HIP Working Group M. Komu, Ed. Internet-Draft HIIT Intended status:Standards TrackExperimental S. Schuetz Expires:September 6, 2007January 7, 2008 M. Stiemerling NECL. Eggert Nokia A. Pathak IIT Kanpur March 5,July 6, 2007 HIP Extensions for the Traversal of Network Address Translatorsdraft-ietf-hip-nat-traversal-01draft-ietf-hip-nat-traversal-02 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire onSeptember 6, 2007.January 7, 2008. Copyright Notice Copyright (C) The IETF Trust (2007). AbstractThis document specifies extensions toThe Host Identity Protocol (HIP)to support traversal of Network Address Translator (NAT) middleboxes. The traversal mechanism tunnelsprovides a new namespace that can be used for uniquely identifying hosts in public and also in private address realms. Usually, HIP control and data trafficover UDP and enablescannot traverse Network Address Translators (NATs), that hinders general deployment. This document specifies NAT traversal extensions for HIP. As HIPinitiators which MAY be behind NATsis located between network and transport layer, the extensions also provide general-purpose NAT traversal support for all high-layer networking applications that run over HIP. The basic design concepts for these extensions have been adopted from the Interactive Connectivity Establishment (ICE) protocol tocontact HIP responders which MAY be behind another NAT.HIP. Using the specified extensions, two HIP-capable hosts are able to communicate with each other even when they are in different private address realms. Table of Contents 1.IntroductionTerminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2.Detecting NATsIntroduction . . . . . . . . . . . . . . . . . . . . . . . .4. 3 3. HIP Across NATs . . . . . . . . . . . . . . . . . . . . . . . 5 3.1.Packet Formats .Port Number Selection . . . . . . . . . . . . . . . . . . 6 3.2. Relay Registration and NAT Detection . . .5 3.1.1. Control Traffic. . . . . . . . 6 3.3. Base Exchange via Relay . . . . . . . . . . .6 3.1.2. Control Channel Keep-Alives. . . . . . 8 3.4. Base Exchange without a Relay . . . . . . .6 3.1.3. Data Traffic. . . . . . . 10 3.5. Connectivity Tests . . . . . . . . . . . . . .6 3.1.4. FROM_NAT Parameter. . . . . . 11 3.6. Selecting an Address Pair . . . . . . . . . . . .7 3.1.5. VIA_RVS_NAT Parameter. . . . 13 3.7. Mobility . . . . . . . . . . . .8 3.2. UDP Encapsulation/Decapsulation of IPsec BEET-Mode ESP. .8 3.2.1. UDP Encapsulation of IPsec BEET-Mode ESP. . . . . . .8 3.2.2. UDP Decapsulation of IPsec BEET-Mode ESP. . . . 14 3.8. NAT Keepalives . . .10 3.3. Initiator Behind NAT. . . . . . . . . . . . . . . . . . .10 3.3.1. NAT Traversal15 3.9. Closing of HIPControl TrafficAssociations . . . . . . . . .11 3.3.2.. . . . . . 16 3.10. Communication with HIP Hosts without NAT Traversalof HIP Data TrafficSupport . . . . . . . . . .13 3.3.3. Use of the Rendezvous Service when only the Initiator is Behind NAT. . . . . . . . . . . . . . .15 3.4. Responder Behind NAT16 4. Packet Formats . . . . . . . . . . . . . . . . . . . .17 3.4.1. Rendezvous Client Registration From Behind NAT. . . . 173.4.2. NAT Traversal of4.1. HIP ControlTrafficPackets . . . . . . . . .18 3.4.3. NAT Traversal of HIP Data Traffic. . . . . . . . . .20 3.5. Both Hosts Behind NAT17 4.2. Control Channel Keep-Alives . . . . . . . . . . . . . . . 18 4.3. RELAY_FROM, RELAY_TO and RELAY_VIA Parameters . . .22 3.5.1. NAT Traversal of HIP Control Traffic. . . 18 4.4. LOCATOR Parameter . . . . . .22 3.5.2. NAT Traversal of HIP Data Traffic. . . . . . . . . .25 3.6. NAT Keep-Alives. . . . 19 4.5. RELAY_HMAC . . . . . . . . . . . . . . . . .26 3.7. HIP Mobility. . . . . . . 20 4.6. Registration Types . . . . . . . . . . . . . . . . .27 3.8. HIP Multihoming. . . 20 4.7. ESP Data Packets . . . . . . . . . . . . . . . . . . .29 3.9.. . 21 4.8. UDP Encapsulation/Decapsulation of IPsec BEET-Mode ESP . . 21 5. Firewall Traversal . . . . . . . . . . . . . . . . . . . .29 4.. . 23 6. Security Considerations . . . . . . . . . . . . . . . . . . .30 4.1.23 6.1. A Difference to RFC3948 . . . . . . . . . . . . . . . . .30 4.2. Rendezvous and Responder23 6.2. Privacy Considerations . . . . . . . . . . . . .30 5.. . . . . 24 6.3. Opportunistic Mode . . . . . . . . . . . . . . . . . . . . 24 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . .30 6. Acknowledgements25 8. Acknowlegements . . . . . . . . . . . . . . . . . . . . . . .30 7.25 9. References . . . . . . . . . . . . . . . . . . . . . . . . . .31 7.1.26 9.1. Normative References . . . . . . . . . . . . . . . . . . .31 7.2.26 9.2. Informative References . . . . . . . . . . . . . . . . . .3227 Appendix A. Differences to ICE . . . . . . . . . . . . . . . . . 28 Appendix B. Document Revision History . . . . . . . . . . . . . .3329 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .3329 Intellectual Property and Copyright Statements . . . . . . . . . .3531 1. Terminology In general, this document borrows the terminology from [I-D.ietf-hip-base] and [RFC4423]. Additional terms are defined in the table below." These draft e.g. define "Initiator" and "Responder" +---------------------+---------------------------------------------+ | Term | Explanation | +---------------------+---------------------------------------------+ | Rendezvous server | A host that forwards I1 packets to the | | | Responder | | HIP Relay | A host that forwards all HIP control | | | packets between an Initiator and Responder | | ESP Relay | A host that forwards ESP traffic between | | | two HIP-enabled hosts | | Locator | A routable IPv4 or IPv6 address | | Transport locator | Transport layer port and the corresponding | | | IPv4/v6 address | | Unreflexive locator | An IPv4 or IPv6 address of a network | | | interface of a host | | Relay reflexive | A translated transport locator of a host as | | transport locator | observed by a relay | | Peer reflexive | A translated transport locator of a host as | | transport locator | observed by its peer | | Leased transport | Transport locator of an ESP relay | | locator | | +---------------------+---------------------------------------------+ Table 1: Terminology 2. Introduction The Host Identity Protocol (HIP) describes a new communication mechanism for Internet hosts [RFC4423]. It introduces a new namespace and protocol layer between the network and transport layers that decouples the identifier and locator roles to supporte.g.mobility and multihoming in the Internet architecture. HIP also secures application layer communications using IPsec ESP [I-D.ietf-hip-esp]. The HIP protocol [I-D.ietf-hip-base] cannot operate acrossNetwork Address Translator (NAT) middleboxes,legacy NAT middleboxes as described in [I-D.irtf-hiprg-nat]. This document specifieshowmechanisms that allow HIPcanto traverse throughlegacysuch NAT middleboxes that arenot awareneither HIP-aware nor ESP-aware, without manual configuration of the NAT middleboxes. HIPor ESP. The mechanisms defined in this document do not assumeintroduces a new namespace for hosts that decouples theNAT middleboxesidentity of a host from its location [RFC4423]. The namespace consists of Host Identifiers which arereconfigured, as long as they allow UDP traffic.public keys. Theusehosts create the corresponding private keys by themselves which makes identity theft more difficult. The new namespace of HIPin NAT traversalhasalsosome additional benefitsprovided bywhen thenew namespace.extensions defined in this document are used. First, it is possible to address hosts behind a single NAT middlebox in a relatively simple way. The NAT middlebox translates the locators, but the Host Identifiersand ESP SPIsremain thesame.same and can be used for uniquely identifying a host inside the private address realm. Second, multiple services on different hosts can share the same transport layer port number behind a single legacy NAT. There is no multiplexing issue as long as theseserviceshosts have different HostIdentifiers.Identifiers and UDP encapsulation is used for traversing the legacy NAT. Several differentflavorstypes of NATs exist [RFC2663]. This document describes HIP extensions for the traversal of both Network Address Translator (NAT) and Network Address and Port Translator (NAPT) middleboxes.ItThe document generally uses the term NAT to refer to both types of middleboxes, unless it needs to distinguish between the two types. Three basiccasesscenarios exist for NAT traversal. In the first case, only theinitiatorInitiator of a HIP base exchange is located behind a NAT. In the second case, only theresponderResponder of a HIP base exchange is located behind a NAT. The respective peerhostis assumed to be located at a publicly reachable address in both cases. In the third case, bothpartiespeers are located behind(different)(possible different) NATs.This document describes extensions forAll of thefirst caseuse cases are addressed inSection 3.3, forthesecond casedraft inSection 3.4a unified method that has been adopted from Interactive Connectivity Establishment (ICE) protocol [I-D.ietf-mmusic-ice] andin Section 3.5 foradapted to HIP. Legacy NAT devices do not operate consistently although thethird case.behavior for new NAT devices has been unified in [RFC4787]. Themechanisms described here also cover useHIP protocol extensions in this document make as little assumptions as possible of the behavior ofrendezvous server from NATted environments. The rendezvous server MUST be used whentheresponder is behind aNATbecause otherwise successfuldevices so that NAT traversalcannot be guaranteed. The rendezvous server MUST be located in a publicly addressable location. Cascading of multiplewill work even with legacy NATenabled rendezvous servers is not possible, although there may be other kind of rendezvous servers ondevices in thepath.most general sense. TheNAT middleboxes MUST support address independent mapping inpurpose of thecase whereextensions is to allow two HIP-enabled hosts to communicate with each other even if one or both communicating hosts arebehind NAT devices. Otherwise,in private address realms. With someother external relaying mechanism MUST be used. Endpoint independent filteringlegacy NAT devices, connecting two hosts behind different address realms isnot required in anyimpossible without relaying all traffic through a third party host [I-D.ietf-behave-p2p-state]. As a consequence, the relay host introduces additional hops between the hosts and can become a point of network congestion. In thecases. The NAT categories are defined in [I-D.srisuresh-behave-p2p-state]. The mechanismsextensions described in thisdocument are based on encapsulating bothdocument, thecontrol and data traffic in UDP in order to traverse NAT(s). The data traffic is assumedpeers try tobe ESP. Other typesavoid the use of a relay for data trafficare outand only make use ofscope forit when necessary. Hosts that always get a public addresses can use the rendezvous services as described in [I-D.ietf-hip-rvs]. Hosts that can be located in private-address realms may use a transport-layer based relay service as defined in this document.The responder listens at a fixed UDP port number for incomingBoth rendezvous and relay services forward HIP controlpackets. The port number can be manually configured topackets, but theNAT to allow passing incoming trafficmain difference is that the rendezvous service forwards only the initial I1 packet of the base exchange while all other HIP control packets are sent directlytobetween thehost behindcommunicating hosts. In contrast, the relay service relays all HIP control packets because p2p-unfriendly NAT(port forwarding).devices drop the packets otherwise [I-D.ietf-behave-p2p-state]. Thebenefit of suchpeers use the control channel to communicate their current locators to each other to find aconfiguration is that it does not require any rendezvous serverdirect path for carrying ESP encapsulated data traffic. A direct path between thehost behind the NAT. Although this document does not prevent such configurations, it is outhosts enables efficient delivery ofscope becausedata traffic without relaying oftwo drawbacks. First, it allows only a single responder behind the NAT box. Second, manual configurationESP packets throughseveral NAT devices may be difficult or administratively prohibited.an intermediary ESP relay. Themobility and multihoming mechanisms of HIP [I-D.ietf-hip-mm], allow HIPdirect path is searched using connectivity tests. The basis for the connectivity tests is ICE [I-D.ietf-mmusic-ice]. Two hosts communicate their transport locator (a port and an IP address) tochange network location during the lifetime ofeach other in aHIP association. Consequently, hosts needbase exchange. The local locators are paired with peer locators and the pairs are prioritized according tostarttheir proximity. The locator pairs are tested sequentially in priority order using return routability tests [I-D.ietf-hip-mm]. Both sides participate in theproposed NAT traversal mechanisms afterconnectivity tests. The tests also determine whether transport layer encapsulation is required or not. As amobility event relocates oneresult, the hosts either detect that no transport locator pairs are working, orboth peers behindestablish aNAT. They maynumber of working locator pairs and select a single pair to be used for communication. The same connectivity tests are alsostop using the proposed mechanisms if they both moveused in situations when a mobile host moves topublicly addressable locations.a different network. The mobile host communicates its new location to the corresponding node through the relay server of its peer and starts the connectivity tests. