summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc3303.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc3303.txt')
-rw-r--r--doc/rfc/rfc3303.txt1907
1 files changed, 1907 insertions, 0 deletions
diff --git a/doc/rfc/rfc3303.txt b/doc/rfc/rfc3303.txt
new file mode 100644
index 0000000..0a317fb
--- /dev/null
+++ b/doc/rfc/rfc3303.txt
@@ -0,0 +1,1907 @@
+
+
+
+
+
+
+Network Working Group P. Srisuresh
+Request for Comments: 3303 Kuokoa Networks
+Category: Informational J. Kuthan
+ Fraunhofer Institute FOKUS
+ J. Rosenberg
+ dynamicsoft
+ A. Molitor
+ Aravox Technologies
+ A. Rayhan
+ Ryerson University
+ August 2002
+
+
+ Middlebox communication architecture and framework
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+Abstract
+
+ A principal objective of this document is to describe the underlying
+ framework of middlebox communications (MIDCOM) to enable complex
+ applications through the middleboxes, seamlessly using a trusted
+ third party. This document and a companion document on MIDCOM
+ requirements ([REQMTS]) have been created as a precursor to
+ rechartering the MIDCOM working group.
+
+ There are a variety of intermediate devices in the Internet today
+ that require application intelligence for their operation. Datagrams
+ pertaining to real-time streaming applications, such as SIP and
+ H.323, and peer-to-peer applications, such as Napster and NetMeeting,
+ cannot be identified by merely examining packet headers. Middleboxes
+ implementing Firewall and Network Address Translator services
+ typically embed application intelligence within the device for their
+ operation. The document specifies an architecture and framework in
+ which trusted third parties can be delegated to assist the
+ middleboxes to perform their operation, without resorting to
+ embedding application intelligence. Doing this will allow a
+ middlebox to continue to provide the services, while keeping the
+ middlebox application agnostic.
+
+
+
+
+Srisuresh, et al. Informational [Page 1]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+1. Introduction
+
+ Intermediate devices requiring application intelligence are the
+ subject of this document. These devices are referred to as
+ middleboxes throughout the document. Many of these devices enforce
+ application specific policy based functions such as packet filtering,
+ VPN (Virtual Private Network) tunneling, Intrusion detection,
+ security and so forth. Network Address Translator service, on the
+ other hand, provides routing transparency across address realms
+ (within IPv4 routing network or across V4 and V6 routing realms),
+ independent of applications. Application Level Gateways (ALGs) are
+ used in conjunction with NAT to examine and optionally modify
+ application payload so the end-to-end application behavior remains
+ unchanged for many of the applications traversing NAT middleboxes.
+ There may be other types of services requiring embedding application
+ intelligence in middleboxes for their operation. The discussion
+ scope of this document is however limited to Firewall and NAT
+ services. Nonetheless, the MIDCOM framework is designed to be
+ extensible to support the deployment of new services.
+
+ Tight coupling of application intelligence with middleboxes makes
+ maintenance of middleboxes hard with the advent of new applications.
+ Built-in application awareness typically requires updates of
+ operating systems with new applications or newer versions of existing
+ applications. Operators requiring support for newer applications
+ will not be able to use third party software/hardware specific to the
+ application and are at the mercy of their middlebox vendor to make
+ the necessary upgrade. Further, embedding intelligence for a large
+ number of application protocols within the same middlebox increases
+ complexity of the middlebox and is likely to be error prone and
+ degrade in performance.
+
+ This document describes a framework in which application intelligence
+ can be moved from middleboxes into external MIDCOM agents. The
+ premise of the framework is to devise a MIDCOM protocol that is
+ application independent, so the middleboxes can stay focused on
+ services such as firewall and NAT. The framework document includes
+ some explicit and implied requirements for the MIDCOM protocol.
+ However, it must be noted that these requirements are only a subset.
+ A separate requirements document lists the requirements in detail.
+
+ MIDCOM agents with application intelligence can assist the
+ middleboxes through the MIDCOM protocol in permitting applications
+ such as FTP, SIP and H.323. The communication between a MIDCOM agent
+ and a middlebox will not be noticeable to the end-hosts that take
+ part in the application, unless one of the end-hosts assumes the role
+ of a MIDCOM agent. Discovery of middleboxes or MIDCOM agents in the
+
+
+
+
+Srisuresh, et al. Informational [Page 2]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ path of an application instance is outside the scope of this
+ document. Further, any communication amongst middleboxes is also
+ outside the scope of this document.
+
+ This document describes the framework in which middlebox
+ communication takes place and the various elements that constitute
+ the framework. Section 2 describes the terms used in the document.
+ Section 3 defines the architectural framework of a middlebox for
+ communication with MIDCOM agents. The remaining sections cover the
+ components of the framework, illustration using sample flows, and
+ operational considerations with the MIDCOM architecture. Section 4
+ describes the nature of MIDCOM protocol. Section 5 identifies
+ entities that could potentially host the MIDCOM agent function.
+ Section 6 considers the role of Policy server and its function with
+ regard to communicating MIDCOM agent authorization policies. Section
+ 7 is an illustration of SIP flows using a MIDCOM framework in which
+ the MIDCOM agent is co-resident on a SIP proxy server. Section 8
+ addresses operational considerations in deploying a protocol adhering
+ to the framework described here. Section 9 is an applicability
+ statement, scoping the location of middleboxes. Section 11 outlines
+ security considerations for the middlebox in view of the MIDCOM
+ framework.
+
+2. Terminology
+
+ Below are the definitions for the terms used throughout the document.
+
+2.1. Middlebox function/service
+
+ A middlebox function or a middlebox service is an operation or method
+ performed by a network intermediary that may require application
+ specific intelligence for its operation. Policy based packet
+ filtering (a.k.a. firewall), Network address translation (NAT),
+ Intrusion detection, Load balancing, Policy based tunneling and IPsec
+ security are all examples of a middlebox function (or service).
+
+2.2. Middlebox
+
+ A Middlebox is a network intermediate device that implements one or
+ more of the middlebox services. A NAT middlebox is a middlebox
+ implementing NAT service. A firewall middlebox is a middlebox
+ implementing firewall service.
+
+ Traditional middleboxes embed application intelligence within the
+ device to support specific application traversal. Middleboxes
+ supporting the MIDCOM protocol will be able to externalize
+ application intelligence into MIDCOM agents. In reality, some of the
+
+
+
+
+Srisuresh, et al. Informational [Page 3]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ middleboxes may continue to embed application intelligence for
+ certain applications and depend on MIDCOM protocol and MIDCOM agents
+ for the support of remaining applications.
+
+2.3. Firewall
+
+ Firewall is a policy based packet filtering middlebox function,
+ typically used for restricting access to/from specific devices and
+ applications. The policies are often termed Access Control Lists
+ (ACLs).
+
+2.4. NAT
+
+ Network Address Translation is a method by which IP addresses are
+ mapped from one address realm to another, providing transparent
+ routing to end-hosts. Transparent routing here refers to modifying
+ end-node addresses en-route and maintaining state for these updates
+ so that when a datagram leaves one realm and enters another,
+ datagrams pertaining to a session are forwarded to the right end-host
+ in either realm. Refer to [NAT-TERM] for the definition of
+ Transparent routing, various NAT types, and the associated terms in
+ use. Two types of NAT are most common. Basic-NAT, where only an IP
+ address (and the related IP, TCP/UDP checksums) of packets is altered
+ and NAPT (Network Address Port Translation), where both an IP address
+ and a transport layer identifier, such as a TCP/UDP port (and the
+ related IP, TCP/UDP checksums), are altered.
+
+ The term NAT in this document is very similar to the IPv4 NAT
+ described in [NAT-TERM], but is extended beyond IPv4 networks to
+ include the IPv4-v6 NAT-PT described in [NAT-PT]. While the IPv4 NAT
+ [NAT-TERM] translates one IPv4 address into another IPv4 address to
+ provide routing between private V4 and external V4 address realms,
+ IPv4-v6 NAT-PT [NAT-PT] translates an IPv4 address into an IPv6
+ address, and vice versa, to provide routing between a V6 address
+ realm and an external V4 address realm.
+
+ Unless specified otherwise, NAT in this document is a middlebox
+ function referring to both IPv4 NAT, as well as IPv4-v6 NAT-PT.
+
+2.5. Proxy
+
+ A proxy is an intermediate relay agent between clients and servers of
+ an application, relaying application messages between the two.
+ Proxies use special protocol mechanisms to communicate with proxy
+ clients and relay client data to servers and vice versa. A Proxy
+ terminates sessions with both the client and the server, acting as
+ server to the end-host client and as client to the end-host server.
+
+
+
+
+Srisuresh, et al. Informational [Page 4]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ Applications such as FTP, SIP, and RTSP use a control session to
+ establish data sessions. These control and data sessions can take
+ divergent paths. While a proxy can intercept both the control and
+ data sessions, it might intercept only the control session. This is
+ often the case with real-time streaming applications such as SIP and
+ RTSP.
