Traversing HIP-aware NATs and Firewalls: Problem Statement and Requirements
1
Traversing HIP-aware NATs and Firewalls: Problem
Statement and Requirements
  • <draft-tschofenig-hiprg-hip-natfw-traversal-03.txt>
  • Hannes Tschofenig, Murugaraj Shanmugam

2
Acknowledgments
  • The authors would like to thank
    • Aarthi Nagarajan
    • Vesa Torvinen
    • Jochen Grimminger and
    • Jukka Ylitalo
  • for their contributions to this document.

3
Timeline
  • Draft revisions: Indiv-00, Indiv-01, Indiv-02, Indiv-03
  • HIPRG presentations: IETF-61, IETF-62, IETF-63, IETF-64
4
Assumptions, Requirements and Goals
  • Assumption of this work: the middlebox is HIP aware
  • HIP-aware NAT/FWs need to
    • Intercept HIP messages (discovery part)
      • Base exchange
      • Readdressing messages
    • Establish soft state (signaling part) to
      • Build a packet filter
      • Establish a NAT binding
    • Authorize the requesting HIP nodes before
      creating a NAT binding or FW pinhole and provide
      DoS attack resistance for signaling to the
      middlebox (security part)

5
Interception at Network Address Translation
  • Nice property of the NAT: all HIP messages flow
    through it.
  • Interception of SPI in I2 and R2: construct
    FlowID with IP and SPI
  • Needs to work for base exchange and also for
    re-addressing exchange
  • State changes at NAT need to be secure to prevent
    DoS attacks

  (Figure: base exchange through the NAT)
  Initiator --I1--> NAT --I1--> Responder   NAT intercepts HIT, IP
  Initiator <--R1-- NAT <--R1-- Responder
  Initiator --I2--> NAT --I2--> Responder   NAT intercepts SPI
  Initiator <--R2-- NAT <--R2-- Responder   NAT intercepts SPI
6
Interception at Firewalls
  • Routing asymmetry might cause problems in some
    cases
  • Firewalls need to learn the correct SPI values.
    • Data traffic
      • I → R: SPI(R)
      • I ← R: SPI(I)
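
The interception and filtering behaviour sketched on slides 4 to 6, as an added example that is not part of the original slides or of the draft: a simulated HIP-aware middlebox in Python that records HITs and IP addresses from I1, learns SPI(I) from I2 and SPI(R) from R2, installs FlowIDs built from (IP, SPI) only once the base exchange completes, re-keys them on a readdressing UPDATE, and forwards ESP packets only when their FlowID matches the expected direction (I → R carries SPI(R), I ← R carries SPI(I)). The message layout, the addresses, the HIT labels, the SPI values and the assumption that UPDATE signatures are verified before the message reaches this logic are all constructed for the example and are not taken from the draft.

```python
# Simulated HIP-aware middlebox (constructed example): intercepts the base
# exchange, builds FlowIDs from (IP, SPI) and filters ESP packets on them.
from collections import namedtuple
from dataclasses import dataclass

# HIP control message (simplified): spi is the sender's inbound SPI, carried
# in I2 (SPI(I)) and R2 (SPI(R)); kind is "I1", "R1", "I2", "R2" or "UPDATE".
HipMsg = namedtuple("HipMsg", "kind src_ip dst_ip src_hit dst_hit spi", defaults=[None])
EspPacket = namedtuple("EspPacket", "src_ip dst_ip spi")  # data packet as seen on the wire

@dataclass
class Association:
    init_ip: str
    resp_ip: str
    init_hit: str
    resp_hit: str
    spi_i: int = 0     # chosen by the initiator, seen on R -> I packets (0 = not yet learned)
    spi_r: int = 0     # chosen by the responder, seen on I -> R packets
    stage: str = "I1"  # last message of the exchange that was accepted

NEXT = {"I1": "R1", "R1": "I2", "I2": "R2"}  # expected message order

class HipAwareMiddlebox:
    def __init__(self):
        self.pending = {}      # (init HIT, resp HIT) -> Association, exchange in progress
        self.established = {}  # (init HIT, resp HIT) -> Association, exchange complete
        self.flows = {}        # FlowID (dst IP, SPI) -> (init HIT, resp HIT): pinholes/bindings

    def _install(self, a):
        key = (a.init_hit, a.resp_hit)
        self.flows[(a.resp_ip, a.spi_r)] = key  # I -> R packets carry SPI(R)
        self.flows[(a.init_ip, a.spi_i)] = key  # I <- R packets carry SPI(I)

    def intercept(self, msg):
        """Process one HIP control message; True means it is forwarded."""
        if msg.kind == "UPDATE":
            return self._readdress(msg)
        from_init = msg.kind in ("I1", "I2")
        key = (msg.src_hit, msg.dst_hit) if from_init else (msg.dst_hit, msg.src_hit)
        if msg.kind == "I1":
            # Discovery only: record HITs and IPs. No pinhole or binding exists yet,
            # so a flood of unsolicited I1s cannot open anything that carries data.
            self.pending[key] = Association(msg.src_ip, msg.dst_ip, msg.src_hit, msg.dst_hit)
            return True
        a = self.pending.get(key)
        if a is None or NEXT.get(a.stage) != msg.kind:
            return False  # unknown exchange or out-of-order message: drop
        if msg.src_ip != (a.init_ip if from_init else a.resp_ip):
            return False  # not sent from the address seen at I1: drop
        if msg.kind in ("I2", "R2") and not msg.spi:
            return False  # the SPI is what the FlowID is built from
        if msg.kind == "I2":
            a.spi_i = msg.spi
        elif msg.kind == "R2":
            a.spi_r = msg.spi
            # Exchange complete: only now create packet-filter / binding state.
            self.established[key] = self.pending.pop(key)
            self._install(a)
        a.stage = msg.kind
        return True

    def _readdress(self, msg):
        # Re-key the FlowIDs of a host that moved. Assumed: the UPDATE's HIP
        # signature was verified before the message reached this logic.
        for key, a in self.established.items():
            if msg.src_hit in key:
                self.flows.pop((a.resp_ip, a.spi_r), None)
                self.flows.pop((a.init_ip, a.spi_i), None)
                if msg.src_hit == a.init_hit:
                    a.init_ip = msg.src_ip
                else:
                    a.resp_ip = msg.src_ip
                self._install(a)
                return True
        return False

    def allow(self, pkt):
        return (pkt.dst_ip, pkt.spi) in self.flows  # packet filter on FlowID

def run_demo():
    """Constructed exchange: initiator 10.0.0.1 (hit-I), responder 192.0.2.7 (hit-R)."""
    mb = HipAwareMiddlebox()
    ip_i, ip_r, hit_i, hit_r = "10.0.0.1", "192.0.2.7", "hit-I", "hit-R"
    r = {}
    r["closed_after_i1"] = (mb.intercept(HipMsg("I1", ip_i, ip_r, hit_i, hit_r))
                            and not mb.allow(EspPacket(ip_i, ip_r, 0x2222)))
    r["exchange_ok"] = all(mb.intercept(m) for m in [
        HipMsg("R1", ip_r, ip_i, hit_r, hit_i),
        HipMsg("I2", ip_i, ip_r, hit_i, hit_r, spi=0x1111),    # SPI(I)
        HipMsg("R2", ip_r, ip_i, hit_r, hit_i, spi=0x2222)])   # SPI(R)
    r["i_to_r_uses_spi_r"] = mb.allow(EspPacket(ip_i, ip_r, 0x2222))
    r["r_to_i_uses_spi_i"] = mb.allow(EspPacket(ip_r, ip_i, 0x1111))
    r["wrong_direction_dropped"] = not mb.allow(EspPacket(ip_i, ip_r, 0x1111))
    r["stray_i2_dropped"] = not mb.intercept(
        HipMsg("I2", "198.51.100.9", ip_r, "hit-X", hit_r, spi=0x3333))  # no I1 was seen
    r["readdress_ok"] = mb.intercept(HipMsg("UPDATE", "10.0.0.99", ip_r, hit_i, hit_r))
    r["new_addr_open"] = mb.allow(EspPacket(ip_r, "10.0.0.99", 0x1111))
    r["old_addr_closed"] = not mb.allow(EspPacket(ip_r, ip_i, 0x1111))
    return r
```

Every entry of `run_demo()` comes back True. Keeping I1 out of the flow table is what gives the "state changes need to be secure" point on slide 5 its teeth: an unauthenticated I1 only creates a small pending record, later messages must arrive in order and from the addresses seen at I1, and nothing is forwarded until R2 completes the exchange. The readdressing path reuses the same FlowID construction, which is what the slide means by needing the mechanism to work for both the base exchange and the re-addressing exchange.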

7
Authorization at NAT
  • Identity or non-identity based authorization
  • Non-identity based authorization would be
    convenient since
    • The Host Identity might change
    • Host Identities might be ephemeral
  • Authorization is likely to be required for
    outside-to-inside firewall traversal

8
Next Steps
  • Reflect Call-Home Presentations
  • Is the research group interested in this
    document?

9
Questions?