[Mip6-firewall] HA Firewall BCP draft

QIU Ying qiuying at i2r.a-star.edu.sg
Sat Jun 30 05:59:15 EDT 2007


Hi, Suresh

Attached please find the text on a mobile node behind a firewall. The part 
should be section 5, right? Please review and attach it to your parts.

Regards and Thanks
Qiu Ying

5.  Mobile Node behind a Firewall

   This section recommends a procedure for a mobile node that is within a 
   network protected by a firewall. In the Mobile IPv6 specifications 
   [RFC3775, RFC3776], the mobile node sends and receives the following 
   messages: home binding update messages (BU_HA, BA_HA), return 
   routability messages (HoTI, HoT, CoTI, CoT) and correspondent binding 
   update messages (BU_CN and BA_CN).

   Whether the MN is roaming into a visited network or already stays 
   in the visited network and needs to update its CoA, once a new CoA 
   has been allocated or authorized, the MN informs its HA and CN of its 
   current CoA. 

   Since the MN is always the initiator, it is able to request the 
   pinholes from the firewall for its communications with the other 
   parties.


5.1. Open a pinhole between MN and HA:

   The procedure of the home binding update is:

   1)  the mobile node gets its current care-of address;
   2)  the mobile node solicits a firewall pinhole for the 
       communications between the care-of address and its home agent 
       (with a fixed address) with protocol number 50 (ESP);
   3)  the mobile node sends the home binding update message BU_HA to its 
       home agent through the pinhole;
   4)  the home agent sends back an acknowledgement BA_HA through the 
       pinhole, and the security tunnel between the mobile node and 
       its home agent is set up;
   5)  thereafter every packet between the mobile node and its home agent 
       goes through the security tunnel;
   6)  this pinhole is a long-term one, which is kept open until the MN 
       leaves the network or obtains a new CoA.  


5.2. Open a pinhole between MN and CN:

   The procedure of opening a pinhole between MN and CN is:

   1)  the mobile node sends the HoTI message to its home agent through 
       the security tunnel;
   2)  after receiving the HoT message from the correspondent node, the 
       home agent forwards the HoT message to the mobile node through 
       the security tunnel as well;
   3)  the mobile node solicits a firewall pinhole with protocol number 
       135 (Mobility Header) for the communications between the care-of 
       address and the correspondent node;
   4)  the mobile node sends the CoTI message to its correspondent node 
       through the pinhole;
   5)  the correspondent node sends back the CoT message through the 
       pinhole;
   6)  the mobile node sends the binding update message BU_CN to its
       correspondent node through the pinhole;
   7)  the correspondent node sends back an acknowledgement BA_CN through 
       the pinhole;
   8)  the mobile node requests that more ports be opened for the pinhole;
   9)  thereafter every packet between the mobile node and its 
       correspondent node goes through the pinhole;
   10) this pinhole is a short-term one. Once the communication between 
       MN and CN is terminated, the pinhole must be closed. 
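The two procedures in 5.1 and 5.2, modelled as an added example that is not part of the draft: a constructed stateful firewall keeps a pinhole table keyed by care-of address, peer and protocol, and the checks show that BU_HA/BA_HA pass only once the ESP (50) pinhole exists, that HoTI/HoT need no separate pinhole because they ride the tunnel, that CoTI/CoT/BU_CN/BA_CN need the protocol-135 pinhole, and that closing the session removes the short-term pinhole while the long-term one survives until the MN moves. The `Firewall` class, the `home_binding`/`correspondent_binding` helpers and the use of TCP for the step-8 data traffic are assumptions of this example.

```python
from dataclasses import dataclass

ESP, MH, TCP = 50, 135, 6   # IP protocol numbers: ESP, Mobility Header, TCP (assumed data traffic)

@dataclass(frozen=True)
class Pinhole:
    coa: str          # care-of address of the MN, which is always the initiator
    peer: str         # home agent or correspondent node
    proto: int        # protocol number the pinhole admits
    long_term: bool   # True for the MN-HA pinhole (5.1), False for a MN-CN session (5.2)

class Firewall:
    """Stateful firewall of the visited network (constructed model, not a real product)."""
    def __init__(self):
        self.pinholes = set()

    def solicit(self, coa, peer, proto, long_term):
        self.pinholes.add(Pinhole(coa, peer, proto, long_term))

    def allows(self, src, dst, proto):
        # A pinhole admits both directions so the peer's reply reaches the CoA.
        return any(p.proto == proto and {p.coa, p.peer} == {src, dst}
                   for p in self.pinholes)

    def close_session(self, coa, peer):
        # Step 10 of 5.2: short-term MN-CN pinholes are closed; the MN-HA one stays.
        self.pinholes = {p for p in self.pinholes
                         if p.long_term or {p.coa, p.peer} != {coa, peer}}

    def mn_moved(self, old_coa):
        # Step 6 of 5.1: MN leaves or takes a new CoA, so every pinhole bound to the old CoA goes.
        self.pinholes = {p for p in self.pinholes if p.coa != old_coa}

def home_binding(fw, coa, ha):
    """Section 5.1: open the long-term ESP pinhole and pass BU_HA / BA_HA through it."""
    fw.solicit(coa, ha, ESP, long_term=True)                      # step 2
    return fw.allows(coa, ha, ESP) and fw.allows(ha, coa, ESP)    # steps 3-4

def correspondent_binding(fw, coa, ha, cn, data_proto=TCP):
    """Section 5.2: HoTI/HoT ride the ESP tunnel; CoTI, CoT, BU_CN, BA_CN need a proto-135 pinhole."""
    if not fw.allows(coa, ha, ESP):                               # steps 1-2: no tunnel, no HoTI/HoT
        return False
    fw.solicit(coa, cn, MH, long_term=False)                      # step 3
    if not (fw.allows(coa, cn, MH) and fw.allows(cn, coa, MH)):   # steps 4-7
        return False
    fw.solicit(coa, cn, data_proto, long_term=False)              # step 8: widen for the data traffic
    return fw.allows(coa, cn, data_proto)                         # step 9
```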