+
+2.6. ALG
+
+ Application Level Gateways (ALGs) are entities that possess the
+ application specific intelligence and knowledge of an associated
+ middlebox function. An ALG examines application traffic in transit
+ and assists the middlebox in carrying out its function.
+
+ An ALG may be a co-resident with a middlebox or reside externally,
+ communicating through a middlebox communication protocol. It
+ interacts with a middlebox to set up state, access control filters,
+ use middlebox state information, modify application specific payload,
+ or perform whatever else is necessary to enable the application to
+ run through the middlebox.
+
+ ALGs are different from proxies. ALGs are not visible to end-hosts,
+ unlike the proxies which are relay agents terminating sessions with
+ both end-hosts. ALGs do not terminate sessions with either end-host.
+ Instead, ALGs examine, and optionally modify, application payload
+ content to facilitate the flow of application traffic through a
+ middlebox. ALGs are middlebox centric, in that they assist the
+ middleboxes in carrying out their function, whereas, the proxies act
+ as a focal point for application servers, relaying traffic between
+ application clients and servers.
+
+ ALGs are similar to Proxies, in that, both ALGs and proxies
+ facilitate Application specific communication between clients and
+ servers.
+
+2.7. End-Hosts
+
+ End-hosts are entities that are party to a networked application
+ instance. End-hosts referred to in this document, are specifically
+ those terminating Real-time streaming Voice-over-IP applications,
+ such as SIP and H.323, and peer-to-peer applications such as Napster
+ and NetMeeting.
+
+2.8. MIDCOM Agents
+
+ MIDCOM agents are entities performing ALG functions, logically
+ external to a middlebox. MIDCOM agents possess a combination of
+ application awareness and knowledge of the middlebox function. This
+
+
+
+Srisuresh, et al. Informational [Page 5]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ combination enables the agents to facilitate traversal of the
+ middlebox by the application's packets. A MIDCOM agent may interact
+ with one or more middleboxes.
+
+ Only "In-Path MIDCOM agents" are considered in this document. In-
+ Path MIDCOM agents are agents which are within the path of those
+ datagrams that the agent needs to examine and/or modify in fulfilling
+ its role as a MIDCOM agent. "Within the path" here simply means that
+ the packets in question flow through the node that hosts the agent.
+ The packets may be addressed to the agent node at the IP layer.
+ Alternatively they may not be addressed to the agent node, but may be
+ constrained by other factors to flow through it. In fact, it is
+ immaterial to the MIDCOM protocol which of these is the case. Some
+ examples of In-Path MIDCOM agents are application proxies, gateways,
+ or even end-hosts that are party to the application.
+
+ Agents not resident on nodes that are within the path of their
+ relevant application flows are referred to as "Out-of-Path (OOP)
+ MIDCOM agents" and are out of the scope of this document.
+
+2.9. MIDCOM PDP
+
+ MIDCOM Policy Decision Point (PDP) is primarily a Policy Decision
+ Point(PDP), as defined in [POL-TERM]; and also acts as a policy
+ repository, holding MIDCOM related policy profiles in order to make
+ authorization decisions. [POL-TERM] defines a PDP as "a logical
+ entity that makes policy decisions for itself or for other network
+ elements that request such decisions"; and a policy repository as "a
+ specific data store that holds policy rules, their conditions and
+ actions, and related policy data".
+
+ A middlebox and a MIDCOM PDP may communicate further if the MIDCOM
+ PDP's policy changes or if a middlebox needs further information.
+ The MIDCOM PDP may, at anytime, notify the middlebox to terminate
+ authorization for an agent.
+
+ The protocol facilitating the communication between a middlebox and
+ MIDCOM PDP need not be part of the MIDCOM protocol. Section 6 in the
+ document addresses the MIDCOM PDP interface and protocol framework
+ independent of the MIDCOM framework.
+
+ Application specific policy data and policy interface between an
+ agent or application endpoint and a MIDCOM PDP is out of bounds for
+ this document. The MIDCOM PDP issues addressed in the document are
+ focused at an aggregate domain level as befitting the middlebox. For
+ example, a SIP MIDCOM agent may choose to query a MIDCOM PDP for the
+ administrative (or corporate) domain to find whether a certain user
+ is allowed to make an outgoing call. This type of application
+
+
+
+Srisuresh, et al. Informational [Page 6]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ specific policy data, as befitting an end user, is out of bounds for
+ the MIDCOM PDP considered in this document. It is within bounds,
+ however, for the MIDCOM PDP to specify the specific end-user
+ applications (or tuples) for which an agent is permitted to be an
+ ALG.
+
+2.10. Middlebox Communication (MIDCOM) protocol
+
+ The protocol between a MIDCOM agent and a middlebox allows the MIDCOM
+ agent to invoke services of the middlebox and allow the middlebox to
+ delegate application specific processing to the MIDCOM agent. The
+ MIDCOM protocol allows the middlebox to perform its operation with
+ the aid of MIDCOM agents, without resorting to embedding application
+ intelligence. The principal motivation behind architecting this
+ protocol is to enable complex applications through middleboxes,
+ seamlessly using a trusted third party, i.e., a MIDCOM agent.
+
+ This is a protocol yet to be devised.
+
+2.11. MIDCOM agent registration
+
+ A MIDCOM agent registration is defined as the process of provisioning
+ agent profile information with the middlebox or a MIDCOM PDP. MIDCOM
+ agent registration is often a manual operation performed by an
+ operator rather than the agent itself.
+
+ A MIDCOM agent profile may include agent authorization policy (i.e.,
+ session tuples for which the agent is authorized to act as ALG),
+ agent-hosting-entity (e.g., Proxy, Gateway, or end-host which hosts
+ the agent), agent accessibility profile (including any host level
+ authentication information), and security profile (for the messages
+ exchanged between the middlebox and the agent).
+
+2.12. MIDCOM session
+
+ A MIDCOM session is defined to be a lasting association between a
+ MIDCOM agent and a middlebox. The MIDCOM session is not assumed to
+ imply any specific transport layer protocol. Specifically, this
+ should not be construed as referring to a connection-oriented TCP
+ protocol.
+
+2.13. Filter
+
+ A filter is packet matching information that identifies a set of
+ packets to be treated a certain way by a middlebox. This definition
+ is consistent with [POL-TERM], which defines a filter as "A set of
+
+
+
+
+
+Srisuresh, et al. Informational [Page 7]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ terms and/or criteria used for the purpose of separating or
+ categorizing. This is accomplished via single- or multi-field
+ matching of traffic header and/or payload data".
+
+ 5-Tuple specification of packets in the case of a firewall and 5-
+ tuple specification of a session in the case of a NAT middlebox
+ function are examples of a filter.
+
+2.14. Policy action (or) Action
+
+ Policy action (or Action) is a description of the middlebox
+ treatment/service to be applied to a set of packets. This definition
+ is consistent with [POL-TERM], which defines a policy action as
+ "Definition of what is to be done to enforce a policy rule, when the
+ conditions of the rule are met. Policy actions may result in the
+ execution of one or more operations to affect and/or configure
+ network traffic and network resources".
+
+ NAT Address-BIND (or Port-BIND in the case of NAPT) and firewall
+ permit/deny action are examples of an Action.
+
+2.15. Policy rule(s)
+
+ The combination of one or more filters and one or more actions.
+ Packets matching a filter are to be treated as specified by the
+ associated action(s). The Policy rules may also contain auxiliary
+ attributes such as individual rule type, timeout values, creating
+ agent, etc.
+
+ Policy rules are communicated through the MIDCOM protocol.
+
+3.0 Architectural framework for middleboxes
+
+ A middlebox may implement one or more of the middlebox functions
+ selectively on multiple interfaces of the device. There can be a
+ variety of MIDCOM agents interfacing with the middlebox to
+ communicate with one or more of the middlebox functions on an
+ interface. As such, the middlebox communication protocol must allow
+ for selective communication between a specific MIDCOM agent and one
+ or more middlebox functions on the interface. The following diagram
+ identifies a possible layering of the service supported by a
+ middlebox and a list of MIDCOM agents that might interact with it.
