© NOKIA NSIS MIPv6 FW / November 8th 2004. Mobile IPv6 - NSIS Interaction for Firewall traversal, draft-thiruvengadam-nsis-mip6-fw-01, S. Thiruvengadam.

Presentation transcript:

Slide 1. Mobile IPv6 - NSIS Interaction for Firewall traversal
draft-thiruvengadam-nsis-mip6-fw-01
S. Thiruvengadam, Hannes Tschofenig, Franck Le

Slide 2. Introduction of the problem: MIPv6 & Firewalls
- Mobility Support in IPv6 (Mobile IPv6) is now an RFC: RFC 3775
- However, firewalls, which are an integral part of most IP networks deployed today, can cause several deployment problems
- The MIP6 WG has recognized the problem, and the issues are described in draft-ietf-mip6-firewalls-00.txt

Slide 3. Summary of the Problems
The problems stem from the fact that in Mobile IPv6:
- several IP addresses can be used: Home IP Address, Care of Address, Home Agent's IP address
- packets can take different forms: tunneled (reverse tunneling), not tunneled (route optimization)
- incoming requests, with a different format from traffic, need to reach the communicating end points: Care of Test Init, Home Test Init, Binding Update
-> incoming and outgoing packets differ from the states in the firewalls -> packets dropped

Slide 4. Illustration of some of the problems
[Figure labels: Network protected by a firewall; Public Internet; Mobile Node A; Node B; Home Agent; Firewall; SIP Proxy. Messages: 1. SIP INVITE, SDP: Home IP Address; 2. SIP INVITE; 3. SIP 200 OK]
- The MN specifies its HoA in the SDP field so that the communication can be maintained when the MN moves and changes IP address
- Pinholes are created based on the information from the SDP, i.e. the Home IP address
- Downlink VoIP traffic is sent to A's HoA
- Downlink VoIP is sent (IP in IP) from the HA to the MN's CoA, not matching FW state: PACKETS DROPPED
- Uplink VoIP is sent (IP in IP) from the CoA to the HA's IP address, not matching FW state: PACKETS DROPPED
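The state mismatch on slide 4, modeled as an added example that is not part of the original presentation or the draft. Assumptions: the addresses are constructed from the 2001:db8::/32 documentation prefix, the firewall matches on the outer IP header only, pinholes are bidirectional, and the extra HA/CoA pinhole is one illustrative way of providing the missing state.

```python
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Optional

UDP, IPV6_IN_IPV6 = 17, 41  # IANA protocol numbers

# Constructed addresses (documentation prefix), not taken from the slides.
HOA = IPv6Address("2001:db8:1::a")     # Mobile Node A's Home Address
COA = IPv6Address("2001:db8:2::a")     # A's current Care-of Address
HA = IPv6Address("2001:db8:1::1")      # Home Agent
NODE_B = IPv6Address("2001:db8:3::b")  # correspondent Node B

@dataclass(frozen=True)
class Packet:
    src: IPv6Address
    dst: IPv6Address
    proto: int
    inner: Optional["Packet"] = None   # set when proto is IPv6-in-IPv6

@dataclass(frozen=True)
class Pinhole:
    a: IPv6Address
    b: IPv6Address
    proto: int
    def matches(self, p: Packet) -> bool:
        # Assumption: only the outer header is inspected, in either direction.
        return p.proto == self.proto and {p.src, p.dst} == {self.a, self.b}

def verdict(state, pkt):
    """Default-deny: pass only if some installed pinhole matches."""
    return "pass" if any(h.matches(pkt) for h in state) else "drop"

def tunnel(inner, src, dst):
    """Wrap a packet the way reverse tunneling does (IP in IP)."""
    return Packet(src, dst, IPV6_IN_IPV6, inner)

# State the firewall derives from the SDP: media between the HoA and Node B.
sdp_state = [Pinhole(HOA, NODE_B, UDP)]
downlink = tunnel(Packet(NODE_B, HOA, UDP), HA, COA)   # HA -> MN's CoA
uplink = tunnel(Packet(HOA, NODE_B, UDP), COA, HA)     # MN's CoA -> HA

def run():
    before = (verdict(sdp_state, downlink), verdict(sdp_state, uplink))
    # Additional state keyed on the tunnel endpoints, which only the end points know.
    fixed = sdp_state + [Pinhole(HA, COA, IPV6_IN_IPV6)]
    after = (verdict(fixed, downlink), verdict(fixed, uplink))
    return before, after

print(run())
```

The SDP-derived pinhole matches the inner packets but never sees them, because the firewall evaluates the HA/CoA outer header.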

Slide 5. Why NSIS?
- Mobile IPv6 has been designed to be an end-to-end protocol
- The communicating end points are the only entities that:
  - have knowledge of the HoA, Home Agent IP address, CoA
  - know the mode being used, and the format of the packets
  - know the characteristics of the pinholes that need to be present (e.g. for incoming packets)
- NSIS, which defines a signaling protocol to allow endpoints to configure firewalls, thus appears as a well-suited solution

Slide 6. NSIS as a solution
- draft-thiruvengadam-nsis-mip6-fw-01, "Mobile IPv6 - NSIS Interaction for Firewall traversal", attempts to analyze how NSIS could solve the identified problems
- New features need to be supported by the NAT-FW-NSLP protocol:
  - Ability for the Data Receiver to initiate the signaling
  - Ability to discover the presence and the characteristics of firewalls
  - Ability to create several states in the firewall per request

Slide 7. Ability for the Data Receiver to initiate the signaling
1. The MIPv6 case identifies the need for the Data Receiver to be able to initiate the signaling
   - The scenarios are further described in the draft
2. Actually, the requirement is not specific to MIPv6
   - NSIS assumes that firewalls will allow NSIS messages from the external network
   - However, this can lead to DoS attacks: operators may be reluctant
   - Data Receiver may have to pay for the incoming traffic -> overbilling attacks
3. Data Receiver may want to restrict the type of incoming traffic
-> Ability for Data Receiver to initiate signaling is needed
[Figure labels: Data Receiver; Firewall; Data Sender. Data Receiver may want to restrict incoming traffic; DoS; User may be charged for traffic; Data Receiver to install packet filters in the firewalls; Data Receiver to initiate the signaling]

Slide 8. Ability to discover the presence and the characteristics of firewalls
1. MIPv6 requires IPsec
   - However, IPsec and FW do not work well together
   - There are some solutions, e.g. UDP encapsulation
   - But need to know the presence of FW
2. MIPv6 requires the Return Routability Test to be executed before Route Optimization can be used
   - Firewalls may prevent RRT messages from reaching the nodes
   - There can be some solutions
   - But again, the nodes have to know that they are behind a firewall
3. Currently there is no protocol to discover the presence and characteristics of FW

Slide 9. Ability to create several states in the firewall per request
Many states need to be created in the firewalls:
- Route Optimization
- Reverse Tunneling
- Home Test Init messages
- Care of Test Init messages
- Binding Updates
- IPsec traffic between MN and HA
Allowing several states to be created per request would:
- Reduce the time delay
- Reduce the overhead, especially for cellular networks

Slide 10. Next steps
- Feedback?
- Can the requirements be addressed by the NAT FW NSLP?