Sun's SKIP Firewall Traversal for Mobile IP
RFC 2356

Document Type RFC - Informational (June 1998; No errata)
Last updated 2013-03-02
Stream IETF
Network Working Group                                      G. Montenegro
Request for Comments: 2356                                      V. Gupta
Category: Informational                           Sun Microsystems, Inc.
                                                               June 1998

              Sun's SKIP Firewall Traversal for Mobile IP

Status of This Memo

   This memo provides information for the Internet community.  This memo
   does not specify an Internet standard of any kind.  Distribution of
   this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (1998).  All Rights Reserved.

Abstract

   The Mobile IP specification establishes the mechanisms that enable a
   mobile host to maintain and use the same IP address as it changes its
   point of attachment to the network. Mobility implies higher security
   risks than static operation, because the traffic may at times take
   unforeseen network paths with unknown or unpredictable security
   characteristics. The Mobile IP specification makes no provisions for
   securing data traffic.  The mechanisms described in this document
   allow a mobile node out on a public sector of the internet to
   negotiate access past a SKIP firewall, and construct a secure channel
   into its home network.

   In addition to securing traffic, our mechanisms allow a mobile node
   to roam into regions that (1) impose ingress filtering, and (2) use a
   different address space.

Table of Contents

   1. Introduction ...............................................    2
   2. Mobility without a Firewall ................................    4
   3. Restrictions imposed by a Firewall .........................    4
   4. Two Firewall Options: Application relay and IP Security ....    5
   4.1 SOCKS version 5 [4] .......................................    5
   4.2 SKIP [3] ..................................................    6
   5. Agents and Mobile Node Configurations ......................    8
   6. Supporting Mobile IP: Secure Channel Configurations ........    9
   6.1 I: Encryption only Outside of Private Network .............    9
   6.2 II: End-to-End Encryption .................................   10
   6.3 III: End-to-End Encryption, Intermediate Authentication ...   10
   6.4 IV: Encryption Inside and Outside .........................   10
   6.5 Choosing a Secure Channel Configuration ...................   11
   7. Mobile IP Registration Procedure with a SKIP Firewall ......   11
   7.1. Registration Request through the Firewall ................   12
   7.1.1. On the Outside (Public) Network ........................   13
   7.1.2. On the Inside (Private) Network ........................   14
   7.2. Registration Reply through the Firewall ..................   14
   7.2.1. On the Inside (Private) Network ........................   15
   7.2.2. On the Outside (Public) Network ........................   15
   7.3. Traversal Extension ......................................   16
   8. Data Transfer ..............................................   18
   8.1. Data Packet From the Mobile Node to a Correspondent Node .   18
   8.2. Data Packet From a Correspondent Node to the Mobile Node .   19
   8.2.1 Within the Inside (Private) Network .....................   20
   8.2.2. On the Outside (Public) Network ........................   21
   9. Security Considerations ....................................   21
   Acknowledgements ..............................................   22
   References ....................................................   22
   Authors' Addresses ............................................   23
   Full Copyright Statement ......................................   24

1. Introduction

   This document specifies what support is required at the firewall, the
   Mobile IP [1] home agent and the Mobile IP mobile node to enable the
   latter to access a private network from the Internet.  For example, a
   company employee could attach his/her laptop to some Internet access
   point by:

      a)   Dialing into a PPP/SLIP account on an Internet service
           provider's network.

      b)   Connecting into a 10Base-T or similar LAN network available
           at, for example, an IETF terminal room, a local university,
           or another company's premises.

   Notice that in these examples, the mobile node's relevant interface
   (PPP or 10Base-T) is configured with an IP address different from
   that which it uses "normally" (i.e. at the office). Furthermore, the
   IP address used is not necessarily a fixed assignment. It may be
   assigned temporarily and dynamically at the beginning of the session