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].2. Detecting3. HIP Across NATsIn order to know whether to use theThis section describes NAT traversalmechanisms,between two HIPhosts need to detect the presence and type of NAT middleboxes along the path to their peer hosts. This document does not describe any newend-hosts. A successful NATdetection mechanism but rather assumes thattraversal requires at least theNAT is detected using some external mechanism. Hence, no special HIP parameters are requiredResponder located inHIP control messages to detect NATs. The NAT detection MUST occur prior toabase exchange, after node movement and priorprivate address realm to register tosending UPDATE messages. For example, STUN [RFC3489] offersageneric mechanism for detecting both the presence and typerelay server. The use ofa NAT. In STUN,thehost contacts a STUN server thatrelay is optional when the Responder isalwayslocatedatin apublicly reachable address.public address realm without rendezvous server. TheSTUN server replies back and provides information on the NAT presence and type. A limitation of STUN is that it cannot detect whether the responderbase exchange isbehind the same NAT as the initiator. This can lead to an unoptimal routerelayed through thepublic address of the NAT, especially in combinationrelay server. Next, therendezvous extensions that are described later in this document. Inhosts test theworst case,reachability between theNAT may not be abledifferent locators toforward the traffic unless it supports "hairpin translation" as described in [I-D.srisuresh-behave-p2p-state]. To guarantee connectivity behind the same NAT, the initiator MUST detect the hairpin support of the NAT as described in [I-D.ietf-behave-nat-behavior-discovery]. If the NAT supports hairpinning, the initiator uses the UDP encapsulation procedures described in the following sections. If the NAT doesconstruct a direct route. When a direct route is notsupport hairpinning,possible, theinitiator SHOULD broadcast a single I1 packet without UDP encapsulationhosts resort to ESP relays. When locators of a host change, thelocal network. The responder MUST processhosts test reachability of locators again and select theI1 according to [I-D.ietf-hip-base]. However,"optimal" locator. End-hosts can tear down HIP associations using theinitiator MUST continue withCLOSE mechanism through the relay. 3.1. Port Number Selection This document defines only UDP encapsulationmechanisms described in the following sections because the responder may actually be located in a different network. HIP-aware NATs are not in the scope of this document. In the future, itfor HIP and ESP packets. Further extensions maybe possible to use somedefine bindings for other transport protocols. The RECOMMENDED transport protocolthatislaunched in parallel with e.g. STUN to detect the presence of HIP aware NATs. When the pathUDP. It is RECOMMENDED that an Initiator selects a random port number between theinitiator and responder consists of HIP aware NATs, the extensions defined in this document SHOULD NOT be used. 3. HIP Across NATs The HIPephemeral port ranged 49152-65535 for initiating a base exchangeas defined in [I-D.ietf-hip-base] works well in public networks.even for registration. However,this does not work with some legacy NATs thatthe allocated port MUST be maintained until all of the corresponding Host Associations arenot able to multiplex HIPclosed. Alternatively, a host MAY also use a single fixed port for initiating all outgoing connections. A relay orESP traffic. Asaresult, such NATs just drop HIP control traffic and/or ESP data traffic. AsResponder without asolutionrelay MUST listen at transport port HIPPORT forthis, we propose UDP encapsulation ofincoming UDP-encapsulated HIP control packets. 3.2. Relay Registration anddata traffic using a specific scheme describedNAT Detection HIP rendezvous servers are used inthis document. The scheme also allows hosts behind NATs to act as servers. [RFC3948] describes UDP encapsulation of transportnon-NATted environments andtunnel mode ESP packets. This document describes a similar mechanism for BEET mode ESP packets [I-D.nikander-esp-beet-mode]. 3.1. Packet Formatsits use is described in [I-D.ietf-hip-rvs]. This section defines theUDP-encapsulation packet format foranother types middleboxes, called HIPbase exchangeandcontrol traffic, IPsecESPBEET-mode traffic and NAT keep-alive. 3.1.1. Control Traffic 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~Relays, which are used in NATted environments. A HIPHeader and Parameters ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: Format forrelay forwards UDP-encapsulatedHIP controltraffic, and in future extensions, a relay may also forward TCP-encapsulated traffic.Figure 1 shows howA single relay may forward only HIP controlpackets are encapsulated within UDP.packets, ESP traffic or both. Aminimal UDP packet carries a complete HIP packet in its payload. Contents of the UDP source and destination ports are described below. The UDP length and checksum field MUST be computedhost acting asdescribed in [RFC0768]. The HIP header and parameter follow the conventions [I-D.ietf-hip-base] with the exception that the HIP header checksum MUST be zero. The HIP headers checksum is zero for two reasons. First, the UDP header contains alreadyachecksum. Second, the checksum definition in [I-D.ietf-hip-base] includes the IP addressesResponder inthe checksum calculation which is not applicable ona private address realm SHOULD use a HIPunaware NAT devices. 3.1.2. Control Channel Keep-Alives The keep-aliverelay forcontrol channel are basically UDP encapsulated NOTIFY packets [I-D.ietf-hip-base]. The NOTIFY packets MAY contain HIP parameters. TheNATtraversal mechanisms encapsulate these NOTIFY packets withintraversal. It is RECOMMENDED that thepayload of UDP packets. 3.1.3. Data Traffic 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ ESP Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: Format for UDP-encapsulated IPsec ESP BEET-mode traffic. Figure 2 shows how IPsecResponder uses also an ESPBEET-moderelay to guarantee successful NAT traversal with p2p-unfriendly NAT devices. A relay MUST NOT forward any packetsare encapsulated within UDP. Again,to aminimal UDP packet carrieshost that has not successfully registered to theESP packet in its payload.relay. Thecontents ofregistration process follows theUDP source and destination ports are describedgeneric registration extensions defined inlater sections.[I-D.ietf-hip-registration]. TheUDP length and checksum field MUST be computed as describedregistration process is illustrated in[RFC0768]. 3.1.4. FROM_NAT Parameter 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | | Address | | | |Figure 1. Relay Relay Client Server |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+1. I1 |UDP Port+------------------------------------------------------->| |Padding|+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type [ TBD by IANA (63998 = 2^16 - 2^11 + 2^9 - 2) ] Length 18 Address An IPv6 address or an IPv4 address in IPv4-in-IPv6 format. UDP Port A UDP port number Figure 3: Format for the FROM_NAT Parameter Figure 3 shows FROM_NAT parameter. The use of this parameter is described in the following sections. 3.1.5. VIA_RVS_NAT Parameter 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|Type2. R1(LOCATOR,REG_INFO(RELAY_UDP_HIP,RELAY_UDP_ESP)) |Length|<-------------------------------------------------------+ |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+| | 3. I2(LOCATOR,REG_REQ(RELAY_UDP_HIP,RELAY_UDP_ESP)) |Address+------------------------------------------------------->| | | | 4. R2(REG_RES(RELAY_UDP_HIP,RELAY_UDP_ESP),REG_FROM) | |<-------------------------------------------------------| |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+|UDP Port|Padding5. Connectivity tests |+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type [ TBD by IANA (64002 = 2^16 - 2^11 + 2^9 + 2) ] Length 16 Address An IPv6 address or an IPv4-in-IPv6 format IPv4 address UDP Port A UDP port|<------------------------------------------------------>| Figure4: Format for1: Example registration to a relay In theVIA_RVS_NAT Parameter Figure 4 shows VIA_RVS_NAT parameter. The parameterabove figure, the end-host isused for diagnostic purposes, similarlyreferred to asVIA_RVS parameter in [I-D.ietf-hip-rvs].a relay client and the relay middlebox as a relay server. Theexact use of this parameterregistration is piggybacked to a base exchange, but it can be done also using HIP UPDATE control packets as described inlater sections. 3.2. UDP Encapsulation/Decapsulation of IPsec BEET-Mode ESP [RFC3948] describes UDP encapsulation of[I-D.ietf-hip-registration]. In step 1, theIPsec ESP transport and tunnel mode. This section describesrelay client starts theUDP encapsulation ofregistration procedure by sending an I1 packet over theBEET mode. 3.2.1. UDP Encapsulation of IPsec BEET-Mode ESP Duringtransport layer. The port selection was explained in section Section 3.1. In step 2, theHIP base exchange,Responder lists thetwo peers exchange parameters that enable them to define a pair of IPsec ESP security associations (SAs), as described in [I-D.ietf-hip-esp]. When two peers perform a UDP-encapsulated base exchange, they MUST define a pair of IPsec SAsservices thatresultit supports inUDP-encapsulated BEET-mode ESP data traffic.the R1 packet. Themanagement of encryption and authentication protocols and security parameter indices (SPIs) is defined in [I-D.ietf-hip-esp]. Additional SA parameters, such as IP addresses and UDP ports, MUST be defined according to this section. Two SAs MUST be defined on each host for one HIP association; onesupport foroutgoing dataHIP-over-UDP relaying is denoted by RELAY_UDP_HIP value andanother onethe support forincoming data. The BEET mode provides limited tunnel mode semantics withoutESP-over-UDP relaying is denoted by a RELAY_UDP_ESP value in theregular tunnel mode overhead. [I-D.nikander-esp-beet-mode]REG_INFO parameter. In step 3, theBEET mode, transport-layer checksums in the payload data are based onInitiator selects theHITs. The packet MUST then undergo BEET-mode ESP cryptographic processing as definedservices it registers to and lists them inSection 5.3 of [I-D.nikander-esp-beet-mode]. Next,theresulting BEET-mode packet is UDP encapsulated. ForREG_REQ parameter. In thispurpose, a UDP header MUST be inserted betweenexample, theIPInitiator registers both to HIP and ESPheader. The source and destination ports are filled in. The UDP checksum MUST be calculated based on the outer addresses (locators) of the IPsec security association. The other fields ofrelay services. In step 4, theUDP header are computed as described in [RFC0768]. The resulting UDP packet MUST then undergo BEET IP header processing as defined in Section 5.4 of [I-D.nikander-esp-beet-mode]. Figure 5 illustratesrelay server concludes theBEET-mode UDP encapsulationregistration procedurefor a TCP packet. ORIGINAL TCP PACKET: +------------------------------------------+ | inner IPv6 hdr | ext hdrs | | | | with HITs | if present | TCP | Data | +------------------------------------------+ PACKET AFTER BEET-MODE ESP PROCESSING: +----------------------------------------------------------+ | inner IPv6 hdr | ESP | dest | | | ESP | ESP | |withHITs | hdr | opts.| TCP | Data | Trailer | ICV | +----------------------------------------------------------+ |<------- encryption -------->| |<----------- integrity ----------->| FINAL PACKET AFTER BEET_MODE IP HEADER PROCESSING: +------------------------------------------------------------+ | outer IPv4 | UDP | ESP | dest | | | ESP | ESP | | hdr | hdr | hdr | opts.| TCP | Data | Trailer | ICV | +------------------------------------------------------------+ |<------- encryption -------->| |<----------- integrity ----------->| Figure 5: UDP Encapsulation ofanIPsec BEET-mode ESP packet containing a TCP segment. 