Internet DRAFT - draft-ietf-midcom-requirements

draft-ietf-midcom-requirements









Midcom Working Group                               R P Swale
Internet Draft                          BTexact Technologies
November 2001                                       P A Mart
Expires May 2002                      Marconi Communications
                                                    P Sijben
                                         Lucent Technologies
                                                  Scott Brim
                                               Melinda Shore
                                               Cisco Systems


  Middlebox Communications (midcom) Protocol Requirements
          <draft-ietf-midcom-requirements-05.txt>


Status of this Memo

     This document is an Internet-Draft and is in full conformance with
     all provisions of Section 10 of RFC 2026 [RFC2026].

     Internet-Drafts are working documents of the Internet Engineering
     Task Force (IETF), its areas, and its working groups. Note that
     other groups may also distribute working documents as Internet-
     Drafts.

     Internet-Drafts are draft documents valid for a maximum of six
     months and may be updated, replaced, or obsoleted by other docu-
     ments at any time. It is inappropriate to use Internet-Drafts as
     reference material or to cite them other than as "work in
     progress."

     The list of current Internet-Drafts can be accessed at
     http://www.ietf.org/ietf/1id-abstracts.txt

     The list of Internet-Draft Shadow Directories can be accessed at
     http://www.ietf.org/shadow.html.


Abstract

     This document specifies the requirements that the Middlebox Commu-
     nication (midcom) protocol must satisfy in order to meet the needs
     of applications wishing to influence middlebox function.  These
     requirements were developed with a specific focus on network
     address translation and firewall middleboxes.




Swale et al.                  Informational                     [Page 1]





                           Midcom Requirements              October 2001


1.  Introduction

     This document is one of two developed by the Middlebox Communica-
     tion (midcom) working group to address the requirements and frame-
     work for a protocol between middleboxes and "midcom agents."  This
     document presents midcom requirements; [MCFW] presents the context
     and framework.  That document also presents terminology and defini-
     tions and should be read in tandem with this one.

     These requirements were developed by examining the midcom framework
     and extracting requirements, both explicit and implicit, that
     appeared there.

2.  Requirements

     Each requirement is presented as a statement, followed by brief
     explanatory material as appropriate.  Terminology is defined in
     [MCFW].  There may be overlap between requirements.

2.1.  Protocol machinery

2.1.1.

     The Midcom protocol must enable a Midcom agent requiring the ser-
     vices of a middlebox to establish an authorized association between
     itself and the middlebox.

     This states that the protocol must allow the middlebox to identify
     an agent requesting services and make a determination as to whether
     or not the agent will be permitted to do so.

2.1.2.

     The Midcom protocol must allow a Midcom agent to communicate with
     more than one middlebox simultaneously.

     In any but the most simple network, an agent is likely to want to
     influence the behavior of more than one middlebox.  The protocol
     design must not preclude the ability to do this.

2.1.3.

     The Midcom protocol must allow a middlebox to communicate with more
     than one Midcom agent simultaneously.





Swale et al.                  Informational                     [Page 2]





                           Midcom Requirements              October 2001


     There may be multiple instances of a single application or multiple
     applications desiring service from a single middlebox, and differ-
     ent agents may represent them.  The protocol design must not pre-
     clude the ability to do so.

2.1.4.

     Where a multiplicity of Midcom Agents are interacting with a given
     middlebox, the Midcom protocol must provide mechanisms ensuring
     that the overall behavior is deterministic.

     This states that the protocol must include mechanisms for avoiding
     race conditions or other situations in which the requests of one
     agent may influence the results of the requests of other agents in
     an unpredictable manner.

2.1.5.

     The Midcom protocol must enable the middlebox and any associated
     Midcom agents to establish known and stable state.  This must
     include the case of power failure, or other failure, where the pro-
     tocol must ensure that any resources used by a failed element can
     be released.

     This states that the protocol must provide clear identification for
     requests and results and that protocol operations must be atomic
     with respect to the midcom protocol.

2.1.6.

     The middlebox must be able to report its status to a Midcom agent
     with which it is associated.

2.1.7.

     The protocol must support unsolicited messages from middlebox to
     agent, for reporting conditions detected asynchronously at the mid-
     dlebox.

     It may be the case that exceptional conditions or other events at
     the middlebox (resource shortages, intrusion mitigation) will cause
     the middlebox to close pinholes or release resources without con-
     sulting the associated Midcom agent.  In that event the protocol
     must allow the middlebox to notify the agent.





Swale et al.                  Informational                     [Page 3]





                           Midcom Requirements              October 2001


2.1.8.

