Sun's SKIP Firewall Traversal for Mobile IP
RFC 2356
Network Working Group G. Montenegro
Request for Comments: 2356 V. Gupta
Category: Informational Sun Microsystems, Inc.
June 1998
Sun's SKIP Firewall Traversal for Mobile IP
Status of This Memo
This memo provides information for the Internet community. This memo
does not specify an Internet standard of any kind. Distribution of
this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1998). All Rights Reserved.
Abstract
The Mobile IP specification establishes the mechanisms that enable a
mobile host to maintain and use the same IP address as it changes its
point of attachment to the network. Mobility implies higher security
risks than static operation, because the traffic may at times take
unforeseen network paths with unknown or unpredictable security
characteristics. The Mobile IP specification makes no provisions for
securing data traffic. The mechanisms described in this document
allow a mobile node out on a public sector of the internet to
negotiate access past a SKIP firewall, and construct a secure channel
into its home network.
In addition to securing traffic, our mechanisms allow a mobile node
to roam into regions that (1) impose ingress filtering, and (2) use a
different address space.
Table of Contents
1. Introduction ............................................... 2
2. Mobility without a Firewall ................................ 4
3. Restrictions imposed by a Firewall ......................... 4
4. Two Firewall Options: Application relay and IP Security .... 5
4.1 SOCKS version 5 [4] ....................................... 5
4.2 SKIP [3] .................................................. 6
5. Agents and Mobile Node Configurations ...................... 8
6. Supporting Mobile IP: Secure Channel Configurations ........ 9
6.1 I: Encryption only Outside of Private Network ............. 9
6.2 II: End-to-End Encryption ................................. 10
6.3 III: End-to-End Encryption, Intermediate Authentication ... 10
Montenegro & Gupta Informational [Page 1]
RFC 2356 Sun's SKIP Firewall Traversal for Mobile IP June 1998
6.4 IV: Encryption Inside and Outside ......................... 10
6.5 Choosing a Secure Channel Configuration ................... 11
7. Mobile IP Registration Procedure with a SKIP Firewall ...... 11
7.1. Registration Request through the Firewall ................ 12
7.1.1. On the Outside (Public) Network ........................ 13
7.1.2. On the Inside (Private) Network ........................ 14
7.2. Registration Reply through the Firewall .................. 14
7.2.1. On the Inside (Private) Network ........................ 15
7.2.2. On the Outside (Public) Network ........................ 15
7.3. Traversal Extension ...................................... 16
8. Data Transfer .............................................. 18
8.1. Data Packet From the Mobile Node to a Correspondent Node . 18
8.2. Data Packet From a Correspondent Node to the Mobile Node . 19
8.2.1 Within the Inside (Private) Network ..................... 20
8.2.2. On the Outside (Public) Network ........................ 21
9. Security Considerations .................................... 21
Acknowledgements .............................................. 22
References .................................................... 22
Authors' Addresses ............................................ 23
Full Copyright Statement ...................................... 24
1. Introduction
This document specifies what support is required at the firewall, the
Mobile IP [1] home agent and the Mobile IP mobile node to enable the
latter to access a private network from the Internet. For example, a
company employee could attach his/her laptop to some Internet access
point by:
a) Dialing into a PPP/SLIP account on an Internet service
provider's network.
b) Connecting into a 10Base-T or similar LAN network available
at, for example, an IETF terminal room, a local university,
or another company's premises.
Notice that in these examples, the mobile node's relevant interface
(PPP or 10Base-T) is configured with an IP address different from
that which it uses "normally" (i.e. at the office). Furthermore, the
IP address used is not necessarily a fixed assignment. It may be
assigned temporarily and dynamically at the beginning of the session
(e.g. by IPCP in the PPP case, or DHCP in the 10Base-T case).
The following discussion assumes a network configuration consisting
of a private network separated by a firewall from the general
Show full document text