3.2.2. UDP Decapsulation of IPsec BEET-Mode ESP An incoming UDP-encapsulated IPsec BEET-mode ESPR2 packetis decapsulated as follows. First, if the UDP checksum is invalid, thenand acknowledges thepacket MUST be dropped. Then,registered services in thepacket MUST be verified as definedREG_RES parameter. The relay may also denote unsuccessful registrations in[I-D.nikander-esp-beet-mode]. If verified,theESP data containedREG_FAILED parameter in R2. After thepayload ofregistration, theUDP packethosts MUSTbe decryptedsend periodically NAT keepalive packets to each other asdescribeddefined later in[I-D.nikander-esp-beet-mode].this document. In step 5, the client and server handle connectivity tests. TheNAT traversal methodsprocedure is described inthis section are based on connection reversal and UDP hole punching similar to [I-D.ietf-behave-nat-udp]. However,a later section. When themethods in this section are adapted for HIP purposes, especially withESP relay registration was successful, therendezvousrelay serverin mind. 3.3. Initiator Behind NAT This section discusses mechanismsuses the source IP address and port of the R2 packet (HIPPORT) toreach a HIP responder located in publicly addressable network by a HIP initiator that is located behind a NAT. The section describes alsorelay ESP traffic with thecase whereclient. This address-port pair of theresponderrelay isusingreferred to as arendezvous service. Table 1 lists some short-hand notations used"leased transport locator" in thissection. For simplicity,document. As theports mangled by NAT are presented as exampleportnumbers (11111, 22222, etc) instead of symbolic ones. In the examples, we assume thatnumber may be shared by multiple clients, theNAT(s) timeout afterESP relay MUST multiplex theI1-R1 exchange over UDP because of e.g large RTT or high puzzle difficulty. In such a case,ESP traffic based on SPIs and not theNAT dropsjust therelated UDP port state andportnumbers change for the I2-R2 exchange. +------------------+------------------------------------------------+ | Notation | Explanation | +------------------+------------------------------------------------+ | HIT-I | Initiator's HIT | | HIT-R | Responder's HIT | | IP-I | Initiator's IP address | | IP-R | Responder's IP address | | IP-RVS | IP address ofnumber. The R2 packet also includes an REG_FROM parameter that indicates theresponder's rendezvous | | | server | | IP-NAT-I | Public IPtransport locator of theNAT ofclient as observed by theinitiator | | IP-NAT-R | Public IPserver. The transport locator may be translated by a number oftheNATofmiddleboxes between theresponder | | UDP(50500,11111) | UDP packet with source port 50500client and| | | destination port 11111 | | UDP(11111,22222) | Example port numbers mangled by a NAT | | UDP(44444,22222) | Port 44444 is used throughouttheexamplesserver. This locator is referred to| | | denote the NAT mangled source port of I2as| | | received by the rendezvous server duringthe| | | registration | +------------------+------------------------------------------------+ Table 1: Notations Used"relay reflexive transport locator" later inThis Section 3.3.1. NAT Traversal ofthis document. A single server can provide multiple HIPControl Traffic This section describesmiddlebox services or thedetails of enabling NAT traversal forservices can be distributed among multiple servers. The difference between a HIPcontrol traffic for the base exchange [I-D.ietf-hip-base] through UDP encapsulation forrendezvous server [I-D.ietf-hip-rvs] and a HIP relay server depends on thecaseregistration. The rendezvous server processing rules apply when theinitiator of the association is located behindResponder has registered to aNAT andmiddlebox with theresponder is located in a publicly addressable network. UDP-encapsulated HIP control traffic MUST useRVS registration type. Correspondingly, thepacket formats describedmiddlebox applies the relay extensions defined inSection 3.1.this document when the Responder has registered using the relay registration types. Whensending UDP- encapsulated HIP control traffic,aHIP implementation MUST zero the HIP header checksum before calculatingsingle server provides both rendezvous and relay services, they are multiplexed depending on theUDP checksum.absence or presence of transport layer encapsulation. ThereceiverRelay Client MUSTonly verifyinclude a LOCATOR parameter in I2 which lists all of thecorrectnesslocators of theUDP checksum andInitiator. The Relay Server MUSTNOT verifyinclude a LOCATOR parameter in R1, but it is RECOMMENDED that thechecksumLOCATOR parameter includes only the source transport LOCATOR of R1 as theHIP header.only locator. Theinitiator of a UDP-encapsulated HIP base exchange MUST usecase when the Relay Server includes more locators may require IP header conversion between IPv4 and IPv6, insertion, or removal of, UDPdestination port 50500header and fragmentation handling. Multiple locators in R1 is left forall control packets it sends.further experimentation. 3.3. Base Exchange via Relay It is RECOMMENDEDto use 50500 asthat thesource port as well, butInitiator sends animplementation MAY use a (randomly selected) unoccupied source port. If it uses a random source port, it MUST listen for and accept arriving HIP control/ESP Data packets on this port untilI1 packet over thecorresponding HIP association is torn down. The random source porttransport layer when it isRECOMMENDEDdestined tobe in the rangean IPv4 address of thedynamic and private ports (49152-65535). Using a random source port, instead of a fixed one, enablesResponder. Respectively, the Responder MUST respond tohave multiple clients behindaNAT middlebox that supports only address translation but no port translation. This is referred to as port overloading in [I-D.ietf-behave-nat-udp].such I1 packet with an R1 packet over the transport layer and using the same transport protocol. Theresponderrest ofa UDP-encapsulated HIPthe baseexchangeexchange, I2 and R2, MUSTuse 50500 asalso be sent over thesource port for all UDP-encapsulated control packets it sends. The source address for alltransport layer. However, thepackets thattransport layer encapsulation can be unnecessary when there are no NATs between theresponder sends MUSTInitiator and Responder. This will be detected in thesame asconnectivity tests described in theIPnext section. When the Initiator has an IPv6 addresson which responder receives packets from initiator. The responderand it has discovered only an IPv6 address for the peer, it MUSTrespond to any arriving UDP- encapsulated control message using UDP encapsulation as well. Hostssend it directly over IP. In such a case, the Initiator MUSTprocess UDP-encapsulated base exchange messages equivalently to non-encapsulated messages, i.e., according tofollow the procedures described in [I-D.ietf-hip-base].The remainder of this section clarifies this process through an example whichOtherwise, it isillustrated in Figure 6. It shows an initiator with the private address IP-I behind a NAT. The NAT hasRECOMMENDED that thepublic IP addressInitiator proceeds asNAT. The responder isshown ina publicly addressable location IP-R. +---+ +---+ +---+Figure 2. I Relay R ||----(1)--->| |---------------(2)-------------->|1. I1 | | +------------------------------->| 2. I1(RELAY_FROM) | |N+--------------------------->| | | | ||<---(4)----| A |<--------------(3)---------------|| 3. R1(LOCATOR,RELAY_TO) |I| 4. R1(LOCATOR,RELAY_TO) |<---------------------------+ |<-------------------------------+ |T| |R| ||----(5)--->| - |---------------(6)-------------->|5. I2(LOCATOR) | | +------------------------------->| | |I| 6. I2(LOCATOR,RELAY_FROM) | | +--------------------------->| | | | ||<---(8)----| |<--------------(7)---------------||+---+ +---+ +---+ 1. IP(IP-I, IP-R) UDP(50500, 50500) I1(HIT-I, HIT-R) 2. IP(IP-NAT-I, IP-R) UDP(11111, 50500) I1(HIT-I, HIT-R) 3. IP(IP-R, IP-NAT-I) UDP(50500, 11111) R1(HIT-R, HIT-I) 4. IP(IP-R, IP-I) UDP(50500, 50500) R1(HIT-R, HIT-I) 5. IP(IP-I, IP-R) UDP(50500, 50500) I2(HIT-I, HIT-R) 6. IP(IP-NAT-I, IP-R) UDP(22222, 50500) I2(HIT-I, HIT-R)7.IP(IP-R, IP-NAT-I) UDP(50500, 22222) R2(HIT-R, HIT-I)R2(RELAY_TO) | | 8.IP(IP-R, IP-I) UDP(50500, 50500) R2(HIT-R, HIT-I)R2(RELAY_TO) |<---------------------------+ |<-------------------------------+ | | | | Figure6: Example of a UDP-encapsulated HIP base exchange (initiator behind a NAT, responder in2: Base Exchange via apublicly addressable location). Before beginning the base exchange,relay In step 1 of theinitiator detects that it is behind a NAT through some external mechanism, e.g. STUN. The initiator startsfigure, thebase exchange by sending a UDP-encapsulated I1 packet toInitiator discovers theresponder. According toHIT of therules specified above,Responder and thesource IPIPv4 address ofthisthe relay of the Responder. The Initiator sends an I1 packetis IP-I and its source UDP port is 50500. It is addressedover the transport layer toIP-R on port 50500. The NAT in Figure 6 forwardstheI1 but substitutesHIT of the Responder. The port selection was explained in Section 3.1. The source addressIP-I with its own public address IP-NAT-I andis one of thesource UDP port 50500 with 11111. Whenroutable addresses of theresponderhost is called "unreflexive locators" inFigure 6this document. In step 2, the relay receives theUDP-encapsulatedI1 packeton UDPat port50500, it decapsulatesHIPPORT. If thepacket anddestination HIT belongs to a registered Responder, the relay processes thedecapsulated packet according to [I-D.ietf-hip-base].packet. Otherwise, the relay MUST drop the packet. Theresponder replies back withrelay MUST append aUDP-encapsulated R1 using the addresses and port information of I1. Thus,RELAY_FROM parameter to theR1I1 packetis destined towhich preserves the transport sourceIPaddress andUDPport of theI1, i.e., IP address IP-NAT-I and port 11111.Initiator. TheNAT receivesrelay protects the I1and substitutes the destination of thispacket with RELAY_HMAC as described in [I-D.ietf-hip-rvs], except that theinitiator address (IP-I) and port information (50500).parameter type is different. Theinitiator receives a UDP-encapsulated R1 packet from the responder, decapsulates and processes it according to [I-D.ietf-hip-base]. When it responds with a UDP-encapsulated I2 packet, it usesrelay MUST change thesame IP source and destination addresses and UDPtransport source to and destinationports that itof the packet to match the values the Responder usedfor sendingwhen registering to thecorresponding I1 packet,relay, i.e., thepacket is addressed from IP-I port 50500 to IP-R port 50500. The NAT again substitutesreverse of thesource information. For illustration purposes,R2 used in theNAT state times out and it chooses a different source port (22222) forregistration. The relay MUST recalculate theI2 than fortransport checksum and forwards theI1 (11111). When a responder receives a UDP-encapsulated I2packetdestinedtoUDP port 50500, it MUST usetheUDP source port contained in this packet for further HIP communications withResponder. In step 3, theinitiator. It then processesResponder receives theI2I1 packet at the transport layer. The Responder MUST process it according to the rules in [I-D.ietf-hip-base].When it responds with an R2 message, it UDP-encapsulatesIn addition, themessage, usingResponder MUST validate theUDP source port ofRELAY_HMAC according to [I-D.ietf-hip-rvs] and drop theI2packetasif thedestination UDP port, and sends it tovalidation fails. The Responder replies with an R1 packet that MUST contain a LOCATOR parameter that lists thesource IP addresslocators of theI2 packet, i.e., it sendsResponder. The locator list consists of unreflexive, reflexive and leased transport locators of theR2Responder. The R1 packetfrom IP-R port 50500 to IP-NAT-I port 22222.also contains a RELAY_TO parameter. TheNAT again replaces the destinationRELAY_TO parameter contains same informationin the R2 with IP-I port 50500 Usually,as theI1-R1 and I2-R2 exchanges occur fast enough forRELAY_FROM parameter, i.e., Initiator transport locator, but theNAT state to persist. This means thattype of theNAT usesparameter is different. The RELAY_TO parameter is not integrity protected by thesame port forsignature of theI1-R1 exchangeR1 totranslate as the I2-R2 exchange. However,allow pre- created R1 packets at thehost MUST handle evenResponder. In step 4, thecase whererelay receives theNAT state times out betweenR1 packet. The relay MUST drop thetwo exchanges andpacket if theI1 and I2 arrive from different UDPsourceports and/or IP addresses, as illustrated in Figure 6. 3.3.2. NAT Traversal of HIP Data Traffic This section describes the details of enabling NAT traversal of HIP data traffic. As described in Section 3, HIP data traffic is carried in UDP-encapsulated IPsec BEET-mode ESP packets. 3.3.2.1. IPsec BEET-Mode Security AssociationsHIT belongs to an unregistered host. Theinitiator MUST use UDP destination port 50500 for all UDP- encapsulated ESP packets it sends. It MAY also use port 50500 as source port or itrelay MAYuse a random source port. If it uses a random source port, it MUST listen for and accept arriving UDP-encapsulated ESP packets on this port untilverify thecorresponding HIP association is torn down. The respondersignature ofa UDP-encapsulated IPsec BEET-mode ESP exchange MUST use 50500 asthesource port for all UDP-encapsulated ESP packetsR1 packet and drop itsends. The destination port is the port from whichwhen therespondersignature isreceiving UDP encapsulated ESP data frominvalid. Otherwise, theinitiator. Bothrelay changes theinitiatordestination transport header to match RELAY_TO information, recalculates transport checksum and forwards theresponder of a HIP association MUST define BEET modepacket. In step 5, the Initiator receives the R1 packet and processes it accordingly to [I-D.ietf-hip-base]. It replies withUDP encapsulation asan I2 packet that has theIPsec mode forsame transport locator as R1, but theSA after a successful base exchange. The innersourceaddress MUST be the local HIT used during base exchangeandthe innerdestinationaddress MUST beports are swapped. The I2 contains a LOCATOR parameter containing theHITlisting unreflexive, reflexive and leased transport locators of thepeer. The other parts ofInitiator In step 6, theSA are described in individual sections. 