
4.10 Evaluation and Applicability for Mobile IPv6 Firewall Traversal

4.10.4 NSIS and the NAT/Firewall NSLP

4.10.4.1 Evaluation and Applicability

The Next Steps in Signaling (NSIS) [HKLdB05] and the NAT/Firewall NSIS Signaling Layer Protocol (NAT/FW NSLP) [STAD08] based approaches satisfy the general requirements. They support IPv4 and IPv6, and NSIS (including the NAT/FW NSLP) is designed for wide-area or global Internet usage. Therefore, both are fully applicable to large networks. Admittedly, the current NSIS NAT/FW NSLP does not explicitly support Mobile IPv6. However, it should be easy to add this support, either by extending the NSLP itself or by enabling it to interact with Mobile IPv6. NSIS and the NAT/FW NSLP already support an authorisation framework [MSTB08] and protected signaling traffic over SCTP [FDC08]. In general, any network- or transport-layer security protocol should be applicable to NSIS. Hence, this approach fully fulfils the security requirements. Besides, as an explicit firewall traversal approach, NSIS and the NAT/FW NSLP should be reliable, as they rely on soft state and not on a centralised entity. However, they have not been tested at Internet scale or in large deployments.

The deployment requirements of the NSIS based approach are considerable, as NSIS and the NAT/FW NSLP have to run on the sender side, on the receiver side and on all intermediate middleboxes. Significant modifications of the middleboxes are therefore needed, although, as an explicit firewall traversal approach, a middlebox is not required to understand the protocol logic of the application. On the other hand, NSIS does not need any additional network entities or special hardware.

In general, the setup and administration of NSIS and the NAT/FW NSLP should be easy, as they only need information from the local interfaces and the routing table. NSIS and the NAT/FW NSLP have been implemented, e.g., by the University of Göttingen [FreeNSIS], but have not yet been tested in the open Internet or in large ISP deployments. The implementation is therefore available, but it is difficult to draw conclusions regarding the operational requirements.

This approach is an explicit firewall traversal solution, so the path has to be signaled before the data traffic is sent. Additionally, NSIS requires a path discovery phase before the NSLP signaling can take place, which increases the session setup time. The session setup time of this approach is thus higher than that of an on-the-fly approach. However, it has been shown that in a heavy-load scenario the middlebox implementation used becomes the bottleneck, not NSIS or the NAT/FW NSLP, as described in Section 8.1.2 and in [SPTF06]. As NSIS is a soft-state protocol, all NSIS and NAT/FW NSLP state has to be refreshed within a specified time; otherwise the session state times out and is deleted, so stale rules do not accumulate on the middleboxes. The performance and scalability requirements are therefore met.
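The two properties just discussed, explicit signaling before any data is forwarded and soft state that has to be refreshed or is deleted, together with the deployment requirement that every middlebox on the path runs the protocol, can be made concrete with a small simulation. The following is an added example written for this page; it is not code from the thesis or from the FreeNSIS implementation. It reduces the NAT/FW NSLP to two operations (CREATE and refresh), keys a rule by an exact 5-tuple, runs on a simulated clock in seconds and lets each middlebox cap requested lifetimes at 60 s; all of these are simplifying assumptions, as is the sample flow.

```python
"""Soft-state firewall pinholes installed by explicit, path-coupled signaling,
in the style of the NSIS NAT/FW NSLP.  Added illustration, not code from the
thesis or from the FreeNSIS implementation.  Assumptions: messages are reduced
to CREATE and refresh, lifetimes are seconds on a simulated clock, a rule is
keyed by an exact 5-tuple, and each middlebox caps lifetimes at 60 s."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Simplified flow key (assumption): src addr, dst addr, protocol, src port, dst port.
Flow = Tuple[str, str, str, int, int]


@dataclass
class Pinhole:
    """One rule installed by signaling; valid only until expires_at."""
    flow: Flow
    expires_at: float


class SoftStateFirewall:
    """A middlebox that forwards a flow only while an unexpired pinhole exists."""

    def __init__(self, name: str, max_lifetime: float = 60.0) -> None:
        self.name = name
        self.max_lifetime = max_lifetime  # local policy cap on requested lifetimes
        self.pinholes: Dict[Flow, Pinhole] = {}

    def _purge(self, now: float) -> None:
        """Soft-state timeout: delete every pinhole whose lifetime has run out."""
        expired = [f for f, p in self.pinholes.items() if p.expires_at <= now]
        for flow in expired:
            del self.pinholes[flow]

    def create(self, flow: Flow, lifetime: float, now: float) -> float:
        """CREATE: install (or re-install) a pinhole; returns the granted lifetime."""
        granted = min(lifetime, self.max_lifetime)
        self.pinholes[flow] = Pinhole(flow, now + granted)
        return granted

    def refresh(self, flow: Flow, lifetime: float, now: float) -> bool:
        """Refresh extends an existing pinhole.  Once the state has timed out the
        refresh is rejected and the initiator has to start over with CREATE."""
        self._purge(now)
        if flow not in self.pinholes:
            return False
        self.pinholes[flow].expires_at = now + min(lifetime, self.max_lifetime)
        return True

    def allows(self, flow: Flow, now: float) -> bool:
        """Data-plane check: forward iff an unexpired pinhole matches the flow."""
        self._purge(now)
        return flow in self.pinholes


def signal_path(path: List[SoftStateFirewall], flow: Flow, lifetime: float,
                now: float, refresh: bool = False) -> bool:
    """Path-coupled signaling: every middlebox between sender and receiver has
    to hold state, so the message is processed hop by hop and the operation
    fails as a whole if any hop rejects it."""
    for middlebox in path:
        if refresh:
            ok = middlebox.refresh(flow, lifetime, now)
        else:
            ok = middlebox.create(flow, lifetime, now) > 0
        if not ok:
            return False
    return True


def data_passes(path: List[SoftStateFirewall], flow: Flow, now: float) -> bool:
    """A data packet reaches the receiver only if every hop forwards it."""
    return all(middlebox.allows(flow, now) for middlebox in path)


def run_scenario() -> Dict[str, bool]:
    """Constructed timeline: signal before data, refresh in time, miss a refresh."""
    # Constructed sample flow: a node behind two firewalls sending UDP to a peer.
    flow: Flow = ("2001:db8:1::10", "2001:db8:2::20", "udp", 40000, 5060)
    path = [SoftStateFirewall("fw-access"), SoftStateFirewall("fw-border")]
    r: Dict[str, bool] = {}
    r["data_before_signaling"] = data_passes(path, flow, now=0.0)                      # False
    r["create_ok"] = signal_path(path, flow, lifetime=30.0, now=1.0)                    # True, expires at 31
    r["data_after_create"] = data_passes(path, flow, now=2.0)                           # True
    r["refresh_in_time"] = signal_path(path, flow, 30.0, now=20.0, refresh=True)        # True, expires at 50
    r["data_after_refresh"] = data_passes(path, flow, now=45.0)                         # True
    r["data_after_timeout"] = data_passes(path, flow, now=51.0)                         # False, state deleted
    r["refresh_after_timeout"] = signal_path(path, flow, 30.0, now=52.0, refresh=True)  # False
    r["recreate_ok"] = signal_path(path, flow, 30.0, now=53.0)                          # True
    return r


if __name__ == "__main__":
    for step, outcome in run_scenario().items():
        print(f"{step:24s} {outcome}")
```

The timeline makes the trade-off of the text visible: the first data packet is dropped because no state has been signaled yet (the extra setup time of an explicit approach), while a missed refresh cleanly removes the rule on every hop, so a mobile node that moves away or crashes leaves no permanently open pinhole behind. The lifetime cap in `create` stands in for the local policy a real middlebox applies to requested lifetimes; the refresh interval therefore has to be chosen against the smallest cap on the path.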

4.10.4.2 NSIS Based Mobile IPv6 Firewall Traversal

According to this evaluation, an NSIS and NAT/FW NSLP based approach is fully applicable for Mobile IPv6 firewall traversal.

Mobile IPv6 firewall traversal based on NSIS and the NAT/FW NSLP is one of the most promising solutions to the problems and impacts of firewalls in a Mobile IPv6 environment. One main contribution of this thesis is the development of the NSIS based Mobile IPv6 firewall traversal solution introduced in Section 5.3.

4.11 Summary

The potential middlebox traversal solutions investigated are summarised, as far as feasible, in Table 4.1 according to the above evaluation results. The table shows that each solution has its advantages and disadvantages in dealing with firewall traversal problems in a Mobile IPv6 environment; the light-grey fields represent small disadvantages that are more or less easy to overcome, and the dark-grey fields represent major issues or disadvantages.

The overall evaluation can be concluded as follows:

Although the Policy-Based Networks approach is applicable and has been used in some network scenarios, it does not offer properties such as support for Mobile IPv6 traffic, and it has disadvantages and some open issues. STUN, TURN, and ICE offer a good potential candidate; however, like all solution alternatives, it also has some disadvantages and conditions. [Tsc08] and [Baj08] recently proposed the Mobile IP Interactive Connectivity Establishment (M-ICE), an ICE based solution to deal with the Mobile IPv6 firewall traversal problems, but this approach introduces a long delay for gathering the candidates, which limits its applicability for seamless handover with Mobile IPv6 firewall traversal.

The NSIS and NAT/FW NSLP based solution as well as the Application Layer Gateway based solution are both applicable to overcome the problems and impacts of firewalls in a Mobile IPv6 environment. According to the evaluation and applicability study, they represent the most promising solution alternatives for Mobile IPv6 firewall traversal, and this thesis therefore focuses on these two candidates. After having presented the state-of-the-art approaches for middlebox traversal and evaluated their applicability for Mobile IPv6 firewall traversal in this chapter, the following Chapter 5 presents how they can be utilised to achieve Mobile IPv6

Table 4.1: Evaluation and Applicability Summary

                                              PBN           ALG,          STUN,         NSIS and
                                                            MIDCOM        TURN, ICE     NAT/FW NSLP
General Requirements
  IPv6 Support                                Yes           Yes           Yes           Yes
  Mobile IPv6 Support                         No            No            Not required  Not required
  Applicability for large Networks            Yes           Yes           Yes           Yes
Security Requirements
  Authorisation, Authentication,
    and Accounting Issues (*)                 Yes, Yes | Limited, Limited
  Protected Signaling                         Not required  Yes           Not required  Yes
Deployment Requirements
  Additional Network Entities/Hardware (*)    No, No | Yes, Yes
  Additional Software on Middleboxes (*)      No | Yes, Yes, Yes
  Additional Application Logic
    on Middleboxes (*)                        No | Yes, Yes, Yes
  Additional Software on
    Sender and Receiver (*)                   No, No, No | Yes
Operational Requirements
  Easy Setup and Administration (*)           Yes, Yes | No, Limited
  Reliability                                 Yes           Yes           Limited       Yes
  Available, deployed and operational (*)     Yes, Yes | Limited, Limited
Performance and Scalability Requirements
  Low Session Setup                           Yes           Yes           Limited       Limited
  Performance/Scalability                     Yes           Limited       Yes           Yes

(*) For these rows the page gives the cell values without their column positions: the entries before the bar are the unshaded cells, the entries after it the grey-shaded cells.

5 Proposed Mobile IPv6 Firewall Traversal Solutions

5.1 Motivation and Overview

Several aspects could prevent Mobile IPv6 from operating successfully in the presence of firewalls; these problems and impacts are introduced in Chapter 3. This could be a major impediment to the successful deployment of Mobile IPv6. To overcome these problems, this chapter presents two different solutions that allow Mobile IPv6 to work in the presence of middleboxes. Both have been designed and developed as main contributions of this thesis and are being standardised within the IETF [IETF].

Section 5.3 describes the NSIS based Mobile IPv6 firewall traversal solution, which has been developed within the EU Framework Programme 6 [EUFP6] ENABLE [ENABLE] project. Section 5.4 describes the second solution, based on an Application Layer Gateway. This solution was developed within the IETF Mobile IPv6 Firewall Traversal Design Team, established by the IETF MEXT working group [MEXT]. The Mobile IPv6 Application Layer Gateway solution is a MEXT working group draft.