rfc2356.txt

RFC 2356      Sun's SKIP Firewall Traversal for Mobile IP      June 1998

   This is not a simple rule triggered by a given destination address.
   It must be applied whenever the following conditions are met:

      a)   the mobile node is using a care-of address that does not
           belong to the private network (i.e. the mobile node is
           currently "outside" its private network), and

      b)   either of:

           b1)   the source address of the packet is the mobile node's
                 home address (e.g. this packet's endpoints are
                 dictated by a connection initiated while at home), or

           b2)   the source address of the packet is the care-of
                 address and the destination address belongs to the
                 private network

   Since the above conditions are mobility related, it is best for the
   Mobile IP function in the node to evaluate them, and then request the
   appropriate security services from SKIP.

7.1.1. On the Outside (Public) Network

   The SKIP module must use the firewall destination address and the
   firewall's certificate in order to address and encrypt the packet.
   It encrypts it using SKIP combined with the ESP [6] protocol and
   possibly the AH [7] protocol.

   The SKIP header's source NSID equals 1, indicating that the Master
   Key-ID is the mobile node's home address. Notice that the IP packet's
   source address corresponds to the care-of address -- an address whose
   corresponding public component is unknown to the firewall.

   It is also possible to use Unsigned Diffie-Hellman public components
   [10].  Doing so greatly reduces SKIP's infrastructure requirements,
   because there is no need for a Certificate Authority. Of course, for
   this to be possible the principals' names MUST be securely
   communicated.
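The following is an added example, not code from RFC 2356 or from Sun's SKIP implementation. It evaluates conditions a), b1) and b2) above inside the Mobile IP function and, when they hold, produces the outer addressing the SKIP module needs for the outside network (care-of address as outer source, the firewall's public address as outer destination, source NSID = 1 with the home address as Master Key-ID, destination NSID = 0). The same check covers the data-packet case of Section 8.1, which is conditions a) and b1). All function names, the private network and the sample addresses are constructed for the example.

```python
"""Added example (not part of RFC 2356): the Section 7.1 traversal rule and
the SKIP addressing it leads to. Names and sample addresses are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class SkipAddressing:
    """What the Mobile IP function hands to the SKIP module (Section 7.1.1)."""
    outer_src: IPv4Address          # mobile node's care-of address
    outer_dst: IPv4Address          # firewall's public (outside) address
    src_nsid: int                   # 1: Master Key-ID is the mobile node's home address
    src_master_key_id: IPv4Address  # the home address itself
    dst_nsid: int                   # 0: no Master Key-ID; the firewall's address names it


def needs_firewall_traversal(src, dst, home_addr, care_of, private_net: IPv4Network) -> bool:
    """Section 7.1 rule: a) the care-of address lies outside the private
    network, AND either b1) the source is the home address, or b2) the
    source is the care-of address and the destination is inside."""
    src, dst = ip_address(src), ip_address(dst)
    cond_a = ip_address(care_of) not in private_net
    cond_b1 = src == ip_address(home_addr)
    cond_b2 = src == ip_address(care_of) and dst in private_net
    return cond_a and (cond_b1 or cond_b2)


def skip_addressing_for(src, dst, home_addr, care_of, private_net, fw_public):
    """Outer addressing for a packet that must go via the firewall, or None
    when the packet can be sent without SKIP firewall traversal."""
    if not needs_firewall_traversal(src, dst, home_addr, care_of, private_net):
        return None
    return SkipAddressing(
        outer_src=ip_address(care_of),
        outer_dst=ip_address(fw_public),
        src_nsid=1,
        src_master_key_id=ip_address(home_addr),
        dst_nsid=0,
    )


# Constructed sample topology (documentation address ranges, not real hosts).
PRIVATE_NET = ip_network("192.0.2.0/24")   # the private network
HOME = "192.0.2.10"                        # mobile node's home address
HOME_AGENT = "192.0.2.1"                   # home agent, inside the private network
CARE_OF = "198.51.100.7"                   # co-located care-of address, outside
FW_PUBLIC = "203.0.113.1"                  # firewall's public (outside) address

if __name__ == "__main__":
    # b1: a connection started at home keeps the home address as source.
    print(skip_addressing_for(HOME, "192.0.2.20", HOME, CARE_OF, PRIVATE_NET, FW_PUBLIC))
    # b2: the Registration Request, care-of address -> home agent.
    print(skip_addressing_for(CARE_OF, HOME_AGENT, HOME, CARE_OF, PRIVATE_NET, FW_PUBLIC))
    # Neither: care-of address to an outside host needs no traversal.
    print(skip_addressing_for(CARE_OF, "198.51.100.99", HOME, CARE_OF, PRIVATE_NET, FW_PUBLIC))
```

Note that condition a) is evaluated on the care-of address, not on the packet, so the same packet (home address to an inside host) is sent in the clear while the node is at home and through the firewall once it roams.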
   REGISTRATION REQUEST: BETWEEN THE MOBILE NODE AND THE FIREWALL

   +---------------+----------+----+-----+--------------+--------------+
   | IP Hdr (SKIP) | SKIP Hdr | AH | ESP | Inner IP Hdr | Reg. Request |
   +---------------+----------+----+-----+--------------+--------------+

     IP Hdr (SKIP):
        Source          mobile node's care-of address
        Destination     firewall's public (outside) address

Montenegro & Gupta           Informational                     [Page 13]

     SKIP Hdr:
        Source          NSID = 1
                        Master Key-ID = IPv4 address of the mobile node
        Destination     NSID = 0
                        Master Key-ID = none

     Inner IP Hdr:
        Source          mobile node's care-of address
        Destination     home agent's address

7.1.2. On the Inside (Private) Network

   The SKIP Firewall's dynamic packet filtering uses this information to
   establish a dynamic binding between the care-of address and the
   mobile node's permanent home address.

   The destination NSID field in the above packet is zero, prompting the
   firewall to process the SKIP header and recover the internal packet.
   It then delivers the original packet to another outbound interface,
   because it is addressed to the home agent (an address within the
   private network). Assuming secure channel configuration number 4, the
   firewall encrypts the packet using SKIP before forwarding to the home
   agent.

   REGISTRATION REQUEST: BETWEEN THE FIREWALL AND THE HOME AGENT

   +---------------+----------+----+-----+--------------+--------------+
   | IP Hdr (SKIP) | SKIP Hdr | AH | ESP | Inner IP Hdr | Reg. Request |
   +---------------+----------+----+-----+--------------+--------------+

     IP Hdr (SKIP):
        Source          firewall's private (inside) address
        Destination     home agent's address

     SKIP Hdr:
        Source          NSID = 0
                        Master Key-ID = none
        Destination     NSID = 0
                        Master Key-ID = none

     Inner IP Hdr:
        Source          mobile node's care-of address
        Destination     home agent's address

7.2. Registration Reply through the Firewall

   The home agent processes the Registration Request, and composes a
   Registration Reply. Before responding, it examines the care-of
   address reported by the mobile node, and determines whether or not it
   corresponds to an outside address.  If so, the home agent needs to
   send all traffic back through the firewall.  The home agent can
   accomplish this by encapsulating the original Registration Reply in a
   SKIP packet destined to the firewall (i.e. we assume secure channel
   configuration number 4).

7.2.1. On the Inside (Private) Network

   The packet from the home agent to the mobile node via the SKIP
   Firewall has the same format as shown above. The relevant fields are:

   REGISTRATION REPLY: BETWEEN THE HOME AGENT AND THE FIREWALL

   +---------------+----------+----+-----+--------------+------------+
   | IP Hdr (SKIP) | SKIP Hdr | AH | ESP | Inner IP Hdr | Reg. Reply |
   +---------------+----------+----+-----+--------------+------------+

     IP Hdr (SKIP):
        Source          home agent's address
        Destination     firewall's private (inside) address

     SKIP Hdr:
        Source          NSID = 0
                        Master Key-ID = none
        Destination     NSID = 0
                        Master Key-ID = none

     Inner IP Hdr:
        Source          home agent's address
        Destination     mobile node's care-of address

7.2.2. On the Outside (Public) Network

   The SKIP Firewall recovers the original Registration Reply packet and
   looks at the destination address: the mobile node's care-of address.
   The SKIP Firewall's dynamic packet filtering used the initial
   Registration Request (Section 7.1) to establish a dynamic mapping
   between the care-of address and the mobile node's Master Key-ID.
   Hence, before forwarding the Registration Reply, it encrypts it using
   the mobile node's public component.

   This dynamic binding capability and the use of tunneling mode ESP
   obviate the need to extend the Mobile IP protocol with a "relay
   Registration Request". However, it requires that the Registration
   Reply exit the private network through the same firewall that
   forwarded the corresponding Registration Request.

   Instead of obtaining the mobile node's permanent address from the
   dynamic binding, a Mobile IP aware firewall could also obtain it from
   the Registration Reply itself. This renders the firewall stateless,
   and lets Registration Requests and Replies traverse the periphery of
   the private network through different firewalls.

   REGISTRATION REPLY: BETWEEN THE FIREWALL AND THE MOBILE NODE

   +---------------+----------+----+-----+--------------+------------+
   | IP Hdr (SKIP) | SKIP Hdr | AH | ESP | Inner IP Hdr | Reg. Reply |
   +---------------+----------+----+-----+--------------+------------+

     IP Hdr (SKIP):
        Source          firewall's public (outside) address
        Destination     mobile node's care-of address

     SKIP Hdr:
        Source          NSID = 0
                        Master Key-ID = none
        Destination     NSID = 1
                        Master Key-ID = IPv4 addr of the mobile node

     Inner IP Hdr:
        Source          home agent's address
        Destination     mobile node's care-of address

7.3. Traversal Extension

   The Traversal Extension MAY be included by mobile nodes in
   Registration Requests, and by home agents in Registration Replies.
   As per Section 3.6.1.3 of [1], the Traversal Extension must appear
   before the Mobile-Home Authentication Extension.  A Traversal
   Extension is an explicit notification that there are one or more
   traversal points (firewalls, fireridges, etc) between the mobile node
   and its home agent. Negotiating access past these systems may imply a
   new authentication header, and possibly a new encapsulating header
   (perhaps as part of tunnel-mode ESP) whose IP destination address is
   the traversal address.

   Negotiating access past traversal points does not necessarily require
   cryptographic techniques.  For example, systems at the boundary
   between separate IP address spaces must be explicitly targeted
   (perhaps using unencrypted IP in IP encapsulation).

   A mobile node SHOULD include one Traversal Extension per traversal
   point in its Registration Requests. If present, their order MUST
   exactly match the order in which packets encounter them as they flow
   from the mobile node towards the home agent.
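Returning to the firewall side of Sections 7.1.2 and 7.2.2 above, the following is an added example, not code from RFC 2356 or from the SKIP Firewall product. It models the dynamic binding as a table keyed by care-of address: the inbound Registration Request (source NSID = 1) installs the mobile node's Master Key-ID, and the outbound Registration Reply looks it up by its destination address to select NSID = 1 plus that Master Key-ID. A lookup that fails reproduces the limitation the text names (Reply leaving through a firewall that never saw the Request). The stateless alternative reads the home address out of the Registration Reply itself; the fixed Reply layout used for that (Type 3, Code, Lifetime, Home Address, Home Agent, Identification) is the one defined in the Mobile IP specification, RFC 2002. Class and function names and all sample addresses are constructed.

```python
"""Added example (not part of RFC 2356): the SKIP Firewall's dynamic binding
between care-of address and Master Key-ID, plus the stateless alternative.
Names and sample values are constructed."""
import struct
from ipaddress import IPv4Address


class BindingError(Exception):
    """The outbound Reply's care-of address has no binding on this firewall."""


class SkipFirewallBindings:
    """Stateful mode: learn from the inbound Request (7.1.2), consult for the
    outbound Reply (7.2.2)."""

    def __init__(self):
        self._by_care_of = {}   # care-of address -> mobile node's Master Key-ID

    def inbound_request(self, outer_src, src_nsid, src_master_key_id):
        """Source NSID = 1 means the Master Key-ID is the mobile node's home
        address; bind it to the outer source, i.e. the care-of address.
        Returns the bound Master Key-ID, or None if nothing was bound."""
        if src_nsid != 1:
            return None
        care_of = IPv4Address(outer_src)
        self._by_care_of[care_of] = IPv4Address(src_master_key_id)
        return self._by_care_of[care_of]

    def outbound_reply(self, inner_dst):
        """The recovered Reply is addressed to the care-of address; find the
        Master Key-ID to encrypt it to. Fails when the matching Request went
        through a different firewall, which is why the text requires the
        Reply to exit through the same one."""
        key_id = self._by_care_of.get(IPv4Address(inner_dst))
        if key_id is None:
            raise BindingError(f"no binding for care-of address {inner_dst}")
        return {"dst_nsid": 1, "dst_master_key_id": key_id}


def master_key_id_from_reply(reply: bytes):
    """Stateless alternative for a Mobile IP aware firewall: take the home
    address from the Registration Reply's fixed part (RFC 2002: Type=3,
    Code, Lifetime, Home Address, Home Agent, Identification). Returns None
    for anything that is not a complete Registration Reply."""
    if len(reply) < 20 or reply[0] != 3:
        return None
    (home_addr,) = struct.unpack("!4s", reply[4:8])
    return IPv4Address(home_addr)


def build_sample_reply(home_addr, home_agent, lifetime=600, code=0) -> bytes:
    """Constructed Registration Reply fixed part (20 bytes, no extensions)."""
    return struct.pack("!BBH4s4s8s", 3, code, lifetime,
                       IPv4Address(home_addr).packed,
                       IPv4Address(home_agent).packed, b"\x00" * 8)


if __name__ == "__main__":
    fw = SkipFirewallBindings()
    fw.inbound_request("198.51.100.7", 1, "192.0.2.10")     # Request from outside
    print(fw.outbound_reply("198.51.100.7"))                 # Reply back out
    reply = build_sample_reply("192.0.2.10", "192.0.2.1")
    print(master_key_id_from_reply(reply))                   # stateless path
```

The stateless path trades the binding table for trust in the Reply's contents, so a deployment using it relies on the home agent's authentication of the Reply (the Mobile-Home Authentication Extension) rather than on having seen the Request.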
   Notice that there may be additional firewalls along the way, but the
   list of traversal points SHOULD only include those systems with which
   an explicit negotiation is required.

   Similarly, the home agent SHOULD include one Traversal Extension per
   traversal point in its Registration Replies.  If present, their order
   MUST exactly match the order in which packets encounter them as they
   flow from the home agent to the mobile node.

   A Traversal Extension does not include any indication about how
   access is negotiated. Presumably, this information is obtained
   through separate means. This document does not attempt to solve the
   firewall discovery problem, that is, it does not specify how to
   discover the list of traversal points.

   As per section 1.9 of [1], the fact that the type value falls within
   the range 128 to 255 implies that if a home agent or a mobile node
   encounters a Traversal Extension in a Registration Request or Reply,
   it may silently ignore it. This is consistent with the fact that
   the Traversal Extension is essentially a hint.
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Length     |        Reserved               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 MN to HA Traversal Address                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                 HA to MN Traversal Address                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

      Type        129

      Length         10

      Reserved         0

      MN to HA Traversal Address

         The IP address of an intermediate system or firewall
         encountered by datagrams sent by the mobile node towards the
         home agent. Typically, this is the external address of a
         firewall or firewall complex.

         This field MUST be initialized in Registration Requests.  In
         Registration Replies, it is typically all 0's, otherwise, the
         mobile node SHOULD interpret it as a hint.

      HA to MN Traversal Address

         The IP address of an intermediate system or firewall
         encountered by datagrams sent by the home agent towards the
         mobile node. Typically, this is the internal address of a
         firewall or firewall complex.

         This field MUST be initialized in Registration Replies.  In
         Registration Requests, it is typically all 0's, otherwise, the
         home agent SHOULD interpret it as a hint.

8. Data Transfer

   Data transfer proceeds along lines similar to the Registration
   Request outlined above.  Section 8.1 discusses data traffic sent by a
   mobile node to a correspondent node.  Section 8.2 shows packet formats
   for the reverse traffic being tunneled by the home agent to the
   mobile node.

8.1. Data Packet From the Mobile Node to a Correspondent Node

   The mobile node composes a packet destined to a correspondent node
   located within the private network.

   The Mobile IP function in the mobile node examines the Inner IP
   header, and determines that it satisfies conditions "a" and "b1" from
   Section 7.1. The mobile node requests the proper encryption and
   encapsulation services from SKIP.

   Thus, the mobile node with a co-located address sends encrypted
   traffic to the firewall, using the following format:

   DATA PACKET: FROM THE MOBILE NODE VIA THE FIREWALL

   +---------------+----------+----+-----+--------------+------+
   | IP Hdr (SKIP) | SKIP Hdr | AH | ESP | Inner IP Hdr | ULP  |
   +---------------+----------+----+-----+--------------+------+

     IP Hdr (SKIP):
        Source          mobile node's care-of address
        Destination     public (outside) address on the firewall
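Returning to the Traversal Extension of Section 7.3, the following is an added example, not code from RFC 2356 or from any Mobile IP implementation. It encodes the extension exactly as drawn (Type 129, Length 10, Reserved 0, then the two addresses) and walks the extension list of a Registration Request or Reply, applying the rules the text states: a Traversal Extension after the Mobile-Home Authentication Extension is a format error, an unknown type in the 128 to 255 range is skipped silently, an all-zero address is "not set" rather than a traversal point, and the surviving addresses are returned in wire order, which is the order packets meet them. Truncated input is rejected rather than read past its end. The extension-list walk and the authentication extension type number (32) follow the Mobile IP specification, RFC 2002; function names and sample addresses are constructed.

```python
"""Added example (not part of RFC 2356): building and parsing the Section 7.3
Traversal Extension inside a Mobile IP extension list. Constructed sample."""
import struct
from ipaddress import IPv4Address

TRAVERSAL_EXT_TYPE = 129
TRAVERSAL_EXT_LENGTH = 10           # bytes after the Type and Length octets
MOBILE_HOME_AUTH_TYPE = 32          # Mobile-Home Authentication Extension (RFC 2002)
KNOWN_MANDATORY = {32, 33, 34}      # the three RFC 2002 authentication extensions
UNSET = IPv4Address("0.0.0.0")


def build_traversal_ext(mn_to_ha="0.0.0.0", ha_to_mn="0.0.0.0") -> bytes:
    """Type | Length | Reserved (0) | MN to HA address | HA to MN address."""
    return struct.pack("!BBH4s4s", TRAVERSAL_EXT_TYPE, TRAVERSAL_EXT_LENGTH, 0,
                       IPv4Address(mn_to_ha).packed, IPv4Address(ha_to_mn).packed)


def parse_extensions(blob: bytes):
    """Walk a (Type, Length, data...) extension list and return the Traversal
    Extensions in wire order as (mn_to_ha, ha_to_mn) tuples.
    - types 128-255 that are not Traversal Extensions are skipped silently,
      as section 1.9 of [1] allows;
    - unknown types below 128 are rejected, as [1] requires;
    - a Traversal Extension after the Mobile-Home Authentication Extension
      violates the ordering rule of Section 7.3 and is rejected."""
    found, off, seen_auth = [], 0, False
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated extension header")
        etype, elen = blob[off], blob[off + 1]
        data = blob[off + 2: off + 2 + elen]
        if len(data) != elen:
            raise ValueError(f"extension type {etype} truncated")
        if etype == TRAVERSAL_EXT_TYPE:
            if seen_auth:
                raise ValueError("Traversal Extension after Mobile-Home Authentication Extension")
            if elen != TRAVERSAL_EXT_LENGTH:
                raise ValueError("Traversal Extension has wrong length")
            _reserved, mn_to_ha, ha_to_mn = struct.unpack("!H4s4s", data)
            found.append((IPv4Address(mn_to_ha), IPv4Address(ha_to_mn)))
        elif etype < 128 and etype not in KNOWN_MANDATORY:
            raise ValueError(f"unknown mandatory extension type {etype}")
        if etype == MOBILE_HOME_AUTH_TYPE:
            seen_auth = True
        off += 2 + elen
    return found


def traversal_points(exts, direction):
    """Traversal points in the order packets meet them. direction is
    'mn_to_ha' (the field a Request MUST set) or 'ha_to_mn' (the field a
    Reply MUST set). An all-zero field is not a traversal point; the other
    direction's field, if non-zero, is only a hint and is not returned."""
    idx = 0 if direction == "mn_to_ha" else 1
    return [e[idx] for e in exts if e[idx] != UNSET]


def sample_request_extensions() -> bytes:
    """Constructed Request extension list: two traversal points, then a
    Mobile-Home Authentication Extension (SPI + 16-byte authenticator, zeroed
    here because only the layout matters for this example)."""
    exts = build_traversal_ext("203.0.113.1") + build_traversal_ext("203.0.113.9")
    auth = struct.pack("!BB", MOBILE_HOME_AUTH_TYPE, 20) + b"\x00" * 20
    return exts + auth


if __name__ == "__main__":
    found = parse_extensions(sample_request_extensions())
    print([str(a) for a in traversal_points(found, "mn_to_ha")])   # outbound path
    print(traversal_points(found, "ha_to_mn"))                      # nothing set in a Request
```

Because the type sits in the 128 to 255 range, a node that does not implement this document parses the same list and simply skips the extension, which is the "hint" behaviour the text describes; the ordering and truncation checks are what keep a malformed extension from being read as a traversal point.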
