1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.


Slide 1: Mobile IPv6 - NSIS Interaction for Firewall traversal
draft-thiruvengadam-nsis-mip6-fw-01
S. Thiruvengadam, Hannes Tschofenig, Franck Le

Slide 2: Introduction of the problem: MIPv6 & Firewalls
- Mobility Support in IPv6 (Mobile IPv6) is now RFC 3775.
- However, firewalls, which are an integral part of most IP networks deployed today, can cause several deployment problems.
- The MIP6 WG has recognized the problem; the issues are described in draft-ietf-mip6-firewalls-00.txt.

Slide 3: Summary of the Problems
The problems stem from the fact that in Mobile IPv6:
- several IP addresses can be used: Home Address, Care-of Address, Home Agent's IP address
- packets can take different forms: tunneled (reverse tunneling) or not tunneled (route optimization)
- incoming requests, in a format different from the data traffic, need to reach the communicating end points: Care-of Test Init, Home Test Init, Binding Update
-> Incoming and outgoing packets differ from the states in the firewalls -> packets dropped

Slide 4: Illustration of some of the problems
[Figure: network protected by a firewall, public Internet, Mobile Node A, Node B, Home Agent, Firewall, SIP Proxy; message flow 1. SIP INVITE (SDP: Home IP Address), 2. SIP INVITE, 3. SIP 200 OK; the VoIP flows marked X are dropped at the firewall.]
- The MN specifies its HoA in the SDP field so that the communication can be maintained when the MN moves and changes IP address.
- Pinholes are created based on the information from the SDP, i.e. the Home IP address.
- Downlink VoIP traffic is sent to A's HoA; it is then forwarded (IP in IP) from the HA to the MN's CoA, which does not match the firewall state: PACKETS DROPPED.
- Uplink VoIP is sent (IP in IP) from the CoA to the HA's IP address, which does not match the firewall state: PACKETS DROPPED.

Slide 5: Why NSIS?
- Mobile IPv6 has been designed as an end-to-end protocol.
- The communicating end points are the only entities that:
  - have knowledge of the HoA, Home Agent IP address and CoA
  - know the mode being used and the format of the packets
  - know the characteristics of the pinholes that need to be present (e.g. for incoming packets)
- NSIS, which is defining a signaling protocol to allow endpoints to configure firewalls, thus appears to be a well-suited solution.

Slide 6: NSIS as a solution
- draft-thiruvengadam-nsis-mip6-fw-01, "Mobile IPv6 - NSIS Interaction for Firewall traversal", attempts to analyze how NSIS could solve the identified problems.
- New features need to be supported by the NAT-FW-NSLP protocol:
  - ability for the Data Receiver to initiate the signaling
  - ability to discover the presence and the characteristics of firewalls
  - ability to create several states in the firewall per request

Slide 7: Ability for the Data Receiver to initiate the signaling
1. The MIPv6 case identifies the need for the Data Receiver to be able to initiate the signaling.
   - The scenarios are further described in the draft.
2. Actually, the requirement is not specific to MIPv6.
   - NSIS assumes that firewalls will allow NSIS messages from the external network.
   - However, this can lead to DoS attacks: operators may be reluctant.
   - The Data Receiver may have to pay for the incoming traffic -> overbilling attacks.
3. The Data Receiver may want to restrict the type of incoming traffic.
-> The ability for the Data Receiver to initiate the signaling is needed.
[Figure: Data Receiver - Firewall - Data Sender. The Data Receiver, who may want to restrict incoming traffic (DoS; the user may be charged for traffic), initiates the signaling to install packet filters in the firewall.]

Slide 8: Ability to discover the presence and the characteristics of firewalls
1. MIPv6 requires IPsec.
   - However, IPsec and firewalls do not work well together.
   - There are some solutions, e.g. UDP encapsulation.
   - But the presence of the firewall needs to be known.
2. MIPv6 requires the Return Routability Test to be executed before Route Optimization can be used.
   - Firewalls may prevent RRT messages from reaching the nodes.
   - There can be some solutions.
   - But again, the nodes have to know that they are behind a firewall.
3. Currently there is no protocol to discover the presence and characteristics of firewalls.

Slide 9: Ability to create several states in the firewall per request
- Many states need to be created in the firewalls:
  - Route Optimization
  - Reverse Tunneling
  - Home Test Init messages
  - Care-of Test Init messages
  - Binding Updates
  - IPsec traffic between MN and HA
- Allowing several states to be created per request would:
  - reduce the time delay
  - reduce the overhead, especially for cellular networks
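As an added illustration (not part of the slides or the draft) of the slide 4 mismatch and the slide 9 multi-state request, the toy stateful firewall below matches only the outer IPv6 header: the SDP-derived pinholes for the HoA never match the IPv6-in-IPv6 traffic between the CoA and the HA, while installing every state a MIPv6 session needs in one request lets it pass. The addresses are constructed documentation-prefix values and the chosen pinhole set is this example's assumption, not the draft's.

```python
from __future__ import annotations
from dataclasses import dataclass

# Protocol numbers: IPv6-in-IPv6 (41) is what MN<->HA reverse tunnelling uses;
# the Mobility Header (135) carries HoTI/CoTI and Binding Update messages.
IPV6_IN_IPV6, UDP, MOBILITY_HEADER = 41, 17, 135

# Constructed addresses (RFC 3849 documentation prefix), not taken from the draft.
HOA_A = "2001:db8:1::a"    # Mobile Node A: Home Address, announced to B via SDP
COA_A = "2001:db8:2::a"    # Mobile Node A: Care-of Address in the protected net
HA = "2001:db8:1::ha"      # A's Home Agent
NODE_B = "2001:db8:3::b"   # correspondent node B in the public Internet


@dataclass(frozen=True)
class Flow:
    """3-tuple the firewall matches on the OUTER IPv6 header only."""
    src: str
    dst: str
    proto: int


class Firewall:
    def __init__(self) -> None:
        self.pinholes = set()

    def open_pinholes(self, *flows: Flow) -> None:
        self.pinholes.update(flows)

    def allows(self, pkt: Flow) -> bool:
        return pkt in self.pinholes   # no matching state -> packet dropped


def sdp_pinholes() -> tuple[Flow, ...]:
    """Slide 4: the SIP proxy opens pinholes for the address in the SDP, the HoA."""
    return (Flow(NODE_B, HOA_A, UDP), Flow(HOA_A, NODE_B, UDP))


def mip6_pinholes() -> tuple[Flow, ...]:
    """Slide 9: states one MIPv6 session needs, installed with a single request (assumed set)."""
    return (
        Flow(HA, COA_A, IPV6_IN_IPV6), Flow(COA_A, HA, IPV6_IN_IPV6),                # reverse tunnel
        Flow(COA_A, NODE_B, MOBILITY_HEADER), Flow(NODE_B, COA_A, MOBILITY_HEADER),  # CoTI/CoT, BU
        Flow(COA_A, NODE_B, UDP), Flow(NODE_B, COA_A, UDP),                          # route-optimised media
    )


def verdicts(fw: Firewall) -> list[bool]:
    """Slide 4 media as the firewall sees it while A reverse-tunnels through the HA."""
    downlink = Flow(HA, COA_A, IPV6_IN_IPV6)   # HA encapsulates B->HoA towards the CoA
    uplink = Flow(COA_A, HA, IPV6_IN_IPV6)     # MN encapsulates HoA->B towards the HA
    return [fw.allows(downlink), fw.allows(uplink)]
```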

Slide 10: Next steps
- Feedback?
- Can the requirements be addressed by the NAT FW NSLP?