3.3.2.1.1. Security Associations atrelay receives theInitiatorI2 packet. Theinitiator ofrelay appends aUDP-encapsulated base exchange defines its outbound SARELAY_FROM and a RELAY_HMAC to the I2 packet asshowninTable 2 +--------------+----------------------------------------------------+ | Field | Value | +--------------+----------------------------------------------------+ | Outer src | The local IP address from whichthebase exchange | | address | packets were transmitted | | Outer dst | The peer IP address to which base exchange packets | | address | were transmitted | | UDP src port | The port number as chosen forsecond step. In step 7, the Responder receives the I2 packet and processes it according to [I-D.ietf-hip-base]. It replies with an R2 packet and includes a RELAY_TO parameter as inbase | | | exchange | | UDP dst port | Port 50500 | +--------------+----------------------------------------------------+ Table 2: Outbound SA at initiatorstep three. Theinitiator of a UDP-encapsulated base exchange defines its inbound SARELAY_TO parameter is protected by the HMAC. In step 8, the relay processes the R2 asshowndescribed inTable 3 +--------------+----------------------------------------------------+ | Field | Value | +--------------+----------------------------------------------------+ | Outer src |step four. Thepeer IP addressrelay forwards the packet towhich base exchange packets | | address | were transmitted | | Outer dst | The local IP address from whichthebase exchange | |Responder. 3.4. Base Exchange without a Relay A host that has a publicly addressable, fixed IP address| packets were transmitted | | UDP src port | Port 50500 | | UDP dst port | Initiator MUST useMAY exclude registration to a Relay. As theUDP source port it uses in | | |Relay is not present, theoutbound SA here | +--------------+----------------------------------------------------+ Table 3: Inbound SA at initiator 3.3.2.1.2. Security Associationshost MUST listen atthe Responder The responder of aHIPPORT for transport-encapsulated HIP and ESP packets. An UDP-encapsulated base exchangedefines its outbound SA shownwith such an host does not have the RELAY_TO and RELAY_FROM parameters present. Connectivity tests MUST be handled as defined inTable 4. +-------------+-----------------------------------------------------+ | Field | Value | +-------------+-----------------------------------------------------+ | Outer src | The local IP address from whichthe following section before any ESP traffic is allowed. 3.5. Connectivity Tests The base exchange| | address | packets were transmitted | | Outer dst | Peer IP addressis completed with an R2 packet. Then, the state of theI2 packet received during | | address |HIP associations at both peers is ESTABLISHED, but thebase exchange | | UDP src | Port 50500 | | port | | | UDP dst | Source UDP portpeers MUST NOT allow any ESP traffic until the connectivity tests described in the next section are performed successfully. All of theI2 packet received fromlocators, except the| | port | initiator during base exchange | +-------------+-----------------------------------------------------+ Table 4: Outbound SA at Responder Similarly,relay address, are in UNVERIFIED state. In theresponder ofconnectivity tests, the hosts test connectivity between different locator pairs in order to find aUDP-encapsulated base exchange defines its inbound SA as shownworking one. The connectivity tests are illustrated inTable 5 +-------------+-----------------------------------------------------+ | Field | Value | +-------------+-----------------------------------------------------+Figure 3. In this example, both hosts are behind NATs. I Relay R |Outer src2. R2(RELAY_TO) |Source IP address of the I2 packet received from1. R2(RELAY_TO) | +<------------------------------+-------------------------------+ |address|the initiator during base exchange| 3. UPDATE(ECHO_REQUEST,FROM_PEER) NAT-R:DROP| +------------------------------------------------------------->X| |Outer dst|The local IP address from which the base exchange| 4. UPDATE(ECHO_REQUEST,FROM_PEER) |address|<--------------------------------------------------------------+ |packets were transmitted| |UDP src5. UPDATE(ECHO_RESP,TO_PEER) |Source UDP port of the I2 packet received from the+-------------------------------------------------------------->+ | |port|initiator during base exchange6. UPDATE(ECHO_REQUEST,FROM_PEER) | +-------------------------------------------------------------->| |UDP dst|Port 50500| 7. UPDATE(ECHO_RESP,TO_PEER) |port|<--------------------------------------------------------------+ | |+-------------+-----------------------------------------------------+ Table 5: Inbound SA at responder 3.3.3. Use of the Rendezvous Service when only the Initiator is Behind NATFigure 3: Connectivity tests Therendezvousconnectivity tests are handled as the mobility extensionsfor HIP without NAT traversal have beendefined in[I-D.ietf-hip-rvs]. This section addresses only the scenario where a NATted HIP node uses the rendezvous service[I-D.ietf-hip-mm] and are therefore subject tocontact another HIP node in a publicly addressable network. Figure 7 illustratesthemechanism describedsame processing rules. The packets include ESP_INFO, SEQ, ACK, HMAC, SIGNATURE parameters that are omitted in thissection. A rendezvous server MUST listen on UDP port 50500section forincoming UDP encapsulated I1 packets. However,simplicity. The differences to the mobility extensions are described in thisspecific case with only the initiator behind NAT,section. In steps 1 and 2, therendezvous server MUST NOT relayR2 packet is relayed from theI1 packets. Instead,Responder through therendezvous server repliesRelay to theinitiator with a NOTIFY message that includesResponder. After this, both hosts start connectivity tests using theresponder's locatorreturn routability tests defined ina VIA_RVS parameter.[I-D.ietf-hip-mm]. Therendezvous server can differentiate this scenarioreturn routability tests are used to probe for connectivity between each locator pair obtained from theothers because the I1 arrives UDP encapsulated, but the responder has registered without UDP encapsulation. Upon receiving the NOTIFY with thelocal and peer locatorsofobtained during base exchange. The return routability tests are also used as a UDP hole punching mechanism. The tests are carried in certain order which determined by theresponder throughpriorization algorithm defined in theNAT,next section. As an example, let's consider theinitiator MUST sendcase where hosts are testing each others outermost NAT addresses, i.e., relay reflexive transport locators. In step 3, host I sends anI1UPDATE message containing an ECHO_REQUEST to theresponder. However, it MUST continue retransmissions using the RVS location.R. Thisis mandatory because NOTIFY messages are not protected with signatures and can be forged bywill punch arogue host. Whenhole theinitiator receives an R1 throughNAT of I, but theNAT,NAT of R drops theresponder verifiesmessage because theintegrityNAT ofthe packet and repliesR has no state withan I2. The responder should be aware that the I2 may arrive from a different port than the I1.I. Insuch a case, the responder should send the R2 tostep 4, R starts also reachability detection by sending an UPDATE with ECHO_REQUEST. This traverses thesource portNAT ofI2. +---+ +---+ +-------+ +---+ | |----(1)--->| |---------------(2)-->| | | | | | | | | RVS R | | | | |<---(4)----| |<--------------(3)---| | | | | | | | +-------+ | | | | | N | | | | |----(5)--->| A |---------------(6)-------------->| | |I| | T | | R | | |<---(8)----| - |<--------------(7)---------------| | | | | T | | | | |----(9)--->| |---------------(10)------------->| | | | | | | | | |<---(11)---| |<--------------(12)--------------| | +---+ +---+ +---+ 1. IP(IP-I, IP-RVS) UDP(50500, 50500) I1(HIT-I, HIT-R) 2. IP(IP-NAT-I, IP-RVS) UDP(11111, 50500) I1(HIT-I, HIT-R)successfully because Initiator had already punched an hole into its NAT in step 3.IP(IP-RVS, IP-NAT-I) UDP(50500, 11111) NOTIFY(HIT-R, HIT-I, VIA_RVS(IP-R)) 4. IP(IP-RVS, IP-I) UDP(50500, 50500) NOTIFY(HIT-R, HIT-I, VIA_RVS(IP-R))The Responder replies using ECHO_RESPONSE in step 5.IP(IP-I, IP-R) UDP(50500, 50500) I1(HIT-I, HIT-R) 6. IP(IP-NAT-I, IP-R) UDP(22222, 50500) I1(HIT-I, HIT-R) 7. IP(IP-R, IP-NAT-I) UDP(50500, 22222) R1(HIT-R, HIT-I) 8. IP(IP-R, IP-I) UDP(50500, 50500) R1(HIT-R, HIT-I) 9. IP(IP-I, IP-R) UDP(50500, 50500) I2(HIT-I, HIT-R) 10. IP(IP-NAT-I, IP-R) UDP(33333, 50500) I2(HIT-I, HIT-R) 11. IP(IP-R, IP-NAT-I) UDP(50500, 33333) R2(HIT-R, HIT-I) 12. IP(IP-R, IP-I) UDP(50500, 50500) R2(HIT-R, HIT-I) Figure 7: Example of a UDP-encapsulated HIP base exchange via RVS (initiator behind a NAT, responder and RVS onUpon receiving the ECHO_RESPONSE, thepublic Internet). 3.4.ResponderBehind NAT This section discusses mechanismstransitions the address pair toreachVERIFIED state. In step 6, host I starts aHIP responder that is located behindnew return routability test either due to aNAT. This section assumes thatretransmission timer or as a reaction to UPDATE with ECHO_REQUEST received from R. In step 7, host R receives and sends a response to I. Upon receiving theinitiator is located on publicly addressable network. The initiator contactsresponse, host R transitions theresponder through an RVS server. 3.4.1. Rendezvous Client Registration From Behind NATlocator pair being tested to VERIFIED state. All locators in UNVERIFIED state MUST be retransmitted RTIME times. Therendezvous client registration [I-D.ietf-hip-rvs] describes the case when rendezvous client is presentretransmission packets MUST be paced Ta ms apart as defined inpublicly addressable network. This section defines an extension to[I-D.ietf-mmusic-ice]. The retransmission are ordered in a sequence determined by therendezvous client registration forpriority of thecase whentransport locator pairs, as described in therendezvous client has detected that it is behind a NAT.next section. Theprocess insource address of theNAT caseUPDATE messages containing ECHO_REQUEST parameter isidentical toalways an unreflexive IPv4 locator of thecase without NAT, except that UDP encapsulation is used.host. Theregistrationdestination locator isillustrated in Figure 8. A node behind a NAT MUST first register totheRVS when itpeer's unreflexive, reflexive or leased transport locator, depending on which address isgoing to act as a responderbeing tested forsome other nodes. The node (i.e. rendezvous client) performs a base exchange withreachability. Implementations may add RTT measurement information to theRVS over UDP as described in Section 3.3 by sending I1 UDP encapsulated and 50500 as destination port number. RVS sends REG_INFOECHO_REQUEST parameter inR1 to which rendezvous client replies with REG_REQ paramter in I2. Both I1 and R1 are sent using UDP-encapsulation. If RVS grants serviceaddition to a nonce. The UPDATE messages carrying ECHO_REQUEST include a FROM_PEER parameter. The sender of therendezvous client, itUPDATE MUSTstorecopy the sourceIPaddressand source port numberof theI2 UDP packet that it had received fromUPDATE to therendezvous client during base exchange.FROM_PEER parameter. When the peer receives the UPDATE, it responds with an UPDATE containing and a ECHO_REQUEST and TO_PEER parameters. The TO_PEER parameter MUST contain the sourceIPaddressbelongs toof theNATUPDATE redundantly. The reason from the FROM_PEER and TO_PEER parameters is that it is possible to learn new addresses using them. When there is p2p-unfriendly NAT between thesourcepeers, it may cause translate port numberisof theNAT mangled port. RVS then replies with REG_RESP in R2 over UDP. IfUPDATE packets to something that has not been communicated through theregistration process resultsrelay before. Such an addresses are called "peer reflexive transport locators" ina successful REG_RESP,this document. The FROM_PEER and TO_PEER parameters can be used for detecting peer reflexive locators. The learned locators are added to therendezvous client MUST send NAT keepalives (Section 3.1.2)connectivity tests. UPDATE packets destined tokeepthemapping inunreflexive locators are sent directly over IP. UPDATE packets destined for reflexive peer, relay and leased locators are sent transport layer encapsulated. Hosts proceed sequentially through theNAT withlocator pairs in theRVS open. The NAT keepalives sent from rendezvous client toorder described in theRVSnext section. A host MUSThave the same source port astransition theI2 packet. Whenstate of transport locator pairs verified by theRVS receives an I1 packet from a HIP node to be relayedreturn routability tests to thesuccessfully registered rendezvous client behind NAT, RVSACTIVE state. Keepalive mechanisms described in later sections MUSTrelay the I1 over UDP withbe applied to refresh thedestinationportasstate in NAT devices for locators in theone stored during registration. The RVSACTIVE state. A host MUST alsozeroesset up theHIP header checksumSecurity Associations for the inbound ESP traffic for such locators. The selection of a default outbound SA is defined in theI1.next section. 