     The Midcom protocol must provide for the mutual authentication of
     Midcom agent and middlebox to one another.

     In addition for the more obvious need for the Midcom agent to
     authenticate itself to the middlebox, there are some attacks
     against the protocol which can be mitigated by having the middlebox
     authenticate to the agent.  See [MCFW].

2.1.9.

     The Midcom protocol must allow either the Midcom agent or the mid-
     dlebox to terminate the Midcom session between a Midcom Agent and a
     middlebox.  This allows either entity to close the session for
     maintenance, security or other reasons.

2.1.10.

     A Midcom agent must be able to determine whether or not a request
     was successful.

     This states that a middlebox must return a success or failure indi-
     cation to a request made by an agent.

2.1.11.

     The Midcom protocol must contain version interworking capabilities
     to enable subsequent extensions to support different types of mid-
     dlebox and future requirements of applications not considered at
     this stage.

     We assume that there will be later revisions of this protocol.  The
     initial version will focus on communication with firewalls and
     NATs, and it is possible that the protocol will need to be modified
     as support for other middlebox types is added.  These version
     interworking capabilities may include (but not be limited to) a
     protocol version number.

2.1.12.

     It must be possible to deterministically predict the behavior of
     the middlebox in the presence of overlapping rules.

     The protocol must preclude nondeterministic behavior in the case of
     overlapping rulesets, e.g. by ensuring that some known precedence



Swale et al.                  Informational                     [Page 4]





                           Midcom Requirements              October 2001


     is imposed.

2.2.  Midcom Protocol Semantics

2.2.1.

     The syntax and semantics of the Midcom protocol must be extensible
     to allow the requirements of future applications to be adopted.

     This is related to, but different from, the requirement for ver-
     sioning support.  As support for additional middlebox types is
     added there may be a need to add new message types.

2.2.2.

     The Midcom protocol must support the ability of an agent to install
     a ruleset that governs multiple types of middlebox actions (e.g.
     firewall and NAT).

     This states that a the protocol must support rules and actions for
     a variety of types of middleboxes.  A Midcom agent ought to be able
     to have a single Midcom session with a middlebox and use the Midcom
     interface on the middlebox to interface with different middlebox
     functions on the same middlebox interface.

2.2.3.

     The protocol must support the concept of a ruleset group comprising
     a multiple of individual rulesets to be treated as an aggregate.

     Applications using more than one data stream may find it more con-
     venient and more efficient to be able to use single messages to
     tear down, extend, and manipulate all middlebox rulesets being used
     by one instance of the application.

2.2.4.

     The protocol must allow the midcom agent to extend the lifetime of
     an existing ruleset that otherwise would be deleted by the middle-
     box.

2.2.5.

     If a peer does not understand an option it must be clear whether
     the action required is to proceed without the unknown attribute
     being taken into account or the request is to be rejected.  Where



Swale et al.                  Informational                     [Page 5]





                           Midcom Requirements              October 2001


     attributes may be ignored if not understood, a means may be pro-
     vided to inform the client about what has been ignored.

     This states that failure modes must be robust, providing sufficient
     information for the agent or middlebox to be able to accommodate
     the failure or to retry with a new option that is more likely to
     succeed.

2.2.6.

     To enable management systems to interact with the Midcom environ-
     ment, the protocol must include failure reasons that allow the Mid-
     com Agent behavior to be modified as a result of the information
     contained in the reason.  Failure reasons need to be chosen such
     that they do not make an attack on security easier.

2.2.7.

     The Midcom protocol must not preclude multiple authorized agents
     from working on the same ruleset.

2.2.8.

     The Midcom protocol must be able to carry filtering rules, includ-
     ing but not limited to the 5-tuple, from the midcom agent to the
     middlebox.

     By "5-tuple" we refer to the standard <source address, source port,
     destination address, destination port, transport protocol> tuple.
     Other filtering elements may be carried, as well.

2.2.9.

     When the middlebox performs a port mapping function, the protocol
     should allow the Midcom agent to request that the external port
     number have the same oddity as the internal port.

     This requirement is to support RTP and RTCP [RFC1889] "oddity"
     requirements.

2.2.10.

     When the middlebox performs a port mapping function, the protocol
     should allow the Midcom agent to request that a consecutive range
     of external port numbers be mapped to consecutive internal ports.




Swale et al.                  Informational                     [Page 6]





                           Midcom Requirements              October 2001


     This requirement is to support RTP and RTCP "sequence" require-
     ments.

2.2.11.