+
+
+
+
+
+
+
+
+
+Srisuresh, et al. Informational [Page 8]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ +---------------+ +--------------+
+ | MIDCOM agent | | MIDCOM agent |
+ | co-resident on| | co-resident |
+ | Proxy Server | | on Appl. GW |
+ +---------------+ +--------------+
+ ^ ^
+ | | +--------+
+ MIDCOM | | | MIDCOM |
+ Protocol | | +-| PDP |
+ | | / +--------+
+ +-------------+ | | /
+ | MIDCOM agent| | | /
+ | co-resident | | | /
+ | on End-hosts|<-+ | | /
+ +-------------+ | | | |
+ v v v v
+ +-------------------------------------------+
+ | Middlebox Communication |Policy |
+ | Protocol (MIDCOM) Interface |Interface |
+ +----------+--------+-----------+-----------+
+ Middlebox | | | | |
+ Functions | Firewall | NAT | VPN | Intrusion |
+ | | | tunneling | Detection |
+ +----------+--------+-----------+-----------+
+ Middlebox | Middlebox function specific policy rule(s)|
+ Managed | and other attributes |
+ Resources | |
+ +-------------------------------------------+
+
+ Figure 1: MIDCOM agents interfacing with a middlebox
+
+ Firewall ACLs, NAT-BINDs, NAT address-maps and Session-state are a
+ few of the middlebox function specific policy rules. A session state
+ may include middlebox function specific attributes, such as timeout
+ values, NAT translation parameters (i.e., NAT-BINDS), and so forth.
+ As Session-state may be shared across middlebox functions, a
+ Session-state may be created by a function, and terminated by a
+ different function. For example, a session-state may be created by
+ the firewall function, but terminated by the NAT function, when a
+ session timer expires.
+
+ Application specific MIDCOM agents (co-resident on the middlebox or
+ external to the middlebox) would examine the IP datagrams and help
+ identify the application the datagram belongs to, and assist the
+ middlebox in performing functions unique to the application and the
+ middlebox service. For example, a MIDCOM agent, assisting a NAT
+ middlebox, might perform payload translations, whereas a MIDCOM agent
+
+
+
+
+Srisuresh, et al. Informational [Page 9]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ assisting a firewall middlebox might request the firewall to permit
+ access to application specific, dynamically generated, session
+ traffic.
+
+4. MIDCOM Protocol
+
+ The MIDCOM protocol between a MIDCOM agent and a middlebox allows the
+ MIDCOM agent to invoke services of the middlebox and allow the
+ middlebox to delegate application specific processing to the MIDCOM
+ agent. The protocol will allow MIDCOM agents to signal the
+ middleboxes, to let complex applications using dynamic port based
+ sessions through them (i.e., middleboxes) seamlessly.
+
+ It is important to note that an agent and a middlebox can be on the
+ same physical device. In such a case, they may communicate using a
+ MIDCOM protocol message formats, but using a non-IP based transport,
+ such as IPC messaging (or) they may communicate using well-defined
+ API/DLL (or) the application intelligence is fully embedded into the
+ middlebox service (as it is done today in many stateful inspection
+ firewall devices and NAT devices).
+
+ The MIDCOM protocol will consist of a session setup phase, run-time
+ session phase, and a session termination phase.
+
+ Session setup must be preceded by registration of the MIDCOM agent
+ with either the middlebox or the MIDCOM PDP. The MIDCOM agent access
+ and authorization profile may either be pre-configured on the
+ middlebox (or) listed on a MIDCOM PDP; the middlebox is configured to
+ consult. MIDCOM shall be a client-server protocol, initiated by the
+ agent.
+
+ A MIDCOM session may be terminated by either of the parties. A
+ MIDCOM session termination may also be triggered by (a) the middlebox
+ or the agent going out of service and not being available for further
+ MIDCOM operations, or (b) the MIDCOM PDP notifying the middlebox that
+ a particular MIDCOM agent is no longer authorized.
+
+ The MIDCOM protocol data exchanged during run-time is governed
+ principally by the middlebox services the protocol supports.
+ Firewall and NAT middlebox services are considered in this document.
+ Nonetheless, the MIDCOM framework is designed to be extensible to
+ support the deployment of other services as well.
+
+
+
+
+
+
+
+
+
+Srisuresh, et al. Informational [Page 10]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+5.0. MIDCOM Agents
+
+ MIDCOM agents are logical entities which may reside physically on
+ nodes external to a middlebox, possessing a combination of
+ application awareness and knowledge of middlebox function. A MIDCOM
+ agent may communicate with one or more middleboxes. The issues of
+ middleboxes discovering agents, or vice versa, are outside the scope
+ of this document. The focus of the document is the framework in
+ which a MIDCOM agent communicates with a middlebox using MIDCOM
+ protocol, which is yet to be devised. Specifically, the focus is
+ restricted to just the In-Path agents.
+
+ In-Path MIDCOM agents are MIDCOM agents that are located naturally
+ within the message path of the application(s) they are associated
+ with. Bundled session applications, such as H.323, SIP, and RTSP
+ which have separate control and data sessions, may have their
+ sessions take divergent paths. In those scenarios, In-Path MIDCOM
+ agents are those that find themselves in the control path. In a
+ majority of cases, a middlebox will likely require the assistance of
+ a single agent for an application in the control path alone.
+ However, it is possible that a middlebox function, or a specific
+ application traversing the middlebox might require the intervention
+ of more than a single MIDCOM agent for the same application, one for
+ each sub-session of the application.
+
+ Application Proxies and gateways are a good choice for In-Path MIDCOM
+ agents, as these entities by definition, are in the path of an
+ application between a client and server. In addition to hosting the
+ MIDCOM agent function, these natively in-path application specific
+ entities may also enforce application-specific choices locally, such
+ as dropping messages infected with known viruses, or lacking user
+ authentication. These entities can be interjecting both the control
+ and data sessions. For example, FTP control and Data sessions are
+ interjected by an FTP proxy server.
+
+ However, proxies may also be interjecting just the control session
+ and not the data sessions, as is the case with real-time streaming
+ applications, such as SIP and RTSP. Note, applications may not
+ always traverse a proxy and some applications may not have a proxy
+ server available.
+
+ SIP proxies and H.323 gatekeepers may be used to host MIDCOM agent
+ functions to control middleboxes implementing firewall and NAT
+ functions. The advantage of using in-path entities, as opposed to
+ creating an entirely new agent, is that the in-path entities already
+ possess application intelligence. You will need to merely enable the
+ use of the MIDCOM protocol to be an effective MIDCOM agent. Figure 2
+ below illustrates a scenario where the in-path MIDCOM agents
+
+
+
+Srisuresh, et al. Informational [Page 11]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ interface with the middlebox. Let us say, the MIDCOM PDP has pre-
+ configured the in-path proxies as trusted MIDCOM agents on the
+ middlebox and the packet filter implements a 'default-deny' packet
+ filtering policy. Proxies use their application-awareness knowledge
+ to control the firewall function and selectively permit a certain
+ number of voice stream sessions dynamically using MIDCOM protocol.
+
+ In the illustration below, the proxies and the MIDCOM PDP are shown
+ inside a private domain. The intent however, is not to imply that
+ they be inside the private boundary alone. The proxies may also
+ reside external to the domain. The only requirement is that there be
+ a trust relationship with the middlebox.
+
+ +-----------+
+ | MIDCOM |
+ | PDP |~~~~~~~~~~~~~|
+ +-----------+ \
+ \
+ +--------+ \
+ | SIP |___ \
+ ________| Proxy | \ Middlebox \
+ / +--------+.. | +--------------------+
+ | : | MIDCOM | | |
+ | RTSP +---------+ :..|........| MIDCOM | POLICY |
+ SIP | ____| RTSP |.....|........| PROTOCOL | INTER- |
+ | / | Proxy |___ | | INTERFACE | FACE |
+ | | +---------+ \ \ |--------------------|
+ | | \ \______| |__SIP
+ | | \________| |__RTSP
+ | | ---| FIREWALL |--->--
+ +-----------+ /---| |---<--
+ +-----------+| Data streams // +--------------------+
+ +-----------+||---------->----// |
+ |end-hosts ||-----------<----- .
+ +-----------+ (RTP, RTSP data, etc.) |
+ . Outside the
+ Within a private domain | private domain
+
+ Legend: ---- Application data path datagrams
+ ____ Application control path datagrams
+ .... Middlebox Communication Protocol (MIDCOM)
+ ~~~~ MIDCOM PDP Interface
+ |
+ . private domain Boundary
+ |
+
+ Figure 2: In-Path MIDCOM Agents for middlebox Communication
+
+
+
+
+Srisuresh, et al. Informational [Page 12]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+5.1. End-hosts as In-Path MIDCOM agents
+
+ End-hosts are another variation of In-Path MIDCOM agents. Unlike
+ Proxies, End-hosts are a direct party to the application and possess
+ all the end-to-end application intelligence there is to it. End-
+ hosts presumably terminate both the control and data paths of an
+ application. Unlike other entities hosting MIDCOM agents, end-host
+ is able to process secure datagrams. However, the problem would be
+ one of manageability - upgrading all the end-hosts running a specific
+ application.
+
+6.0. MIDCOM PDP functions
+
+ The functional decomposition of the MIDCOM architecture assumes the
+ existence of a logical entity, known as MIDCOM PDP, responsible for
+ performing authorization and related provisioning services for the
+ middlebox as depicted in figure 1. The MIDCOM PDP is a logical
+ entity which may reside physically on a middlebox or on a node
+ external to the middlebox. The protocol employed for communication
+ between the middlebox and the MIDCOM PDP is unrelated to the MIDCOM
+ protocol.
