IETF Logo Mail Archive

Re: [Hipsec] HIP Native NAT Traversal

Miika Komu <mkomu@cs.hut.fi> Tue, 13 April 2010 05:31 UTC

Return-Path: <mkomu@cs.hut.fi>
X-Original-To: hipsec@core3.amsl.com
Delivered-To: hipsec@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 5B22028C0CE for <hipsec@core3.amsl.com>; Mon, 12 Apr 2010 22:31:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RrTL7DVTj0n8 for <hipsec@core3.amsl.com>; Mon, 12 Apr 2010 22:31:52 -0700 (PDT)
Received: from hutcs.cs.hut.fi (hutcs.cs.hut.fi [130.233.192.7]) by core3.amsl.com (Postfix) with ESMTP id BAEC13A682D for <hipsec@ietf.org>; Mon, 12 Apr 2010 22:31:52 -0700 (PDT)
Received: from hutcs.cs.hut.fi ([130.233.192.7] helo=[127.0.0.1]) by hutcs.cs.hut.fi with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.54) id 1O1Yiu-0003Fj-Qo for hipsec@ietf.org; Tue, 13 Apr 2010 08:31:44 +0300
Message-ID: <4BC401C5.1090800@cs.hut.fi>
Date: Tue, 13 Apr 2010 08:31:49 +0300
From: Miika Komu <mkomu@cs.hut.fi>
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.10pre) Gecko/20100407 Shredder/3.0.5pre
MIME-Version: 1.0
To: hipsec@ietf.org
References: <4BBF283A.9080408@ericsson.com> <4BBF8C33.8050203@cs.hut.fi> <4BC2E8D6.6030404@nomadiclab.com> <010501cada94$b4cbcab0$ada56b80@cisco.com> <i2lc0c97aa91004122021h4a4911d7r1868d84cec7c2a75@mail.gmail.com>
In-Reply-To: <i2lc0c97aa91004122021h4a4911d7r1868d84cec7c2a75@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Subject: Re: [Hipsec] HIP Native NAT Traversal
X-BeenThere: hipsec@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the official IETF Mailing List for the HIP Working Group." <hipsec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/hipsec>
List-Post: <mailto:hipsec@ietf.org>
List-Help: <mailto:hipsec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/hipsec>, <mailto:hipsec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Apr 2010 05:31:54 -0000

On 13/04/10 06:21, frogsir wrote:

Hi,

> On Tue, Apr 13, 2010 at 2:05 AM, Dan Wing <dwing@cisco.com
> <mailto:dwing@cisco.com>> wrote:
>
>
>
>      > -----Original Message-----
>      > From: hipsec-bounces@ietf.org <mailto:hipsec-bounces@ietf.org>
>      > [mailto:hipsec-bounces@ietf.org <mailto:hipsec-bounces@ietf.org>]
>     On Behalf Of Ari Keranen
>      > Sent: Monday, April 12, 2010 2:33 AM
>      > To: hipsec@ietf.org <mailto:hipsec@ietf.org>
>      > Subject: Re: [Hipsec] HIP Native NAT Traversal
>      >
>      > Hi,
>      >
>      > On 04/09/2010 11:21 PM, Miika Komu wrote:
>      > > On 04/09/2010 04:14 PM, Gonzalo Camarillo wrote:
>      > >> in Anaheim, we decided to continue discussing on the list
>      > the following
>      > >> draft:
>      > >>
>      > >>
>      > https://datatracker.ietf.org/doc/draft-keranen-hip-native-nat-
>      > traversal/
>      > >>
>      > >> In particular, I would like to see discussions on the
>      > lessons learned
>      > >> from the STUN-based implementations and potential benefits of
>      > >> implementing STUN-like functionality in HIP.
>      > >
>      > > from a protocol design perspective, demultiplexing of HIP,
>      > ESP and STUN
>      > > packets is complicated. At implementation level, this introduced an
>      > > additional requirement of packet capture using iptables. I
>      > believe this
>      > > part would become cleaner design and implementation-wise by
>      > replacing
>      > > STUN with HIP.
>      >
>      > This is indeed a problem if you don't want to patch kernel
>      > code. While
>      > HIP packets can be simply demultiplexed using the non-ESP
>      > marker, STUN
>      > packets can't and therefore you need to either use some
>      > filtering before
>      > the IPsec processing (e.g., iptables) or process all the
>      > packets at user
>      > space, which causes some performance penalty.
>
>     Has there been a discussion to send STUN directly over HIP, rather
>     than replacing STUN with STUN-mimicing HIP messages?  Sending
>     STUN messages directly over HIP would remove the need to demux
>     STUN/HIP/ESP -- you would only need to demux HIP/ESP in the kernel
>     (as with today's HIP), and deal with a single HIP 'container' for
>     the STUN messages.
>
>
>
> *We have made such implementation.  The whole STUN message is
> encapsulate into HIP_STUN parameter which is carried by HIP_UPDATE
> packets. it solves most of  the demultiplexing problems indeed.*

to be more precise, it was just an internal implementation trick to get 
incoming STUN messages from the packet capture module to hipd. So it 
really did not solve the problem because it still required HIP/ESP/STUN 
demuxing somewhere in the system.

Having STUN messages in HIP encapsulated format *on-the-wire* would 
solve the demux problem, but the extra parser and marshaling library 
would still be necessary for STUN which would further increase the 
footprint of hipd.

v2.23.0 | Report a Bug | By Email