Re: [EME] Traversing HIP-aware NATs and Firewalls: Problem Statement and Requirements

Hannes Tschofenig <Hannes.Tschofenig@gmx.net> Tue, 19 June 2007 07:11 UTC

Message-ID: <4677818C.7070008@gmx.net>
Date: Tue, 19 Jun 2007 09:11:08 +0200
From: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
To: Paul Francis <francis@cs.cornell.edu>
Subject: Re: [EME] Traversing HIP-aware NATs and Firewalls: Problem Statement and Requirements
References: <E6F7A586E0A3F94D921755964F6BE006C9806B@EXCHANGE2.cs.cornell.edu>
In-Reply-To: <E6F7A586E0A3F94D921755964F6BE006C9806B@EXCHANGE2.cs.cornell.edu>
Cc: eme@irtf.org
List-Id: end-middle-end research group <eme.irtf.org>

Hi Paul,

Paul Francis wrote:
> Hi Hannes,
>
> I'm responding to your emails out of order...
>
> This draft certainly is relevant.  I would not claim to have been intimately
> familiar with it when we wrote the EME drafts, but speaking for myself I was
> vaguely aware of it.  (As you can see, we were quite lazy about citing much
> of anything.  Especially the design draft is meant to trigger getting
> feedback...it is certainly our intent to do a better job with citations once
> we think we are on the right track.)
>
Hmmm.

> As far as the HIP nat traversal stuff relates to NUTSS, am I right in saying
> that it suffers from the problem of asymmetric paths (i.e. with multihomed
> sites)?  If this is the case, then NUTSS seems very complementary to HIP (as
> Tom and others are suggesting).
>
It depends on what you call "suffer". There are various ways to solve these 
problems. It is just not beautiful when NAT/Firewall traversal is dumped 
into HIP. It works nicely when you use other protocols that are designed 
for this purpose.

On the other hand, stateful packet filtering firewalls just don't work 
nicely with asymmetric paths. It's just the way they work; it's 
their purpose.

> Sorry if this is a stupid question, but am I right in assuming that with hip
> nat/fw traversal, the middleboxes can authenticate the HIP setup, but not
> data packets themselves (which after all are vanilla IPsec packets)?
>
That's true unless you
* digitally sign each packet,
* establish IPsec tunnels recursively, or
* use something similar to the stuff suggested in 
http://www.ambient-networks.org/docs/Advanced_HIP_based_Firewall_Traversal.pdf 


But again, there is the question why you actually need this functionality.


Ciao
Hannes

> PF
>
>> -----Original Message-----
>> From: Hannes Tschofenig [mailto:Hannes.Tschofenig@gmx.net] 
>> Sent: Monday, June 18, 2007 4:09 PM
>> To: eme@irtf.org
>> Subject: [EME] Traversing HIP-aware NATs and Firewalls: 
>> Problem Statement andRequirements
>>
>> This document might be related and relevant:
>> http://www.tschofenig.com/drafts/draft-tschofenig-hiprg-hip-natfw-traversal-04.txt
>>
>> I wonder whether someone ever looked at it.
>>
>>
>>
>> _______________________________________________
>> EME mailing list
>> EME@irtf.org
>> https://www1.ietf.org/mailman/listinfo/eme
>>


_______________________________________________
EME mailing list
EME@irtf.org
https://www1.ietf.org/mailman/listinfo/eme
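The two points made in the reply above, that a HIP-aware middlebox can only act on the base exchange while the ESP data packets stay opaque to it, and that a stateful filter on one border of a multihomed site never sees the half of the exchange that crossed the other border, can be shown with a small simulation. The Python below is an added illustration, not code from the HIP NAT/firewall-traversal draft, the EME drafts or either author. The `Packet` layout, the four-message I1/R1/I2/R2 abstraction, the `HipAwareFirewall` policy, the addresses and the SPIs are all constructed assumptions; the model takes the signature check on R1/I2/R2 as given and keeps only the announced SPI pair for the data plane.

```python
"""Toy model of a HIP-aware stateful firewall on a multihomed site.

Added illustration, not code from the HIP NAT/FW-traversal or EME drafts.
Packet layout, the I1/R1/I2/R2 abstraction, addresses and SPIs are all
constructed assumptions; signature verification of R1/I2/R2 is taken as given.
"""
from dataclasses import dataclass, field

HIP_PROTO = 139  # IANA protocol number for HIP
ESP_PROTO = 50   # IANA protocol number for ESP

# Constructed endpoints (documentation address ranges) and SPIs.
INIT, RESP = "192.0.2.5", "198.51.100.7"
SPI_I, SPI_R = 0x1111, 0x2222  # initiator's and responder's inbound SPI

# Expected order of the base exchange as seen by a box that tracks it.
NEXT = {"": "I1", "I1": "R1", "R1": "I2", "I2": "R2"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    hip_type: str = ""  # "I1", "R1", "I2" or "R2" for HIP control packets
    spi: int = 0        # SPI announced in ESP_INFO (I2/R2) or carried by ESP


@dataclass
class HipAwareFirewall:
    name: str
    bex: dict = field(default_factory=dict)        # (initiator, responder) -> last message seen
    esp_allowed: set = field(default_factory=set)  # (src, dst, spi) learned from the exchange
    dropped: list = field(default_factory=list)

    @staticmethod
    def _assoc(pkt):
        # I1/I2 flow initiator -> responder, R1/R2 flow responder -> initiator.
        return (pkt.src, pkt.dst) if pkt.hip_type in ("I1", "I2") else (pkt.dst, pkt.src)

    def filter(self, pkt):
        """Return True if the packet is forwarded, False if it is dropped."""
        if pkt.proto == HIP_PROTO:
            key = self._assoc(pkt)
            if NEXT.get(self.bex.get(key, "")) != pkt.hip_type:
                # Out of order: this box did not see the earlier messages,
                # e.g. because it sits only on the return path.
                self.dropped.append(pkt)
                return False
            self.bex[key] = pkt.hip_type
            # The control plane is what the middlebox can authenticate; all it
            # keeps for the data plane is the SPI each side announced.
            if pkt.hip_type == "I2":
                self.esp_allowed.add((key[1], key[0], pkt.spi))  # responder -> initiator
            elif pkt.hip_type == "R2":
                self.esp_allowed.add((key[0], key[1], pkt.spi))  # initiator -> responder
            return True
        if pkt.proto == ESP_PROTO and (pkt.src, pkt.dst, pkt.spi) in self.esp_allowed:
            # ESP payloads are opaque: the SPI lookup is the only per-packet check.
            return True
        self.dropped.append(pkt)
        return False


def trace():
    """Constructed packet trace: a full base exchange, then one ESP packet each way."""
    return [
        Packet(INIT, RESP, HIP_PROTO, "I1"),
        Packet(RESP, INIT, HIP_PROTO, "R1"),
        Packet(INIT, RESP, HIP_PROTO, "I2", spi=SPI_I),
        Packet(RESP, INIT, HIP_PROTO, "R2", spi=SPI_R),
        Packet(INIT, RESP, ESP_PROTO, spi=SPI_R),
        Packet(RESP, INIT, ESP_PROTO, spi=SPI_I),
    ]


def run(route):
    """route(pkt) picks the firewall each packet crosses; returns the forward/drop verdicts."""
    return [route(p).filter(p) for p in trace()]


def symmetric():
    """Single border: every packet crosses fw_a."""
    fw_a = HipAwareFirewall("fw_a")
    return run(lambda p: fw_a)


def asymmetric_return_path():
    """Multihomed site: outbound leaves via fw_a, all return traffic enters via fw_b."""
    fw_a, fw_b = HipAwareFirewall("fw_a"), HipAwareFirewall("fw_b")
    return run(lambda p: fw_a if p.src == INIT else fw_b)


def rehomed_data_path():
    """Base exchange completes via fw_a; the responder's ESP later arrives via fw_b."""
    fw_a, fw_b = HipAwareFirewall("fw_a"), HipAwareFirewall("fw_b")
    return run(lambda p: fw_b if p.proto == ESP_PROTO and p.src == RESP else fw_a)


if __name__ == "__main__":
    for name, verdicts in [("symmetric", symmetric()),
                           ("asymmetric", asymmetric_return_path()),
                           ("rehomed", rehomed_data_path())]:
        print(f"{name:10s}", ["pass" if v else "DROP" for v in verdicts])
```

In the asymmetric case the responder's R1 reaches fw_b, which never saw I1, so the exchange is already dropped at the second message. In the rehoming case the base exchange completes through fw_a, but the responder's ESP later arrives at fw_b, which holds no SPI for it; nothing in the ESP packet lets fw_b verify that it belongs to an authenticated association, which is the gap the per-packet signature and recursive-tunnel options mentioned in the reply are meant to close.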