+
+ Agents are registered with a MIDCOM PDP for authorization to invoke
+ services of the middlebox. The MIDCOM PDP maintains a list of agents
+ that are authorized to connect to each of the middleboxes the MIDCOM
+ PDP supports. In the context of the MIDCOM Framework, the MIDCOM PDP
+ does not assist a middlebox in the implementation of the services it
+ provides.
+
+ The MIDCOM PDP acts in an advisory capacity to a middlebox, to
+ authorize or terminate authorization for an agent attempting
+ connectivity to the middlebox. The primary objective of a MIDCOM PDP
+ is to communicate agent authorization information, so as to ensure
+ that the security and integrity of a middlebox is not jeopardized.
+ Specifically, the MIDCOM PDP should associate a trust level with each
+ agent attempting to connect to a middlebox and provide a security
+ profile. The MIDCOM PDP should be capable of addressing cases when
+ end-hosts are agents to the middlebox.
+
+6.1. Authentication, Integrity and Confidentiality
+
+ Host authenticity and individual message security are two distinct
+ types of security considerations. Host authentication refers to
+ credentials required of a MIDCOM agent to authenticate itself to the
+ middlebox and vice versa. When authentication fails, the middlebox
+ must not process signaling requests received from the agent that
+ failed authentication. Two-way authentication should be supported.
+ In some cases, the 2-way authentication may be tightly linked to the
+
+
+
+Srisuresh, et al. Informational [Page 13]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ establishment of keys to protect subsequent traffic. Two-way
+ authentication is often required to prevent various active attacks on
+ the MIDCOM protocol and secure establishment of keying material.
+
+ Security services such as authentication, data integrity,
+ confidentiality and replay protection may be adapted to secure MIDCOM
+ messages in an untrusted domain. Message authentication is the same
+ as data origin authentication and is an affirmation that the sender
+ of the message is who it claims to be. Data integrity refers to the
+ ability to ensure that a message has not been accidentally,
+ maliciously or otherwise altered or destroyed. Confidentiality is
+ the encryption of a message with a key, so that only those in
+ possession of the key can decipher the message content. Lastly,
+ replay protection is a form of sequence integrity, so when an
+ intruder plays back a previously recorded sequence of messages, the
+ receiver of the replay messages will simply drop the replay messages
+ into bit-bucket. Certain applications of the MIDCOM protocol might
+ require support for non-repudiation as an option of the data
+ integrity service. Typically, support for non-repudiation is
+ required for billing, service level agreements, payment orders, and
+ receipts for delivery of service.
+
+ IPsec AH ([IPSEC-AH]) offers data-origin authentication, data
+ integrity and protection from message replay. IPsec ESP ([IPSEC-
+ ESP]) provides data-origin authentication to a lesser degree (same as
+ IPsec AH if the MIDCOM transport protocol turns out to be TCP or
+ UDP), message confidentiality, data integrity and protection from
+ replay. Besides the IPsec based protocols, there are other security
+ options as well. TLS based transport layer security is one option.
+ There are also many application-layer security mechanisms available.
+ Simple Source-address based security is a minimal form of security
+ and should be relied on only in the most trusted environments, where
+ those hosts will not be spoofed.
+
+ The MIDCOM message security shall use existing standards, whenever
+ the existing standards satisfy the requirements. Security shall be
+ specified to minimize the impact on sessions that do not use the
+ security option. Security should be designed to avoid introducing
+ and to minimize the impact of denial of service attacks. Some
+ security mechanisms and algorithms require substantial processing or
+ storage, in which case the security protocols should protect
+ themselves as well as against possible flooding attacks that
+ overwhelm the endpoint (i.e., the middlebox or the agent) with such
+ processing. For connection oriented protocols (such as TCP) using
+ security services, the security protocol should detect premature
+ closure or truncation attacks.
+
+
+
+
+
+Srisuresh, et al. Informational [Page 14]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+6.2. Registration and deregistration of MIDCOM agents
+
+ Prior to allowing MIDCOM agents to invoke services of the middlebox,
+ a registration process must take place. Registration is a different
+ process than establishing a MIDCOM session. The former requires
+ provisioning agent profile information with the middlebox or a MIDCOM
+ PDP. Agent registration is often a manual operation performed by an
+ operator rather than the agent itself. Setting up MIDCOM session
+ refers to establishing a MIDCOM transport session and exchanging
+ security credentials between an agent and a middlebox. The transport
+ session uses the registered information for session establishment.
+
+ Profile of a MIDCOM agent includes agent authorization policy (i.e.,
+ session tuples for which the agent is authorized to act as ALG),
+ agent-hosting-entity (e.g., Proxy, Gateway or end-host which hosts
+ the agent), agent accessibility profile (including any host level
+ authentication information) and security profile (i.e., security
+ requirements for messages exchanged between the middlebox and the
+ agent).
+
+ MIDCOM agent profile may be pre-configured on a middlebox.
+ Subsequent to that, the agent may choose to initiate a MIDCOM session
+ prior to any data traffic. For example, MIDCOM agent authorization
+ policy for a middlebox service may be preconfigured by specifying the
+ agent in conjunction with a filter. In the case of a firewall, for
+ example, the ACL tuple may be altered to reflect the optional Agent
+ presence. The revised ACL may look something like the following.
+
+ (<Session-Direction>, <Source-Address>, <Destination-Address>, <IP-
+ Protocol>, <Source-Port>, <Destination-Port>, <Agent>)
+
+ The reader should note that this is an illustrative example and not
+ necessarily the actual definition of an ACL tuple. The formal
+ description of the ACL is yet to be devised. Agent accessibility
+ information should also be provisioned. For a MIDCOM agent,
+ accessibility information includes the IP address, trust level, host
+ authentication parameters and message authentication parameters.
+ Once a session is established between a middlebox and a MIDCOM agent,
+ that session should be usable with multiple instances of the
+ application(s), as appropriate. Note, all of this could be captured
+ in an agent profile for ease of management.
+
+ The technique described above is necessary for the pre-registration
+ of MIDCOM agents with the middlebox. The middlebox provisioning may
+ remain unchanged, if the middlebox learns of the registered agents
+ through a MIDCOM PDP. In either case, the MIDCOM agent should
+ initiate the session prior to the start of the application. If the
+ agent session is delayed until after the application has started, the
+
+
+
+Srisuresh, et al. Informational [Page 15]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ agent might be unable to process the control stream to permit the
+ data sessions. When a middlebox notices an incoming MIDCOM session,
+ and the middlebox has no prior profile of the MIDCOM agent, the
+ middlebox will consult its MIDCOM PDP for authenticity,
+ authorization, and trust guidelines for the session.
+
+7.0. MIDCOM Framework Illustration using an In-Path agent
+
+ In figure 3 below, we consider SIP applications (Refer [SIP]) to
+ illustrate the operation of the MIDCOM protocol. Specifically, the
+ application assumes that a caller, external to a private domain,
+ initiates the call. The middlebox is assumed to be located at the
+ edge of the private domain. A SIP phone (SIP User Agent
+ Client/Server) inside the private domain is capable of receiving
+ calls from external SIP phones. The caller uses a SIP Proxy, node
+ located external to the private domain, as its outbound proxy. No
+ interior proxy is assumed for the callee. Lastly, the external SIP
+ proxy node is designated to host the MIDCOM agent function.
+
+ Arrows 1 and 8 in the figure below refer to a SIP call setup exchange
+ between the external SIP phone and the SIP proxy. Arrows 4 and 5
+ refer to a SIP call setup exchange between the SIP proxy and the
+ interior SIP phone, and are assumed to be traversing the middlebox.
+ Arrows 2, 3, 6 and 7 below, between the SIP proxy and the middlebox,
+ refer to MIDCOM communication. Na and Nb represent RTP/RTCP media
+ traffic (Refer [RTP]) path in the external network. Nc and Nd
+ represent media traffic inside the private domain.
+
+ _________
+ --->| SIP |<-----\
+ / | Proxy | \
+ | |_________| |
+ 1| |^ ^| 4|
+ | || || |
+ |8 2||3 7||6 |5
+ ______________ | || || | _____________
+ | |<-/ _v|____|v___ \->| |
+ | External | Na | | Nc | SIP Phone |
+ | SIP phone |>------->| Middlebox |>------>| within |
+ | |<-------<|___________|<------<| Pvt. domain|
+ |____________| Nb Nd |____________|
+
+ Figure 3: MIDCOM framework illustration with In-Path SIP Proxy
+
+ As for the SIP application, we make the assumption that the middlebox
+ is pre-configured to accept SIP calls into the private SIP phone.
