ABI Working Title: Messaging NSLP

Transcription

1 ABI Working Title: Messaging NSLP University of Helsinki Helsinki University of Technology VTT Technical Research Centre of Finland September 19, 2006 i

2 Contents 1 Introduction 1 2 NSIS Framework NSIS Working Group The GIST New Messaging Protocol Design Goals Messages Messaging Applications and Application Interface Messaging NSLP process read write Messaging NSLP Message and Object Formats Application data object Bibliography 7 ii

3 1 Introduction Traditional signaling protocols are mainly focused on Quality of Service. Also other signaling purposes exists, for example to modify routing depending on resource availability of routers. It is necessary to transfer information between routers, or in some cases between router and end host of communication. One specific case is routing in mesh network when taking account of very limited resources of mesh routers. More use scenarios can be found from [FIXME: ref]. In this paper we present basic design of a new messaging protocol that is to be used to transfer generic data between signaling nodes. The protocol will use existing NSIS framework [6] as transport mechanism (Next Steps In Signaling), and it is going to form a new NSLP (NSIS Signaling Layer Protocol). While our first goal is to create this new protocol to transfer measurement/monitoring data, we will create generic messaging protocol. It is going to work on top of the existing transfer service to keep the protocol itself very simple. We focus on router-to-router communications, but the protocol is meant to be extensible so it will be usable also in other scenarios. 1

4 2 NSIS Framework Old signaling protocols, for example Resource ReServation Protocol (RSVP), have been around for years [11]. While developing further, the RSVP has became very complicated. Next Steps in Signaling Working Group was formed at IETF to standardize an IP signaling protocol suite. In this section we briefly introduce their work. 2.1 NSIS Working Group The NSIS Working Group was formed to develop new two-layer signaling framework, that simplifies process of creating new signaling applications by separating signaling applications from transport and other needed basic services. It was not necessary to re-invent everything, for example, RSVP (Resource ReServation Protocol) [11] concepts are used as much as possible. Some goals for NSIS (Next Steps In Signaling) Working Group are given in RFC 3726 Requirements for Signaling Protocols [1]. Also RFC 4094, Analysis of Existing Quality-of-Service Signaling Protocols [10] is not to be forgotten as a background information. Some NSIS documents are already published as RFCs, but there are many drafts also. Here is a short list of the most interesting documents: RFC 4080 Next Steps in Signaling (NSIS): Framework [6]. How is the whole thing supposed to work. In NSIS framework only unicast data flows are considered. The NSIS framework uses two layer approach: lower layer is generic, and it provides some services (for example transport) to the upper layer where signaling applications reside. RFC 4081 Security Threats for Next Steps in Signaling (NSIS)[13]. Security can not be forgotten, and this document lists numerous security threats. There are some generic threats for all protocols (not specific to NSIS) like message injection, modification and replay. Also some interesting (considering our NSLP) NSIS specific threats are listed in RFC We have to be careful at least with these attacks and threats: flooding, identity spoofing and denial of service. GIST General Internet Signaling Transport [12] provides transport service to signaling protocols (lower layer at the NSIS framework). More details are given a bit later in this documenta. NSIS Extensibility NSIS Extensibility Model [9]. How is the NSIS supposed to be extended. Some details and practices we have to follow (NSLP identifier, routing method to use...). Diagnostics NSLP Design Options of NSIS Diagnostics NSLP [4]. Example of NSIS Signaling Layer Protocol, focuses on NSIS/GIST diagnostics. Metering NSLP NSLP for Metering Configuration Signaling [3]. Another NSLP. Focuses on metering packets of given data flows. Authorization for NSLPs Authorization for NSIS Signaling Layer Protocols [7] describes Session Authorization Object that provides more strict authorization for NSLPs than basic GIST methods. As stated before, the NSIS framework is divided to two layers. Upper layer, the signaling applications, use services provided by the lower layer. This separation is done to make signaling application design easier and simpler, and to reuse already existing, widely accepted methods. 2

5 2.2 The GIST In our point of view, the most important existing work is the GIST, General Internet Signaling Transport, that provides us reliable transport mechanism and routing. It also includes mechanisms to protect message integrity and confidentiality. Existing protocols and methods are being used in GIST where possible. For example TLS is used in security and transport is done using existing protocols like tcp and udp. At least two different implementations of GIST exists [5], [2]. The API that GIST provides to signaling applications is quite simple concerning amount of functions. There are only six different functions (SendMessage, RcvMessage, MessageStatus, NetworkNotification, SetStateLifetime and InvalidateRoutingState ) in it. In reality the GIST is much more complicated due to numerous parameters each function accepts. The basic GIST protocol stack is shown in Figure 1 Nat/Firewall NSLP QoS NSLP GIST TCP/UDP/TLS/dTLS IPv4 / IPv6 Figure 1: NSIS Protocol stack with existing signaling layer protocols 3

