NAT and Firewall Traversal Issues of Host Identity Protocol (HIP) Communication
RFC 5207

Document type: RFC - Informational (April 2008)
Was draft-irtf-hiprg-nat (hiprg RG)
Document stream: IRTF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IRTF State: (None)
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 5207 (Informational)
Responsible AD: Mark Townsley
Send notices to: stiemerling@netlab.nec.de

Network Working Group                                     M. Stiemerling
Request for Comments: 5207                                    J. Quittek
Category: Informational                                              NEC
                                                               L. Eggert
                                                                   Nokia
                                                              April 2008

   NAT and Firewall Traversal Issues of Host Identity Protocol (HIP)
                             Communication

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

IESG Note

   This RFC is a product of the Internet Research Task Force and is not
   a candidate for any level of Internet Standard.  The IRTF publishes
   the results of Internet-related research and development activities.
   These results might not be suitable for deployment.

Abstract

   The Host Identity Protocol (HIP) changes the way in which two
   Internet hosts communicate.  One key advantage over other schemes is
   that HIP does not require modifications to the traditional network-
   layer functionality of the Internet, i.e., its routers.  In the
   current Internet, however, many devices other than routers modify the
   traditional network-layer behavior of the Internet.  These
   "middleboxes" are intermediary devices that perform functions other
   than the standard functions of an IP router on the datagram path
   between source and destination hosts.  Whereas some types of
   middleboxes may not interfere with HIP at all, others can affect some
   aspects of HIP communication, and others can render HIP communication
   impossible.  This document discusses the problems associated with HIP
   communication across network paths that include specific types of
   middleboxes, namely, network address translators and firewalls.  It
   identifies and discusses issues in the current HIP specifications
   that affect communication across these types of middleboxes.  This
   document is a product of the IRTF HIP Research Group.

Stiemerling, et al.          Informational                      [Page 1]
RFC 5207           HIP NAT/Firewall Traversal Issues          April 2008

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  HIP across NATs  . . . . . . . . . . . . . . . . . . . . . . .  4
     2.1.  Phase 1: HIP Base Exchange . . . . . . . . . . . . . . . .  4
       2.1.1.  IPv4 HIP Base Exchange . . . . . . . . . . . . . . . .  4
       2.1.2.  IPv6 HIP Base Exchange . . . . . . . . . . . . . . . .  5
     2.2.  Phase 2: ESP Data Exchange . . . . . . . . . . . . . . . .  5
   3.  HIP Across Firewalls . . . . . . . . . . . . . . . . . . . . .  6
     3.1.  Phase 1: HIP Base Exchange . . . . . . . . . . . . . . . .  6
       3.1.1.  IPv4 HIP Base Exchange . . . . . . . . . . . . . . . .  6
       3.1.2.  IPv6 HIP Base Exchange . . . . . . . . . . . . . . . .  6
     3.2.  Phase 2: ESP Data Exchange . . . . . . . . . . . . . . . .  7
   4.  HIP Extensions . . . . . . . . . . . . . . . . . . . . . . . .  7
   5.  NAT Extensions . . . . . . . . . . . . . . . . . . . . . . . .  8
   6.  Legacy NAT and Firewall Traversal  . . . . . . . . . . . . . .  8
   7.  HIP across Other Middleboxes . . . . . . . . . . . . . . . . .  9
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 10
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 10
     10.2. Informative References . . . . . . . . . . . . . . . . . . 10

1.  Introduction

   The current specification of the Host Identity Protocol (HIP)
   [RFC4423] assumes simple Internet paths, where routers forward
   globally routable IP packets based on their destination address
   alone.

   In the current Internet, such pure paths are becoming increasingly
   rare.  For a number of reasons, several types of devices modify or
   extend the pure forwarding functionality the Internet's network layer
   used to deliver.  [RFC3234] coins the term middleboxes for such
   devices: "A middlebox is (...) any intermediary device performing
   functions other than the normal, standard functions of an IP router
   on the datagram path between a source host and destination host".

   Middleboxes affect communication in a number of ways.  For example,
   they may inspect the flows of some transport protocols, such as TCP,