+ Specifically, this would imply that the middlebox implementing
+ firewall service is pre-configured to permit SIP calls (destination
+
+
+
+Srisuresh, et al. Informational [Page 16]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ TCP or UDP port number set to 5060) into the private phone.
+ Likewise, middlebox implementing NAPT service would have been pre-
+ configured to provide a port binding, to permit incoming SIP calls to
+ be redirected to the specific private SIP phone. I.e., the INVITE
+ from the external caller is not made to the private IP address, but
+ to the NAPT external address.
+
+ The objective of the MIDCOM agent in the following illustration is to
+ merely permit the RTP/RTCP media stream (Refer [RTP]) through the
+ middlebox, when using the MIDCOM protocol architecture outlined in
+ the document. A SIP session typically establishes two RTP/RTCP media
+ streams - one from the callee to the caller and another from the
+ caller to the callee. These media sessions are UDP based and will
+ use dynamic ports. The dynamic ports used for the media stream are
+ specified in the SDP section (Refer [SDP]) of the SIP payload
+ message. The MIDCOM agent will parse the SDP section and use the
+ MIDCOM protocol to (a) open pinholes (i.e., permit RTP/RTCP session
+ tuples) in a middlebox implementing firewall service, or (b) create
+ PORT bindings and appropriately modify the SDP content to permit the
+ RTP/RTCP streams through a middlebox implementing NAT service. The
+ MIDCOM protocol should be sufficiently rich and expressive to support
+ the operations described under the timelines. The examples do not
+ show the timers maintained by the agent to keep the middlebox policy
+ rule(s) from timing out.
+
+ MIDCOM agent Registration and connectivity between the MIDCOM agent
+ and the middlebox are not shown in the interest of restricting the
+ focus of the MIDCOM transactions to enabling the middlebox to let the
+ media stream through. MIDCOM PDP is also not shown in the diagram
+ below or on the timelines for the same reason.
+
+ The following subsections illustrate a typical timeline sequence of
+ operations that transpire with the various elements involved in a SIP
+ telephony application path. Each subsection is devoted to a specific
+ instantiation of a middlebox service - NAPT (refer [NAT-TERM], [NAT-
+ TRAD]), firewall and a combination of both NAPT and firewall are
+ considered.
+
+7.1. Timeline flow - Middlebox implementing firewall service
+
+ In the following example, we will assume a middlebox implementing a
+ firewall service. We further assume that the middlebox is pre-
+ configured to permit SIP calls (destination TCP or UDP port number
+ set to 5060) into the private phone. The following timeline
+ illustrates the operations performed by the MIDCOM agent, to permit
+ RTP/RTCP media stream through the middlebox.
+
+
+
+
+
+Srisuresh, et al. Informational [Page 17]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ The INVITE from the caller (external) is assumed to include the SDP
+ payload. You will note that the MIDCOM agent requests the middlebox
+ to permit the Private-to-external RTP/RTCP flows before the INVITE is
+ relayed to the callee. This is because, in SIP, the calling party
+ must be ready to receive the media when it sends the INVITE with a
+ session description. If the called party (private phone) assumes
+ this and sends "early media" before sending the 200 OK response, the
+ firewall will have blocked these packets without this initial MIDCOM
+ signaling from the agent.
+
+ SIP Phone SIP Proxy Middlebox SIP Phone
+ (External) (MIDCOM agent) (FIREWALL (private)
+ | | Service) |
+ | | | |
+ |----INVITE------>| | |
+ | | | |
+ |<---100Trying----| | |
+ | | | |
+ | Identify end-2-end | |
+ | parameters (from Caller's | |
+ | SDP) for the pri-to-Ext | |
+ | RTP & RTCP sessions. | |
+ | (RTP1, RTCP1) | |
+ | | | |
+ | |+Permit RTP1, RTCP1 +>| |
+ | |<+RTP1, RTCP1 OKed++++| |
+ | | | |
+ | |--------INVITE---------------------->|
+ | | | |
+ | |<-----180 Ringing--------------------|
+ |<--180Ringing----| | |
+ | |<-------200 OK-----------------------|
+ | | | |
+ | Identify end-2-end | |
+ | parameters (from callee's | |
+ | SDP) for the Ext-to-Pri | |
+ | RTP and RTCP sessions. | |
+ | (RTP2, RTCP2) | |
+ | | | |
+ | |+Permit RTP2, RTCP2 +>| |
+ | |<+RTP2, RTCP2 OKed++++| |
+ | | | |
+ |<---200 OK ------| | |
+ |-------ACK------>| | |
+ | |-----------ACK---------------------->|
+ | | | |
+ |<===================RTP/RTCP==========================>|
+
+
+
+
+Srisuresh, et al. Informational [Page 18]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ | | | |
+ |-------BYE------>| | |
+ | |--------------------------BYE------->|
+ | | | |
+ | |<----------200 OK--------------------|
+ | | | |
+ | |++Cancel permits to | |
+ | | RTP1, RTCP1, RTP2, | |
+ | | and RTCP2 +++++++++>| |
+ | |<+RTP1, RTP2, RTCP1 & | |
+ | | RTCP2 cancelled ++++| |
+ | | | |
+ |<---200 OK-------| | |
+ | | | |
+
+ Legend: ++++ MIDCOM control traffic
+ ---- SIP control traffic
+ ==== RTP/RTCP media traffic
+
+7.2. Timeline flow - Middlebox implementing NAPT service
+
+ In the following example, we will assume a middlebox implementing
+ NAPT service. We make the assumption that the middlebox is pre-
+ configured to redirect SIP calls to the specific private SIP phone
+ application. I.e., the INVITE from the external caller is not made
+ to the private IP address, but to the NAPT external address. Let us
+ say, the external phone's IP address is Ea, NAPT middlebox external
+ Address is Ma, and the internal SIP phone's private address is Pa.
+ SIP calls to the private SIP phone will arrive as TCP/UDP sessions,
+ with the destination address and port set to Ma and 5060
+ respectively. The middlebox will redirect these datagrams to the
+ internal SIP phone. The following timeline will illustrate the
+ operations necessary to be performed by the MIDCOM agent to permit
+ the RTP/RTCP media stream through the middlebox.
+
+ As with the previous example (section 7.1), the INVITE from the
+ caller (external) is assumed to include the SDP payload. You will
+ note that the MIDCOM agent requests the middlebox to create NAT
+ session descriptors for the private-to-external RTP/RTCP flows before
+ the INVITE is relayed to the private SIP phone (for the same reasons
+ as described in section 7.1). If the called party (private phone)
+ sends "early media" before sending the 200 OK response, the NAPT
+ middlebox will have blocked these packets without the initial MIDCOM
+ signaling from the agent. Also, note that after the 200 OK is
+ received by the proxy from the private phone, the agent requests the
+ middlebox to allocate NAT session descriptors for the external-to-
+ private RTP2 and RTCP2 flows, such that the ports assigned on the Ma
+ for RTP2 and RTCP2 are contiguous. The RTCP stream does not happen
+
+
+
+Srisuresh, et al. Informational [Page 19]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ with a non-contiguous port. Lastly, you will note that even though
+ each media stream (RTP1, RTCP1, RTP2 and RTCP2) is independent, they
+ are all tied to the single SIP control session, while their NAT
+ session descriptors were being created. Finally, when the agent
+ issues a terminate session bundle command for the SIP session, the
+ middlebox is assumed to delete all associated media stream sessions
+ automagically.