6 3 New Messaging Protocol The new messaging protocol is going to be used to transfer messages between signaling nodes in network. Main motivation to design this new protocol is the need to transfer monitoring information between routers, but it can be utilized also in other domains. More scenarios are defined in [8]. The NSIS protocol suite, GIST to be exact, provides transport service that seems to fulfill our transport level needs. In addition, GIST has some security related services, for example per node authentication. It also provides message protection: messages can be protected against modification, injection, replay and eavesdropping [12]. The protocol stack with our new NSLP (NSIS Signaling Layer Protocol) would then be similar to one at Figure 2. Application Application Application Messaging NSLP GIST TCP/UDP/TLS/dTLS IPv4 / IPv6 Figure 2: Protocol stack with new NSLP 3.1 Design Goals One important goal is to keep the new protocol simple. The protocol itself does not need to know what kind of data is going to be sent or received. The new protocol itself will be stateless. State management is done, if needed, in application level. While protocol itself is kept very simple, it is meant to be flexible by independent applications. In terms of messaging NSLP, a new application can be created by allocating new application identifier, no further modifications to the NSLP is needed. 3.2 Messages The basic message type is notification, that can be sent by application with or without explicit request message. These two messages are shown in Figure 3. Regardless of message type, all received messages are passed to suitable application. If suitable application is not found, the received message will be (FIXME: silently?) discarded. There will be two message types, request and notification. 4

7 When request is received, it is passed to suitable application, identified by application id. Host 1 Host 2 Host 1 Host 2 Notification Request Notification Notification Figure 3: Two messaging scenarios: Notify with and without request 3.3 Messaging Applications and Application Interface There can be several different applications that use the messaging service provided by the Messaging NSLP. Each application has an unique application identifier that is used by the Messaging NSLP to find proper recipient application for each message received. Interface regarding applications is very simple with no more than two operations, read and write (Figure 4). All communication between application and Messaging NSLP is done by application with these two operations. Application read() write() Messaging NSLP GIST Figure 4: Messaging NSLP application interface Messaging NSLP process While GIST is handling the actual sending and receiving of messages, it can not understand the content of Messaging NSLP messages. When the GIST receives a message with NSLP identifier matching to Messaging NSLP, it is passed to Messaging NSLP process. Messaging NSLP process interprets the message headers, and selects proper messaging application to which the message data is delivered read Read operation is used by application to transfer data from the Messaging NSLP process. Application identifier is given as a parameter, so Messaging NSLP can associate read request to applicable data. 5

8 3.3.3 write Write operation is used by application to transfer data to the Messaging NSLP. In addition to the actual message data, are application identifier and destination address provided as parameters. 3.4 Messaging NSLP Message and Object Formats While Messaging NSLP itself has only small header, NSIS message header contains mandatory parts defined in GIST specification. One mandatory part is NSIS Signaling Layer Protocol Identifier (NSLPID), allocated by IANA (Internet Assigned Numbers Authority). Also session identifier (SID) is present in every NSIS message. Session identifiers should be selected so that it can not be guessed by hypothetical attacker. Messaging NSLP header contains following fields: type Type of message (request or notify). length Length of following application data object. appid Application identifier. reserved Some reserved fields also exists type r r r r Application ID (24bit) r r r r length (32bit) Application data object When messaging application sends message to another NSIS host the messaging NSLP encapsulates the message data into an application data object. It has a header that contains following fields: type Application specific message type. length Object data length. application specific Application specific header type length Application specific header (24bit)

9 The basic structure of our NSLP message header can be seen in Figure 5. There is a reserved range of NSLPIDs ( ) for private/experimental use. Common header * version number * message type * size * NSLPID... Originating node Authentication information Data Figure 5: Coarse-grained message header of our NSLP References [1] M. Brunner, ed. Requirements for Signaling Protocols. RFC 3726, The Internet Engineering Task Force, April [2] NSIS Java Implementation. URL: May [3] F. Dressler et al. NSLP for Metering Configuration Signaling. Internet-draft (work in progress), The Internet Engineering Task Force, June [4] X. Fu, I. Juchem, C. Dickmann, and H. Tschofenig. Design Options of NSIS Diagnostics NSLP. Internet-draft (work in progress), The Internet Engineering Task Force, March [5] NSIS Implementation. URL: May [6] R. Hancock, G. Karagiannis, J. Loughney, and S. Van den Bosch. Next Steps in Signaling (NSIS): Framework. RFC 4080, The Internet Engineering Task Force, June [7] J.Manner, M. Stiemerling, and H. Tschofenig. Authorization for NSIS Signaling Layer Protocols. Internet-draft (work in progress), The Internet Engineering Task Force, June [8] J. Kilpi. Working title: Plug-in visions. [9] J. Loughney. NSIS Extensibility Model. Internet-draft (work in progress), The Internet Engineering Task Force, March [10] J. Manner and X. Fu. Analysis of Existing Quality-of-Service Signaling Protocols. RFC 4094, The Internet Engineering Task Force, May [11] Resource ReServation Protocol (RSVP) Version 1 Functional Specification. RFC 2205, The Internet Engineering Task Force, September [12] H. Schulzrinne and R. Hancock. GIST: General Internet Signaling Transport. Internet-draft (work in progress), The Internet Engineering Task Force, August [13] H. Tschofenig and D. Kroeselberg. Security Threats for Next Steps in Signaling (NSIS). RFC 4081, The Internet Engineering Task Force, June