3.6. Selecting an Address Pair Thisprocess is explainedsection describes priority ordering of connectivity tests and locators pair selection based on ICE [I-D.ietf-mmusic-ice]. As part of the priority calculation, each locator has a preference based on its type. The values for these preferences are shown inSection 3.4.2. +---+ +---+ +---+ | |----(1)--->| |---------------(2)-------------->| | | | | N | |Table 2. +-----------------------------------+------------+ | Locator Type ||<---(4)----| A |<--------------(3)---------------|Preference | +-----------------------------------+------------+ |IThe preferred locator | 127 |T| Unreflexive locator |R126 | ||----(5)--->| - |---------------(6)-------------->| |Peer reflexive transport locator | 120 | |IRelay reflexive transport locator | 100 | | Leased transport locator ||<---(8)----| |<--------------(7)---------------|0 |+---+ +---+ +---+ Initiator = Rendezvous client, Responder = Rendezvous server 1. IP(IP-I, IP-R) UDP(50500, 50500) I1(HIT-I, HIT-R) 2. IP(IP-NAT-I, IP-R) UDP(33333, 50500) I1(HIT-I, HIT-R) 3. IP(IP-R, IP-NAT-I) UDP(50500, 33333) R1(HIT-R, HIT-I, REG_INFO) 4. IP(IP-R, IP-I) UDP(50500, 50500) R1(HIT-R, HIT-I, REG_INFO) 5. IP(IP-I, IP-R) UDP(50500, 50500) I2(HIT-I, HIT-R, REG_REQ) 6. IP(IP-NAT-I, IP-R) UDP(44444, 50500) I2(HIT-I, HIT-R, REG_REQ) 7. IP(IP-R, IP-NAT-I) UDP(50500, 44444) R2(HIT-R, HIT-I, REG_RES) 8. IP(IP-R, IP-I) UDP(50500, 50500) R2(HIT-R, HIT-I, REG_RES) Figure 8: Rendezvous NAT Client Registration 3.4.2. NAT Traversal+-----------------------------------+------------+ Table 2: Locator Type Preferences In addition to the "type" priority, the priority ofHIP Control Traffic This section describesa locator is also affected by thedetails"local" priority. A (multihoming) host may have multiple locators ofenabling NAT traversalsame type and SHOULD assign a unique local priority forbase exchange packets [I-D.ietf-hip-base] through UDP encapsulation,each locator. Hosts preferring IPv6 communication can assign higher local preferences for IPv6 locators than for unreflexive IPv4 locators. ECHO_REQUEST parameters may include RTT calculation information that an implementation may use to increase thecase when the HIP initiator islocal priority. A host SHOULD calculate locator priority based onpublicly addressable network andtheHIP responder is behind NAT. The process is illustratedlocal and type priorities as shown in Figure9. Before the HIP base exchange starts, the responder of the HIP base exchange4. The locator priority MUSThave completed a successful rendezvous client registration usingalways be included in thescheme definedtype 3 locator fields in LOCATOR parameters as described in section Section3.4.1. The initiator of the HIP base exchange sends4.4. Locator priority = (2^24) * (type preference) + (2^8) * (local preference) Figure 4: Locator priority A host SHOULD calculate aplain I1 packet (without UDP encapsulation) to the RVSpriority for each locator pair asdescribedshown in[I-D.ietf-hip-rvs]. In this case, the rendezvous server detects thatFigure 5. I and R denote theI1 is not UDP encapsulated, butpriorities of locators of Initiator and Responder. The use of therendezvous client has registered using UDP encapsulation. To relaysame formula at both ends gives more guarantees that theI1 packet, RVS MUST zeropeers prefer shortest paths between them. It also converges theHIP header checksum fromselection of theI1 packet. RVS MUST addlocator pair towards aFROM parameter, as described in [I-D.ietf-hip-rvs], which contains the IP addresssymmetric pair instead ofHIP initiator.an asymmetric pair even though it is not completely guaranteed. TheFROM parameterreasoning for the formula isintegrity protected by a RVS_HMAC parameter asdescribed in[I-D.ietf-hip-rvs]. RVS replaces[I-D.ietf-mmusic-ice]. Pair priority = 2^32 * MIN(I,R) + 2 * MAX(I,R) + (I > R ? 1 : 0) Figure 5: Pair priority After reachability tests, both hosts SHOULD assign thedestination IPtransport addressinpair with theIP headerhighest pair priority as their default outgoing SA for ESP. 3.7. Mobility When one of thepacket with IP thathosts changes its locators, ithad stored during the rendezvous client registration (which is the IP addresshas to notify its peers of theoutermost NAT behind which rendezvous clientaddress change. This islocated). It MUST then encapsulate the I1 packet within UDP. The source porthandled as described in theUDP header MUST be 50500 andconnectivity tests in Section 3.5 with thedestination port MUST beexception that thesameUPDATE with parameter LOCATOR is used as thesource port number (44444)trigger to start connectivity tests instead of theI2R2. The UPDATE packetwhich it had stored during the registration process. RVS then recomputes the IP header checksumcontains a LOCATOR parameter listing unreflexive, reflexive andsendsleased transport locators of thepacket. +-------+ | | +----->| RVS +-----+ +----+ +---+ | | | |Initiator. This is illustrated in Figure 6. Mobile Relay Corresponding Node | Node |+---+||---(1)---+ +-------+ +----(2)--->| |---(3)--->|| | 1. UPDATE(LOCATOR) | 2. UPDATE(LOCATOR,RELAY_TO) |N+-------------------------------+------------------------------>| | | | 3. UPDATE(ECHO_REQUEST,FROM_PEER) NAT: DROP| +------------------------------------------------------------->X| ||<------------------(5)--------------------| A |<--(4)----|| |I4. UPDATE(ECHO_REQUEST,FROM_PEER) | |<--------------------------------------------------------------+ |T| |R5. UPDATE(ECHO_RESP,TO_PEER) | |-------------------------------------------------------------->| ||-------------------(6)------------------->| - |---(7)--->|| | 6. UPDATE(ECHO_REQUEST,FROM_PEER) | |<--------------------------------------------------------------| |R| | 7. UPDATE(ECHO_RESP,TO_PEER) | |-------------------------------------------------------------->| ||<------------------(9)--------------------| |<--(8)----||+---+ +----+ +---+ 1. IP(IP-I, IP-RVS) I1(HIT-I, HIT-R) 2. IP(IP-RVS, IP-NAT-R) UDP(50500, 44444) I1(HIT-I, HIT-R, FROM:IP-I, RVS_HMAC) 3. IP(IP-RVS, IP-R) UDP(50500, 50500) I1(HIT-I, HIT-R, FROM:IP-I, RVS_HMAC) 4. IP(IP-R, IP-I) UDP(50500, 50500) R1(HIT-R, HIT-I, VIA_RVS_NAT(IP-FVS, 50500)) 5. IP(IP-NAT-R, IP-I) UDP(44444, 50500) R1(HIT-R, HIT-I, VIA_RVS_NAT(IP-FVS, 50500) 6. IP(IP-I, IP-NAT-R) UDP(50500, 44444) I2(HIT-I, HIT-R) 7. IP(IP-I, IP-R) UDP(50500, 50500) I2(HIT-I, HIT-R) 8. IP(IP-R, IP-I) UDP(50500, 50500) R2(HIT-R, HIT-I) 9. IP(IP-NAT-R, IP-I) UDP(44444, 50500) R2(HIT-R, HIT-I)Figure9: UDP-encapsulated HIP base exchange (initiator on public Internet, responder behind6: Handover When aNAT). The relayed I1 packet travelsmobile host moves fromRVSa private address realm to another, it can obtain theNAT. The NAT changessame locator on both networks. To denote that thedestination IP address ofnew locator requires reachability detection, theUDP encapsulated I1 packet,mobile host MUST use a new SPI for the new locator. A host can also use the UPDATE mechanism can also be used for switching to a more optimal path after connectivity tests. In the connectivity tests, the host may implement RTT measurements within ECHO_REQUEST and ECHO_RESPONSE messages. In some cases thedestination port number inresult of theUDP header. The responder acceptsRTT measurements may indicate that another locator pair is more optimal than thepacketlocator pair resulting from theRVSconnectivity andprocesses it according to [I-D.ietf-hip-rvs]. The resulting R1 must be encapsulated within UDP. The responder MAY appendpriority tests. In such aVIA_RVS_NAT parameter tocase, themessage, which containshost MAY send UPDATE with LOCATOR parameter with theIP address ofoptimal locator with therendezvous andpreferred bit on. This gives theporthighest priority for therendezvous servermost optimal locator and will be usedfor relayingif theI1. The RECOMMENDED source portconnectivity tests succeed. 3.8. NAT Keepalives A NAT can delete the mapping state after a timeout when there is50500 andno traffic refreshing thedestination port numberstate. For this reason, both hosts MUSTbe 50500. The destination addresssend keep-alives to each other for all locators pairs that are in theIP headerACTIVE state. Keepalives MUST bethe samesent every 20 seconds for UDP. The keepalive is a NOTIFY packet without parameters. The keep-alives MAY also be used to implement failure detection between end-hosts asthe one specifiedinthe FROM parameter of the relayed I1 packet.[I-D.oliva-hiprg-reap4hip] (XX FIXME: this needs still more details). Theinitiator MUST listen on port 50500 and it receives the UDP encapsulated R1. After verifying thebasic idea is to keep track of HIPpacket, it concludes that the respondercontrol and ESP packets received over a transport port. When there isbehindno HIP or ESP traffic (not even keep-alives) arriving during aNAT becausecertain time period, thepacket was UDP encapsulated.host switches to an alternative locator pair. Theinitiator processeshost transitions theR1 control packet accordingdefault locator pair to[I-D.ietf-hip-base] and replies using I2 that is UDP encapsulated. The addresses and ports are derived fromthereceived R1. The NAT translatesUNVERIFIED state andforwardsreplaces theUDP encapsulated I2 packetcurrently default SA to correspond to theresponder.ACTIVE locator pair with the highest priority. Theresulting R2host may also try to send an UPDATE packet with the LOCATOR parameter after a certain time period if connectivity is still broken. End-host may alsoUDP encapsulated usingused theaddresskeep-alives to detect loss of connectivity with relay server. When this occurs, the end-host can register to a new relay andport information fromreplace thereceived I2 packet. 3.4.3. NAT TraversalIP address ofHIP Data Traffic Afterthe old relay server with asuccessful base exchange, bothnew one in DNS or DHT. 3.9. Closing oftheHIPnodes have communicated all the necessary information to establish UDP- encapsulated BEET mode Security Associations. The following section describes inbound and outbound security associations at initiator and responder. 3.4.3.1. SecurityAssociationsat the Initiator The initiator ofA host closes abase exchange defines its outbound SAHIP association asshowndescribed inTable 6 +--------------+----------------------------------------------------+ | Field | Value | +--------------+----------------------------------------------------+ | Outer src | The local IP address from which[I-D.ietf-hip-base] except that thebase exchange | | address |CLOSE and CLOSE_ACK packetswere transmitted | | Outer dst | The peer IP address from which R2 packet was | | address | received during base exchange | | UDP src port | Port 50500 | | UDP dst port | Source port of incoming R2 packet during base | | | exchange | +--------------+----------------------------------------------------+ Table 6: Outbound SA at initiator The initiator of a base exchange defines its inbound SAare sent over transport layer and through the relay asshownillustrated inTable 7 +--------------+----------------------------------------------------+ | Field | Value | +--------------+----------------------------------------------------+ | Outer src |Figure 7. Hosts MUST transition the corresponding locator pairs to the DEPRECATED state after a successful CLOSE-CLOSE_ACK exchange. Thepeer IP address from which R2 packet was | | address | received during base exchangecorresponding inbound and outbound SAs must be deleted on such occasion. I Relay R | 1. CLOSE |Outer dst|The local IP address from which the base exchange+---------------------------->| 2. CLOSE | |address+-------------------------------->| |packets were transmitted| |UDP src port|Source port of incoming R2 packet during base| 3. CLOSE_ACK | |exchange4. CLOSE_ACK |<--------------------------------+ |<----------------------------+ | |UDP dst port|Port 50500|+--------------+----------------------------------------------------+ TableFigure 7:Inbound SA at initiator 3.4.3.2. Security Associations at the Responder The responderClosing of aUDP-encapsulated base exchange defines its outbound SA shown in Table 8. +--------------+----------------------------------------------------+ | Field | Value | +--------------+----------------------------------------------------+ | Outer src |HIP association Thelocal IP addresshosts may also use the CLOSE mechanism to remove redundant SAs remaining fromwhichthebase exchange | | address | packets were transmitted | | Outer dst | The peer IP as that used during base exchange | | address | | | UDP src port | The as source port chosen during base exchange | | UDP dst port | Port 50500 | +--------------+----------------------------------------------------+ Table 8: Outbound SA at Responder Similarly,connectivity tests. However, theresponder of a UDP-encapsulated base exchange defines its inbound SA as shown in Table 9 +--------------+----------------------------------------------------+ | Field | Value | +--------------+----------------------------------------------------+ | Outer src | Source peer IP address as usedremoval can prolong the recovery inbase exchange | | address | | | Outer dst | The local IP address from whichthebase exchange | | address | packets were transmitted | | UDP src port | Port 50500 | | UDP dst port | The as source port chosen during base exchange | +--------------+----------------------------------------------------+ Table 9: Inbound SA at responder 3.5. Bothevent of connectivity failures. 