+
+ SIP Phone SIP Proxy Middlebox SIP Phone
+ (External) (MIDCOM agent) (NAPT (Private)
+ IP Addr:Ea | Service) IP addr:Pa
+ | | IP addr:Ma |
+ | | | |
+ |----INVITE------>| | |
+ | | | |
+ |<---100Trying----| | |
+ | | | |
+ | |++ Query Port-BIND | |
+ | | for (Ma, 5060) +++>| |
+ | |<+ Port-BIND reply | |
+ | | for (Ma, 5060) ++++| |
+ | | | |
+ | |++ Query NAT Session | |
+ | | Descriptor for | |
+ | | Ea-to-Pa SIP flow+>| |
+ | |<+ Ea-to-Pa SIP flow | |
+ | | Session Descriptor+| |
+ | | | |
+ | Determine the Internal | |
+ | IP address (Pa) | |
+ | of the callee. | |
+ | | | |
+ | Identify UDP port numbers | |
+ | on Ea (Eport1, Eport1+1) | |
+ | for pri-to-ext RTP & RTCP | |
+ | sessions (RTP1, RTCP1) | |
+ | | | |
+ | |++Create NAT Session | |
+ | | descriptors for | |
+ | | RTP1, RTCP1; Set | |
+ | | parent session to | |
+ | | SIP-ctrl session ++>| |
+ | |<+RTP1, RTCP1 session | |
+ | | descriptors created+| |
+ | | | |
+ | | |..redirected..|
+ | |--------INVITE--------|------------->|
+ | | | |
+
+
+
+Srisuresh, et al. Informational [Page 20]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ | |<-----180Ringing---------------------|
+ | | | |
+ |<--180Ringing----| | |
+ | |<-------200 OK-----------------------|
+ | | | |
+ | Identify UDP port numbers | |
+ | on Pa (Pport2, Pport2+1) | |
+ | for ext-to-pri RTP & RTCP | |
+ | sessions (RTP2, RTCP2) | |
+ | | | |
+ | |++Create consecutive | |
+ | | port BINDs on Ma | |
+ | | for (Pa, Pport2), | |
+ | | (Pa, Pport2+1) ++++>| |
+ | |<+Port BINDs created++| |
+ | | | |
+ | |++Create NAT Session | |
+ | | descriptors for | |
+ | | RTP2, RTCP2; Set | |
+ | | parent session to | |
+ | | SIP-ctrl session ++>| |
+ | |<+RTP2, RTCP2 session | |
+ | | descriptors created+| |
+ | | | |
+ | Modify the SDP | |
+ | parameters in "200 OK" | |
+ | with NAPT PORT-BIND | |
+ | for the RTP2 port on Ma. | |
+ | | | |
+ |<---200 OK ------| | |
+ | | | |
+ |-------ACK------>| | |
+ | | | |
+ | Modify IP addresses | |
+ | appropriately in the SIP | |
+ | header (e.g., To, from, | |
+ | Via, contact fields) | |
+ | | |..redirected..|
+ | |-----------ACK--------|------------->|
+ | | | |
+ | | | |
+ |<===================RTP/RTCP============|=============>|
+ | | | |
+ |-------BYE------>| | |
+ | | | |
+ | |----------------------|-----BYE----->|
+ | | | |
+ | |<----------200 OK--------------------|
+
+
+
+Srisuresh, et al. Informational [Page 21]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ | | | |
+ | |+++Terminate the SIP | |
+ | | Session bundle +++>| |
+ | |<++SIP Session bundle | |
+ | | terminated ++++++++| |
+ | | | |
+ |<---200 OK-------| | |
+ | | | |
+
+ Legend: ++++ MIDCOM control traffic
+ ---- SIP control traffic
+ ==== RTP/RTCP media traffic
+
+7.3. Timeline flow - Middlebox implementing NAPT and firewall
+
+ In the following example, we will assume a middlebox implementing a
+ combination of a firewall and a stateful NAPT service. We make the
+ assumption that the NAPT function is configured to translate the IP
+ and TCP headers of the initial SIP session into the private SIP
+ phone, and the firewall function is configured to permit the initial
+ SIP session.
+
+ In the following time line, it may be noted that the firewall
+ description is based on packet fields on the wire (ex: as seen on the
+ external interface of the middlebox). In order to ensure correct
+ behavior of the individual services, you will notice that NAT
+ specific MIDCOM operations precede firewall specific operations on
+ the MIDCOM agent. This is noticeable in the time line below when the
+ MIDCOM agent processes the "200 OK" from the private SIP phone. The
+ MIDCOM agent initially requests the NAT service on the middlebox to
+ set up port-BIND and session-descriptors for the media stream in both
+ directions. Subsequent to that, the MIDCOM agent determines the
+ session parameters (i.e., the dynamic UDP ports) for the media
+ stream, as viewed by the external interface and requests the firewall
+ service on the middlebox to permit those sessions through.
+
+ SIP Phone SIP Proxy Middlebox SIP Phone
+ (External) (MIDCOM agent) (NAPT & (Private)
+ IP Addr:Ea | firewall IP addr:Pa
+ | | Services) |
+ | | IP addr:Ma |
+ | | | |
+ |----INVITE------>| | |
+ | | | |
+ |<---100Trying----| | |
+ | | | |
+ | |++ Query Port-BIND | |
+ | | for (Ma, 5060) +++>| |
+
+
+
+Srisuresh, et al. Informational [Page 22]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ | |<+ Port-BIND reply | |
+ | | for (Ma, 5060) ++++| |
+ | | | |
+ | |++ Query NAT Session | |
+ | | Descriptor for | |
+ | | Ea-to-Pa SIP flow+>| |
+ | |<+ Ea-to-Pa SIP flow | |
+ | | Session Descriptor+| |
+ | | | |
+ | Determine the Internal | |
+ | IP address (Pa) | |
+ | of the callee. | |
+ | | | |
+ | Identify UDP port numbers | |
+ | on Ea (Eport1, Eport1+1) | |
+ | for pri-to-ext RTP & RTCP | |
+ | sessions (RTP1, RTCP1) | |
+ | | | |
+ | |++Create NAT Session | |
+ | | descriptors for | |
+ | | RTP1, RTCP1; Set the| |
+ | | parent session to | |
+ | | point to SIP flow++>| |
+ | |<+RTP1, RTCP1 session | |
+ | | descriptors created+| |
+ | | | |
+ | |++Permit RTP1 & RTCP1 | |
+ | | sessions External to| |
+ | | middlebox, namely | |
+ | | Ma to Ea:Eport1, | |
+ | | Ma to Ea:Eport1+1 | |
+ | | sessions ++++++++++>| |
+ | |<+Ma to Ea:Eport1, | |
+ | | Ma to Ea:Eport1+1 | |
+ | | sessions OKed ++++++| |
+ | | | |
+ | | |..redirected..|
+ | |--------INVITE--------|------------->|
+ | | | |
+ | |<-----180Ringing---------------------|
+ | | | |
+ |<--180Ringing----| | |
+ | |<-------200 OK-----------------------|
+ | | | |
+ | Identify UDP port numbers | |
+ | on Pa (Pport2, Pport2+1) | |
+ | for ext-to-pri RTP & RTCP | |
+ | sessions (RTP2, RTCP2) | |
+
+
+
+Srisuresh, et al. Informational [Page 23]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ | | | |
+ | |++Create consecutive | |
+ | | port BINDs on Ma | |
+ | | for (Pa, Pport2), | |
+ | | (Pa, Pport2+1) ++++>| |
+ | |<+Port BINDs created | |
+ | | on Ma as (Mport2, | |
+ | | Mport2+1) ++++++++++| |
+ | | | |
+ | |++Create NAT Session | |
+ | | descriptors for | |
+ | | RTP2, RTCP2; Set the| |
+ | | parent session to | |
+ | | point to SIP flow++>| |
+ | |<+RTP2, RTCP2 session | |
+ | | descriptors created+| |
+ | | | |
+ | Modify the SDP | |
+ | parameters in "200 OK" | |
+ | with NAPT PORT-BIND | |
+ | for RTP2 port on Ma. | |
+ | | | |
+ | |++Permit RTP2 & RTCP2 | |
+ | | sessions External | |
+ | | middlebox, namely | |
+ | | Ea to Ma:Mport2, | |
+ | | Ea to Ma:Mport2+1 | |
+ | | sessions ++++++++++>| |
+ | |<+Ea to Ma:Mport2, | |
+ | | Ea to Ma:Mport2 | |
+ | | sessions OKed ++++++| |
+ | | | |
+ |<---200 OK ------| | |
+ | | | |
+ |-------ACK------>| | |
+ | | |..redirected..|
+ | |-----------ACK--------|------------->|
+ | | | |
+ | | | |
+ |<===================RTP/RTCP============|=============>|
+ | | | |
+ |-------BYE------>| | |
+ | | | |
+ | |----------------------|-----BYE----->|
+ | | | |
+ | |<----------200 OK--------------------|
+ | | | |
+ | |+++Terminate the SIP | |
+
+
+
+Srisuresh, et al. Informational [Page 24]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ | | Session bundle +++>| |
+ | |<++SIP Session bundle | |
+ | | terminated ++++++++| |
+ | | | |
+ | |++Cancel permits to | |
+ | | sessions External | |
+ | | middlebox, namely | |
+ | | Ma to Ea:Eport1, | |
+ | | Ma to Ea:Eport1+1 | |
+ | | Ea to Ma:Mport2, | |
+ | | Ea to Ma:Mport2+1 | |
+ | | sessions ++++++++++>| |
+ | |<+Removed permits to | |
+ | | sessions listed ++++| |
+ | | | |
+ |<---200 OK-------| | |
+ | | | |
+
+ Legend: ++++ MIDCOM control traffic
+ ---- SIP control traffic
+ ==== RTP/RTCP media traffic
+
+8.0. Operational considerations
+
+8.1. Multiple MIDCOM sessions between agents and middlebox
+
+ A middlebox cannot be assumed to be a simple device implementing just
+ one middlebox function and no more than a couple of interfaces.
+ Middleboxes often combine multiple intermediate functions into the
+ same device and have the ability to provision individual interfaces
+ of the same device with different sets of functions and varied
+ provisioning for the same function across the interfaces.
