
7.1.2 Software Modules and Interfaces

7.1.2.7 MIPL (CN)

This MIPL module implements the correspondent node functionality. The same release used for the MN (MIPL 2.0.2) has been used as the starting point for development on the CN. However, the NSIS based Mobile IPv6 firewall traversal has required some extensions to the MIPL source code:

• When the MIPL implementation on the CN receives a specific message (e.g., HoTI, CoTI or data traffic), it triggers the MIP6FWD via the interface Cfa to install the corresponding firewall pinhole and waits for the response. The MIP6FWD in turn triggers the NAT/FW NSLP via the interface Cfb to install this firewall pinhole. When the MIPL implementation receives a successful response, it resumes the normal MIPL progress.

7.1.2.7.1 Cfa (MIPL – MIP6FWD)

Cfa is an inter-process interface implemented using a TCP socket. This interface is very similar to the interface Mfa, but reacts to different events. In contrast to the Mfa interface, which reacts to a new CoA, the Cfa interface reacts to the receipt of a HoTI message, a CoTI message, or to receiving/sending bi-directional/route optimised data traffic from/to the MN.

If this happens, it triggers the MIP6FWD in order to trigger a firewall pinhole between the nodes, e.g., for the HoT message between the CN and the HA. For this purpose, a trigger message (e.g., of type CREATE) is used, which tells the MIP6FWD the format of the required firewall pinhole. After triggering the MIP6FWD, the MIPL implementation is halted and waits for a response message from the MIP6FWD. With the response, the MIP6FWD informs the MIPL implementation about the success of the firewall pinhole creation. The messages are similar to the messages explained in Section 7.1.2.5.1. The rules that the MIPL and the MIP6FWD modules have to observe are:

• As soon as the MIPL implementation receives a specific message (e.g., HoTI, CoTI or data traffic), it sends a MIPTRIGGER_MSG_NSIS_CREATE message to the MIP6FWD to install the corresponding firewall pinhole and waits for the response. For the example of receiving a HoTI, it triggers a firewall pinhole for

7.1 NSIS Based Mobile IPv6 Firewall Traversal Implementation

• When the MIP6FWD receives a MIPTRIGGER_MSG_CREATE message, it processes this request and triggers the NAT/FW NSLP to install the firewall pinhole as requested. It later informs the MIPL implementation about the success of the firewall pinhole creation request.

• If the MIPL implementation receives a successful MIPTRIGGER_MSG_ACK to a MIPTRIGGER_MSG_CREATE message, it resumes the normal MIPL implementation. This could be the installation of further firewall pinholes, or the normal MIPL process. In the example, this means sending the HoT to the HA, as it can now traverse the firewalls.

The interaction between MIPL and MIP6FWD on the CN is depicted in the flow diagram in Figure 7.10.

[Flow diagram with two parallel flows.

MIPL: Start → Receiving trigger event (e.g. HoTI/CoTI) → Send to MIP6FWD: MIPTRIGGER_MSG_CREATE [Pinhole Format] → Wait for MIP6FWD → Receive from MIP6FWD: MIPTRIGGER_MSG_ACK → Go ahead MIPL

MIP6FWD: Start → Wait for msg → Receive from MIPL: MIPTRIGGER_MSG_CREATE [Pinhole Format] → Trigger NAT/FW NSLP: CREATE [Pinhole Format] → Wait for NSIS → Receive from NSIS: SUCCESS → Send to MIPL: MIPTRIGGER_MSG_ACK]

Figure 7.10: Interaction between MIPL and MIP6FWD (CN)
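
The Cfa exchange of Figure 7.10 with both sides in one process, as an added example that is not MIPL or MIP6FWD code. It bounds the "wait for MIP6FWD" step with a receive timeout so that a missing or negative ACK means the HoT is not sent. The message layout, the NSLP stub and the one-second timeout are assumptions, and a UNIX socket pair stands in for the TCP socket so the example runs offline.

```c
#include <stdint.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Hypothetical layout: the page names the messages but not their fields. */
enum { MIPTRIGGER_MSG_CREATE = 1, MIPTRIGGER_MSG_ACK = 2 };
struct cfa_msg {
    uint8_t type;     /* MIPTRIGGER_MSG_CREATE or MIPTRIGGER_MSG_ACK */
    uint8_t success;  /* set by MIP6FWD in the ACK */
    uint8_t proto;    /* pinhole format: IPv6 next header (135 = Mobility Header) */
    uint8_t src[16];  /* pinhole format: source address, e.g. the CN */
    uint8_t dst[16];  /* pinhole format: destination address, e.g. the HA */
};

/* Stand-in for the NAT/FW NSLP CREATE on Cfb; constructed policy. */
static int nslp_create_stub(const struct cfa_msg *m) { return m->proto == 135; }

/* MIP6FWD: receive one CREATE, trigger the NSLP, report the result. */
int mip6fwd_handle(int fd) {
    struct cfa_msg m;
    if (recv(fd, &m, sizeof m, MSG_WAITALL) != (ssize_t)sizeof m) return -1;
    if (m.type != MIPTRIGGER_MSG_CREATE) return -1;
    m.success = (uint8_t)nslp_create_stub(&m);
    m.type = MIPTRIGGER_MSG_ACK;
    return send(fd, &m, sizeof m, 0) == (ssize_t)sizeof m ? 0 : -1;
}

/* MIPL: block for the ACK, but give up after timeout_sec. Returns 1 only
 * for a complete, successful ACK; anything else means "do not send HoT". */
int mipl_wait_ack(int fd, int timeout_sec) {
    struct timeval tv = { timeout_sec, 0 };
    struct cfa_msg m;
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    if (recv(fd, &m, sizeof m, MSG_WAITALL) != (ssize_t)sizeof m) return 0;
    return m.type == MIPTRIGGER_MSG_ACK && m.success == 1;
}

/* One trigger event end to end; fwd_alive = 0 models a hung MIP6FWD. */
int cfa_exchange(uint8_t proto, int fwd_alive) {
    int sv[2], ok;
    struct cfa_msg m = { .type = MIPTRIGGER_MSG_CREATE, .proto = proto };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return 0;
    ok = send(sv[0], &m, sizeof m, 0) == (ssize_t)sizeof m;
    if (ok && fwd_alive) mip6fwd_handle(sv[1]);
    ok = ok && mipl_wait_ack(sv[0], 1);
    close(sv[0]); close(sv[1]);
    return ok;
}

int main(void) { return cfa_exchange(135, 1) ? 0 : 1; }
```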

7.1.2.7.2 Cfb (MIP6FWD – NAT/FW NSLP)

7.1.2.7.3 Cfc (NAT/FW NSLP – NSIS)

Cfc is the same interface as Mfc, which is described in detail in Section 7.1.2.5.3.

7.2 Mobile IPv6 Application Layer Gateway

The Mobile IPv6 Application Layer Gateway proof-of-concept implementation is still in an unstable condition. The prototype implementation is realised as a netfilter/iptables [netfilter] module and is available at [MIP6ALG].

The prototype implementation currently only supports the basic primitives as described in Section 5.4.3.1, more precisely, the primitives described in Section 5.4.3.1.1, Section 5.4.3.1.2 and Section 5.4.3.1.3. However, the possibility to implement these requirements already proves that the Mobile IPv6 Application Layer Gateway is technically feasible and implementable.

7.3 Summary

This chapter has presented the NSIS based Mobile IPv6 firewall traversal and the Mobile IPv6 Application Layer Gateway firewall traversal proof-of-concept implementations. The approaches have been described in detail in Section 5.3 and Section 5.4.

The described proof-of-concept implementations developed as part of this thesis have proved that firewall traversal in Mobile IPv6 environments is technically feasible and implementable for both the NSIS based Mobile IPv6 firewall traversal and the Mobile IPv6 Application Layer Gateway firewall traversal.

Chapter 8 evaluates the proposed Mobile IPv6 firewall traversal solutions as well as

8 Evaluation

This chapter evaluates the Mobile IPv6 firewall traversal solutions proposed in Chapter 5 as well as their proof-of-concept implementations described in Chapter 7. This has to be done with the help of performance testing and/or a mathematical model. Section 8.1 evaluates the NSIS based Mobile IPv6 firewall traversal approach and implementation, while Section 8.2 evaluates the Mobile IPv6 Application Layer Gateway firewall traversal approach.

8.1 NSIS Based Mobile IPv6 Firewall Traversal

This section evaluates the NSIS based Mobile IPv6 firewall traversal approach introduced in Section 5.3 and its implementation described in Section 7.1. The NSIS based Mobile IPv6 firewall traversal is based on the Next Steps in Signaling (NSIS) [HKLdB05] NSIS Transport Layer Protocol (NTLP) [SH08] and the NAT/Firewall NSIS Signaling Layer Protocol (NSLP) [STAD08]. Due to this modular design, the performance of the NTLP and NSLP layers has to be studied individually before conclusions can be drawn about their impact on the NSIS based Mobile IPv6 firewall traversal approach.

Therefore, this section first examines the performance of the NSIS NTLP and the utilised FreeNSIS [FreeNSIS] implementation in Section 8.1.1. Second, it presents performance testing for the NAT/FW NSLP implementation in Section 8.1.2. Finally, the NSIS based Mobile IPv6 firewall traversal approach is analysed with the help of a mathematical model in Section 8.1.3.