r3 - 04 Jul 2007 - 06:57:13 - HannesTschofenig

Mobile IPv6 Firewall Traversal Design Team

Design Team Members

MIPv6 Chairs:

Design Team Leader:

| Name | Mail Address |
| Hannes Tschofenig | Hannes.Tschofenig@gmx.net |
| Gabor Bajko | Gabor.Bajko@nokia.com |
| Suresh Krishnan | suresh.krishnan@ericsson.com |
| Hesham Soliman | solimanhs@gmail.com |
| Yaron Sheffer | yaronf@checkpoint.com |
| Qiu Ying | qiuying@i2r.a-star.edu.sg |
| Ram Vishnu | vishnu@motorola.com |
| Niklas Steinleitner | steinleitner@cs.uni-goettingen.de |
| Vijay Devarapalli | vijay.devarapalli@AzaireNet.com |

Design Team Mailing List

The design team mailing list (including the archive) can be found here:
https://zeke.ecotroph.net/mailman/admin/mip6-firewall

To post a message to all the list members, send email to mip6-firewall@zeke.ecotroph.net.

Procedure

Before starting phone conferences we need to determine the scope of the design team work. Most solutions focus on parts of the problem domain and hence we also need to ensure that we agree on the scope of work.

This message, in accordance with IETF procedures, is to inform the MIP6 working group that the MIP6 co-chairs have commissioned a MIP6 Firewall Traversal design team.

The purpose of this design team is to complete the following WG charter item:
"Work on solutions to deal with firewalls and the problems that firewalls cause as identified in RFC 4487."

The output of the design team is one or more documents to the MIP6 working group. This design team will use a separate mailing list, conference calls and Jabber chats.

Members of the design team are listed above.

The following hat wearers also take part: Basavaraj Patil and Gopal Dommety.

Archives of this design team can be found here: http://zeke.ecotroph.net/pipermail/mip6-firewall/

As with any design team in the IETF, the output of this design team must be approved by the MIP6 working group and carries no special consideration in the development of MIP6 working group consensus.

Reading List and Related Work

RFC 4487: Mobile IPv6 and Firewalls: Problem Statement http://www.ietf.org/rfc/rfc4487.txt

Firewall detection procedure: http://tools.ietf.org/wg/mip6/draft-miao-mip6-ft-02.txt

Solution for CN behind a firewall: http://tools.ietf.org/wg/mip6/draft-bajko-mip6-rrtfw-01.txt

Protocol between FW and MN that is triggered by incoming data packets: http://tools.ietf.org/wg/draft-zhang-mip6-fsup-01.txt

Transferring packet filter rules between HA and MAP (HMIP) secured using IKE: http://www.ietf.org/internet-drafts/draft-qiu-mip6-mobile-firewall-02.txt

Solution for all scenarios: http://tools.ietf.org/wg/nsis/draft-thiruvengadam-nsis-mip6-fw-05.txt

Solution to compile addresses: http://www.ietf.org/internet-drafts/draft-qiu-mip6-friendly-firewall-01.txt

Related work can be found in HIPRG (see draft-tschofenig-hiprg-hip-natfw-traversal-05.txt, the HIP NATFW paper or SPINAT). MOBIKE contains a custom solution to perform connectivity tests (for NAT traversal only).

Phone Conferences

December 2006

Phone Conference Details

Date: 21. Dec. 4pm EST
Duration: ~ 1 Hour
Agenda: Scope and Requirements

Conference Dial-in Number: +1 (712) 580-0600
Participant Access Code: 288204#

Here is the feedback from the group:

| Name | 19. Dec. 4pm EST | 20. Dec. 4pm EST | 21. Dec. 4pm EST | Comment |
| Hannes Tschofenig | X | X | X | |
| Yaron Sheffer | | X | X | Please choose a better time for the next round! |
| Suresh Krishnan | X | X | | |
| Vijay Devarapalli | X | | X (at 4:30) | |
| Gabor Bajko | | X | X | |
| Niklas Steinleitner | X | | | Sorry, unfortunately unavailable at 21. Dec |

Meeting Minutes

The following participants joined the phone conference:

  • Yaron Sheffer
  • Hannes Tschofenig
  • Suresh Krishnan
  • Vijay Devarapalli

It was clear that the problems for the data traffic and for the signaling traffic are different. For the firewall traversal problems related to signaling messages, one needs to differentiate between the different scenarios.

The phone conference participants saw the following aspects as out-of-scope for the initial work:

  • Protocol between FW and MN that is triggered by incoming data packets.

  • Transferring packet filter rules between HA and MAP (HMIP) secured using IKE.

  • HA behind a VPN gateway

A question regarding the type of documents being developed was raised. A Best Current Practice (BCP) document would define what someone has to do if he/she wants to allow Mobile IPv6 traffic to go through a firewall. It would also define what state is established and when.

There is the belief that the case of a HA being behind a firewall is a BCP issue.

Suresh would start with a BCP for MN behind a FW and HA behind a FW, addressing both data and signaling traffic.

Yaron sees problems for MN behind a FW and for CN behind a FW for real-world usage. He prefers changes to MIPv6 signaling over adoption of "overly liberal" firewall BCPs, such as allowing all IPsec traffic based on IP addresses only. MIPv6 changes make sense given the early state of MIPv6 deployment at this time.

Agreement that we should start with the simple BCP addressable cases first before we jump to the more complicated problems.

Suresh will investigate the state of the art regarding IPsec traffic through firewalls. Hannes will ask the V6ops and IPsec guys. The problem is how stateful packet filtering firewalls handle this today with regard to matching incoming traffic to previous outgoing traffic.

Open questions:

  • Should a firewall understand Mobile IP or firewall specific messages?
  • Is it allowed to modify the MIPv6 signaling behavior? E.g., fixing MIPv6 signaling exchange to deal with RRT (Gabor's proposal)
  • Is a generic signaling solution for firewall traversal desired by the DT members?

January 2007

Phone Conference Details

Date: 15th January 2007 9am EST
Duration: ~ 1 Hour
Agenda: Next Steps in Document Writing

| Name | 15th Jan. 2007 / 9am EST | 19th Jan. 2007 / 9am EST |
| Hannes Tschofenig | X | X |
| QIU Ying | X | X |
| Gabor Bajko | X | -- |
| Yaron Sheffer | X | -- |
| Niklas Steinleitner | X | -- |

Meeting Minutes

The following participants joined the phone conference:

  • Yaron Sheffer
  • Hannes Tschofenig
  • QIU Ying
  • Gabor Bajko
  • Niklas Steinleitner

Hannes starts with a short summary of the previous phone conference.

Gabor mentions that there are different deployment scenarios to consider based on the capabilities of the involved nodes and their ability to support the discussed extensions:

  • All nodes support the signaling solution
  • Firewall does not support it.
  • One of the end points (CN, HA, MN) does not support it.

Hannes mentions that the same considerations also played a role in HIP and in the VoIP environment with NAT and firewall traversal.

Yaron mentions that he would like to see a functionality being specified where a firewall has the capability to inspect MIPv6 signaling messages, particularly with regard to MN <-> CN message exchanges.

QIU mentions that it is necessary to consider an IPsec data protection aspect for the MN <-> CN communication given the

What documents to consider?

Hannes asks whether the following other MIP6 working group related activities should be considered:

Gabor mentions also the possibility to have a Binding Update being sent to IP address X and the response message coming from a different IP address.

Yaron points to a problem if end-to-end IPsec usage is used.

Hannes mentioned the difference between HIP and IKEv2 with regard to this aspect, and the ability of a firewall to establish packet filters using the IP addresses of the end points together with the SPI in HIP.
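The following Python model is an added illustration of two points raised in these minutes, the question from the December call of how stateful packet filters match incoming traffic to previous outgoing traffic, and the IP-address-plus-SPI filtering just contrasted between HIP and IKEv2. It is not code from the design team or from any of the drafts listed above; the addresses, SPIs, port numbers and the class and function names are constructed for the example.

```python
"""Toy stateful packet filter (constructed example, not a real firewall).

Outbound TCP/UDP creates 5-tuple state that admits the matching reply.
ESP carries no ports and the reply's SPI is chosen by the remote peer, so
5-tuple state from the outbound direction can never match the inbound ESP
packet: the firewall needs an explicit (src, dst, SPI) pinhole instead.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "esp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    spi: Optional[int] = None   # only meaningful for ESP


@dataclass
class StatefulFilter:
    inside: set                                     # protected-side addresses
    flows: set = field(default_factory=set)         # (src, dst, proto, sport, dport)
    esp_inbound: set = field(default_factory=set)   # (outside_src, inside_dst, spi)

    def _outbound(self, p: Packet) -> bool:
        return p.src in self.inside and p.dst not in self.inside

    def learn_esp_spi(self, outside: str, inside: str, spi: int) -> None:
        """Install an ESP pinhole for one inbound SPI.

        In HIP the firewall can learn this SPI from the cleartext base
        exchange; in IKEv2 the child SA SPIs travel inside the encrypted
        payload, so the firewall cannot learn them by inspection.
        """
        self.esp_inbound.add((outside, inside, spi))

    def process(self, p: Packet) -> str:
        """Return 'allow' or 'drop' for p, recording state for outbound traffic."""
        if self._outbound(p):
            if p.proto in ("tcp", "udp"):
                self.flows.add((p.src, p.dst, p.proto, p.sport, p.dport))
            return "allow"          # this model permits all outbound traffic
        if p.proto in ("tcp", "udp"):
            reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
            return "allow" if reverse in self.flows else "drop"
        if p.proto == "esp":
            return "allow" if (p.src, p.dst, p.spi) in self.esp_inbound else "drop"
        return "drop"               # default deny for anything else


def run_scenario() -> dict:
    """MN behind the firewall talking to its HA; returns each verdict by name."""
    MN, HA = "2001:db8:1::10", "2001:db8:2::1"     # constructed addresses
    fw = StatefulFilter(inside={MN})
    out = {}

    # UDP: the outbound request creates state, the reply matches it.
    fw.process(Packet(MN, HA, "udp", 40000, 500))
    out["udp_reply"] = fw.process(Packet(HA, MN, "udp", 500, 40000))

    # ESP: outbound ESP from the MN carries its own SPI; the HA's reply uses
    # a different SPI and no ports, so there is nothing for 5-tuple state to match.
    fw.process(Packet(MN, HA, "esp", spi=0x1111))
    out["esp_reply_unknown_spi"] = fw.process(Packet(HA, MN, "esp", spi=0x2222))

    # Once the firewall knows the inbound SPI (e.g. learned from a cleartext
    # HIP exchange) the same reply is admitted.
    fw.learn_esp_spi(HA, MN, 0x2222)
    out["esp_reply_known_spi"] = fw.process(Packet(HA, MN, "esp", spi=0x2222))

    # Unsolicited inbound UDP has no matching state and is dropped.
    out["unsolicited_udp"] = fw.process(Packet(HA, MN, "udp", 4500, 4500))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name}: {verdict}")
```

The model makes the trade-off from the December discussion concrete: without knowledge of the inbound SPI, the only way for such a filter to pass ESP-protected MIPv6 traffic is a per-address "allow all ESP" rule, which is the overly liberal BCP Yaron objected to, whereas a firewall that can see the SPI in the signaling (as in HIP) can keep its default-deny stance and open one pinhole per SA.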

Yaron suggests a title for the document to write, namely "Design Considerations for MIPv6 Firewall Traversal".

Hannes proposed to write a ToC for such a document and to split the work between the Design Team members.

Here is the outline of the document: FirewallTraversalDesignConsiderationsToC

28th June 2007

Phone Conference Details

Date: 28th June 2007
Time: 16:00 CEST = 10:00 EDT = 7:00 PDT
Duration: ~ 35 minutes

Conference Dial-in Number: +1 (712) 580-0100
Participant Access Code: 281404#

Participants

  • Niklas
  • Vijay
  • Yaron
  • Suresh
  • Hesham
  • Hannes
  • Gabor
  • Qiu Ying had problems connecting to the phone conference bridge.

Meeting Minutes

There was a brief chat about the recently published MIP ICE draft and the motivation behind publishing it. The draft can be found here:

Hannes summarized the work done in the design team so far.

The work can be broken into several pieces:

1) Allowing signaling messages and data traffic to travel between the mobile node and the home agent. This includes a firewall at the mobile node's access network and a home agent behind a firewall.

2) Allow mobile IP signaling to travel end to end

3) Allow data traffic to travel in a route optimized fashion

Furthermore, there is the design aspect whether the firewall is agnostic to the mobile IP traffic or understands the signaling messages.

Hannes went through the existing drafts and Suresh noted that draft-qiu-mip6-friendly-firewall-01.txt does not work when the firewall does not see the MAC address of the mobile node. It was also mentioned that the proposals draft-zhang-mip6-fsup-01.txt and draft-qiu-mip6-mobile-firewall-02.txt are currently outside the scope of the work.

Next Steps

  • Suresh is going to write a draft about HA behind firewall BCP and will distribute it to the list tomorrow for review by the design team.

  • Gabor is going to update draft-bajko-mip6-rrtfw-01.txt

  • Yaron suggested investigating what firewall processing would look like. This is a more forward-looking approach.

3rd July 2007

Phone Conference Details

Date: 3rd July 2007
Time: 16:00 CEST = 10:00 EDT = 7:00 PDT
Duration: ~ 20 minutes

Conference Dial-in Number: +1 (712) 580-0100
Participant Access Code: 281404#

Participants

  • Niklas
  • Yaron
  • Suresh
  • Hannes
  • Qiu

Meeting Minutes

Suresh submitted a draft version for the -00 deadline. A couple of comments were sent to him and he is going to incorporate them in order to submit another version for the final draft submission deadline. There weren't too many discussions on technical issues.

-- HannesTschofenig - 04 Jul 2007

Topic attachments

| Attachment | Size | Date | Who | Comment |
| rfc4621.txt | 73.0 K | 21 Jan 2007 - 18:46 | HannesTschofenig | Design of the IKEv2 Mobility and Multihoming (MOBIKE) Protocol |
| rfc4285.txt | 41.0 K | 21 Jan 2007 - 18:47 | HannesTschofenig | Authentication Protocol for Mobile IPv6 |
| draft-ietf-monami6-multiplecoa-01.txt | 67.3 K | 21 Jan 2007 - 18:49 | HannesTschofenig | Multiple Care-of Addresses Registration |
| draft-ietf-mip6-nemo-v4traversal-03.txt | 58.4 K | 21 Jan 2007 - 18:49 | HannesTschofenig | Mobile IPv6 support for dual stack Hosts and Routers (DSMIPv6) |
| draft-ietf-mip6-cn-ipsec-03.txt | 15.9 K | 21 Jan 2007 - 18:50 | HannesTschofenig | Using IPsec between Mobile and Correspondent IPv6 Nodes |