
Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-04

Authors: S. Thiruvengadam, Hannes Tschofenig, Franck Le, Niklas Steinleitner, Xiaoming Fu. Overview: Problems of MIPv6 and Firewalls; NSIS as Solution; Draft Updates; Open Issues; Next Steps.


Presentation Transcript


  1. Mobile IPv6 - NSIS Interaction for Firewall traversal
     draft-thiruvengadam-nsis-mip6-fw-04
     S. Thiruvengadam, Hannes Tschofenig, Franck Le, Niklas Steinleitner, Xiaoming Fu

  2. Overview
     • Problems of MIPv6 and Firewalls
     • NSIS as Solution
     • Draft Updates
     • Open Issues
     • Next Steps

  3. Problem of MIPv6 and Firewalls
     • Firewalls can cause several deployment problems
       • different based on FW placements
     • Problem statement in RFC 4478
     • Additionally: draft-bajko-nsis-fw-reqs-04.txt

  4. Overview of the Problems
     • Binding Update packets are IPsec protected
     • Packets can be tunneled (or reverse tunneled) or not tunneled (route optimization)
     • Several addresses are used
     • Incoming packets do not match existing states in the FWs, because of different addresses (BU, CoTI, HoTI)
     • Unsolved packets are dropped
     • Some packets might be dropped, preventing MIPv6 from performing well in the presence of FWs

  5. Why NSIS?
     • Mobile IPv6 maintains entries for moving packets from a host to another host (in roaming scenarios)
     • The endpoints are the only entities that
       • Have knowledge of the HoA, Home Agent address, CoA
       • Know the mode being used, and the format of packets
       • Know the characteristics of the required pinholes
     • The NAT/FW NSLP allows endpoints to configure FWs
       • Allows the data receiver to initiate the signaling (REA)
       • Allows several states to be created per request
       • Supports the required filter parameter

  6. NSIS as Solution
     • The draft-thiruvengadam-nsis-mip6-fw-04 “Mobile IPv6 - NSIS Interaction for Firewall traversal” shows how NSIS could solve the problems

  7. Draft Updates
     • Adapt draft to current version of NAT/FW NSLP draft and supported features
     • Simplified protocol operation
     • Reduce request latency

  8. Necessity of detecting the FW presence?
     • Many states need to be created in the firewalls
       • Route Optimization
       • Reverse Tunneling
       • Home Test Init messages
       • Care-of Test Init messages
       • Binding Updates
       • IPsec traffic between MN and HA
     • Enabling a detection feature would
       • Allow several states to be created per request
       • Reduce the time delay: reduce MIP6/NSIS interaction
       • Reduce the overhead, especially for cellular networks

  9. NATFW NSLP with MIP6
     • Example in a FW in MN’s access network (BT case):
     • MN uses CREATE to allow:
       - binding update messages (src: CoA, dst: HA) {BU}
       - HoTI messages (src: CoA, dst: HA) {RO}
       - if uplink firewall, for data traffic from MN (src: MN, dst: *)
     • MN uses REA to allow:
       - HoT messages (src: HA, dst: CoA) {RO}
       - if CN is DS
         * for data traffic from HA to MN (src: HA, dst: CoA) {BT}
         * for data traffic from HA to MN (src: HA, dst: CoA) {TR}
         * for data traffic from CN to MN (src: CN, dst: CoA, SP: data application port, DP: data application port) {RO}
     [Figure: HA, MN, CN]

  10. Open Issues
     • Multiple rules for different patterns in a single signaling message possible?
     • Detailed interaction with MIPv6
     • Authorization and authentication issues
       • May rely on an AAA infrastructure
     • Triangle Routing case useful?

  11. Next Steps
     • Detailed interaction with MIPv6 operations
     • Authorization using AAA
     • Inputs, comments and suggestions appreciated!
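
A subset of the slide 9 pinholes as a small default-deny model, added here as an illustration and not taken from the presentation or the draft. The addresses, port 5060, the class and function names, and the rule that a request may only open pinholes for the requester's own address are assumptions of this sketch.

```python
from dataclasses import dataclass

# Constructed addresses from the IPv6 documentation prefix (assumptions).
COA, HA, CN = "2001:db8:a::10", "2001:db8:b::1", "2001:db8:c::5"
ANY = "*"

@dataclass(frozen=True)
class Pinhole:
    src: str
    dst: str
    tag: str            # label used on slide 9: BU, RO, BT
    port: object = ANY  # SP and DP (data application port), or ANY

    def matches(self, src, dst, port):
        return (self.src in (ANY, src) and self.dst in (ANY, dst)
                and self.port in (ANY, port))

class AccessFirewall:
    """Default-deny filter in the MN's access network (simplified model)."""
    def __init__(self):
        self.rules = []

    def signal(self, kind, requester, rules):
        # CREATE comes from the data sender, REA from the data receiver, so
        # a request may only open pinholes for the requester's own address
        # (assumption of this model, standing in for real authorization).
        for r in rules:
            own = r.src if kind == "CREATE" else r.dst
            if own != requester:
                raise PermissionError(f"{kind} from {requester} rejected: {r}")
        self.rules.extend(rules)  # several states created per request

    def verdict(self, src, dst, port=None):
        hit = next((r for r in self.rules if r.matches(src, dst, port)), None)
        return f"pass {{{hit.tag}}}" if hit else "drop"

def mn_signals(fw, app_port=5060):  # 5060 is a constructed example port
    """Install the slide 9 pinholes for the MN's access-network firewall."""
    # BU and HoTI share (src: CoA, dst: HA); this model filters on addresses
    # and port only, so the two rules collapse to the same match.
    fw.signal("CREATE", COA, [Pinhole(COA, HA, "BU"), Pinhole(COA, HA, "RO")])
    fw.signal("REA", COA, [Pinhole(HA, COA, "RO"), Pinhole(HA, COA, "BT"),
                           Pinhole(CN, COA, "RO", app_port)])
    return fw
```

Before `mn_signals` runs, every packet is dropped, which is the failure mode slide 4 describes; afterwards only the flows named on slide 9 pass.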