3.10. Communication with HIP HostsBehindwithout NATThis section describes the detailsTraversal Support The UDP encapsulation ofenabling NAT traversal forHIPcontroland ESPdata traffic, such as the base exchange [I-D.ietf-hip-base], throughcontrol packets has not been defined in any other IETF document and legacy hosts drop all UDPencapsulation, for the case when theencapsulated HIPinitiatorandthe HIP responder are both behind two separate NATs. The limitationESP traffic. Processing ofthis approach is thatunknown locator types terminates theNAT middlebox MUST support endpoint independent mapping [I-D.srisuresh-behave-p2p-state]. The registration and rendezvous relay are handled similarly as described in Section 3.3.3 and Section 3.4.1. Now that both hosts are behind NATs, bothbase exchange or UPDATE. As such, theinitiator (Section 3.3) and responder (Section 3.4) mechanismsextensions defined in this document arecombined here. There is one exception though; the initiator doesnotretransmit an I1 but rathercompletely backwards compatible and require aNOTIFY message. 3.5.1. NAT Traversalminimal support in implementations. A minimal implementation MUST provide UDP encapsulation of HIPControl Traffic Before an initiator can start the base exchange,and ESP packets. In such a case, theresponderminimal NAT traversal implementation MUSThave completed a successful rendezvous client registration with its RVS usingsilently discard themechanism described in Section 3.4.1. The initiatorprocessing ofthe HIP base exchange starts the base exchange by sending a UDP encapsulated I1 packettype 3 locators toRVS.allow communication with implementations supporting NAT traversal defined in this document. TheUDP packet MUST have destination port number 50500 and the initiator is RECOMMENDED to use 50500 as source port number. RVSminimal implementation MUSTlisten onsupport UDPport 50500. RVS MUST accept the packet as described in Section 3.3.3. As there has been a successful rendezvous client registration between the responder and the RVS as described in Section 3.4.1, the RVS knowskeepalives to refresh state of theport numberNAT(s). Hosts that conform tobe used[I-D.ietf-hip-mm] respond tocommunicateUPDATE messages containing an ECHO_REQUEST with an UPDATE message containing an ECHO_RESPONSE. This completes theresponder throughconnectivity tests for theNAT. RVS MUST add a FROM_NAT parameter tohost supporting theI1 packet. The FROM_NAT parameter containsextensions defined in this document. As long as thesource addressimplementation supports UDP encapsulation ofthe I1 packet, whichHIP control packets, this requires no changes. The Relay extensions defined in this document do not work with minimalistic implementations. When there iseffectivelya Relay between theaddress ofhosts, both theoutermost NAT ofInitiator and Responder MUST support theinitiator.extensions defined in this document. TheRVS copies the source portpresence of RELAY_TO and RELAY_FROM parameters denotes theUDP encapsulated I1 packet into the port number fieldprecence ofthe FROM_NAT parameter. The FROM_NAT parameter is integrity protected bya relay. 4. Packet Formats This section defines anRVS_HMAC as described in [I-D.ietf-hip-rvs]. It MUST replace the destination IP address of the I1UDP-encapsulation packetby the one it had stored earlier during rendezvous client registration. It MUST replace source IP address of I1format for HIP base exchange and control traffic, IPsec ESP BEET-mode traffic and NAT keep-alive packets. 4.1. HIP Control Packets 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Source Port | Destination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Length | Checksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | ~ HIP Header and Parameters ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 8: Format for UDP-encapsulated HIP control packets Figure 8 shows how HIP control packets are encapsulated within UDP. A minimal UDP packetwithcarries a complete HIP packet in itsown address. UDP source portpayload. Contents of therelayed I1 packet MUST be 50500UDP source and destinationportports are described below. The UDP length and checksum field MUST bethe samecomputed asone it had stored during the client rendezvous registration. It MUST recompute the IPdescribed in [RFC0768]. The HIP headerchecksum. Upon receivingand parameter follow theVIA_RVS_NAT parameter,conventions [I-D.ietf-hip-base] with theinitiator sends NOTIFY message without any contents toexception that theresponder, which responderHIP header checksum MUSTignore. This punches a hole to the NAT of the initiator. The responder receives the I1 relayed by the RVS. The responder acts as described in Section 3.4.2 by replying with an R1.be zero. TheR1 punches a hole to the responder's NATHIP header checksum is zero for two reasons. First, theinitiator. The R1 makes it to the initiator because the initiatorUDP header contains alreadypunchedaholechecksum. Second, the checksum definition inits own NAT with[I-D.ietf-hip-base] includes theempty NOTIFY message forIP addresses in theresponder.checksum calculation. Theinitiator and responder complete the restNATs unaware of HIP cannot recompute thebase exchange with I2 and R2.HIP checksum after changing IP addresses. 4.2. Control Channel Keep-Alives The keep-alive for control channel are UDP encapsulated NOTIFY packets [I-D.ietf-hip-base]. The NOTIFY packets MAY contain HIP parameters. The NATstate may timeout in case the R1 cookie was relatively large or in case the RTT is large. For this reason, the initiator MUST refreshtraversal mechanisms encapsulate these NOTIFY packets within thestatepayload ofthe NATs by resending empty NOTIFY messages until it receives an R2. +---+ +----+ +-------+ +----+ +---+ | +--(1)-->| +---(2)-->+ | | | | |UDP packets. 4.3. RELAY_FROM, RELAY_TO and RELAY_VIA Parameters 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |RVS-R| Address | | | | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Port ||<--(3a)--+ +---(3b)---->|Padding | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type [ TBD by IANA: RELAY_FROM: (63998 = 2^16 - 2^11 + 2^9 - 2) RELAY_TO: (64002 = 2^16 - 2^11 + 2^9 + 2) RELAY_VIA: (64006 = 2^16 - 2^11 + 2^9 + 6) ] <!-- AG: those are not described? TO_PEER: (64010 = 2^16 - 2^11 + 2^9 + 10) REG_FROM: (64010 = 2^16 - 2^11 + 2^9 + 12) ] --> Length 18 Address An IPv6 address or an IPv4 address in IPv4-in-IPv6 format. Port Transport port number Figure 9: Format for the RELAY_FROM, RELAY_TO and RELAY_VIA parameters Figure 9 shows the format of RELAY_FROM, RELAY_TO and RELAY_VIA parameters. 4.4. LOCATOR Parameter The generic LOCATOR parameter format is the same as in [I-D.ietf-hip-mm]. However, presenting transport locators requires a new locator type. The generic and NAT specific locator parameters are illustrated in Figure 10. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Traffic Type | Locator Type |+-------+Locator Length | Reserved |P| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Locator Lifetime | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Locator ||<-(4a)--+ N| |N +--(4b)->|| | | |A+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ . . . . +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Traffic Type |ALoc Type = 2 | Locator Length | Reserved |P| +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Locator Lifetime |I +--(5a)->| T+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Transport Port |T |<-(5b)--+ RTransp. Proto | Kind | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Priority |- |<-(6b)------------------(6a)->| -+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | SPI | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Locator ||<-(7b)--+ I| |R +--(7a)->|| | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 10: Locator parameter The individual fields in the LOCATOR parameter are described in Table 3. +------------+----------+-------------------------------------------+ | Field | Value(s) | Purpose | +------------+----------+-------------------------------------------+ | Type | 193 | Parameter type |+--(8)-->| +--------------(9)------------>| +--(10)->|| Length | Variable | Length in octets, excluding Type and | | | | Length fields, and excluding padding. | | Traffic ||<-(13)--+ |<-------------(12)------------+ |<-(11)--+0-2 |+---+ +----+ +----+ +---+ 1. IP(IP-I, IP-RVS) UDP(50500, 50500) I1(HIT-I, HIT-R) 2. IP(IP-NAT-I, IP-RVS) UDP(11111, 50500) I1(HIT-I, HIT-R) 3a. IP(IP-RVS, IP-NAT-I) UDP(50500, 11111) NOTIFY(HIT-R, HIT-I, VIA_RVS_NAT(IP-NAT-R, 44444) 3b. IP(IP-RVS, IP-NAT-R) UDP(50500, 44444) I1(HIT-I, HIT-R, FROM_NAT:[IP-NAT-I,11111], RVS_HMAC) 4a. IP(IP-RVS-R, IP-I) UDP(50500, 50500) NOTIFY(HIT-R, HIT-I, VIA_RVS_NAT(IP-NAT-R, 44444) 4b. IP(IP-RVS, IP-R) UDP(50500, 50500) I1(HIT-I, HIT-R, FROM_NAT:[NAT-I,11111], RVS_HMAC) 5a. IP(IP-I, IP-NAT-R) UDP(50500, 44444) NOTIFY(HIT-I, HIT-R) 5b. IP(IP-R, IP-NAT-I) UDP(50500, 11111) R1(HIT-R, HIT-I, VIA_RVS_NAT(IP-FVS, 50500)) 6a. IP(IP-NAT-I, IP-NAT-R) UDP(11111, 44444) NOTIFY(HIT-I, HIT-R) 6b. IP(IP-NAT-R, IP-NAT-I) UDP(44444, 11111) R1(HIT-R, HIT-I, VIA_RVS_NAT(IP-FVS, 50500)) 7a. IP(IP-NAT-I, IP-NAT-R) UDP(11111, 50500) NOTIFY(HIT-I, HIT-R) 7b. IP(IP-NAT-R, IP-NAT-I) UDP(44444, 50500) R1(HIT-R, HIT-I, VIA_RVS_NAT(IP-FVS, 50500)) 8-10. I2(HIT-I, HIT-R), details similarly as in the cases before 11-13 R2(HIT-R, HIT-I), details similarly as in the cases before Figure 10: UDP-encapsulated HIP base exchange (initiator and responder behind a NAT, RVS on public IP). The UDP hole punching is applicable only in the case when the NAT devices on the path support address independent mapping [I-D.srisuresh-behave-p2p-state]. After the initiator has received a VIA_RVS_NAT parameter2 for unreflexive andhas been in I1_SENT stateleased, 1 fora policy specific period, the initiator MAY transition to E-FAILED state. Alternatively, it is RECOMMENED to switch to an externalrelaybased protocol mechanism. 3.5.2. NAT Traversal of HIP Data Traffic After a successful base exchange, both the HIP nodes have all the parameters with them to establish UDP BEET mode Security Association. The following section describes inbound and outbound security associations at initiator and responder. 3.5.2.1. Security Associations at the Initiator The initiator of a base exchange defines its outbound SA as shown in Table 10 +--------------+----------------------------------------------------+|Field|ValueType |+--------------+----------------------------------------------------+|Outer src | The local IP address from which the base exchangereflexive | |addressLocator |packets were transmitted3 | Transport locator |Outer dst|The peer IP address from which R2 packet wasType | |address|received during base exchange| Locator |UDP src port19 |The asLength of theport number chosen to send I2 during | | | base exchangeLocator field in 4-octet | |UDP dst port | Source port of incoming R2 packet during base |Length | |exchangeunits |+--------------+----------------------------------------------------+ Table 10: Outbound SA at initiator The initiator of a base exchange defines its inbound SA as shown in Table 11 +--------------+----------------------------------------------------+|FieldReserved |Value0 |+--------------+----------------------------------------------------+Reserved for future extensions |Outer src|The peer IP address from which R2 packet wasPreferred | 0 |addressUsually zero for type 3 locators |received during base exchange| (P) bit |Outer dst|The local IP address from which the base exchange| |addressLocator |packets were transmittedVariable | Locator lifetime in seconds |UDP src port|Source port of incoming R2 packet during baseLifetime | | |exchange| Transport |UDP dst portVariable |The as the port number chosen to send I2 duringZero for unreflexive and greater than | | Port |base exchange|+--------------+----------------------------------------------------+ Table 11: Inbound SA at initiator 3.5.2.2. Security Associations at the Responder The responder of a UDP-encapsulated base exchange defines its outbound SA shown in Table 12. +--------------+----------------------------------------------------+zero otherwise |Field|ValueTransport |+--------------+----------------------------------------------------+0 |Outer srcZero for UDP |The local IP address from which the base exchange| Protocol |address|packets were transmitted| |Outer dstKind |The peer IP as that used during base exchangeVariable | 0 for unreflexive, 1 for relay reflexive, |address| | |UDP src port2 for leased |The as source port chosen send R2 during base| Priority | Variable |exchangeLocator preference, see Section 3.6 | |UDP dst portSPI |The as source port number of I2 packet during baseVariable | 0 for relay reflexive, otherwise greater | |exchange|+--------------+----------------------------------------------------+ Table 12: Outbound SA at Responder Similarly, the responder of a UDP-encapsulated base exchange defines its inbound SA as shown in Table 13 +--------------+----------------------------------------------------+|Fieldthan zero |Value|+--------------+----------------------------------------------------+Locator |Outer srcVariable |Source peer IPAn IPv6 addressas used in base exchange |or an IPv4-in-IPv6 format |address| | |Outer dstIPv4 address[RFC2373] | +------------+----------+-------------------------------------------+ Table 3: Fields of the locator parameter 4.5. RELAY_HMAC Thelocal IP address from whichRELAY_HMAC parameter value has thebase exchange |TLV type 65520 (2^16 - 2^5 + 2^4). It has the same semantics as RVS_HMAC [I-D.ietf-hip-rvs]. 