190 likes | 379 Views
RSIP Address Sharing with End-to-End Security. Mike Borella , 3Com Corp. Gabriel Montenegro , Sun Microsystems March 2000. Where is the Network Edge?. Yesterday: Corporations Universities Today: Homes Cell phones, PDAs Tomorrow: Everywhere Hotels Airports Conference centers
E N D
RSIP Address Sharing with End-to-End Security Mike Borella, 3Com Corp. Gabriel Montenegro, Sun Microsystems March 2000
Where is the Network Edge? • Yesterday: • Corporations • Universities • Today: • Homes • Cell phones, PDAs • Tomorrow: • Everywhere • Hotels • Airports • Conference centers • “Gas stations on the Information Superhighway”
The Expansion of the Edge has Accelerated the IP Address Shortage • About 4 billion total, but... • Heavy allocation to North America and Europe • Many unused (old Class A blocks) • Limited by routing architecture (prefixes, CIDR) • Conservative allocation policies • Typically must demonstrate both need and usage • Heterogeneity implies that address space usage count is intractable! • Perhaps as many as 50% unallocated • Given current growth trends, these wouldn’t last long on the open market
The Solution So Far…Network Address Translation (NAT) • Multiple hosts share one address • NAT router re-writes packet headers to same public IP • Application proxies for protocols that transmit addresses and ports • On the down side... • Difficult to maintain and manage • Breaks IPSEC -> no VPNs • Doesn’t work well with many next-generation protocols • mobile IP, multicast, RSVP, etc. • Nonetheless, very widespread deployment
10.0.0.4 NAT in a Nutshell NAT Router 10.0.0.1 149.112.240.55
NAT Needs ALGs for Address and Port Content in the Payload FTP control packet from private host arriving at NAT router Source IP address Source TCP port (10.0.0.4) (1025) Payload (IP = 10.0.0.4, Port = 1026) Destination IP address Destination TCP port (192.156.136.22) (21) IP TCP Header Header Figure out protocol, look into packet, translate addresses and ports, change TCP sequence number, maintain running delta for lifetime of connection…yuck!
Realm Specific IP (RSIP) • RSIP goals • Alternative to NAT on same network architecture • less computation at router • No need for ALGs • IPSEC integration possible • Use header tuples (e.g., ports, SPIs) to extend IP address space • IP addresses and tuples from the public routing realm are leased by private hosts • Assignments are made such that incoming packets can always be demultiplexed properly
Local SRC IP DST IP Assigned Port Assigned IP DST Port 10.0.0.4 192.156.136.22 1192 149.112.240.55 80 10.0.0.4 RSIP in a Nutshell RSIP Router 10.0.0.1 149.112.240.55
RSIP vs. NAT • Similarities • Demultiplex on tuples (e.g., addresses, port numbers) • Mapping kept by server/router • Differences • NAT: Router modifies packets, host oblivious • RSIP: Host asks router how to make packets “Internet ready” • NAT: No modifications to host, protocol support in router • RSIP: Host modified but no protocol support required in router
RSIP Protocol • Lightweight negotiation between RSIP servers and hosts of arbitrary parameters • “Network” and “control” resources • Vendor-specific parameters • Error reporting • Transport agnostic • may be TCP or UDP (we use port 4455) • Message and parameter formats allow extensibility beyond our specification • E.g., IPSEC SPIs, ISAKMP cookies, PPTP call IDs, etc.
10.0.0.4 REGISTRATION_REQUEST REGISTRATION_RESPONSE (client ID = 2, flow policy = local micro, remote macro) Registration RSIP Server 10.0.0.1 149.112.240.55
ASSIGN_REQUEST_RSAP-IP (client ID = 2, local addr = X, local port = X, remote addr = 128.153.4.3, remote port = X) 10.0.0.4 ASSIGN_RESPONSE_RSAP-IP (client ID = 2, bind ID = 1, local addr = 149.112.240.55, local port = 12345, remote addr = 128.153.4.3, remote port = X, lease = 3600, tunnel = IPIP) Assignment RSIP Server 10.0.0.1 149.112.240.55
IPSEC • Two related, but independent modules: • Secure encapsulation and transport (ESP, AH) • Rather straightforward • Secure key exchange (IKE, ISAKMP, OAKLEY) • Rather complicated
RSIP with IPSEC • ESP encrypts all ports: can’t use them to demultiplex! • Use SPI instead • Additional negotiation: ASSIGN_REQUEST_RSIPSEC • IPSEC client module must: • Use ephemeral IKE source port • Otherwise I-Cookie routing necessary - more negotiation • Using default IKE port may cause rekeying problems • Acquire SPI values from RSIP module
Internet Remote Access from Airport Kiosk Corporate Network Mobile Client Airport LAN NAT Router
Internet Secure VPN Enabled by RSIP Corporate Network Mobile Client w/ RSIP Secure Virtual Tunnel Airport LAN RSIP Router
RSIP and IPv6? • Part of a dual-stack transition mechanism?
Current Status in the IETF • draft-ietf-nat-rsip-protocol-06.txt • draft-ietf-nat-rsip-framework-04.txt • draft-ietf-nat-rsip-ipsec-03.txt • draft-ietf-nat-rsip-slp-00.txt • draft-ietf-dhc-nextserver-02.txt