| < draft-ietf-mip6-firewalls-03.txt | draft-ietf-mip6-firewalls-04.txt > | |||
|---|---|---|---|---|
| MIP6 F. Le | MIP6 F. Le | |||
| Internet-Draft CMU | Internet-Draft CMU | |||
| Expires: April 20, 2006 S. Faccin | Expires: July 29, 2006 S. Faccin | |||
| B. Patil | B. Patil | |||
| Nokia | Nokia | |||
| H. Tschofenig | H. Tschofenig | |||
| Siemens | Siemens | |||
| October 17, 2005 | January 25, 2006 | |||
| Mobile IPv6 and Firewalls: Problem statement | Mobile IPv6 and Firewalls: Problem statement | |||
| draft-ietf-mip6-firewalls-03.txt | draft-ietf-mip6-firewalls-04.txt | |||
| Status of this Memo | Status of this Memo | |||
| By submitting this Internet-Draft, each author represents that any | By submitting this Internet-Draft, each author represents that any | |||
| applicable patent or other IPR claims of which he or she is aware | applicable patent or other IPR claims of which he or she is aware | |||
| have been or will be disclosed, and any of which he or she becomes | have been or will be disclosed, and any of which he or she becomes | |||
| aware will be disclosed, in accordance with Section 6 of BCP 79. | aware will be disclosed, in accordance with Section 6 of BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF), its areas, and its working groups. Note that | Task Force (IETF), its areas, and its working groups. Note that | |||
| skipping to change at page 1, line 38 ¶ | skipping to change at page 1, line 38 ¶ | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| The list of current Internet-Drafts can be accessed at | The list of current Internet-Drafts can be accessed at | |||
| http://www.ietf.org/ietf/1id-abstracts.txt. | http://www.ietf.org/ietf/1id-abstracts.txt. | |||
| The list of Internet-Draft Shadow Directories can be accessed at | The list of Internet-Draft Shadow Directories can be accessed at | |||
| http://www.ietf.org/shadow.html. | http://www.ietf.org/shadow.html. | |||
| This Internet-Draft will expire on April 20, 2006. | This Internet-Draft will expire on July 29, 2006. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (C) The Internet Society (2005). | Copyright (C) The Internet Society (2006). | |||
| Abstract | Abstract | |||
| Network elements such as firewalls are an integral aspect of a | Network elements such as firewalls are an integral aspect of a | |||
| majority of IP networks today, given the state of security in the | majority of IP networks today, given the state of security in the | |||
| Internet, threats, and vulnerabilities to data networks. Current IP | Internet, threats, and vulnerabilities to data networks. Current IP | |||
| networks are predominantly based on IPv4 technology and hence | networks are predominantly based on IPv4 technology and hence | |||
| firewalls have been designed for these networks. Deployment of IPv6 | firewalls have been designed for these networks. Deployment of IPv6 | |||
| networks is currently progressing, albeit at a slower pace. | networks is currently progressing, albeit at a slower pace. | |||
| Firewalls for IPv6 networks are still maturing and in development. | Firewalls for IPv6 networks are still maturing and in development. | |||
| skipping to change at page 2, line 20 ¶ | skipping to change at page 2, line 20 ¶ | |||
| firewalls available for IPv6 networks do not support Mobile IPv6. | firewalls available for IPv6 networks do not support Mobile IPv6. | |||
| Unless firewalls are aware of Mobile IPv6 protocol details, these | Unless firewalls are aware of Mobile IPv6 protocol details, these | |||
| security devices will interfere in the smooth operation of the | security devices will interfere in the smooth operation of the | |||
| protocol and can be a detriment to deployment. This document | protocol and can be a detriment to deployment. This document | |||
| captures the issues that may arise in the deployment of IPv6 networks | captures the issues that may arise in the deployment of IPv6 networks | |||
| when they support Mobile IPv6 and firewalls. | when they support Mobile IPv6 and firewalls. | |||
| The issues are not only applicable to firewalls protecting enterprise | The issues are not only applicable to firewalls protecting enterprise | |||
| networks, but are also applicable in 3G mobile networks such as GPRS/ | networks, but are also applicable in 3G mobile networks such as GPRS/ | |||
| UMTS and cdma2000 networks. | UMTS and CDMA 2000 networks. | |||
| The goal of this Internet draft is to highlight the issues with | The goal of this Internet draft is to highlight the issues with | |||
| firewalls and Mobile IPv6 and act as an enabler for further | firewalls and Mobile IPv6 and act as an enabler for further | |||
| discussion. Issues identified here can be solved by developing | discussion. Issues identified here can be solved by developing | |||
| appropriate solutions in the MIP6 WG. | appropriate solutions in the MIP6 WG. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| skipping to change at page 6, line 21 ¶ | skipping to change at page 6, line 21 ¶ | |||
| o CoA: Care of Address | o CoA: Care of Address | |||
| o CoTI: Care of Test Init | o CoTI: Care of Test Init | |||
| o HA: Home Agent | o HA: Home Agent | |||
| o HoA: Home Address | o HoA: Home Address | |||
| o HoTI: Home Test Init | o HoTI: Home Test Init | |||
| o HoT: Home Test | ||||
| o MN: Mobile Node | o MN: Mobile Node | |||
| o RO: Route Optimization | o RO: Route Optimization | |||
| o RRT: Return Routability Test | o RRT: Return Routability Test | |||
| 4. Overview of firewalls | 4. Overview of firewalls | |||
| The following section provides a brief overview of firewalls. It is | The following section provides a brief overview of firewalls. It is | |||
| intended as background information so that issues with the Mobile | intended as background information so that issues with the Mobile | |||
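Review bot: this block drops "HoT: Home Test" from the terminology list while "HoTI: Home Test Init" and "CoTI: Care of Test Init" stay, so the Home Test and Care of Test messages (HoT, and CoT, which appears in neither column where it would sort between CoA and CoTI) are left undefined if the body still uses those abbreviations. Either keep HoT and add CoT, or confirm that neither abbreviation occurs outside this list before removing it.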
| skipping to change at page 8, line 8 ¶ | skipping to change at page 8, line 8 ¶ | |||
| external networks reaches the firewall, it searches the packet's | external networks reaches the firewall, it searches the packet's | |||
| source IP address, destination IP address, Protocol type, source port | source IP address, destination IP address, Protocol type, source port | |||
| number and destination port number in its state table to see if the | number and destination port number in its state table to see if the | |||
| packet matches the characteristics of a request sent previously. If | packet matches the characteristics of a request sent previously. If | |||
| so, the firewall lets the packet pass. Otherwise, the packet is | so, the firewall lets the packet pass. Otherwise, the packet is | |||
| dropped since it was not requested from inside the network. | dropped since it was not requested from inside the network. | |||
| The firewall removes the state table entries either when the TCP | The firewall removes the state table entries either when the TCP | |||
| close session negotiation packets are routed through, or after some | close session negotiation packets are routed through, or after some | |||
| configurable timeout period. This ensures that dropped connections | configurable timeout period. This ensures that dropped connections | |||
| do not leave holes in the table. | do not leave holes open in the firewall. | |||
| For UDP, similar state is created. However, since UDP is | For UDP, similar state is created. However, since UDP is | |||
| connectionless and the protocol does not have an indication of the | connectionless and the protocol does not have an indication of the | |||
| beginning nor the end of a session, the state is based only on | beginning nor the end of a session, the state is based only on | |||
| timers. | timers. | |||
| 5. Analysis of various scenarios involving MIP6 nodes and firewalls | 5. Analysis of various scenarios involving MIP6 nodes and firewalls | |||
| The following section describes various scenarios involving MIP6 | The following section describes various scenarios involving MIP6 | |||
| nodes and firewalls and also presents the issues related to each | nodes and firewalls and also presents the issues related to each | |||
| skipping to change at page 9, line 27 ¶ | skipping to change at page 9, line 27 ¶ | |||
| protected by firewall(s) | protected by firewall(s) | |||
| o Section 5.2 analyzes the issues when the CN is in a network | o Section 5.2 analyzes the issues when the CN is in a network | |||
| protected by firewall(s) | protected by firewall(s) | |||
| o Section 5.3 analyzes the issues when the HA is in a network | o Section 5.3 analyzes the issues when the HA is in a network | |||
| protected by firewall(s) | protected by firewall(s) | |||
| The MN may also be moving from an external network, to a network | The MN may also be moving from an external network, to a network | |||
| protected by firewall(s). The issues of this case are described in | protected by firewall(s). The issues of this case are described in | |||
| Section 5.3. | Section 5.4. | |||
| Some of the described issues (e.g. Section 5.1 and Section 5.2) may | Some of the described issues (e.g. Section 5.1 and Section 5.2) may | |||
| require modifications to the protocols or to the firewalls, and | require modifications to the protocols or to the firewalls, and | |||
| others (e.g. Section 5.3) may require only appropriate rules and | others (e.g. Section 5.3) may require only appropriate rules and | |||
| configuration to be in place. | configuration to be in place. | |||
| 5.1. Scenario where the Mobile Node is in a network protected by | 5.1. Scenario where the Mobile Node is in a network protected by | |||
| firewall(s) | firewall(s) | |||
| Let's consider a MN A, in a network protected by firewall(s). | Let's consider a MN A, in a network protected by firewall(s). | |||
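Review bot: the cross-reference fix (Section 5.3 to Section 5.4 for the MN moving into a protected network) is right, but the following paragraph still sorts only Section 5.1 and Section 5.2 into "may require modifications to the protocols or to the firewalls" and Section 5.3 into "may require only appropriate rules and configuration"; say which side Section 5.4 falls on, since it is the one scenario the reader has just been redirected to.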
| skipping to change at page 13, line 38 ¶ | skipping to change at page 13, line 38 ¶ | |||
| via its Home Agent and | via its Home Agent and | |||
| * a Care of Test Init (COTI) message directly to its | * a Care of Test Init (COTI) message directly to its | |||
| Correspondent Node C. | Correspondent Node C. | |||
| The Care of Test Init message is sent using the CoA of B as the | The Care of Test Init message is sent using the CoA of B as the | |||
| source address. Such a packet does not match any entry in the | source address. Such a packet does not match any entry in the | |||
| protecting firewall (2). The CoTi message will thus be dropped by | protecting firewall (2). The CoTi message will thus be dropped by | |||
| the firewall. | the firewall. | |||
| The HoTI is a Mobility Header packet, and the protocol type | The HoTI is a Mobility Header packet, and as the protocol type | |||
| differs from the existing states (2), the HoTI packet will also be | differs from the established state in the firewall (see (2)), the | |||
| dropped. | HoTI packet will also be dropped. | |||
| As a consequence, the RRT cannot be completed and route | As a consequence, the RRT cannot be completed and route | |||
| optimization cannot be applied. Every packet has to go through | optimization cannot be applied. Every packet has to go through | |||
| the node B's Home Agent and tunneled between B's Home Agent and B. | the node B's Home Agent and tunneled between B's Home Agent and B. | |||
| +----------------+ | +----------------+ | |||
| | +----+ HoTI (HoA) +----+ | | +----+ HoTI (HoA) +----+ | |||
| | | FW |X<---------------|HA B| | | | FW |X<---------------|HA B| | |||
| | +----X +----+ | | +----X +----+ | |||
| | +------+ | ^ CoTI & HoTI ^ | | +------+ | ^ CoTI & HoTI ^ | |||
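Review bot: the reworded HoTI sentence now gives "the protocol type differs from the established state" as the drop reason, but the CoTI two sentences earlier fails that same check in addition to the source-address one (the Section 4 match covers source, destination, protocol and both ports, and the CoTI is also a Mobility Header packet). State that the CoTI mismatches on both fields; as written, a reader may infer that a Mobility Header packet sent from the HoA would pass, which the HoTI case immediately contradicts. In the figure, the packet labelled "HoTI (HoA)" arrives from HA B; that matches "via its Home Agent" in the text, but a caption saying the HA forwards it would save the reader from wondering why a HoTI originates at the HA.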
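The failure described in this scenario, as an added example that is not code from the draft: a minimal stateful firewall in Python that implements the five-field match of Section 4 (state created by inside-originated TCP and UDP sessions, removed on TCP close or timeout, UDP on timers only) and is fed the packets of this scenario. The addresses, ports and timestamps are constructed sample data; the Mobility Header protocol number 135 is the value RFC 3775 assigns. The two drop reasons the firewall reports are the two the draft gives for the CoTI (no matching entry for the CoA) and the HoTI (protocol type differs from the existing TCP state with the HoA).

```python
"""Stateful firewall simulation of the Mobile IPv6 return routability failure.

Added example; not code from draft-ietf-mip6-firewalls. It models the five
field state match of Section 4 and the CoTI/HoTI drops of Section 5. All
addresses, ports and timestamps are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP = 6
UDP = 17
MOBILITY_HEADER = 135  # IPv6 Next Header value of the Mobility Header (RFC 3775)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # Mobility Header packets carry no ports
    dport: Optional[int] = None
    fin: bool = False            # TCP close-session indication
    label: str = ""              # annotation for the audit log only


class StatefulFirewall:
    """Inside-to-outside packets create state; outside-to-inside packets pass
    only if source, destination, protocol and both ports are the reverse of a
    recorded session. TCP entries go on close or timeout, UDP on timeout only."""

    def __init__(self, inside_prefix: str, tcp_timeout: int = 3600,
                 udp_timeout: int = 30) -> None:
        self.inside_prefix = inside_prefix
        self.timeouts = {TCP: tcp_timeout, UDP: udp_timeout}
        self.state: Dict[tuple, int] = {}  # outbound five-tuple -> expiry time
        self.audit: List[str] = []

    def _inside(self, addr: str) -> bool:
        return addr.startswith(self.inside_prefix)

    def _expire(self, now: int) -> None:
        for key in [k for k, exp in self.state.items() if exp <= now]:
            del self.state[key]

    def process(self, pkt: Packet, now: int) -> Tuple[str, str]:
        """Return (verdict, reason) for one packet seen at time `now`."""
        self._expire(now)
        if self._inside(pkt.src):
            key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
            if pkt.proto in self.timeouts:      # only TCP/UDP create state
                if pkt.fin:                     # simplification: one FIN closes
                    self.state.pop(key, None)
                else:
                    self.state[key] = now + self.timeouts[pkt.proto]
            result = ("PASS", "outbound")
        else:
            result = self._inbound(pkt, now)
        self.audit.append(f"t={now} {pkt.label or pkt.proto} "
                          f"{pkt.src}->{pkt.dst}: {result[0]} ({result[1]})")
        return result

    def _inbound(self, pkt: Packet, now: int) -> Tuple[str, str]:
        reverse = (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport)
        if reverse in self.state:
            if pkt.fin:
                del self.state[reverse]
            else:
                self.state[reverse] = now + self.timeouts[pkt.proto]  # refresh
            return ("PASS", "matches established session")
        # Separate the two drop reasons the draft gives for CoTI and HoTI.
        if any(k[0] == pkt.dst and k[1] == pkt.src for k in self.state):
            return ("DROP", "protocol type differs from established state")
        return ("DROP", "no session from inside to this source address")


def run_scenario() -> Dict[str, Tuple[str, str]]:
    """Correspondent node C behind the firewall has a TCP session with mobile
    node B (reached through B's home address); B then starts the RRT.
    Returns the firewall verdict for each packet."""
    c_addr = "2001:db8:c::1"       # constructed: C, inside the protected network
    b_hoa = "2001:db8:home::b"     # constructed: B's home address
    b_coa = "2001:db8:visit::b"    # constructed: B's care-of address
    dns = "2001:db8:ext::53"       # constructed: an external UDP peer
    fw = StatefulFirewall(inside_prefix="2001:db8:c:")
    v = {}
    v["tcp_open"] = fw.process(Packet(c_addr, b_hoa, TCP, 40000, 80, label="SYN"), now=0)
    v["tcp_reply"] = fw.process(Packet(b_hoa, c_addr, TCP, 80, 40000, label="SYN/ACK"), now=1)
    # RRT: CoTI goes directly from the CoA, HoTI arrives from the HoA via B's HA.
    v["coti"] = fw.process(Packet(b_coa, c_addr, MOBILITY_HEADER, label="CoTI"), now=2)
    v["hoti"] = fw.process(Packet(b_hoa, c_addr, MOBILITY_HEADER, label="HoTI"), now=2)
    # UDP state lives on a timer only: a reply after the 30 s timeout is dropped.
    v["udp_out"] = fw.process(Packet(c_addr, dns, UDP, 5000, 53, label="query"), now=3)
    v["udp_late"] = fw.process(Packet(dns, c_addr, UDP, 53, 5000, label="late reply"), now=40)
    # TCP close removes the entry, so a straggler after the close no longer matches.
    v["tcp_close"] = fw.process(Packet(c_addr, b_hoa, TCP, 40000, 80, fin=True, label="FIN"), now=50)
    v["tcp_late"] = fw.process(Packet(b_hoa, c_addr, TCP, 80, 40000, label="late ACK"), now=51)
    return v


if __name__ == "__main__":
    for name, (verdict, reason) in run_scenario().items():
        print(f"{name:10} {verdict:4} {reason}")
```

Running the script prints one verdict per packet: the TCP reply from the HoA passes, the CoTI is dropped because nothing from inside ever addressed the CoA, and the HoTI is dropped although its source is the HoA, because the only state with that peer is TCP and the packet is a Mobility Header. The UDP and FIN cases show the timer-only and close-triggered state removal the Section 4 text describes.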
| skipping to change at page 23, line 41 ¶ | skipping to change at page 23, line 41 ¶ | |||
| This document and the information contained herein are provided on an | This document and the information contained herein are provided on an | |||
| "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS | |||
| OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET | |||
| ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, | |||
| INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE | |||
| INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED | |||
| WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. | |||
| Copyright Statement | Copyright Statement | |||
| Copyright (C) The Internet Society (2005). This document is subject | Copyright (C) The Internet Society (2006). This document is subject | |||
| to the rights, licenses and restrictions contained in BCP 78, and | to the rights, licenses and restrictions contained in BCP 78, and | |||
| except as set forth therein, the authors retain all their rights. | except as set forth therein, the authors retain all their rights. | |||
| Acknowledgment | Acknowledgment | |||
| Funding for the RFC Editor function is currently provided by the | Funding for the RFC Editor function is currently provided by the | |||
| Internet Society. | Internet Society. | |||
| End of changes. 11 change blocks. | ||||
| 12 lines changed or deleted | 14 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||