4.6. Registration Types The REG_INFO, REQ_REQ, REG_RESP and REG_FAILED parameters contains values for relay registration. The value for RELAY_UDP_HIP is 2. The value for RELAY_UDP_ESP is 3. 4.7. ESP Data Packets 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |addressSource Port |packets were transmittedDestination Port | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |UDP src portLength |The as source Port received from I2 during baseChecksum | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |exchange~ ESP Header ~ | | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 11: Format for UDP-encapsulated IPsec ESP BEET-mode traffic Figure 11 shows how IPsec ESP BEET-mode packets are encapsulated within UDP. Again, a minimal UDPdst port |packet carries the ESP packet in its payload. Theascontents of the UDP sourceport used to send R2 during base | | | exchange | +--------------+----------------------------------------------------+ Table 13: Inbound SA at responder 3.6. NAT Keep-Alives Typically, NATs cache an established bindingandtime it out if they have not used it to relay traffic for a given perioddestination ports are described in later sections. The UDP length and checksum field MUST be computed as described in [RFC0768]. 4.8. UDP Encapsulation/Decapsulation oftime.IPsec BEET-Mode ESP [RFC3948] describes UDP encapsulation of the IPsec ESP transport and tunnel mode. Thistimeout is different for different NAT implementations. The BEHAVE working group is discussing recommendations for standardized timeout values. To prevent NAT bindings that supportsection describes thetraversalUDP encapsulation ofUDP- encapsulated HIP traffic from timing out during times when there is no control or data traffic, HIP hosts SHOULD send periodic keep-alive messages. Typically, only outgoing traffic refreshes the NAT port state for security reasons. Consequently, both hosts SHOULD send periodic keep-alives forthe BEET mode. 4.8.1. UDPchannelEncapsulation ofall their establishedIPsec BEET-Mode ESP During the HIPassociations ifbase exchange, thechannel has been idle fortwo peers exchange parameters that enable them to define aspecific periodpair oftime. For theIPsec ESP security associations (SAs), as described in [I-D.ietf-hip-esp]. When two peers perform a UDP-encapsulated base exchange, they MUST define a pair of IPsec SAs that produces UDP-encapsulated BEET-mode ESP data traffic. The management of encryption/authentication protocols and security parameter indices (SPIs) is defined in [I-D.ietf-hip-esp]. Additional SA parameters, such as IP addresses and UDPchannel, keep-alivesports, MUST beUDP-encapsulateddefined according to this section. Two SAs MUST be defined on each host for one HIPNOTIFY packetsassociation; one for outgoing data and another one for incoming data. The BEET mode provides limited tunnel mode semantics without the regular tunnel mode overhead [I-D.nikander-esp-beet-mode]. In the BEET mode, transport-layer checksums in the payload data are based on the HITs. The packet MUST then undergo BEET-mode ESP cryptographic processing as defined in Section3.1.2. The packets5.3 of [I-D.nikander-esp-beet-mode]. Next, the resulting BEET-mode packet is UDP encapsulated. For this purpose, a UDP header MUSTusebe inserted between thesameIP and ESP header. The source and destination portsand IP addresses as the corresponding UDP tunnel.are filled in. Thedefault keep-alive interval for control channels SHOULDUDP checksum MUST be20 seconds.calculated based on the outer addresses (locators) of the IPsec security association. Thepeer hostother fields of theHIP associationUDP header are computed as described in [RFC0768]. The resulting UDP packet MUSTdiscard the keep-alives. 3.7. HIP Mobility After a successful base exchange, a mobile node can change its network location using the mechanismsthen undergo BEET IP header processing as defined in[I-D.ietf-hip-mm]. This section describes such mobility mechanisms in the presenceSection 5.4 ofNATs. However,[I-D.nikander-esp-beet-mode]. Figure 12 illustrates thedouble jump scenario, where both peers move simultaneously, is excluded. The mobile node can change its location as described in Table 14. +----+---------------------------+----------------------------------+ | No | From network | To network | +----+---------------------------+----------------------------------+ | 1 | Behind NAT | Publicly Addressable Network | | 2BEET-mode UDP encapsulation procedure for a TCP packet. ORIGINAL TCP PACKET: +------------------------------------------+ |Publicly Addressableinner IPv6 hdr |Behind NAText hdrs | | |Network| with HITs | if present |3TCP |Behind NAT-AData |Stays behind NAT-A, but+------------------------------------------+ PACKET AFTER BEET-MODE ESP PROCESSING: +----------------------------------------------------------+ | inner IPv6 hdr | ESP | dest |different IP| |4ESP |Behind NAT-AESP |Behind NAT-B| with HITs |5hdr |Publicly Addressableopts.| TCP |Publicly Addressable NetworkData | Trailer | ICV |Network+----------------------------------------------------------+ |<------- encryption -------->| |<----------- integrity ----------->| FINAL PACKET AFTER BEET_MODE IP HEADER PROCESSING: +------------------------------------------------------------+ | outer IPv4 |+----+---------------------------+----------------------------------+ Table 14: End host mobility scenarios The corresponding peer node can be located as follows Table 15 +----+------------------------------------------+UDP |NoESP |Peer Node networkdest |+----+------------------------------------------+|A|Publicly Addressable Network With RVSESP | ESP |B|Publicly Addressable Network Without RVShdr | hdr |Chdr |Behind NAT With RVSopts.| TCP | Data |DTrailer |Behind NAT Without RVSICV |+----+------------------------------------------+ Table 15: Peer host Network Scenarios The NAT traversal mechanisms may not work when the corresponding node is behind a NAT without RVS (case D), except when the mobile node stays behind the same cone NAT (case 3D). When a mobile node changes its location, it SHOULD detect the presence+------------------------------------------------------------+ |<------- encryption -------->| |<----------- integrity ----------->| Figure 12: UDP encapsulation ofNATs along the new paths to its corresponding nodes using some external mechanism before sending any UPDATE messages. If no NAT was detected in such a case, it SHOULD sendanUPDATE to its corresponding nodes withoutIPsec BEET-mode ESP packet containing a TCP segment 4.8.2. UDPencapsulation. The mobile node MUST send the UPDATEDecapsulation of IPsec BEET-Mode ESP An incoming UDP-encapsulated IPsec BEET-mode ESP packetthrough the corresponding node's RVSis decapsulated as follows. First, ifit uses one, in addition to sending it tothecorresponding node directly. The mobile node encapsulates the UPDATE packet withinUDPonly when itchecksum isbehind a NAT. The corresponding node MUST reply using UDP wheninvalid, then the packetwas encapsulated within UDP, or without UDP when the UDP header was not present in the UPDATE packet. The rendezvous server relays the UPDATE similarly to I1. The rendezvous serverMUSTadd FROM parameter when it gets an UPDATE packet without UDP encapsulation, or a FROM_NAT parameter whenbe dropped. Then, theUPDATEpacketit receives is UDP encapsulated andMUST be verified as defined inboth cases protect the packet with a HMAC parameter. Upon replying to the UPDATE, the corresponding node MUST add a VIA_RVS (or VIA_RVS_NAT) parameter to the reply. The mobile node MUST leave out the NATted locators from[I-D.nikander-esp-beet-mode]. If verified, theLOCATOR parameter. This MUST be done before applying HMAC and SIGNATURE to an R1, I2 or UPDATE packet. Thus,ESP data contained in theLOCATOR parameter consists onlypayload of thetype and length fields when the mobile node has only NATted addresses. When the mobile node has e.g. a single IPv6 address and one NATted address, the LOCATOR parameter consists of single locator. TheUDPheader along with its port number conveys the NATted locator to the peer. 3.8. HIP Multihoming Multiple security associations can exists between the same hosts. They may be connected through several paths, some of which may include a NAT and others may not. Implementations that support multihomingpacket MUSTsupport concurrent HIP associations between the same host pairbe decrypted as described ina way that allows some of them to use UDP encapsulation while others are not UDP encapsulated. 3.9.[I-D.nikander-esp-beet-mode]. 5. Firewall Traversal This section describes firewall traversal issues separately from NAT issues. When theinitiatorInitiator or theresponderResponder of a HIP association is behind a firewall, additional issues arise.When the initiator is behind a firewall, theThe NAT traversal mechanisms described in Section 3depend onrequire that theability to initiate communication viafirewall - stateful or not - allows UDP traffic. At the minimum, successful firewall control packet traversal requires that the host behind the firewall is allowed todestination port 50500 from arbitrary source ports and to receive UDP response traffic fromcommunicate packets with a HIP relay (or a Responder without Relay) that is listening on UDP port HIPPORT. Successful ESP data packet traversal requires the same for the ESP relay. For unrelayed traffic, the destination port HIPPORT should be open at the firewall to all hosts behind thechosen source port.firewall. Most firewall implementations support "UDP connection tracking", i.e., after a host behind a firewall has initiatedaUDP communication to the public Internet, the firewall relays UDP response traffic in the return direction. If no such return traffic arrives for a specific period of time, the firewall stops relaying the given IP address and port pair. The mechanisms described in Section 3 already enable traversal of such firewalls, if thekeep- alivekeep-alive interval used is less than the refresh interval of the firewall. When the Initiator is behind a firewall, the NAT traversal mechanisms described in Section 3 depend on the ability to initiate communication via UDP to the destination port HIPPORT from arbitrary source ports and to receive UDP response traffic from that port to the chosen source port. If theinitiatorInitiator is behind a firewall that does not support "UDP connection tracking", the NAT traversal mechanisms described in Section 3 can still be supported, if the firewall allows permanently inbound UDP traffic from the port50500HIPPORT and destined to arbitrary source IP addresses and UDP ports. When theresponderResponder is behind a firewall, the NAT traversal mechanisms described in Section 3 depend on the ability to send and receive UDP trafficon port 50500originating from HIPPORT of the HIP and ESP relays. When unrelayed traffic is preferred, arbitrary source IP addresses andports. The NAT traversal mechanisms described in Section 3 require that the firewall - stateful or not - allow inbound UDP traffic to port 50500 and allow outbound UDP traffic to arbitrary UDP ports. If necessary for firewall traversal,portsreserved for IKE MAY be used for initiating new connections, but the implementation MUST be able to listen for UDP packets from port 50500. 4.are required. 