RSIP Address Sharing with End-to-End Security
Mike Borella, 3Com Corp.
Gabriel Montenegro, Sun Microsystems
March 2000
Realm Specific IP, page 2
Where is the Network Edge?
Yesterday:
– Corporations
– Universities
Today:
– Homes
– Cell phones, PDAs
Tomorrow:
– Everywhere
  Hotels, airports, conference centers, “gas stations on the Information Superhighway”
Realm Specific IP, page 3
The Expansion of the Edge has Accelerated the IP Address Shortage
About 4 billion total, but...
– Heavy allocation to North America and Europe
– Many unused (old Class A blocks)
– Limited by routing architecture (prefixes, CIDR)
– Conservative allocation policies
  Typically must demonstrate both need and usage
Heterogeneity implies that an address space usage count is intractable!
– Perhaps as many as 50% unallocated
– Given current growth trends, these wouldn’t last long on the open market
Realm Specific IP, page 4
The Solution So Far… Network Address Translation (NAT)
Multiple hosts share one address
– NAT router re-writes packet headers to the same public IP
– Application proxies for protocols that transmit addresses and ports
On the down side...
– Difficult to maintain and manage
– Breaks IPSEC -> no VPNs
– Doesn’t work well with many next-generation protocols
  mobile IP, multicast, RSVP, etc.
Nonetheless, very widespread deployment
Realm Specific IP, page 5
NAT in a Nutshell
[Diagram: private host 10.0.0.4 behind a NAT router (private side 10.0.0.1, public side 149.112.240.55), talking to 192.156.136.22 on the Internet]
– Host -> NAT router: SRC IP 10.0.0.4, SRC Port 1192, DST IP 192.156.136.22, DST Port 80
– NAT router -> Internet: SRC IP 149.112.240.55, SRC Port 12300, DST IP 192.156.136.22, DST Port 80
– Internet -> NAT router: SRC IP 192.156.136.22, SRC Port 80, DST IP 149.112.240.55, DST Port 12300
– NAT router -> host: SRC IP 192.156.136.22, SRC Port 80, DST IP 10.0.0.4, DST Port 1192
NAT router table: Local SRC IP 10.0.0.4, Local SRC Port 1192, Assigned SRC Port 12300, DST IP 192.156.136.22, DST Port 80
Realm Specific IP, page 6
NAT Needs ALGs for Address and Port Content in the Payload
FTP control packet from private host arriving at NAT router
Figure out protocol, look into packet, translate addresses and ports, change TCP sequence number, maintain running delta for lifetime of connection… yuck!
[Diagram of the packet:]
IP header: Source IP address (10.0.0.4), Destination IP address (192.156.136.22)
TCP header: Destination TCP port (21), Source TCP port (1025)
Payload: (IP = 10.0.0.4, Port = 1026)
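As an added example (not from the slides), a toy NAT in Python that does the two jobs slides 5 and 6 describe: rewriting the source address and port of outbound packets, and, for FTP control traffic, the ALG rewrite of the private address carried in the PORT command together with the TCP sequence-number delta the router then has to track. Addresses and ports are the slides' values; packets as plain dicts and the Nat class are this example's own assumptions.

```python
# Added example, not from the slides: header rewrite plus an FTP PORT ALG.
import re

PUBLIC_IP = "149.112.240.55"                      # NAT router's public address
PORT_RE = re.compile(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


class Nat:
    def __init__(self):
        self.table = {}          # assigned public port -> (private ip, private port)
        self.next_port = 12300   # first assigned port, as on slide 5

    def outbound(self, pkt):
        """Private -> Internet: replace SRC IP/port and remember the mapping."""
        key = (pkt["src"], pkt["sport"])
        for pub, priv in self.table.items():
            if priv == key:
                break
        else:
            pub = self.next_port
            self.next_port += 1
            self.table[pub] = key
        out = dict(pkt, src=PUBLIC_IP, sport=pub)
        if pkt["dport"] == 21:                       # FTP control: ALG needed
            out["payload"], out["seq_delta"] = self.ftp_alg(pkt["payload"])
        return out

    def inbound(self, pkt):
        """Internet -> private: look up the assigned port, restore DST IP/port."""
        priv = self.table.get(pkt["dport"])
        if priv is None:
            return None                               # no mapping: drop
        return dict(pkt, dst=priv[0], dport=priv[1])

    def ftp_alg(self, payload):
        """Rewrite 'PORT h1,h2,h3,h4,p1,p2' so the data connection uses a public
        address/port.  Returns the new payload and its length change, which the
        NAT must apply to TCP sequence numbers for the rest of the connection."""
        m = PORT_RE.search(payload)
        if not m:
            return payload, 0
        priv_ip = ".".join(m.group(i) for i in range(1, 5))
        priv_port = int(m.group(5)) * 256 + int(m.group(6))
        pub = self.next_port                          # reserve a port for the data connection
        self.next_port += 1
        self.table[pub] = (priv_ip, priv_port)
        new = "PORT %s,%d,%d" % (PUBLIC_IP.replace(".", ","), pub // 256, pub % 256)
        return payload.replace(m.group(0), new), len(new) - len(m.group(0))
```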
Realm Specific IP, page 7
Realm Specific IP (RSIP)
RSIP goals
– Alternative to NAT on the same network architecture
– Less computation at the router
– No need for ALGs
– IPSEC integration possible
Use header tuples (e.g., ports, SPIs) to extend the IP address space
– IP addresses and tuples from the public routing realm are leased by private hosts
– Assignments are made such that incoming packets can always be demultiplexed properly
Realm Specific IP, page 8
RSIP in a Nutshell
[Diagram: private host 10.0.0.4, RSIP router (private side 10.0.0.1, public side 149.112.240.55), remote host 192.156.136.22 on the Internet]
– Address and port request: host 10.0.0.4 -> router 10.0.0.1; the router leases public address 149.112.240.55 and ports 10000-10015 to the host
– Outbound: the host builds the public packet itself (SRC IP 149.112.240.55, SRC Port 10000, DST IP 192.156.136.22, DST Port 21) and tunnels it to the router (outer header SRC IP 10.0.0.4, DST IP 10.0.0.1); the router strips the outer header and forwards the inner packet unchanged
– Reply: SRC IP 192.156.136.22, SRC Port 21, DST IP 149.112.240.55, DST Port 10000 arrives at the router, which tunnels it to the host (outer header SRC IP 10.0.0.1, DST IP 10.0.0.4)
RSIP router table columns: Local SRC IP (10.0.0.4), Assigned IP (149.112.240.55), Assigned Port, DST IP (192.156.136.22), DST Port
Realm Specific IP, page 9
RSIP vs. NAT
Similarities
– Demultiplex on tuples (e.g., addresses, port numbers)
– Mapping kept by server/router
Differences
– NAT: Router modifies packets, host oblivious
– RSIP: Host asks router how to make packets “Internet ready”
– NAT: No modifications to host, protocol support in router
– RSIP: Host modified but no protocol support required in router
Realm Specific IP, page 10
RSIP Protocol
Lightweight negotiation between RSIP servers and hosts of arbitrary parameters
– “Network” and “control” resources
– Vendor-specific parameters
– Error reporting
– Transport agnostic
  may be TCP or UDP (we use port 4455)
Message and parameter formats allow extensibility beyond our specification
– E.g., IPSEC SPIs, ISAKMP cookies, PPTP call IDs, etc.
Realm Specific IP, page 11
Registration
[Diagram: host 10.0.0.4; RSIP server with private side 10.0.0.1 and public side 149.112.240.55]
Host -> server: REGISTRATION_REQUEST
Server -> host: REGISTRATION_RESPONSE (client ID = 2, flow policy = local micro, remote macro)
Realm Specific IP, page 12
Assignment
[Diagram: host 10.0.0.4; RSIP server with private side 10.0.0.1 and public side 149.112.240.55]
Host -> server: ASSIGN_REQUEST_RSAP-IP (client ID = 2, local addr = X, local port = X, remote addr = 128.153.4.3, remote port = X)
Server -> host: ASSIGN_RESPONSE_RSAP-IP (client ID = 2, bind ID = 1, local addr = 149.112.240.55, local port = 12345, remote addr = 128.153.4.3, remote port = X, lease = 3600, tunnel = IPIP)
Realm Specific IP, page 13
IPSEC
Two related, but independent modules:
– Secure encapsulation and transport (ESP, AH)
  Rather straightforward
– Secure key exchange (IKE, ISAKMP, OAKLEY)
  Rather complicated
Realm Specific IP, page 14
IPSEC Encapsulation and Transport
[Diagram of an ESP-protected packet:]
IP header: Source IP address (149.112.60.12), Destination IP address (192.156.136.22)
ESP header: SPI (2240768201)
TCP header: Destination TCP port (80), Source TCP port (1025)
Payload (HTTP)
ESP trailer
HASH (authentication data)
Encrypted: TCP header, payload and ESP trailer
Authenticated: ESP header through ESP trailer
Realm Specific IP, page 15
RSIP with IPSEC
ESP encrypts all ports: can’t use them to demultiplex!
– Use SPI instead
– Additional negotiation: ASSIGN_REQUEST_RSIPSEC
IPSEC client module must:
– Use ephemeral IKE source port
  Otherwise I-Cookie routing necessary - more negotiation
  Using default IKE port may cause rekeying problems
– Acquire SPI values from RSIP module
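As an added example (not from the slides or the RSIP drafts), a minimal Python model of the RSIP server state that slides 8, 12 and 15 describe: leasing a public address plus a disjoint port block per host, leasing SPI values so ESP traffic can still be demultiplexed once the ports are encrypted, and the inbound demux itself. Message names follow the deck; the RsipServer class, its fields and the packet dicts are this example's own assumptions.

```python
# Added example, not from the slides: a model of the RSIP server's demux state.
from dataclasses import dataclass, field

PUBLIC_IP = "149.112.240.55"   # the RSIP router's public address (slide 8)

@dataclass
class Binding:
    bind_id: int
    client: str                              # private address of the RSIP host
    ports: set                               # leased public ports (TCP/UDP demux)
    spis: set = field(default_factory=set)   # leased SPIs (ESP demux)
    lease: int = 3600                        # seconds, as in the slide 12 response

class RsipServer:
    def __init__(self):
        self.bindings = {}
        self.next_port, self.next_spi, self.next_bind = 10000, 0x10000001, 1

    def assign_rsap_ip(self, client, count=16):
        """ASSIGN_REQUEST_RSAP-IP: lease PUBLIC_IP plus a block of ports.
        Blocks never overlap, so an inbound port maps to exactly one host."""
        ports = set(range(self.next_port, self.next_port + count))
        self.next_port += count
        b = Binding(self.next_bind, client, ports)
        self.bindings[b.bind_id] = b
        self.next_bind += 1
        return b

    def assign_rsipsec(self, bind_id):
        """ASSIGN_REQUEST_RSIPSEC: lease an inbound SPI to an existing binding.
        The host installs it as its own SPI, so ESP from the peer carries it."""
        spi, self.next_spi = self.next_spi, self.next_spi + 1
        self.bindings[bind_id].spis.add(spi)
        return spi

    def demux(self, pkt):
        """Return the private host for an inbound packet, or None to drop it.
        TCP/UDP: match on destination port.  ESP: the ports are encrypted,
        so match on the SPI instead (slide 15)."""
        if pkt["dst"] != PUBLIC_IP:
            return None
        for b in self.bindings.values():
            if pkt["proto"] == "esp" and pkt["spi"] in b.spis:
                return b.client
            if pkt["proto"] in ("tcp", "udp") and pkt["dport"] in b.ports:
                return b.client
        return None
```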
Realm Specific IP, page 16
Remote Access from Airport Kiosk
[Diagram: Mobile Client on the Airport LAN (address shortage) -> NAT Router -> 56K or less -> Internet -> Corporate Network; “Security” is needed at both the mobile client and the corporate network]
Realm Specific IP, page 17
Secure VPN Enabled by RSIP
[Diagram: Mobile Client w/ RSIP on the Airport LAN -> RSIP Router (RSIP-enabled address sharing) -> Internet -> Corporate Network; a Secure Virtual Tunnel runs end to end from the mobile client to the corporate network]
Realm Specific IP, page 18
RSIP and IPv6?
Part of a dual-stack transition mechanism?
[Diagram: IPv4 Internet backbone connecting an IPv4-only subnet, IPv4/IPv6 dual-stack subnets, and an IPv6-only subnet]
Realm Specific IP, page 19
Current Status in the IETF
draft-ietf-nat-rsip-protocol-06.txt
draft-ietf-nat-rsip-framework-04.txt
draft-ietf-nat-rsip-ipsec-03.txt
draft-ietf-nat-rsip-slp-00.txt
draft-ietf-dhc-nextserver-02.txt