+
+ As such, a MIDCOM agent ought to be able to have a single MIDCOM
+ session with a middlebox and use the MIDCOM interface on the
+ middlebox to interface with different services on the same middlebox.
+
+8.2. Asynchronous notification to MIDCOM agents
+
+ Asynchronous notification by the middlebox to a MIDCOM agent can be
+ useful for events such as Session creation, Session termination,
+ MIDCOM protocol failure, middlebox function failure or any other
+ significant event. Independently, ICMP error codes can also be
+ useful to notify transport layer failures to the agents.
+
+ In addition, periodic notification of various forms of data, such as
+ statistics update, would also be a useful function that would be
+ beneficial to certain types of agents.
+
+
+
+Srisuresh, et al. Informational [Page 25]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+8.3. Timers on middlebox considered useful
+
+ When supporting the MIDCOM protocol, the middlebox is required to
+ allocate dynamic resources, as specified in policy rule(s), upon
+ request from agents. Explicit release of dynamically allocated
+ resources happens when the application session is ended or when a
+ MIDCOM agent requests the middlebox to release the resource.
+
+ However, the middlebox should be able to recover the dynamically
+ allocated resources, even as the agent that was responsible for the
+ allocation is not alive. Associating a lifetime for these dynamic
+ resources and using a timer to track the lifetime can be a good way
+ to accomplish this.
+
+8.4. Middleboxes supporting multiple services
+
+ A middlebox could be implementing a variety of services (e.g. NAT and
+ firewall) in the same box. Some of these services might have inter-
+ dependency on shared resources and sequence of operation. Others may
+ be independent of each other. Generally speaking, the sequence in
+ which these function operations may be performed on datagrams is not
+ within the scope of this document.
+
+ In the case of a middlebox implementing NAT and firewall services, it
+ is safe to state that the NAT operation on an interface will precede
+ a firewall on the egress and will follow a firewall on the ingress.
+ Further, firewall access control lists, used by a firewall, are
+ assumed to be based on session parameters, as seen on the interface
+ supporting firewall service.
+
+8.5. Signaling and Data traffic
+
+ The class of applications the MIDCOM architecture addresses focus
+ around applications that have a combination of, one or more,
+ signaling and data traffic sessions. The signaling may be done out-
+ of-band, using a dedicated stand-alone session or may be done in-
+ band, within a data session. Alternately, signaling may also be done
+ as a combination of both stand-alone and in-band sessions.
+
+ SIP is an example of an application based on distinct signaling and
+ data sessions. A SIP signaling session is used for call setup
+ between a caller and a callee. A MIDCOM agent may be required to
+ examine/modify SIP payload content to administer the middlebox so as
+ to let the media streams (RTP/RTCP based) through. A MIDCOM agent is
+ not required to intervene in the data traffic.
+
+
+
+
+
+
+Srisuresh, et al. Informational [Page 26]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ Signaling and context specific Header information is sent in-band,
+ within the same data stream for applications such as HTTP embedded
+ applications, sun-RPC (embedding a variety of NFS apps), Oracle
+ transactions (embedding oracle SQL+, MS ODBC, Peoplesoft) etc.
+
+ H.323 is an example of an application that sends signaling in both
+ dedicated stand-alone sessions, as well as in conjunction with data.
+ H.225.0 call signaling traffic traverses middleboxes by virtue of
+ static policy, no MIDCOM control needed. H.225.0 call signaling also
+ negotiates ports for an H.245 TCP stream. A MIDCOM agent is required
+ to examine/modify the contents of the H.245 so that H.245 can
+ traverse it.
+
+ H.245 traverses the middlebox and also carries Open Logical Channel
+ information for media data. So, the MIDCOM agent is once again
+ required to examine/modify the payload content needs to let the media
+ traffic flow.
+
+ The MIDCOM architecture takes into consideration, supporting
+ applications with independent signaling and data sessions as well as
+ applications that have signaling and data communicated over the same
+ session.
+
+ In the cases where signaling is done on a single stand-alone session,
+ it is desirable to have a MIDCOM agent interpret the signaling stream
+ and program the middlebox (that transits the data stream) so as to
+ let the data traffic through uninterrupted.
+
+9. Applicability Statement
+
+ Middleboxes may be stationed in a number of topologies. However, the
+ signaling framework outlined in this document may be limited to only
+ those middleboxes that are located in a DMZ (De-Militarized Zone) at
+ the edge of a private domain, connecting to the Internet.
+ Specifically, the assumption is that you have a single middlebox
+ (running NAT or firewall) along the application route. Discovery of
+ a middlebox along an application route is outside the scope of this
+ document. It is conceivable to have middleboxes located between
+ departments within the same domain or inside the service provider's
+ domain and so forth. However, care must be taken to review each
+ individual scenario and determine the applicability on a case-by-case
+ basis.
+
+ The applicability may also be illustrated as follows. Real-time and
+ streaming applications, such as Voice-Over-IP, and peer-to-peer
+ applications, such as Napster and Netmeeting, require administering
+ firewalls and NAT middleboxes to let their media streams reach hosts
+ inside a private domain. The requirements are in the form of
+
+
+
+Srisuresh, et al. Informational [Page 27]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ establishing a "pin-hole" to permit a TCP/UDP session (the port
+ parameters of which are dynamically determined) through a firewall or
+ retain an address/port bind in the NAT device to permit sessions to a
+ port. These requirements are met by current generation middleboxes
+ using adhoc methods, such as embedding application intelligence
+ within a middlebox to identify the dynamic session parameters and
+ administering the middlebox internally as appropriate. The objective
+ of the MIDCOM architecture is to create a unified, standard way to
+ exercise this functionality, currently existing in an ad-hoc fashion,
+ in some of the middleboxes.
+
+ By adopting MIDCOM architecture, middleboxes will be able to support
+ newer applications they have not been able to support thus far.
+ MIDCOM architecture does not, and must not in anyway, change the
+ fundamental characteristic of the services supported on the
+ middlebox.
+
+ Typically, organizations shield a majority of their corporate
+ resources (such as end-hosts) from visibility to the external network
+ by the use of a De-Militarized Zone (DMZ) at the domain edge. Only a
+ portion of these hosts are allowed to be accessed by the external
+ world. The remaining hosts and their names are unique to the private
+ domain. Hosts visible to the external world and the authoritative
+ name server that maps their names to network addresses are often
+ configured within a DMZ (De-Militarized Zone) in front of a firewall.
+ Hosts and middleboxes within DMZ are referred to as DMZ nodes.
+
+ Figure 4 below illustrates the configuration of a private domain with
+ a DMZ at its edge. Actual configurations may vary. Internal hosts
+ are accessed only by users inside the domain. Middleboxes, located
+ in the DMZ may be accessed by agents inside or outside the domain.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Srisuresh, et al. Informational [Page 28]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ \ | /
+ +-----------------------+
+ |Service Provider Router|
+ +-----------------------+
+ WAN |
+ Stub A .........|\|....
+ |
+ +---------------+
+ | NAT middlebox |
+ +---------------+
+ |
+ | DMZ - Network
+ ------------------------------------------------------------
+ | | | | |
+ +--+ +--+ +--+ +--+ +-----------+
+ |__| |__| |__| |__| | Firewall |
+ /____\ /____\ /____\ /____\ | middlebox |
+ DMZ-Host1 DMZ-Host2 ... DMZ-Name DMZ-Web +-----------+
+ Server Server etc. |
+ |
+ Internal Hosts (inside the private domain) |
+ ------------------------------------------------------------
+ | | | |
+ +--+ +--+ +--+ +--+
+ |__| |__| |__| |__|
+ /____\ /____\ /____\ /____\
+ Int-Host1 Int-Host2 ..... Int-Hostn Int-Name Server
+
+ Figure 4: DMZ network configuration of a private domain.
+
+10. Acknowledgements
+
+ The authors wish to thank Christian Huitema, Joon Maeng, Jon
+ Peterson, Mike Fisk, Matt Holdrege, Melinda Shore, Paul Sijben,
+ Philip Mart, Scott Brim and Richard Swale for their valuable
+ critique, advice and input on an earlier rough version of this
+ document. The authors owe special thanks to Eliot Lear for kick-
+ starting the e-mail discussion on use-case scenarios with a SIP
+ application flow diagram through a middlebox. Much thanks to Bob
+ Penfield, Cedric Aoun, Christopher Martin, Eric Fleischman, George
+ Michaelson, Wanqun Bao, and others in the MIDCOM work group for their
+ very detailed feedback on a variety of topics and adding clarity to
+ the discussion. Last, but not the least, the authors owe much thanks
+ to Mark Duffy, Scott Brim, Melinda Shore and others for their help
+ with terminology definition and discussing the embedded requirements
+ within the framework document.
+
+
+
+
+
+Srisuresh, et al. Informational [Page 29]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+11. Security Considerations
+
+ Discussed below are security considerations in accessing a middlebox.