6. Security Considerations4.1.6.1. A Difference to RFC3948 Section 5.1 of [RFC3948] describes a security issue for the UDP encapsulationofin the standard IP tunnel mode when two hosts behind different NATs have the same private IP address and initiate communication to the sameresponderResponder in the public Internet. TheresponderResponder cannot distinguish betweenthetwo hosts, because security associations are based on the same inner IP addresses. This issue does not exist with the UDP encapsulation of IPsec BEET mode as described in Section 3, because theresponderResponder usetheHITs to distinguish between different communication instances.4.2. Rendezvous and Responder6.2. Privacy Considerations Therendezvous usageLOCATORs are sent inthis draft has been designedplain text. Alternatively, they could be encrypted. This option was not chosen tofollow the RVS specification [I-D.ietf-hip-rvs] whenallow packet inspection by middleboxes. Plain text locators may be useful for HIP-aware middleboxes in theNAT supports end-point independent filtering. However, as NAT networking presents some additional challenges, itfuture. It isnotpossible that an Initiator or Responder may not want tofollowreveal all of its locators to its peer. For example, a host may not want to reveal theRVS design exactly. Particularly,internal topology of themechanisms described in Figure 7private address realm andSection 3.5.1 require thatit discards unreflexive locators. Such behavior creates non-optimal paths when therendezvous server replies back tohosts are located behind theinitiatorsame NAT. Especially, this could be a problem with amessage which includeslegacy NAT that does not support routing from the private address realm back to itself through the outer addressand portof theresponderNAT.Another design choice would have beenThis scenario is referred torelay alsoas theR1 (and I2 in case of both hosts behind NAT) throughhairpin problem [I-D.ietf-behave-p2p-state]. With such a legacy NAT, therendezvous serveronly option left would be todelayuse a leased transport locator from a relay. As a consequence, a host may support locator-based privacy by leaving out theexposurereflexive locators. Using only unreflexive locators can produce suboptimal paths possibly causing congestion. The use of relays can be useful for protection against Denial-of- Service attacks. If a Responder reveals only its HIP and ESP relay addresses to malign Initiators, theresponder NAT addressInitiators can only attack the relays that does not prevent the Responder from initiating new outgoing connections if a path around the relay exists. 6.3. Opportunistic Mode The use of opportunistic HIP is NOT RECOMMENDED andport related information for additional DoS protection. However,its use is not defined in thischoice wasdocument. In opportunistic HIP, the Initiator sends the I1 message with null destination HIT. Private address realms do notselectedhave unique addresses by definition. Therefore, opportunistic mode is subject toreduce round trip time. Asfailure even when there are no attackers present. In aconsequence, the rendezvous client must acceptnormal HIP base exchange, a well-behaving Responder drops therisk of lowered privacy protectionI1 packet whenit registersthe destination HIT does not belong to it. An attacker could respond to theRVS over UDPI1, but the base exchange would eventually fail asdefined in Figure 8. 5.the attacker would fail to prove its ownership of the destination HIT of the I1. 7. IANA Considerations This section is to be interpreted according to [RFC2434]. This draft currently uses a UDP port in the "Dynamic and/or Private Port"range, i.e., 50500.and HIPPORT. Upon publication of this document, IANA is requested to register a UDP port and the RFC editor is requested to change all occurrences of port50500HIPPORT to the port IANA has registered.6. AcknowledgementsThe HIPPORT number 50500 should be used for initial experimentation. This document updates the IANA Registry for HIP Parameters Types by assigning new HIP Parameter Types values for the new HIP Parameters defined in Section 4: o RELAY_FROM (defined in Section 4.3) o RELAY_TO (defined in Section 4.3) o RELAY_VIA (defined in Section 4.3) o RELAY_HMAC (defined in Section 4.5) 8. Acknowlegements The authors would like to thank Lars Eggert, VivienSchmittSchmitt, Abhinav Pathak and Andrei Gurtov forhistheir contributions to previous versions of this draft. Thanks for Philip Matthews on introducing ICE concepts to the authors and for proposing the initial design. Thanks for Jonathan Rosenberg and the rest of the MMUSIC WG folks for the excellent work on ICE. In addition, the authors would like to thank Tobias Heer, Teemu Koponen, Juhana Mattila, Jeffrey M. Ahrenholz, Thomas Henderson, Kristian Slavov, Janne Lindqvist, Pekka Nikander, Lauri Silvennoinen, Jukka Ylitalo,Andrei Gurtov andJuhaHeinanenHeinanen, Joakim Koskela, Samu Varjonen, Dan Wing, Hannes Tschofenig and Jani Hautakorpi for their comments on this document. [I-D.nikander-hip-path] presented some initial ideas for NAT traversal of HIP communication. The idea was based on NAT detection using extra parameters in the base exchange. This documentdescribes significantlytakes a differentmechanisms that, among other differences, use external NAT discovery and do not require encapsulation servers.approach based on ICE. Simon Schuetz and Martin Stiemerling are partly funded by Ambient Networks, a research project supported by the European Commission under its Sixth Framework Program. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of the Ambient Networks project or the European Commission. Miika Komu is workingfor InfraHIP researchin the Networking Research group at Helsinki Institute for Information Technology (HIIT). The InfraHIP projectiswas funded by Tekes, Telia-Sonera, Elisa, Nokia,Thethe Finnish Defence Forces and Ericsson.7.Miika Komu wrote draft-ietf-hip-nat-02 version from scratch based on ICE-related comments from Philip Matthews. 9. References7.1.9.1. Normative References [I-D.ietf-hip-base] Moskowitz, R., "Host Identity Protocol",draft-ietf-hip-base-06draft-ietf-hip-base-08 (work in progress), June2006.2007. [I-D.ietf-hip-esp] Jokela, P., "Using ESP transport format with HIP",draft-ietf-hip-esp-04draft-ietf-hip-esp-06 (work in progress),October 2006.June 2007. [I-D.ietf-hip-mm]Nikander, P.,Henderson, T., "End-Host Mobility and Multihoming with the Host Identity Protocol",draft-ietf-hip-mm-04draft-ietf-hip-mm-05 (work in progress), March 2007. [I-D.ietf-hip-registration] Laganier, J., "Host Identity Protocol (HIP) Registration Extension", draft-ietf-hip-registration-02 (work in progress), June 2006. [I-D.ietf-hip-rvs] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) Rendezvous Extension", draft-ietf-hip-rvs-05 (work in progress), June 2006. [I-D.ietf-mmusic-ice] Rosenberg, J., "Interactive Connectivity Establishment (ICE): A Protocol for Network Address Translator (NAT) Traversal for Offer/Answer Protocols", draft-ietf-mmusic-ice-16 (work in progress), June 2007. [I-D.nikander-esp-beet-mode] Melen, J. and P. Nikander, "A Bound End-to-End Tunnel (BEET) mode for ESP",draft-nikander-esp-beet-mode-06draft-nikander-esp-beet-mode-07 (work in progress),August 2006.February 2007. [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, August 1980. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC2373] Hinden, R. and S. Deering, "IP Version 6 Addressing Architecture", RFC 2373, July 1998. [RFC2434] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998. [RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol (HIP) Architecture", RFC 4423, May 2006.7.2.9.2. Informative References[I-D.ietf-behave-nat-behavior-discovery] MacDonald, D. and B. Lowekamp, "NAT Behavior Discovery Using STUN", draft-ietf-behave-nat-behavior-discovery-00[I-D.ietf-behave-p2p-state] Srisuresh, P., "State of Peer-to-Peer(P2P) Communication Across Network Address Translators(NATs)", draft-ietf-behave-p2p-state-03 (work in progress),FebruaryJuly 2007.[I-D.ietf-behave-nat-udp] Audet, F. and C. Jennings, "NAT Behavioral Requirements for Unicast UDP", draft-ietf-behave-nat-udp-08 (work in progress), October 2006.[I-D.irtf-hiprg-nat] Stiemerling, M., "NAT and Firewall Traversal Issues of Host Identity Protocol (HIP) Communication",draft-irtf-hiprg-nat-03draft-irtf-hiprg-nat-04 (work in progress),June 2006.March 2007. [I-D.nikander-hip-path] Nikander, P., "Preferred Alternatives for Tunnelling HIP (PATH)", draft-nikander-hip-path-01 (work in progress), March 2006.[I-D.srisuresh-behave-p2p-state] Srisuresh, P., "State of Peer-to-Peer(P2P) Communication Across Network Address Translators(NATs)", draft-srisuresh-behave-p2p-state-04[I-D.oliva-hiprg-reap4hip] Oliva, A. and M. Bagnulo, "Fault tolerance configurations for HIP multihoming", draft-oliva-hiprg-reap4hip-00 (work in progress),September 2006.July 2007. [RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, August 1999.[RFC3489] Rosenberg, J., Weinberger, J., Huitema, C., and R. Mahy, "STUN - Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs)", RFC 3489, March 2003.[RFC3948] Huttunen, A., Swander, B., Volpe, V., DiBurro, L., and M. Stenberg, "UDP Encapsulation of IPsec ESP Packets", RFC 3948, January 2005. [RFC4787] Audet, F. and C. Jennings, "Network Address Translation (NAT) Behavioral Requirements for Unicast UDP", BCP 127, RFC 4787, January 2007. Appendix A. Differences to ICE The protocol extensions defined in this draft are based on ICE. The extensions are a rough translation of ICE concepts to HIP protocol. The translation preserved certain concepts as they are, but there are subtle differences. This section tries to explain how ICE concepts were mapped to HIP protocol and what are the differences. The terminology for this draft is a hybrid of ICE and HIP terminology. "Agent" was translated to "host" in favour of HIP terminology. Transport address was changed to transport locator. Similarly, address pair is denoted as locator pair. This document does not really talk about "candidate addresses", but just "locators" which may or may not be verified using the return routability tests, in favour of mobility terminology in [I-D.ietf-hip-mm]. Host candidate of ICE became unreflexive locator, server reflexive candidate was mapped to relay reflexive transport locator, peer reflexive candidate was mapped to peer reflexive locator and relayed candidate became leased transport locator. The component, base and foundation terms are not used in the document as there is only a single "media stream" for all (ESP) traffic between two hosts. There is no "lite" version ICE in this document, just full, as the full version is the preferred one also for ICE. One specific scenario defined in this document has some resemblance to the lite ICE. When a Responder is a publicly accessible server with fixed address, it may exclude the use of the relay. In that case, it does not have to handle the RELAY parameters but still has to respond to the connectivity checks. A connectivity check is not a STUN Binding Request. Instead, it is return routability check as defined in [I-D.ietf-hip-mm]. "Triggered check" occurs when a host receives a UPDATE with ECHO_REQUEST and it responds using a ECHO_RESPONSE and sends its own ECHO_REQUEST. A "check list" is effectively a LOCATOR parameter as defined in [I-D.ietf-hip-mm]. The term "ordinary check" is not really used in this document as it HIP packets are retransmitted periodically when the LOCATORs are in UNVERIFIED state. "Valid list" corresponds to locator pairs that have been verified successfully by the return routability tests. The peers trigger the connectivity checks after the base exchange or after a base exchange. The conclusion of the connectivity checks, i.e., selection of the final address pair, differs the most as a result of fitting the ICE nomination algorithm to HIP mobility mechanisms. There is no "controlling agent" and the end-hosts make a local decision on which locator pair to choose. This could lead to asymmetric address pairs, but the priority algorithm guarantees that the address pairs converge. Also, there is are no aggressive and regular nomination modes as a consequence of the lack of controlling agent. ICE uses TLS, usernames and passwords as security mechanisms. HIP has built-in security mechanisms that preferred over the ones that are used in ICE. Appendix B. Document Revision History To be removed upon publication +------------+------------------------------------------------------+ | Revision | Comments | +------------+------------------------------------------------------+ | schmitt-00 | Initial version. | | ietf-00 | Officially adopted as WG item. Solved issues | | | 1-9,11,12 | | ietf-01 | Solved remaining issues except that relaying ESP and | | | mobility were still incomplete. | | ietf-02 | Miika rewrote almost from scratch based on ICE. | | | Editorial corrections from Simon and Andrei. | +------------+------------------------------------------------------+ Authors' Addresses Miika Komu (editor) Helsinki Institute for Information TechnologyTammasaarenkatu 3 HelsinkiMetsanneidonkuja 4 Espoo Finland Phone: +358503841531 Fax: +35896949768 Email: miika@iki.fi URI: http://www.hiit.fi/ Simon Schuetz NEC Network Laboratories Kurfuerstenanlage 36 Heidelberg 69115 Germany Phone: +49 6221 4342 165 Fax: +49 6221 4342 155 Email: simon.schuetz@netlab.nec.de URI: http://www.netlab.nec.de/ Martin Stiemerling NEC Network Laboratories Kurfuerstenanlage 36 Heidelberg 69115 Germany Phone: +49 6221 4342 113 Fax: +49 6221 4342 155 Email: stiemerling@netlab.nec.de URI: http://www.netlab.nec.de/Lars Eggert Nokia Research Center P.O. Box 407 Nokia Group 00045 Finland Phone: +358 50 48 24461 Email: lars.eggert@nokia.com URI: http://research.nokia.com/people/lars_eggert/ Abhinav Pathak IIT Kanpur B204, Hall - 1, IIT Kanpur Kanpur 208016 India Phone: +91 9336 20 1002 Email: abhinav.pathak@hiit.fi URI: http://www.iitk.ac.in/Full Copyright Statement Copyright (C) The IETF Trust (2007). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Intellectual Property The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Acknowledgment Funding for the RFC Editor function is provided by the IETF Administrative Support Activity (IASA).