1 / 19

RSIP Address Sharing with End-to-End Security

This article explores how RSIP provides an alternative to NAT for address sharing with improved security and integration with IPSEC.

hharold
Download Presentation

RSIP Address Sharing with End-to-End Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. RSIP Address Sharing with End-to-End Security Mike Borella, 3Com Corp. Gabriel Montenegro, Sun Microsystems March 2000

  2. Where is the Network Edge? • Yesterday: • Corporations • Universities • Today: • Homes • Cell phones, PDAs • Tomorrow: • Everywhere • Hotels • Airports • Conference centers • “Gas stations on the Information Superhighway”

  3. The Expansion of the Edge has Accelerated the IP Address Shortage • About 4 billion total, but... • Heavy allocation to North America and Europe • Many unused (old Class A blocks) • Limited by routing architecture (prefixes, CIDR) • Conservative allocation policies • Typically must demonstrate both need and usage • Heterogeneity implies that address space usage count is intractable! • Perhaps as many as 50% unallocated • Given current growth trends, these wouldn’t last long on the open market

  4. The Solution So Far…Network Address Translation (NAT) • Multiple hosts share one address • NAT router re-writes packet headers to same public IP • Application proxies for protocols that transmit addresses and ports • On the down side... • Difficult to maintain and manage • Breaks IPSEC -> no VPNs • Doesn’t work well with many next-generation protocols • mobile IP, multicast, RSVP, etc. • Nonetheless, very widespread deployment

  5. 10.0.0.4 NAT in a Nutshell NAT Router 10.0.0.1 149.112.240.55

  6. NAT Needs ALGs for Address and Port Content in the Payload FTP control packet from private host arriving at NAT router Source IP address Source TCP port (10.0.0.4) (1025) Payload (IP = 10.0.0.4, Port = 1026) Destination IP address Destination TCP port (192.156.136.22) (21) IP TCP Header Header Figure out protocol, look into packet, translate addresses and ports, change TCP sequence number, maintain running delta for lifetime of connection…yuck!

  7. Realm Specific IP (RSIP) • RSIP goals • Alternative to NAT on same network architecture • less computation at router • No need for ALGs • IPSEC integration possible • Use header tuples (e.g., ports, SPIs) to extend IP address space • IP addresses and tuples from the public routing realm are leased by private hosts • Assignments are made such that incoming packets can always be demultiplexed properly

  8. Local SRC IP DST IP Assigned Port Assigned IP DST Port 10.0.0.4 192.156.136.22 1192 149.112.240.55 80 10.0.0.4 RSIP in a Nutshell RSIP Router 10.0.0.1 149.112.240.55

  9. RSIP vs. NAT • Similarities • Demultiplex on tuples (e.g., addresses, port numbers) • Mapping kept by server/router • Differences • NAT: Router modifies packets, host oblivious • RSIP: Host asks router how to make packets “Internet ready” • NAT: No modifications to host, protocol support in router • RSIP: Host modified but no protocol support required in router

  10. RSIP Protocol • Lightweight negotiation between RSIP servers and hosts of arbitrary parameters • “Network” and “control” resources • Vendor-specific parameters • Error reporting • Transport agnostic • may be TCP or UDP (we use port 4455) • Message and parameter formats allow extensibility beyond our specification • E.g., IPSEC SPIs, ISAKMP cookies, PPTP call IDs, etc.

  11. 10.0.0.4 REGISTRATION_REQUEST REGISTRATION_RESPONSE (client ID = 2, flow policy = local micro, remote macro) Registration RSIP Server 10.0.0.1 149.112.240.55

  12. ASSIGN_REQUEST_RSAP-IP (client ID = 2, local addr = X, local port = X, remote addr = 128.153.4.3, remote port = X) 10.0.0.4 ASSIGN_RESPONSE_RSAP-IP (client ID = 2, bind ID = 1, local addr = 149.112.240.55, local port = 12345, remote addr = 128.153.4.3, remote port = X, lease = 3600, tunnel = IPIP) Assignment RSIP Server 10.0.0.1 149.112.240.55

  13. IPSEC • Two related, but independent modules: • Secure encapsulation and transport (ESP, AH) • Rather straightforward • Secure key exchange (IKE, ISAKMP, OAKLEY) • Rather complicated

  14. IPSEC Encapsulation and Transport

  15. RSIP with IPSEC • ESP encrypts all ports: can’t use them to demultiplex! • Use SPI instead • Additional negotiation: ASSIGN_REQUEST_RSIPSEC • IPSEC client module must: • Use ephemeral IKE source port • Otherwise I-Cookie routing necessary - more negotiation • Using default IKE port may cause rekeying problems • Acquire SPI values from RSIP module

  16. Internet Remote Access from Airport Kiosk Corporate Network Mobile Client Airport LAN NAT Router

  17. Internet Secure VPN Enabled by RSIP Corporate Network Mobile Client w/ RSIP Secure Virtual Tunnel Airport LAN RSIP Router

  18. RSIP and IPv6? • Part of a dual-stack transition mechanism?

  19. Current Status in the IETF • draft-ietf-nat-rsip-protocol-06.txt • draft-ietf-nat-rsip-framework-04.txt • draft-ietf-nat-rsip-ipsec-03.txt • draft-ietf-nat-rsip-slp-00.txt • draft-ietf-dhc-nextserver-02.txt

More Related