution(s) for all scenarios?
     • Home Agent is in a Network Protected by Firewall(s)
     • MN moves to a Network Protected by Firewall(s)

  5. Selected Problem
     • Problems with Return Routability Test

  6. Design Considerations
     • In-band signaling vs. out-of-band signaling
     • Out-of-band signaling: MIPv6-like protocol mechanisms vs. another protocol
     • Which protocol?
     • Do firewalls cooperate (i.e., are they MIPv6-aware)?
     • If the firewall is MIPv6-aware, then security questions need to be answered with regard to authorization of state establishment.
     • Examples: CGA, hash of PK, hash chains, authorization tokens, etc.

  7. State-of-the-Art
     • Firewall detection procedure:
        • draft-miao-mip6-ft-02.txt
     • Solution for CN behind a firewall:
        • draft-bajko-mip6-rrtfw-01.txt
     • Protocol between FW and MN that is triggered by incoming data packets:
        • draft-zhang-mip6-fsup-01.txt
     • Transferring packet filter rules between HA and MAP (HMIP) secured using IKE:
        • draft-qui-mobile-firewall-02.txt
     • Solution for all scenarios:
        • draft-thiruvengadam-nsis-mip6-fw-05.txt
     • Solution to compile traceable addresses
        • draft-qiu-mip6-friendly-firewall-01
     • STUN/TURN/ICE and Midcom idea shows up periodically
     • Related work can be found in HIPRG (see draft-tschofenig-hiprg-hip-natfw-traversal-05.txt, HIP NATFW paper or SPINAT).
     • Custom solution in MOBIKE to perform connectivity tests (for NAT only)

  8. Next Steps
     • Decide on the solution scope
     • Form a design team to investigate the details
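
The "Correspondent Node is in a Network Protected by Firewall(s)" scenario and the return routability messages from slide 2, replayed against a simple firewall model. This is an added example, not part of the presentation; the addresses, the firewall policy (inbound packets need state created from inside or an explicit pinhole) and all names in the code are assumptions.

```python
from dataclasses import dataclass, field

# Constructed documentation addresses (2001:db8::/32); not from the slides.
HOA, COA, CN = "2001:db8:1::10", "2001:db8:2::10", "2001:db8:3::10"

# Return routability messages as (name, Src, Dst), following slide 2.
# "BU_CN" is the slide's binding update to the CN.
RRT = [
    ("HoTI", HOA, CN),
    ("CoTI", COA, CN),
    ("HoT", CN, HOA),
    ("CoT", CN, COA),
    ("BU_CN", COA, CN),
]

# A message is only sent once the messages it depends on were delivered.
REQUIRES = {"HoT": {"HoTI"}, "CoT": {"CoTI"}, "BU_CN": {"HoT", "CoT"}}

@dataclass
class StatefulFirewall:
    """Assumed policy: inside hosts may open flows; inbound packets need
    matching state or a pre-authorized pinhole."""
    inside: set
    pinholes: set = field(default_factory=set)
    state: set = field(default_factory=set)

    def permit(self, src, dst):
        if src in self.inside:
            self.state.add((src, dst))  # outbound packet creates state
            return True
        return (dst, src) in self.state or (src, dst) in self.pinholes

def run_rrt(fw):
    """Replay the exchange through fw and return the delivered messages."""
    delivered = []
    for name, src, dst in RRT:
        if not REQUIRES.get(name, set()) <= set(delivered):
            continue  # never sent: a prerequisite was dropped
        if fw.permit(src, dst):
            delivered.append(name)
    return delivered

if __name__ == "__main__":
    # CN behind the firewall, no MIPv6 awareness: HoTI and CoTI are unsolicited.
    print("plain stateful:", run_rrt(StatefulFirewall(inside={CN})))
    # Same firewall after an authorized party installed state for this MN.
    holes = {(HOA, CN), (COA, CN)}
    print("with pinholes: ", run_rrt(StatefulFirewall(inside={CN}, pinholes=holes)))
```

The second run only succeeds because something installed the pinholes, which is where the authorization questions on slide 6 apply.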
