RSIP
Address Sharing with End-to-End Security
Mike Borella, 3Com Corp.
Gabriel Montenegro, Sun Microsystems
March 2000
Where is the Network Edge?

Yesterday:
– Corporations
– Universities

Today:
– Homes
– Cell phones, PDAs

Tomorrow:
– Everywhere
  – Hotels
  – Airports
  – Conference centers
  – “Gas stations on the Information Superhighway”
Realm Specific IP
page 2
The Expansion of the Edge has Accelerated the IP Address Shortage

About 4 billion total, but...
– Heavy allocation to North America and Europe
– Many unused (old Class A blocks)
– Limited by routing architecture (prefixes, CIDR)
– Conservative allocation policies
  – Typically must demonstrate both need and usage

Heterogeneity implies that address space usage count is intractable!
– Perhaps as many as 50% unallocated
– Given current growth trends, these wouldn’t last long on the open market
The Solution So Far… Network Address Translation (NAT)

Multiple hosts share one address
– NAT router re-writes packet headers to same public IP
– Application proxies for protocols that transmit addresses and ports

On the down side...
– Difficult to maintain and manage
– Breaks IPSEC -> no VPNs
– Doesn’t work well with many next-generation protocols
  – mobile IP, multicast, RSVP, etc.

Nonetheless, very widespread deployment
NAT in a Nutshell

Translation table kept by the NAT router:

Local SRC IP   DST IP           Local SRC Port   Assigned SRC Port   DST Port
10.0.0.4       192.156.136.22   1192             12300               80

Topology: private host 10.0.0.4, NAT router (10.0.0.1 inside, 149.112.240.55 outside), Internet, server 192.156.136.22

Outbound, host to NAT router:    SRC IP 10.0.0.4,        SRC Port 1192,  DST IP 192.156.136.22, DST Port 80
Outbound, NAT router to server:  SRC IP 149.112.240.55,  SRC Port 12300, DST IP 192.156.136.22, DST Port 80
Inbound, server to NAT router:   SRC IP 192.156.136.22,  SRC Port 80,    DST IP 149.112.240.55, DST Port 12300
Inbound, NAT router to host:     SRC IP 192.156.136.22,  SRC Port 80,    DST IP 10.0.0.4,       DST Port 1192
NAT Needs ALGs for Address and Port Content in the Payload

FTP control packet from private host arriving at NAT router:
  IP Header:   Source IP address (10.0.0.4), Destination IP address (192.156.136.22)
  TCP Header:  Source TCP port (1025), Destination TCP port (21)
  Payload:     (IP = 10.0.0.4, Port = 1026)

Figure out protocol, look into packet, translate addresses and ports, change TCP sequence number, maintain running delta for lifetime of connection…yuck!
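As an added example (not code from the slides), the steps in that last line written out for one FTP control segment: the ALG rewrites the private address and port inside the PORT command, the rewrite changes the payload length, and the router must then carry that delta on every later sequence and acknowledgement number for the life of the connection. The addresses are the deck's; the FTP PORT encoding (four address octets, then port high and low bytes) is standard; the assigned data port 12301, the class and method names and the port-assignment hook are assumptions.

```python
import re

# FTP PORT command on the wire: four address octets, then port high and low bytes.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n")

def port_cmd(ip, port):
    """Encode a PORT line for the given address and data port."""
    a, b, c, d = ip.split(".")
    return f"PORT {a},{b},{c},{d},{port // 256},{port % 256}\r\n".encode()

class FtpAlg:
    """Per-control-connection state an FTP ALG must keep inside a NAT router."""
    def __init__(self, public_ip, assign_port):
        self.public_ip = public_ip
        self.assign_port = assign_port  # hypothetical hook: private data port -> public port
        self.delta = 0                  # bytes the ALG has added to the client->server stream

    def outbound(self, seg):
        """Client->server segment (dict with seq, ack, payload): rewrite PORT, shift seq."""
        seq = seg["seq"] + self.delta   # earlier rewrites already moved this stream
        payload = seg["payload"]
        m = PORT_RE.match(payload)
        if m:
            private_port = int(m[5]) * 256 + int(m[6])
            payload = port_cmd(self.public_ip, self.assign_port(private_port))
            self.delta += len(payload) - len(seg["payload"])  # running delta for the connection
        return {"seq": seq, "ack": seg["ack"], "payload": payload}

    def inbound(self, seg):
        """Server->client segment: the server ACKs the longer stream, so undo the delta."""
        return {"seq": seg["seq"], "ack": seg["ack"] - self.delta, "payload": seg["payload"]}
```

With the deck's packet ("PORT 10,0,0,4,4,2", i.e. 10.0.0.4 port 1026) the rewritten line is 8 bytes longer, and that offset has to be applied to every following segment in both directions.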
Realm Specific IP (RSIP)

RSIP goals
– Alternative to NAT on same network architecture
– less computation at router
– No need for ALGs
– IPSEC integration possible

Use header tuples (e.g., ports, SPIs) to extend IP address space
– IP addresses and tuples from the public routing realm are leased by private hosts
– Assignments are made such that incoming packets can always be demultiplexed properly
RSIP in a Nutshell

Lease kept by the RSIP router:

Local SRC IP   DST IP           Assigned Port   Assigned IP       DST Port
10.0.0.4       192.156.136.22   1192            149.112.240.55    80

Topology: private host 10.0.0.4, RSIP router (10.0.0.1 inside, 149.112.240.55 outside), Internet, server 192.156.136.22

1. Address and port request, host 10.0.0.4 to RSIP router 10.0.0.1: the host is leased address 149.112.240.55 and ports 10000-10015.
2. Outbound, host to router (tunnelled; outer header SRC IP 10.0.0.4, DST IP 10.0.0.1):
   inner packet SRC IP 149.112.240.55, SRC Port 10000, DST IP 192.156.136.22, DST Port 21
3. Outbound, router to server (tunnel header removed, inner packet forwarded unchanged):
   SRC IP 149.112.240.55, SRC Port 10000, DST IP 192.156.136.22, DST Port 21
4. Inbound, server to router:
   SRC IP 192.156.136.22, SRC Port 21, DST IP 149.112.240.55, DST Port 10000
5. Inbound, router to host (demultiplexed on DST Port 10000; tunnelled with outer header SRC IP 10.0.0.1, DST IP 10.0.0.4):
   inner packet SRC IP 192.156.136.22, SRC Port 21, DST IP 149.112.240.55, DST Port 10000
RSIP vs. NAT

Similarities
– Demultiplex on tuples (e.g., addresses, port numbers)
– Mapping kept by server/router

Differences
– NAT: Router modifies packets, host oblivious
– RSIP: Host asks router how to make packets “Internet ready”
– NAT: No modifications to host, protocol support in router
– RSIP: Host modified but no protocol support required in router
RSIP Protocol

Lightweight negotiation between RSIP servers and hosts of arbitrary parameters
– “Network” and “control” resources
– Vendor-specific parameters
– Error reporting
– Transport agnostic
  – may be TCP or UDP (we use port 4455)

Message and parameter formats allow extensibility beyond our specification
– E.g., IPSEC SPIs, ISAKMP cookies, PPTP call IDs, etc.
Registration

Host 10.0.0.4 -> RSIP Server (10.0.0.1 inside, 149.112.240.55 outside):
  REGISTRATION_REQUEST
RSIP Server -> Host 10.0.0.4:
  REGISTRATION_RESPONSE (client ID = 2, flow policy = local micro, remote macro)
Assignment

Host 10.0.0.4 -> RSIP Server (10.0.0.1 inside, 149.112.240.55 outside):
  ASSIGN_REQUEST_RSAP-IP (client ID = 2, local addr = X, local port = X, remote addr = 128.153.4.3, remote port = X)
RSIP Server -> Host 10.0.0.4:
  ASSIGN_RESPONSE_RSAP-IP (client ID = 2, bind ID = 1, local addr = 149.112.240.55, local port = 12345, remote addr = 128.153.4.3, remote port = X, lease = 3600, tunnel = IPIP)
IPSEC

Two related, but independent modules:
– Secure encapsulation and transport (ESP, AH)
  – Rather straightforward
– Secure key exchange (IKE, ISAKMP, OAKLEY)
  – Rather complicated
IPSEC Encapsulation and Transport

ESP packet layout:
  IP Header:    Source IP address (149.112.60.12), Destination IP address (192.156.136.22)
  ESP Header:   SPI (2240768201)
  TCP Header:   Source TCP port (1025), Destination TCP port (80)
  Payload:      (HTTP)
  ESP Trailer:  HASH

Encrypted: TCP header and payload (the ports are not visible in the clear).
Authenticated: from the ESP header through the ESP trailer; the outer IP header is not covered.
RSIP with IPSEC

ESP encrypts all ports: can’t use them to demultiplex!
– Use SPI instead
– Additional negotiation: ASSIGN_REQUEST_RSIPSEC

IPSEC client module must:
– Use ephemeral IKE source port
  – Otherwise I-Cookie routing necessary - more negotiation
  – Using default IKE port may cause rekeying problems
– Acquire SPI values from RSIP module
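An added example, not code from the slides or from the RSIP drafts, covering the "RSIP in a Nutshell" lease and this slide's SPI case together: a minimal model of the RSIP router's lease table and of how it demultiplexes inbound packets to private hosts without rewriting them, by leased port for plain TCP/UDP and by leased SPI for ESP. Message names follow the deck; the class and method names, the dict-based packets and the server-chosen SPI pool are assumptions.

```python
# Model of an RSIP server's lease table (added example; names are assumptions).
class RSIPServer:
    def __init__(self, public_ip, port_base=10000, block=16):
        self.public_ip = public_ip
        self.next_port = port_base      # next unleased port on public_ip
        self.block = block              # ports per RSAP-IP lease (10000-10015 in the deck)
        self.next_spi = 0x80000001      # assumption: server-chosen pool of inbound SPIs
        self.next_client = 1
        self.private_ip = {}            # client ID -> private address (tunnel endpoint)
        self.by_port = {}               # (public IP, port) -> client ID
        self.by_spi = {}                # (public IP, SPI)  -> client ID

    def register(self, private_ip):
        """REGISTRATION_REQUEST: hand the host a client ID."""
        cid, self.next_client = self.next_client, self.next_client + 1
        self.private_ip[cid] = private_ip
        return cid

    def assign_rsap_ip(self, cid):
        """ASSIGN_REQUEST_RSAP-IP: lease a block of ports on the public address.
        No port is ever leased to two clients, so every inbound TCP/UDP packet
        maps to exactly one private host."""
        ports = range(self.next_port, self.next_port + self.block)
        self.next_port += self.block
        for p in ports:
            self.by_port[(self.public_ip, p)] = cid
        return self.public_ip, ports

    def assign_rsipsec(self, cid):
        """ASSIGN_REQUEST_RSIPSEC: lease an inbound SPI. ESP hides the ports,
        so the SPI is the only plaintext tuple left to demultiplex on."""
        spi, self.next_spi = self.next_spi, self.next_spi + 1
        self.by_spi[(self.public_ip, spi)] = cid
        return spi

    def demux_inbound(self, pkt):
        """Return the private host an inbound packet is tunnelled to, or None
        when no lease matches (the router drops it instead of guessing)."""
        if pkt["proto"] == "ESP":
            cid = self.by_spi.get((pkt["dst_ip"], pkt["spi"]))
        else:
            cid = self.by_port.get((pkt["dst_ip"], pkt["dst_port"]))
        return self.private_ip.get(cid)
```

The router never touches the inner packet; it only needs the lease table to pick the tunnel, which is why no ALG is required and why ESP survives the trip.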
Remote Access from Airport Kiosk

Figure: Mobile Client (56K or less) -> Airport LAN -> NAT Router -> Internet -> Corporate Network
Labelled problems along the path: Address Shortage at the airport LAN, Security at the NAT router, Security at the corporate network.
Secure VPN Enabled by RSIP

Figure: Mobile Client w/ RSIP -> Airport LAN -> RSIP Router -> Internet -> Corporate Network
RSIP-enabled address sharing on the airport LAN; Secure Virtual Tunnel end to end from the mobile client to the corporate network.
RSIP and IPv6?

Part of a dual-stack transition mechanism?

Figure: IPv6 only subnet -> IPv4/IPv6 dual stack subnet -> IPv4 only subnet -> IPv4 Internet Backbone -> IPv4/IPv6 dual stack subnet
Current Status in the IETF
– draft-ietf-nat-rsip-protocol-06.txt
– draft-ietf-nat-rsip-framework-04.txt
– draft-ietf-nat-rsip-ipsec-03.txt
– draft-ietf-nat-rsip-slp-00.txt
– draft-ietf-dhc-nextserver-02.txt