+ Without MIDCOM protocol support, the premise of a middlebox operation
+ fundamentally requires the data to be in the clear, as the middlebox
+ needs the ability to inspect and/or modify packet headers and
+ payload. This compromises the confidentiality requirement in some
+ environments. Further, updating transport headers and rewriting
+ application payload data, in some cases, by NAT prevents the use of
+ integrity protection on some data streams traversing NAT middleboxes.
+ Clearly, this can pose a significant security threat to the
+ application in an untrusted transport domain.
+
+ The MIDCOM protocol framework removes the need for a middlebox to
+ inspect or manipulate transport payload. This allows applications to
+ better protect themselves end-to-end with the aid of a trusted MIDCOM
+ agent. This is especially the case when the agent is a resident on
+ the end-host. When an agent has the same end-to-end ability as the
+ end-host to interpret encrypted and integrity protected data,
+ transiting a middlebox can be encrypted and integrity protected. The
+ MIDCOM agent will still be able to interpret the data and simply
+ notify the middlebox of open holes, install NAT table entries, etc.
+ Note, however, the MIDCOM framework does not help with the problem of
+ NAT breaking IPsec since in this case the middlebox still modifies IP
+ and transport headers.
+
+ Security between a MIDCOM agent and a middlebox has a number of
+ components. Authorization, authentication, integrity and
+ confidentiality. Authorization refers to whether a particular agent
+ is authorized to signal a middlebox with requests for one or more
+ applications, adhering to a certain policy profile. Failing the
+ authorization process might indicate a resource theft attempt or
+ failure due to administrative and/or credential deficiencies. In
+ either case, the middlebox should take the proper measures to
+ audit/log such attempts and consult its designated MIDCOM PDP for the
+ required action if the middlebox is configured with one.
+ Alternatively, the middlebox may resort to a default service deny
+ policy when a MIDCOM agent fails to prompt the required credentials.
+ Section 6 discusses the middlebox to MIDCOM PDP interactions in view
+ of policy decisions.
+
+ Authentication refers to confirming the identity of an originator for
+ all datagrams received from the originator. Lack of strong
+ credentials for authentication of MIDCOM messages between an agent
+ and a middlebox can seriously jeopardize the fundamental service
+ rendered by the middlebox. A consequence of not authenticating an
+ agent would be that an attacker could spoof the identity of a
+ "legitimate" agent and open holes in the firewall. Another would be
+
+
+
+Srisuresh, et al. Informational [Page 30]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ that it could otherwise manipulate the state on a middlebox, creating
+ a denial-of-service attack by closing needed pinholes or filling up a
+ NAT table. A consequence of not authenticating the middlebox to an
+ agent is that an attacker could pose as a middlebox and respond to
+ NAT requests in a manner that would divert data to the attacker.
+ Failing to submit the required/valid credentials, once challenged,
+ may indicate a replay attack, in which case a proper action is
+ required by the middlebox such as auditing, logging, or consulting
+ its designated MIDCOM PDP to reflect such failure. A consequence of
+ not protecting the middlebox against replay attacks would be that a
+ specific pinhole may be reopened or closed by an attacker at will,
+ thereby bombarding end hosts with unwarranted data or causing denial
+ of service.
+
+ Integrity is required to ensure that a MIDCOM message has not been
+ accidentally or maliciously altered or destroyed. The result of a
+ lack of data integrity enforcement in an untrusted environment could
+ be that an imposter will alter the messages sent by an agent and
+ bring the middlebox to a halt or cause a denial of service for the
+ application the agent is attempting to enable.
+
+ Confidentiality of MIDCOM messages ensure that the signaling data is
+ accessible only to the authorized entities. When a middlebox agent
+ is deployed in an untrusted environment, lack of confidentiality will
+ allow an intruder to perform traffic flow analysis and snoop the
+ middlebox. The intruder could cannibalize a lesser secure MIDCOM
+ session and destroy or compromise the middlebox resources he
+ uncovered on other sessions. Needless to say, the least secure
+ MIDCOM session will become the achilles heel and make the middlebox
+ vulnerable to security attacks.
+
+ Lastly, there can be security vulnerability to the applications
+ traversing a middlebox when a resource on a middlebox is controlled
+ by multiple external agents. A middlebox service may be disrupted
+ due to conflicting directives from multiple agents associated with
+ different middlebox functions but applied to the same application
+ session. Care must be taken in the protocol design to ensure that
+ agents for one function do not abruptly step over resources impacting
+ a different function. Alternately, the severity of such
+ manifestations could be lessened when a single MIDCOM agent is
+ responsible for supporting all the middlebox services for an
+ application, due to the reduced complexity and synchronization effort
+ in managing the middlebox resources.
+
+
+
+
+
+
+
+
+Srisuresh, et al. Informational [Page 31]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+References
+
+ [SIP] Rosenberg, J., Shulzrinne, H., Camarillo, G., Johnston,
+ A., Peterson, J., Sparks, R., Handley, M., Schooler, E.,
+ "SIP: Session Initiation Protocol", RFC 3261, June 2002.
+
+ [SDP] Handley, M. and V. Jacobson, "SDP: Session Description
+ Protocol", RFC 2327, April 1998.
+
+ [H.323] ITU-T Recommendation H.323. "Packet-based Multimedia
+ Communications Systems," 1998.
+
+ [RTP] Schulzrinne, H., Casner, S., Frederick, R. and V.
+ Jacobson, "RTP: A Transport Protocol for Real-Time
+ Applications", RFC 1889, January 1996.
+
+ [RTSP] Schulzrinne, H., Rao, A. and R. Lanphier: "Real Time
+ Streaming Protocol (RTSP)", RFC 2326, April 1998.
+
+ [FTP] Postel, J. and J. Reynolds, "File Transfer Protocol", STD
+ 9, RFC 959, October 1985.
+
+ [NAT-TERM] Srisuresh, P. and M. Holdrege, "IP Network Address
+ Translator (NAT) Terminology and Considerations", RFC
+ 2663, August 1999.
+
+ [NAT-TRAD] Srisuresh, P. and K. Egevang, "Traditional IP Network
+ Address Translator (Traditional NAT)", RFC 3022, January
+ 2001.
+
+ [NAT-PT] Tsirtsis, G. and P. Srisuresh, "Network Address
+ Translation - Protocol Translation (NAT-PT)", RFC 2766,
+ February 2000.
+
+ [IPsec-AH] Kent, S. and R. Atkinson, "IP Authentication Header", RFC
+ 2402, November 1998.
+
+ [IPsec-ESP] Kent, S. and R. Atkinson, "IP Encapsulating Security
+ Payload (ESP)", RFC 2406, November 1998.
+
+ [TLS] Dierks, T. and C. Allen, "The TLS Protocol Version 1.0",
+ RFC 2246, January 1999.
+
+ [POL-TERM] Westerinen, A., Schnizlein, J., Strassner, J., Scherling,
+ M., Quinn, B., Herzog, S., Huynh, A., Carlson, M., Perry,
+ J. and S. Waldbusser, "Terminology for Policy-Based
+ Management", RFC 3198, November 2001.
+
+
+
+
+Srisuresh, et al. Informational [Page 32]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+ [REQMTS] Swale, R. P., Mart, P. A., Sijben, P., Brim, S. and M.
+ Shore, "Middlebox Communications (midcom) Protocol
+ Requirements", RFC 3304, August 2002.
+
+Authors' Addresses
+
+ Pyda Srisuresh
+ Kuokoa Networks, Inc.
+ 475 Potrero Ave.
+ Sunnyvale, CA 94085
+ EMail: srisuresh@yahoo.com
+
+ Jiri Kuthan
+ Fraunhofer Institute FOKUS
+ Kaiserin-Augusta-Allee 31
+ D-10589 Berlin, Germany
+ EMail: kuthan@fokus.fhg.de
+
+ Jonathan Rosenberg
+ dynamicsoft
+ 72 Eagle Rock Avenue
+ First Floor
+ East Hanover, NJ 07936
+ U.S.A.
+ EMail: jdrosen@dynamicsoft.com
+
+ Andrew Molitor
+ Aravox technologies
+ 4201 Lexington Avenue North, Suite 1105
+ Arden Hills, MN 55126
+ U.S.A.
+ voice: (651) 256-2700
+ EMail: amolitor@visi.com
+
+ Abdallah Rayhan
+ WINCORE Lab
+ Electrical and Computer Engineering
+ Ryerson University
+ 350 Victoria Street
+ Toronto, ON M5B 2K3
+ EMail: rayhan@ee.ryerson.ca, ar_rayhan@yahoo.ca
+
+
+
+
+
+
+
+
+
+
+Srisuresh, et al. Informational [Page 33]
+
+RFC 3303 MIDCOM Architecture and Framework August 2002
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2002). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph are
+ included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Srisuresh, et al. Informational [Page 34]
+