RSIP Address Sharing with End-to-End Security Mike Borella, 3Com Corp. Gabriel Montenegro, Sun Microsystems March 2000.

1 (Title slide) RSIP Address Sharing with End-to-End Security, Mike Borella (3Com Corp.) and Gabriel Montenegro (Sun Microsystems), March 2000

2 Where is the Network Edge?
Realm Specific IP page 2
 Yesterday:
  – Corporations
  – Universities
 Today:
  – Homes
  – Cell phones, PDAs
 Tomorrow:
  – Everywhere
     Hotels
     Airports
     Conference centers
     “Gas stations on the Information Superhighway”

3 The Expansion of the Edge has Accelerated the IP Address Shortage
 About 4 billion addresses in total, but...
  – Heavy allocation to North America and Europe
  – Many unused (old Class A blocks)
  – Limited by routing architecture (prefixes, CIDR)
  – Conservative allocation policies: typically must demonstrate both need and usage
 Heterogeneous allocation makes an exact count of address-space usage intractable
  – Perhaps as many as 50% unallocated
  – Given current growth trends, these wouldn’t last long on the open market

4 The Solution So Far… Network Address Translation (NAT)
 Multiple hosts share one address
  – NAT router rewrites packet headers to the same public IP
  – Application proxies (ALGs) needed for protocols that carry addresses and ports in their payload
 On the down side...
  – Difficult to maintain and manage
  – Breaks IPsec -> no VPNs through NAT (AH integrity covers the IP header the NAT rewrites; ESP hides the ports the NAT keys on)
  – Doesn’t work well with many next-generation protocols: mobile IP, multicast, RSVP, etc.
 Nonetheless, very widespread deployment

5 NAT in a Nutshell
(Figure: private host 10.0.0.4 sends through the NAT router at 10.0.0.1, which forwards from its public address 149.112.240.55)

6 NAT Needs ALGs for Address and Port Content in the Payload
FTP control packet from a private host arriving at the NAT router:
  IP header:  source IP address 10.0.0.4, destination IP address 192.156.136.22
  TCP header: source TCP port 1025, destination TCP port 21
  Payload:    IP = 10.0.0.4, Port = 1026 (the FTP PORT command)
The router has to figure out the protocol, look into the packet, translate the addresses and ports in the payload, change the TCP sequence number (the rewritten payload changes length) and maintain a running delta for the lifetime of the connection… yuck!
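What that "yuck" amounts to in code, as an added example (not code from the slides): a minimal FTP PORT-command ALG of the kind a NAT router needs for the packet above. The addresses follow the slide's figure (private host 10.0.0.4, NAT public address 149.112.240.55); the public data port chosen by the assumed `bind_port` callback and the segment contents are constructed for illustration.

```python
"""FTP PORT-command ALG of the kind a NAT router needs for slide 6.

Added example, not code from the slides. Addresses follow the slide's figure
(private host 10.0.0.4, NAT public address 149.112.240.55); the public data
port and the segment contents are constructed for illustration.
"""
import re

PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")


def encode_port(ip: str, port: int) -> bytes:
    """FTP PORT argument is h1,h2,h3,h4,p1,p2 with port = p1*256 + p2."""
    return ("PORT %s,%d,%d\r\n" % (ip.replace(".", ","), port >> 8, port & 0xFF)).encode()


def decode_port(line: bytes):
    """Return (ip, port) carried by a PORT command, or None for any other command."""
    m = PORT_RE.fullmatch(line)
    if not m:
        return None
    fields = [g.decode() for g in m.groups()]
    return ".".join(fields[:4]), int(fields[4]) * 256 + int(fields[5])


class FtpAlg:
    """Rewrites PORT commands on the private->public path and tracks the TCP
    sequence-number delta that the rewrite forces on the rest of the connection."""

    def __init__(self, public_ip: str, bind_port):
        self.public_ip = public_ip
        self.bind_port = bind_port      # callable (private ip, private port) -> public port
        self.seq_delta = {}             # control connection -> accumulated byte delta
        self.data_bindings = {}         # (public ip, public port) -> (private ip, private port)

    def outbound(self, conn, seq: int, payload: bytes):
        """Translate one outbound control segment; returns (new seq, new payload)."""
        delta = self.seq_delta.get(conn, 0)
        parsed = decode_port(payload)
        if parsed is None:
            return seq + delta, payload          # not a PORT command: shift only
        priv_ip, priv_port = parsed
        pub_port = self.bind_port(priv_ip, priv_port)
        # The server will open the data connection to this public tuple, so the
        # NAT must already know where to deliver it before the command goes out.
        self.data_bindings[(self.public_ip, pub_port)] = (priv_ip, priv_port)
        new_payload = encode_port(self.public_ip, pub_port)
        # A longer (or shorter) command shifts every later byte of the stream:
        # keep a running delta for the lifetime of the connection.
        self.seq_delta[conn] = delta + len(new_payload) - len(payload)
        return seq + delta, new_payload

    def inbound_ack(self, conn, ack: int) -> int:
        """The server ACKs the rewritten stream; undo the shift for the private host."""
        return ack - self.seq_delta.get(conn, 0)


if __name__ == "__main__":
    # Constructed sample: host 10.0.0.4 announces data port 1026 on its control connection.
    alg = FtpAlg("149.112.240.55", bind_port=lambda ip, port: port + 39000)
    print(alg.outbound("ctl", 1000, b"PORT 10,0,0,4,4,2\r\n"))
    print(alg.outbound("ctl", 1019, b"LIST\r\n"))
```

The inspect, rewrite and re-sequence cycle has to be repeated per protocol that embeds addresses (and retransmissions, segment boundaries inside a command and EPRT/PASV variants all add cases); RSIP avoids the whole class of problem because the host writes the public tuple into the payload itself.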

7 Realm Specific IP (RSIP)
 RSIP goals
  – Alternative to NAT on the same network architecture
  – Less computation at the router
  – No need for ALGs
  – IPsec integration possible
 Use header tuples (e.g., ports, SPIs) to extend the IP address space
  – IP addresses and tuples from the public routing realm are leased by private hosts
  – Assignments are made such that incoming packets can always be demultiplexed properly

8 RSIP in a Nutshell
(Figure: private host 10.0.0.4, RSIP router at 10.0.0.1 with public address 149.112.240.55)
Binding table at the RSIP router:
  Local SRC IP    Assigned IP       Assigned Port   DST IP            DST Port
  10.0.0.4        149.112.240.55    1192            192.156.136.22    80

9 RSIP vs. NAT
 Similarities
  – Demultiplex on tuples (e.g., addresses, port numbers)
  – Mapping kept by server/router
 Differences
  – NAT: router modifies packets, host oblivious
  – RSIP: host asks router how to make packets “Internet ready”
  – NAT: no modifications to host, protocol support in router
  – RSIP: host modified, but no protocol support required in router

10 RSIP Protocol
 Lightweight negotiation of arbitrary parameters between RSIP servers and hosts
  – “Network” and “control” resources
  – Vendor-specific parameters
  – Error reporting
  – Transport agnostic: may be TCP or UDP (we use port 4455)
 Message and parameter formats allow extensibility beyond our specification
  – E.g., IPsec SPIs, ISAKMP cookies, PPTP call IDs, etc.

11 Registration
(Figure: host 10.0.0.4, RSIP server at 10.0.0.1 with public address 149.112.240.55)
  Host -> Server: REGISTRATION_REQUEST
  Server -> Host: REGISTRATION_RESPONSE (client ID = 2, flow policy = local micro, remote macro)

12 Assignment
(Figure: same host and RSIP server)
  Host -> Server: ASSIGN_REQUEST_RSAP-IP (client ID = 2, local addr = X, local port = X, remote addr = 128.153.4.3, remote port = X)
  Server -> Host: ASSIGN_RESPONSE_RSAP-IP (client ID = 2, bind ID = 1, local addr = 149.112.240.55, local port = 12345, remote addr = 128.153.4.3, remote port = X, lease = 3600, tunnel = IPIP)
  (X = unspecified)
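The registration and assignment exchange of slides 11 and 12, and the demultiplexing guarantee of slide 7, as an added example that is not code from the slides or from the RSIP drafts. It uses the message names and parameter values the slides show, not the wire encoding of draft-ietf-nat-rsip-protocol; the port pool starting at 12345, the simulated lease clock, the dictionary "packets", the `client_id` carried on the tunnel (standing in for identifying the client by the tunnel it arrived on) and the fact that flow policy is recorded but not enforced are all assumptions made for illustration.

```python
"""Model of the RSIP registration and assignment exchange on slides 11-12.

Added example, not code from the slides or from the RSIP drafts: it uses the
message names and values the slides show, not the wire encoding of
draft-ietf-nat-rsip-protocol. The port pool starting at 12345, the simulated
lease clock and the dictionary "packets" are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Optional

X = None   # the slides' "X": a parameter the client leaves for the server to choose


@dataclass
class Binding:
    client_id: int
    bind_id: int
    local_addr: str               # public address leased to the client
    local_port: int               # public port leased to the client
    remote_addr: Optional[str]
    remote_port: Optional[int]
    expires: float                # simulated time at which the lease ends
    tunnel: str = "IPIP"


class RsipServer:
    def __init__(self, public_addrs, port_range=(12345, 65536), lease=3600):
        self.public_addrs = list(public_addrs)
        self.port_range = port_range
        self.lease = lease
        self.clients = {}          # client_id -> flow policy (recorded, not enforced here)
        self.bindings = {}         # (local_addr, local_port) -> Binding
        self.next_client = 1
        self.next_bind = 1
        self.now = 0.0             # simulated clock, seconds

    def tick(self, seconds):
        """Advance the clock; expired leases return their tuple to the pool."""
        self.now += seconds
        for key, b in list(self.bindings.items()):
            if b.expires <= self.now:
                del self.bindings[key]

    def registration_request(self, flow_policy=("local micro", "remote macro")):
        """REGISTRATION_REQUEST -> REGISTRATION_RESPONSE (client ID, flow policy)."""
        cid = self.next_client
        self.next_client += 1
        self.clients[cid] = flow_policy
        return {"client_id": cid, "flow_policy": flow_policy}

    def assign_request_rsap_ip(self, client_id, local_addr=X, local_port=X,
                               remote_addr=X, remote_port=X):
        """ASSIGN_REQUEST_RSAP-IP -> ASSIGN_RESPONSE_RSAP-IP.

        Leases a public (address, port) tuple that no live binding uses, so every
        inbound packet maps to exactly one client without any header rewriting."""
        if client_id not in self.clients:
            return {"error": "unregistered client"}
        addrs = [local_addr] if local_addr is not X else self.public_addrs
        for addr in addrs:
            ports = [local_port] if local_port is not X else range(*self.port_range)
            for port in ports:
                if (addr, port) in self.bindings:
                    continue
                b = Binding(client_id, self.next_bind, addr, port,
                            remote_addr, remote_port, self.now + self.lease)
                self.next_bind += 1
                self.bindings[(addr, port)] = b
                return {"client_id": client_id, "bind_id": b.bind_id,
                        "local_addr": addr, "local_port": port,
                        "remote_addr": remote_addr, "remote_port": remote_port,
                        "lease": self.lease, "tunnel": b.tunnel}
        return {"error": "no free tuple"}   # requested tuple in use, or pool exhausted

    def forward_outbound(self, tunnel_pkt):
        """Decapsulate a client's tunnelled packet and forward the inner packet
        unchanged, but only if its source tuple is a live binding of that client."""
        inner = tunnel_pkt["inner"]
        b = self.bindings.get(inner["src"])
        if b is None or b.client_id != tunnel_pkt["client_id"]:
            return None                      # spoofed, expired or foreign tuple: drop
        return inner

    def demux_inbound(self, dst_addr, dst_port):
        """Which client owns a packet arriving for (dst_addr, dst_port)?"""
        b = self.bindings.get((dst_addr, dst_port))
        return None if b is None else b.client_id


def client_outbound(client_id, assignment, remote, payload, server_addr="10.0.0.1"):
    """The RSIP host writes the leased public tuple into its own packet and tunnels
    it (here IPIP) to the RSIP server; no ALG or header rewriting is needed."""
    inner = {"src": (assignment["local_addr"], assignment["local_port"]),
             "dst": remote, "payload": payload}
    return {"client_id": client_id, "tunnel": assignment["tunnel"],
            "outer_dst": server_addr, "inner": inner}
```

The check in `forward_outbound` is the one a practitioner wants at the server: because the host, not the router, writes the public source tuple, the server must refuse inner packets whose source tuple is not a live binding of the tunnel they arrived on, otherwise one private host can emit traffic with another host's lease (or an expired one) and the demultiplexing guarantee for the return traffic is lost.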

13 IPsec
 Two related, but independent modules:
  – Secure encapsulation and transport (ESP, AH): rather straightforward
  – Secure key exchange (IKE, ISAKMP, OAKLEY): rather complicated

14 IPsec Encapsulation and Transport (figure only)

15 RSIP with IPsec
 ESP encrypts all ports (the transport header is inside the encrypted payload): can’t use them to demultiplex!
  – Use the SPI instead: it is sent in the clear in the ESP header, and since each side chooses the SPI of its own inbound SA, the RSIP server can lease each client a unique one
  – Additional negotiation: ASSIGN_REQUEST_RSIPSEC
 IPsec client module must:
  – Use an ephemeral IKE source port
     Otherwise I-Cookie routing is necessary (every client behind the shared address would receive IKE replies on UDP 500, so the server must demultiplex on the ISAKMP initiator cookie) - more negotiation
     Using the default IKE port may cause rekeying problems
  – Acquire SPI values from the RSIP module
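Inbound demultiplexing at the RSIP server for the three cases this slide distinguishes (plain TCP/UDP on a leased port, ESP keyed on the leased SPI, and IKE keyed on either the ephemeral port or the initiator cookie), as an added example that is not code from the slides. The packets are constructed inline with `struct`; the "ciphertext" is filler bytes, not real encryption, and the client labels and the SPI/port/cookie values are assumptions for illustration.

```python
"""Inbound demultiplexing at an RSIP server when clients run IPsec (slide 15).

Added example, not code from the slides. With ESP the TCP/UDP header is inside
the encrypted payload, so the server keys on the SPI, which travels in the
clear and which the RSIP module leased to the client; IKE replies are keyed on
the UDP destination port when the client used an ephemeral IKE source port,
and on the ISAKMP initiator cookie when it used port 500. All packets are
constructed inline; the "ciphertext" is filler bytes, not real encryption.
"""
import struct

PROTO_TCP, PROTO_UDP, PROTO_ESP = 6, 17, 50
IKE_PORT = 500


def ip2b(a):
    return bytes(int(x) for x in a.split("."))


def ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum 0: never actually routed)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ip2b(src), ip2b(dst)) + payload


def tcp(sport, dport):
    """20-byte TCP header, SYN, no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def esp(spi, seq, ciphertext):
    """ESP header: SPI and sequence number in the clear, everything after encrypted."""
    return struct.pack("!II", spi, seq) + ciphertext


class IpsecDemux:
    def __init__(self):
        self.by_port = {}      # (proto, dst port) -> client
        self.by_spi = {}       # inbound SPI leased via ASSIGN_REQUEST_RSIPSEC -> client
        self.by_icookie = {}   # ISAKMP initiator cookie -> client (needed only for port 500)

    def classify(self, pkt):
        """Return (key used, client) for one inbound packet; client is None if unknown."""
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        body = pkt[ihl:]
        if proto == PROTO_ESP:
            spi = struct.unpack("!I", body[:4])[0]
            return ("esp", spi), self.by_spi.get(spi)
        if proto in (PROTO_TCP, PROTO_UDP):
            sport, dport = struct.unpack("!HH", body[:4])
            if proto == PROTO_UDP and dport == IKE_PORT:
                # Every IKE client behind this address would be listening on 500:
                # only the initiator cookie (first 8 bytes of ISAKMP) tells them apart.
                icookie = body[8:16]
                return ("ike-cookie", icookie), self.by_icookie.get(icookie)
            return (proto, dport), self.by_port.get((proto, dport))
        return ("other", proto), None


def ports_as_if_tcp(pkt):
    """What a port-based demultiplexer would 'see' in an ESP packet: the first
    bytes of ciphertext, not the real ports, which is why ports cannot be the key."""
    ihl = (pkt[0] & 0x0F) * 4
    return struct.unpack("!HH", pkt[ihl + 8:ihl + 12])
```

The I-Cookie path is the "more negotiation" the slide refers to: the server can only populate `by_icookie` if the client tells it the cookie of each IKE exchange it starts, whereas with an ephemeral IKE source port the reply lands on a port the client already leased through the ordinary ASSIGN_REQUEST_RSAP-IP exchange.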

16 Remote Access from Airport Kiosk
(Figure: Mobile Client on the Airport LAN, behind a NAT Router, reaching the Corporate Network across the Internet)

17 Secure VPN Enabled by RSIP
(Figure: Mobile Client w/ RSIP on the Airport LAN, behind an RSIP Router, with a Secure Virtual Tunnel across the Internet to the Corporate Network)

18 RSIP and IPv6?
 Part of a dual-stack transition mechanism?

19 Current Status in the IETF
 draft-ietf-nat-rsip-protocol-06.txt
 draft-ietf-nat-rsip-framework-04.txt
 draft-ietf-nat-rsip-ipsec-03.txt
 draft-ietf-nat-rsip-slp-00.txt
 draft-ietf-dhc-nextserver-02.txt
