RE: [EME] Traversing HIP-aware NATs and Firewalls: Problem Statement and Requirements
Paul Francis <francis@cs.cornell.edu> Tue, 19 June 2007 15:49 UTC
Subject: RE: [EME] Traversing HIP-aware NATs and Firewalls: Problem Statement and Requirements
Date: Tue, 19 Jun 2007 11:49:18 -0400
Message-ID: <E6F7A586E0A3F94D921755964F6BE006C980CD@EXCHANGE2.cs.cornell.edu>
In-Reply-To: <4677818C.7070008@gmx.net>
From: Paul Francis <francis@cs.cornell.edu>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Cc: eme@irtf.org
Something along the lines of http://www.ambient-networks.org/docs/Advanced_HIP_based_Firewall_Traversal.pdf would be interesting in the context of NUTSS...allows middleboxes to do per-packet authentication without requiring recursive/nested IPsec tunnels...

PF

> -----Original Message-----
> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net]
> Sent: Tuesday, June 19, 2007 3:11 AM
> To: Paul Francis
> Cc: eme@irtf.org
> Subject: Re: [EME] Traversing HIP-aware NATs and Firewalls: Problem Statement and Requirements
>
> Hi Paul,
>
> Paul Francis wrote:
> > Hi Hannes,
> >
> > I'm responding to your emails out of order...
> >
> > This draft certainly is relevant. I would not claim to have been intimately familiar with it when we wrote the EME drafts, but speaking for myself I was vaguely aware of it. (As you can see, we were quite lazy about citing much of anything. Especially the design draft is meant to trigger getting feedback...it is certainly our intent to do a better job with citations once we think we are on the right track.)
>
> Hmmm.
>
> > As far as the HIP nat traversal stuff relates to NUTSS, am I right in saying that it suffers from the problem of asymmetric paths (i.e. with multihomed sites)? If this is the case, then NUTSS seems very complementary to HIP (as Tom and others are suggesting).
>
> It depends what you call "suffer". There are various ways to solve these problems. It is just not beautiful when NAT/Firewall traversal is dumped into HIP. It works nicely when you use other protocols that are designed for this purpose.
>
> On the other hand, stateful packet filtering firewalls just don't work nicely with asymmetric paths. It's just the way how they work; it's their purpose.
>
> > Sorry if this is a stupid question, but am I right in assuming that with hip nat/fw traversal, the middleboxes can authenticate the HIP setup, but not data packets themselves (which after all are vanilla IPSec packets)
>
> That's true unless you use
> * digitally sign each packet
> * Establish IPsec tunnels recursively, or
> * use something similar to the stuff suggested in http://www.ambient-networks.org/docs/Advanced_HIP_based_Firewall_Traversal.pdf
>
> But again, there is the question why you actually need this functionality.
>
> Ciao
> Hannes
>
> > PF
> >
> >> -----Original Message-----
> >> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net]
> >> Sent: Monday, June 18, 2007 4:09 PM
> >> To: eme@irtf.org
> >> Subject: [EME] Traversing HIP-aware NATs and Firewalls: Problem Statement and Requirements
> >>
> >> This document might be related and relevant:
> >> http://www.tschofenig.com/drafts/draft-tschofenig-hiprg-hip-natfw-traversal-04.txt
> >>
> >> I wonder whether someone ever looked at it.

_______________________________________________
EME mailing list
EME@irtf.org
https://www1.ietf.org/mailman/listinfo/eme
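The limitation discussed in the thread above (a HIP-aware middlebox can follow the base exchange and open pinholes for the resulting ESP traffic, but has nothing with which to authenticate the ESP packets themselves) is easy to see in a small model. The following Python is an added example, not code from this thread or from either draft it cites. It builds simplified HIP I1/R1/I2/R2 packets (the RFC 5201 fixed header plus a single ESP_INFO parameter as defined in RFC 5202, with the checksum left zero and no HIP_SIGNATURE attached), lets a stateful middlebox learn the SPIs announced in I2 and R2, and then filters ESP by SPI alone. The HITs, SPIs and packet sequence are constructed for the example.

```python
"""HIP-aware stateful middlebox model (constructed example): learn ESP SPIs
from the base exchange, then admit ESP packets by SPI only."""
import struct

HIP_I1, HIP_R1, HIP_I2, HIP_R2 = 1, 2, 3, 4   # RFC 5201 packet types
PARAM_ESP_INFO = 65                           # RFC 5202 ESP_INFO parameter type
NO_NEXT_HEADER = 59

# Constructed HITs (16 octets each); values are made up for the example.
HIT_A = bytes.fromhex("20010010" + "aa" * 12)
HIT_B = bytes.fromhex("20010010" + "bb" * 12)


def esp_info(new_spi, old_spi=0, keymat_index=0):
    """ESP_INFO TLV: type, length (12), reserved, KEYMAT index, old SPI, new SPI."""
    return struct.pack("!HHHHII", PARAM_ESP_INFO, 12, 0, keymat_index, old_spi, new_spi)


def build_hip(packet_type, sender_hit, receiver_hit, params=b""):
    """Minimal HIP packet: 8-octet fixed header, two HITs, TLV parameters.
    Checksum is left zero and no HIP_SIGNATURE is attached: the model shows
    what a middlebox learns from the exchange, not how it verifies it."""
    body = sender_hit + receiver_hit + params
    assert len(body) % 8 == 0, "HIP parameters must be 8-octet aligned"
    # next header, header length (8-octet units, excluding the first 8 octets),
    # packet type (7 bits), version 1 with the fixed low bit set, checksum, controls
    fixed = struct.pack("!BBBBHH", NO_NEXT_HEADER, len(body) // 8,
                        packet_type & 0x7F, (1 << 4) | 1, 0, 0)
    return fixed + body


def parse_hip(pkt):
    """Return (packet_type, sender_hit, receiver_hit, {param_type: contents})."""
    if len(pkt) < 40:
        raise ValueError("short HIP packet")
    _nh, hdr_len, ptype, ver, _csum, _ctrl = struct.unpack("!BBBBHH", pkt[:8])
    if ptype & 0x80 or (ver >> 4) != 1 or not (ver & 1):
        raise ValueError("malformed HIP fixed header")
    end = 8 + hdr_len * 8
    if end > len(pkt):
        raise ValueError("truncated HIP packet")
    params, off = {}, 40
    while off + 4 <= end:
        tlv_type, tlv_len = struct.unpack("!HH", pkt[off:off + 4])
        params[tlv_type] = pkt[off + 4:off + 4 + tlv_len]
        off += 4 + tlv_len
        off += (-off) % 8          # TLVs are padded to an 8-octet boundary
    return ptype, pkt[8:24], pkt[24:40], params


def build_esp(spi, seq, payload=b""):
    """ESP header (SPI, sequence number) followed by an opaque payload."""
    return struct.pack("!II", spi, seq) + payload


class HipMiddlebox:
    """Tracks the I1/R1/I2/R2 handshake per HIT pair and the SPIs it announces."""

    NEXT_STATE = {HIP_I1: "i1", HIP_R1: "r1", HIP_I2: "i2", HIP_R2: "established"}
    REQUIRED_STATE = {HIP_I1: "none", HIP_R1: "i1", HIP_I2: "r1", HIP_R2: "i2"}

    def __init__(self):
        self.exchanges = {}      # frozenset({hit, hit}) -> {"state": str, "spis": set()}
        self.allowed_spis = set()

    def on_hip(self, pkt):
        ptype, s_hit, r_hit, params = parse_hip(pkt)
        ex = self.exchanges.setdefault(frozenset((s_hit, r_hit)),
                                       {"state": "none", "spis": set()})
        if ptype not in self.REQUIRED_STATE or ex["state"] != self.REQUIRED_STATE[ptype]:
            return "drop"        # unknown type or out-of-order handshake packet
        ex["state"] = self.NEXT_STATE[ptype]
        if PARAM_ESP_INFO in params:
            _res, _kmi, _old_spi, new_spi = struct.unpack("!HHII", params[PARAM_ESP_INFO])
            ex["spis"].add(new_spi)
        if ex["state"] == "established":
            self.allowed_spis |= ex["spis"]   # pinholes open only once R2 has been seen
        return "pass"

    def on_esp(self, pkt):
        """Admit by SPI only: the box holds no ESP keys, so the payload is opaque to it."""
        spi, _seq = struct.unpack("!II", pkt[:8])
        return "pass" if spi in self.allowed_spis else "drop"


def simulate():
    """Run a constructed packet sequence through the middlebox; return its decisions."""
    mb = HipMiddlebox()
    return [
        mb.on_esp(build_esp(0x1111, 1)),                                # no exchange yet
        mb.on_hip(build_hip(HIP_I1, HIT_A, HIT_B)),
        mb.on_hip(build_hip(HIP_R1, HIT_B, HIT_A)),
        mb.on_hip(build_hip(HIP_I2, HIT_A, HIT_B, esp_info(0x1111))),
        mb.on_esp(build_esp(0x1111, 1)),                                # handshake incomplete
        mb.on_hip(build_hip(HIP_R2, HIT_B, HIT_A, esp_info(0x2222))),
        mb.on_esp(build_esp(0x1111, 1, b"ciphertext")),
        mb.on_esp(build_esp(0x2222, 1, b"ciphertext")),
        mb.on_esp(build_esp(0x3333, 1)),                                # SPI never announced
        mb.on_hip(build_hip(HIP_R2, HIT_B, HIT_A, esp_info(0x4444))),   # stray R2, wrong state
    ]


if __name__ == "__main__":
    print(simulate())
```

Because the box never holds the ESP keys, the `on_esp` decision is purely a binding of the SPI to a completed exchange; that is the gap the three options in the quoted reply (per-packet signatures, nested IPsec tunnels, or the scheme in the Ambient Networks paper) are meant to close, and it is also why a stateful box of this kind depends on seeing both directions of the handshake on the same path.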