     It should be possible to define rulesets that contain a more spe-
     cific filter spec than an overlapping ruleset.  This should allow
     agents to request actions for the subset that contradict those of
     the overlapping set.

     This should allow Midcom agent to request to a Midcom server con-
     trolling a firewall function that a subset of the traffic that
     would be allowed by the overlapping ruleset be specifically disal-
     lowed.

2.3.  General Security Requirements

2.3.1.

     The Midcom protocol must provide for message authentication, confi-
     dentiality, and integrity.

2.3.2.

     The Midcom protocol must allow for optional confidentiality protec-
     tion of control messages.  If provided the mechanism should allow a
     choice in the algorithm to be used.

2.3.3.

     The Midcom protocol must operate across un-trusted domains between
     the Midcom agent and middlebox in a secure fashion.

2.3.4.

     The Midcom protocol must define mechanisms to mitigate replay
     attacks on the control messages.

3.  Security Considerations

     The security requirements for a midcom protocol are discussed in
     section 2.3.







Swale et al.                  Informational                     [Page 7]





                           Midcom Requirements              October 2001


4.  Normative References

[MCFW] Srisuresh, S. et al.  "Middlebox Communication Architecture and
     framework," work in progress.  October 2001.

[RFC1889] Schulzrinne, H. et al. "RTP: A Transport Protocol for Real-
     Time Applications," RFC 1889.  January 1996.

5.  Informative References

[RFC2026] Bradner, S. "The Internet Standards Process -- Revision 3,"
     RFC 2026. October 1996.

Authors' Addresses


     Richard Swale
     BTexact Technologies
     Callisto House
     Adastral Park
     Ipswich United Kingdom
     Email:  richard.swale@bt.com

     Paul Sijben
     Lucent Technologies EMEA BV
     Huizen
     Netherlands
     Email: sijben@lucent.com

     Philip Mart
     Marconi Communications Ltd.
     Edge Lane
     Liverpool
     United Kingdom
     Email: philip.mart@marconi.com

     Scott Brim
     Cisco Systems
     146 Honness Lane
     Ithaca, NY 14850
     Email: sbrim@cisco.com

     Melinda Shore
     Cisco Systems
     809 Hayts Road
     Ithaca, NY 14850



Swale et al.                  Informational                     [Page 8]





                           Midcom Requirements              October 2001


     Email: mshore@cisco.com


Copyright

     The following copyright notice is copied from RFC 2026 [RFC2026]
     Section 10.4, and describes the applicable copyright for this docu-
     ment.

     Copyright (C) The Internet Society October 1, 2001. All Rights
     Reserved.

     This document and translations of it may be copied and furnished to
     others, and derivative works that comment on or otherwise explain
     it or assist in its implementation may be prepared, copied, pub-
     lished and distributed, in whole or in part, without restriction of
     any kind, provided that the above copyright notice and this para-
     graph are included on all such copies and derivative works.  How-
     ever, this document itself may not be modified in any way, such as
     by removing the copyright notice or references to the Internet
     Society or other Internet organizations, except as needed for the
     purpose of developing Internet standards in which case the proce-
     dures for copyrights defined in the Internet Standards process must
     be followed, or as required to translate it into languages other
     than English.

     The limited permissions granted above are perpetual and will not be
     revoked by the Internet Society or its successors or assignees.

     This document and the information contained herein is provided on
     an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGI-
     NEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED,
     INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
     INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WAR-
     RANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

6.  Intellectual Property

     The following notice is copied from RFC 2026 [Bradner, 1996], Sec-
     tion 10.4, and describes the position of the IETF concerning intel-
     lectual property claims made against this document.

     The IETF takes no position regarding the validity or scope of any
     intellectual property or other rights that might be claimed to per-
     tain to the implementation or use other technology described in
     this document or the extent to which any license under such rights



Swale et al.                  Informational                     [Page 9]





                           Midcom Requirements              October 2001


     might or might not be available; neither does it represent that it
     has made any effort to identify any such rights.  Information on
     the IETF's procedures with respect to rights in standards-track and
     standards-related documentation can be found in BCP-11.  Copies of
     claims of rights made available for publication and any assurances
     of licenses to be made available, or the result of an attempt made
     to obtain a general license or permission for the use of such pro-
     prietary rights by implementers or users of this specification can
     be obtained from the IETF Secretariat.

     The IETF invites any interested party to bring to its attention any
     copyrights, patents or patent applications, or other proprietary
     rights which may cover technology that may be required to practice
     this standard.  Please address the information to the IETF Execu-
     tive Director.


































Swale et al.                  Informational                    [Page 10]