draft-ietf-mip6-firewalls-03.txt   draft-ietf-mip6-firewalls-04.txt 
MIP6 F. Le MIP6 F. Le
Internet-Draft CMU Internet-Draft CMU
Expires: April 20, 2006 S. Faccin Expires: July 29, 2006 S. Faccin
B. Patil B. Patil
Nokia Nokia
H. Tschofenig H. Tschofenig
Siemens Siemens
October 17, 2005 January 25, 2006
Mobile IPv6 and Firewalls: Problem statement Mobile IPv6 and Firewalls: Problem statement
draft-ietf-mip6-firewalls-03.txt draft-ietf-mip6-firewalls-04.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 38 skipping to change at page 1, line 38
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on April 20, 2006. This Internet-Draft will expire on July 29, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2005). Copyright (C) The Internet Society (2006).
Abstract Abstract
Network elements such as firewalls are an integral aspect of a Network elements such as firewalls are an integral aspect of a
majority of IP networks today, given the state of security in the majority of IP networks today, given the state of security in the
Internet, threats, and vulnerabilities to data networks. Current IP Internet, threats, and vulnerabilities to data networks. Current IP
networks are predominantly based on IPv4 technology and hence networks are predominantly based on IPv4 technology and hence
firewalls have been designed for these networks. Deployment of IPv6 firewalls have been designed for these networks. Deployment of IPv6
networks is currently progressing, albeit at a slower pace. networks is currently progressing, albeit at a slower pace.
Firewalls for IPv6 networks are still maturing and in development. Firewalls for IPv6 networks are still maturing and in development.
skipping to change at page 2, line 20 skipping to change at page 2, line 20
firewalls available for IPv6 networks do not support Mobile IPv6. firewalls available for IPv6 networks do not support Mobile IPv6.
Unless firewalls are aware of Mobile IPv6 protocol details, these Unless firewalls are aware of Mobile IPv6 protocol details, these
security devices will interfere in the smooth operation of the security devices will interfere in the smooth operation of the
protocol and can be a detriment to deployment. This document protocol and can be a detriment to deployment. This document
captures the issues that may arise in the deployment of IPv6 networks captures the issues that may arise in the deployment of IPv6 networks
when they support Mobile IPv6 and firewalls. when they support Mobile IPv6 and firewalls.
The issues are not only applicable to firewalls protecting enterprise The issues are not only applicable to firewalls protecting enterprise
networks, but are also applicable in 3G mobile networks such as GPRS/ networks, but are also applicable in 3G mobile networks such as GPRS/
UMTS and cdma2000 networks. UMTS and CDMA 2000 networks.
The goal of this Internet draft is to highlight the issues with The goal of this Internet draft is to highlight the issues with
firewalls and Mobile IPv6 and act as an enabler for further firewalls and Mobile IPv6 and act as an enabler for further
discussion. Issues identified here can be solved by developing discussion. Issues identified here can be solved by developing
appropriate solutions in the MIP6 WG. appropriate solutions in the MIP6 WG.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
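Review bot: the respelling of "cdma2000" as "CDMA 2000" in the abstract (the "UMTS and cdma2000 networks" line) needs to be checked against the form used elsewhere in the draft and in the reference entries; the other visible lines do not show the term again, so whichever spelling is kept should be applied consistently rather than only in this one sentence.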
skipping to change at page 6, line 21 skipping to change at page 6, line 21
o CoA: Care of Address o CoA: Care of Address
o CoTI: Care of Test Init o CoTI: Care of Test Init
o HA: Home Agent o HA: Home Agent
o HoA: Home Address o HoA: Home Address
o HoTI: Home Test Init o HoTI: Home Test Init
o HoT: Home Test
o MN: Mobile Node o MN: Mobile Node
o RO: Route Optimization o RO: Route Optimization
o RRT: Return Routability Test o RRT: Return Routability Test
4. Overview of firewalls 4. Overview of firewalls
The following section provides a brief overview of firewalls. It is The following section provides a brief overview of firewalls. It is
intended as background information so that issues with the Mobile intended as background information so that issues with the Mobile
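Review bot: the new "o HoT: Home Test" entry adds only one of the two missing return routability replies; CoT (Care of Test), the peer of the "o CoTI: Care of Test Init" entry already in the list, is still absent, so add "o CoT: Care of Test" beside CoTI if the body uses it. Minor: the list is otherwise alphabetical, and "HoT" should precede "HoTI".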
skipping to change at page 8, line 8 skipping to change at page 8, line 8
external networks reaches the firewall, it searches the packet's external networks reaches the firewall, it searches the packet's
source IP address, destination IP address, Protocol type, source port source IP address, destination IP address, Protocol type, source port
number and destination port number in its state table to see if the number and destination port number in its state table to see if the
packet matches the characteristics of a request sent previously. If packet matches the characteristics of a request sent previously. If
so, the firewall lets the packet pass. Otherwise, the packet is so, the firewall lets the packet pass. Otherwise, the packet is
dropped since it was not requested from inside the network. dropped since it was not requested from inside the network.
The firewall removes the state table entries either when the TCP The firewall removes the state table entries either when the TCP
close session negotiation packets are routed through, or after some close session negotiation packets are routed through, or after some
configurable timeout period. This ensures that dropped connections configurable timeout period. This ensures that dropped connections
do not leave holes in the table. do not leave holes open in the firewall.
For UDP, similar state is created. However, since UDP is For UDP, similar state is created. However, since UDP is
connectionless and the protocol does not have an indication of the connectionless and the protocol does not have an indication of the
beginning nor the end of a session, the state is based only on beginning nor the end of a session, the state is based only on
timers. timers.
5. Analysis of various scenarios involving MIP6 nodes and firewalls 5. Analysis of various scenarios involving MIP6 nodes and firewalls
The following section describes various scenarios involving MIP6 The following section describes various scenarios involving MIP6
nodes and firewalls and also presents the issues related to each nodes and firewalls and also presents the issues related to each
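Review bot: "do not leave holes open in the firewall" is clearer than "holes in the table", but the state-table description just above it says the firewall matches packets on source address, destination address, protocol type, source port and destination port only, and never says how state is keyed for protocols that carry no ports; that is exactly the gap Section 5.1 later depends on when it says a HoTI Mobility Header packet's protocol type differs from the established state. Consider adding one sentence here stating that Mobility Header (and other port-less) packets can only be matched on addresses and protocol type.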
skipping to change at page 9, line 27 skipping to change at page 9, line 27
protected by firewall(s) protected by firewall(s)
o Section 5.2 analyzes the issues when the CN is in a network o Section 5.2 analyzes the issues when the CN is in a network
protected by firewall(s) protected by firewall(s)
o Section 5.3 analyzes the issues when the HA is in a network o Section 5.3 analyzes the issues when the HA is in a network
protected by firewall(s) protected by firewall(s)
The MN may also be moving from an external network, to a network The MN may also be moving from an external network, to a network
protected by firewall(s). The issues of this case are described in protected by firewall(s). The issues of this case are described in
Section 5.3. Section 5.4.
Some of the described issues (e.g. Section 5.1 and Section 5.2) may Some of the described issues (e.g. Section 5.1 and Section 5.2) may
require modifications to the protocols or to the firewalls, and require modifications to the protocols or to the firewalls, and
others (e.g. Section 5.3) may require only appropriate rules and others (e.g. Section 5.3) may require only appropriate rules and
configuration to be in place. configuration to be in place.
5.1. Scenario where the Mobile Node is in a network protected by 5.1. Scenario where the Mobile Node is in a network protected by
firewall(s) firewall(s)
Let's consider a MN A, in a network protected by firewall(s). Let's consider a MN A, in a network protected by firewall(s).
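Review bot: correcting the cross-reference for the MN moving into a protected network from Section 5.3 to Section 5.4 is right, since the bullet list above assigns Section 5.3 to the HA case and the next sentence's "e.g. Section 5.3" example still refers to that HA case; for consistency, consider listing the moving-MN case as a fourth bullet ("o Section 5.4 analyzes the issues when the MN moves ...") rather than a separate paragraph.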
skipping to change at page 13, line 37 skipping to change at page 13, line 37
via its Home Agent and via its Home Agent and
* a Care of Test Init (COTI) message directly to its * a Care of Test Init (COTI) message directly to its
Correspondent Node C. Correspondent Node C.
The Care of Test Init message is sent using the CoA of B as the The Care of Test Init message is sent using the CoA of B as the
source address. Such a packet does not match any entry in the source address. Such a packet does not match any entry in the
protecting firewall (2). The CoTi message will thus be dropped by protecting firewall (2). The CoTi message will thus be dropped by
the firewall. the firewall.
The HoTI is a Mobility Header packet, and the protocol type The HoTI is a Mobility Header packet, and as the protocol type
differs from the existing states (2), the HoTI packet will also be differs from the established state in the firewall (see (2)), the
dropped. HoTI packet will also be dropped.
As a consequence, the RRT cannot be completed and route As a consequence, the RRT cannot be completed and route
optimization cannot be applied. Every packet has to go through optimization cannot be applied. Every packet has to go through
the node B's Home Agent and tunneled between B's Home Agent and B. the node B's Home Agent and tunneled between B's Home Agent and B.
+----------------+ +----------------+
| +----+ HoTI (HoA) +----+ | +----+ HoTI (HoA) +----+
| | FW |X<---------------|HA B| | | FW |X<---------------|HA B|
| +----X +----+ | +----X +----+
| +------+ | ^ CoTI & HoTI ^ | +------+ | ^ CoTI & HoTI ^
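Review bot: the reworded HoTI sentence now says the protocol type differs from the established state "(see (2))", but the label (2) is not defined in the visible lines; say which firewall entry (2) denotes. The same message is also spelled three ways in this hunk, "COTI", "CoTi" and "CoTI" in the terminology section; normalize to "CoTI". Lastly, "has to go through the node B's Home Agent and tunneled between B's Home Agent and B" should read "and be tunneled".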
skipping to change at page 23, line 41 skipping to change at page 23, line 41
This document and the information contained herein are provided on an This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement Copyright Statement
Copyright (C) The Internet Society (2005). This document is subject Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights. except as set forth therein, the authors retain all their rights.
Acknowledgment Acknowledgment
Funding for the RFC Editor function is currently provided by the Funding for the RFC Editor function is currently provided by the
Internet Society. Internet Society.
 End of changes. 11 change blocks. 
12 lines changed or deleted 14 lines changed or added

This html diff was produced by rfcdiff 1.28, available from http://www.levkowetz.com/ietf/tools/rfcdiff/