RFC 2356          Sun's SKIP Firewall Traversal for Mobile IP       June 1998

   SKIP Hdr:
      Source      NSID = 1  Master Key-ID = IPv4 address of the mobile node
      Destination NSID = 0  Master Key-ID = none

   Inner IP Hdr:
      Source      mobile node's home address
      Destination correspondent node's address

   The SKIP Firewall intercepts this packet, decrypts the Inner IP Hdr
   and upper-layer payload (ULP) and checks the destination address.
   Since the packet is destined to a correspondent node in the private
   network, the "Inner" IP datagram is delivered internally.

   Once the SKIP firewall injects this packet into the private network,
   it is routed independently of its source address.  As this last
   assumption is not always true, the mobile node may construct a
   bi-directional tunnel with its home agent.  Doing so guarantees that
   the "Inner IP Hdr" is:

   Inner IP Hdr:
      Source      care-of address
      Destination home agent address

   When at home, communication between the mobile node and certain
   external correspondent nodes may need to go through application-
   specific firewalls or proxies, different from the SKIP firewall.
   While on the public network, the mobile node's communication with
   these hosts MUST use a bi-directional tunnel.

8.2. Data Packet From a Correspondent Node to the Mobile Node

   The home agent intercepts a packet from a correspondent node to the
   mobile node.  It encapsulates it such that the Mobile IP
   encapsulating IP header's source and destination addresses are the
   home agent and care-of addresses, respectively.  This would suffice
   for delivery within the private network.  Since the current care-of
   address of the mobile node is not within the private network, this
   packet MUST be sent via the firewall.  The home agent can accomplish
   this by encapsulating the datagram in a SKIP packet destined to the
   firewall (i.e.
   we assume secure channel configuration number 4).

8.2.1 Within the Inside (Private) Network

   From the home agent to the private (inside) address of the firewall
   the packet format is:

      DATA PACKET: BETWEEN THE HOME AGENT AND THE FIREWALL

      +--------+------+----+-----+--------+--------+-----+
      | IP Hdr | SKIP | AH | ESP | mobip  | Inner  | ULP |
      | (SKIP) | Hdr  |    |     | IP Hdr | IP Hdr |     |
      +--------+------+----+-----+--------+--------+-----+

   IP Hdr (SKIP):
      Source      home agent's address
      Destination private (inside) address on the firewall

   SKIP Hdr:
      Source      NSID = 0  Master Key-ID = none
      Destination NSID = 0  Master Key-ID = none

   Mobile-IP IP Hdr:
      Source      home agent's address
      Destination care-of address

   Inner IP Hdr:
      Source      correspondent node's address
      Destination mobile node's address

   ULP: upper-layer payload

   The packet format above does not require the firewall to have a
   dynamic binding.  The association between the mobile node's
   permanent address and its care-of address can be deduced from the
   contents of the "Mobile-IP IP Hdr" and the "Inner IP Hdr".
   Nevertheless, a nomadic binding is an assurance that currently the
   mobile node is, in fact, at the care-of address.

8.2.2. On the Outside (Public) Network

   The SKIP firewall intercepts the packet, and recovers the Mobile IP
   encapsulated datagram.  Before sending it out, the dynamic packet
   filter configured by the original Registration Request triggers
   encryption of this packet, this time by the SKIP firewall for
   consumption by the mobile node.
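   The nested headers of the Section 8.2 data packets can be modelled to
   show the difference between what a firewall can deduce from the
   headers alone and what only a registration-derived binding can
   assure.  The Python below is an added example, not code from RFC 2356
   or from Sun's SKIP implementation.  All addresses are constructed
   samples, AH and ESP are omitted from the model, and the Master Key-ID
   carried under NSID 1 is taken to be the mobile node's home IPv4
   address, which is an assumption of this example.

```python
# Added example (not from RFC 2356 or Sun's SKIP code): model the nested
# headers of the data packets of Sections 8.2.1 and 8.2.2, the check a
# firewall can do without any dynamic binding, and the stronger check that
# uses the binding created by the mobile node's Registration Request.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed sample addresses (documentation/private ranges, not real hosts).
HOME_AGENT = "10.1.0.1"
FW_INSIDE = "10.1.0.254"        # firewall's private (inside) address
FW_OUTSIDE = "192.0.2.1"        # firewall's public (outside) address
MN_HOME = "10.1.5.7"            # mobile node's permanent (home) address
CARE_OF = "198.51.100.23"       # mobile node's current care-of address
CN = "10.1.9.9"                 # correspondent node inside the private network


@dataclass(frozen=True)
class IPHdr:
    src: str
    dst: str


@dataclass(frozen=True)
class SKIPHdr:
    # NSID 0 = no Master Key-ID; NSID 1 = Master Key-ID is an IPv4 address
    src_nsid: int
    src_mkid: Optional[str]
    dst_nsid: int
    dst_mkid: Optional[str]


@dataclass(frozen=True)
class DataPacket:
    outer: IPHdr        # "IP Hdr (SKIP)"
    skip: SKIPHdr       # "SKIP Hdr" (AH/ESP left out of this model)
    mobip: IPHdr        # "Mobile-IP IP Hdr" (home agent -> care-of)
    inner: IPHdr        # "Inner IP Hdr" (correspondent -> mobile node)
    ulp: bytes          # upper-layer payload


def ha_to_firewall(ulp: bytes) -> DataPacket:
    """Section 8.2.1: home agent -> firewall's inside address.  Both SKIP
    NSIDs are 0, so no Master Key-IDs are carried."""
    return DataPacket(outer=IPHdr(HOME_AGENT, FW_INSIDE),
                      skip=SKIPHdr(0, None, 0, None),
                      mobip=IPHdr(HOME_AGENT, CARE_OF),
                      inner=IPHdr(CN, MN_HOME), ulp=ulp)


def deduced_binding(pkt: DataPacket) -> Tuple[str, str]:
    """What the firewall can read off the packet with no dynamic binding:
    (mobile node's home address, care-of address)."""
    return pkt.inner.dst, pkt.mobip.dst


def firewall_accepts(pkt: DataPacket, bindings: Dict[str, str]) -> bool:
    """Stronger check: the care-of address in the Mobile-IP header must be
    the one the mobile node registered (the RFC's nomadic binding).  A
    packet for an unregistered home address, or one naming a different
    care-of address, is not forwarded."""
    home, care_of = deduced_binding(pkt)
    return bindings.get(home) == care_of


def firewall_to_mobile(pkt: DataPacket) -> DataPacket:
    """Section 8.2.2: the firewall re-sends the same Mobile IP datagram from
    its public address, now keyed for the mobile node (destination NSID 1).
    Assumption: the Master Key-ID is the mobile node's home IPv4 address."""
    return DataPacket(outer=IPHdr(FW_OUTSIDE, pkt.mobip.dst),
                      skip=SKIPHdr(0, None, 1, pkt.inner.dst),
                      mobip=pkt.mobip, inner=pkt.inner, ulp=pkt.ulp)


def mobile_node_receive(pkt: DataPacket) -> Tuple[IPHdr, bytes]:
    """Mobile node side: check the outer and Mobile-IP headers really target
    this node, strip them, and hand the inner datagram and payload up."""
    if pkt.outer.dst != CARE_OF or pkt.mobip.dst != CARE_OF:
        raise ValueError("not tunnelled to our care-of address")
    if pkt.skip.dst_nsid != 1 or pkt.skip.dst_mkid != MN_HOME:
        raise ValueError("SKIP header not keyed for this mobile node")
    if pkt.inner.dst != MN_HOME:
        raise ValueError("inner datagram is not for our home address")
    return pkt.inner, pkt.ulp


if __name__ == "__main__":
    inside = ha_to_firewall(b"hello from the correspondent")
    print("deduced binding:", deduced_binding(inside))
    print("accepted with binding:", firewall_accepts(inside, {MN_HOME: CARE_OF}))
    print("accepted without binding:", firewall_accepts(inside, {}))
    outside = firewall_to_mobile(inside)
    print("delivered at mobile node:", mobile_node_receive(outside))
```

   The point of firewall_accepts is the one the text makes: the home
   address and care-of address can always be deduced from the two
   encapsulating headers, but only a binding the firewall learned from
   the Registration Request tells it that the mobile node is currently
   at that care-of address, so a packet whose Mobile-IP header names
   some other care-of address is dropped rather than leaked outside.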
   The resultant packet is:

      DATA PACKET: BETWEEN THE FIREWALL AND THE MOBILE NODE

      +--------+------+----+-----+--------+--------+-----+
      | IP Hdr | SKIP | AH | ESP | mobip  | Inner  | ULP |
      | (SKIP) | Hdr  |    |     | IP Hdr | IP Hdr |     |
      +--------+------+----+-----+--------+--------+-----+

   IP Hdr (SKIP):
      Source      firewall's public (outside) address
      Destination mobile node's care-of address

   SKIP Hdr:
      Source      NSID = 0  Master Key-ID = none
      Destination NSID = 1  Master Key-ID = IPv4 address of the mobile node

   Mobile-IP IP Hdr:
      Source      home agent's address
      Destination care-of address

   Inner IP Hdr:
      Source      correspondent node's address
      Destination mobile node's address

   ULP: upper-layer payload

   At the mobile node, SKIP processes the packets sent by the firewall.
   Eventually, the inner IP header and the upper-layer packet (ULP) are
   retrieved and passed on.

9. Security Considerations

   The topic of this document is security.  Nevertheless, it is
   imperative to point out the perils involved in allowing a flow of IP
   packets through a firewall.  In essence, the mobile host itself MUST
   also take on responsibility for securing the private network,
   because it extends its periphery.

   This does not mean it stops exchanging unencrypted IP packets with
   hosts on the public network.  For example, it MAY have to do so in
   order to satisfy billing requirements imposed by the foreign site, or
   to renew its DHCP lease.  In the latter case it might filter not only
   on IP source address, but also on protocol and port numbers.
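   A minimal version of the filtering the previous paragraph describes,
   as an added example that is not part of RFC 2356: a stateless ingress
   policy for a mobile node attached to a public network that admits
   SKIP traffic from the firewall's public address, the DHCP renewal
   replies and billing-host replies the node cannot avoid receiving in
   the clear, and drops everything else.  The addresses, the billing
   host and the sample packets are constructed; the SKIP protocol number
   is the IANA assignment and is not stated on this page.

```python
# Added example (not from RFC 2356): a stateless ingress filter for a mobile
# node on a public network, following Section 9's advice to filter on source
# address as well as protocol and port numbers.  Everything here is
# constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTO_TCP = 6
PROTO_UDP = 17
PROTO_SKIP = 57  # IANA-assigned protocol number for SKIP (not stated on this page)

FW_OUTSIDE = "192.0.2.1"        # SKIP firewall's public address (constructed)
BILLING_HOST = "203.0.113.10"   # foreign site's billing portal (constructed)
MY_CARE_OF = "198.51.100.23"    # this mobile node's care-of address (constructed)


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None   # None for protocols without ports (SKIP)
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """A None field is a wildcard; every non-None field must match."""
    src: Optional[str]
    proto: int
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Pkt) -> bool:
        checks = ((self.src, p.src), (self.proto, p.proto),
                  (self.sport, p.sport), (self.dport, p.dport))
        return all(want is None or want == got for want, got in checks)


# Policy: allow if any rule matches, otherwise drop.
ALLOW: List[Rule] = [
    Rule(FW_OUTSIDE, PROTO_SKIP),                # encrypted traffic, firewall only
    Rule(None, PROTO_UDP, sport=67, dport=68),   # DHCP server -> client (lease renewal)
    Rule(BILLING_HOST, PROTO_TCP, sport=80),     # replies from the billing portal
]


def ingress_allowed(p: Pkt) -> bool:
    return any(r.matches(p) for r in ALLOW)


def apply_policy(pkts: List[Pkt]) -> List[Tuple[Pkt, str]]:
    return [(p, "ALLOW" if ingress_allowed(p) else "DROP") for p in pkts]


# Constructed sample of inbound packets on the public interface.
SAMPLE: List[Pkt] = [
    Pkt(FW_OUTSIDE, MY_CARE_OF, PROTO_SKIP),                   # tunnel from firewall
    Pkt("198.51.100.1", MY_CARE_OF, PROTO_UDP, 67, 68),        # DHCP renewal reply
    Pkt(BILLING_HOST, MY_CARE_OF, PROTO_TCP, 80, 40512),       # billing portal reply
    Pkt("198.51.100.77", MY_CARE_OF, PROTO_SKIP),              # SKIP from a stranger
    Pkt("198.51.100.77", MY_CARE_OF, PROTO_TCP, 51234, 22),    # unsolicited SSH
    Pkt("198.51.100.77", MY_CARE_OF, PROTO_UDP, 67, 5353),     # DHCP sport, wrong dport
]


def dropped_count(pkts: List[Pkt] = SAMPLE) -> int:
    return sum(1 for _, verdict in apply_policy(pkts) if verdict == "DROP")


if __name__ == "__main__":
    for p, verdict in apply_policy(SAMPLE):
        print(f"{verdict:5} {p.src:>15} -> {p.dst} proto={p.proto} "
              f"sport={p.sport} dport={p.dport}")
```

   Two caveats belong with this.  The address-based rule for the
   firewall's SKIP traffic only narrows what reaches SKIP processing;
   the authentication carried in the AH field of the packet format
   above is what actually establishes that a packet came from the
   firewall.  And the billing-host rule is stateless, so it admits any
   packet from that host with source port 80; a production filter would
   track the connections the mobile node itself opened and admit only
   their replies.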
   Therefore, it MUST have some firewall capabilities, otherwise, any
   malicious individual that gains access to it will have gained access
   to the private network as well.

Acknowledgements

   Ideas in this document have benefited from discussions with at least
   the following people: Bill Danielson, Martin Patterson, Tom Markson,
   Rich Skrenta, Atsushi Shimbo, Behfar Razavi, Avinash Agrawal, Tsutomu
   Shimomura and Don Hoffman.  Jim Solomon has also provided many
   helpful comments on this document.

Authors' Addresses

   Gabriel E. Montenegro
   Sun Microsystems, Inc.
   901 San Antonio Road
   Mailstop UMPK 15-214
   Mountain View, California 94303

   Phone: (415)786-6288
   Fax:   (415)786-6445
   EMail: gabriel.montenegro@Eng.Sun.COM


   Vipul Gupta
   Sun Microsystems, Inc.
   901 San Antonio Road
   Mailstop UMPK 15-214
   Mountain View, California 94303

   Phone: (415)786-3614
   Fax:   (415)786-6445
   EMail: vipul.gupta@Eng.Sun.COM

Full Copyright Statement

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

   This document and translations of it may be copied and furnished to
   others, and derivative works that comment on or otherwise explain it
   or assist in its implementation may be prepared, copied, published
   and distributed, in whole or in part, without restriction of any
   kind, provided that the above copyright notice and this paragraph are
   included on all such copies and derivative works.  However, this
   document itself may not be modified in any way, such as by removing
   the copyright notice or references to the Internet Society or other
   Internet organizations, except as needed for the purpose of
   developing Internet standards in which case the procedures for
   copyrights defined in the Internet Standards process must be
   followed, or as required to translate it into languages other than
   English.

   The limited permissions granted above are perpetual and will not be
   revoked by the Internet Society or its successors or assigns.

   This document and the information contained herein is provided on an
   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.