summaryrefslogtreecommitdiff
path: root/internet-draft-satp.txt
diff options
context:
space:
mode:
Diffstat (limited to 'internet-draft-satp.txt')
-rw-r--r--internet-draft-satp.txt250
1 files changed, 153 insertions, 97 deletions
diff --git a/internet-draft-satp.txt b/internet-draft-satp.txt
index 16faed2..24fa1a4 100644
--- a/internet-draft-satp.txt
+++ b/internet-draft-satp.txt
@@ -65,8 +65,8 @@ Abstract
mode and allows tunneling of every ETHER TYPE protocol (e.g.
ethernet, ip, arp ...). satp directly includes cryptography and
message authentication based on the methodes used by SRTP. It is
- intended to deliver a generic, scaleable, secure and reliability
- solution for tunneling and relaying of packets of any protocol.
+ intended to deliver a generic, scaleable and secure solution for
+ tunneling and relaying of packets of any protocol.
@@ -115,12 +115,7 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
1. Introduction
- anytun defines a Host Anycast Service as defined in rfc1546. It uses
- a peer-to-peer achitecture, with anycast servers and unicast clients.
- It can be used to build high scalable and redundant tunnel services.
- It also has a relay mode, that makes it possible, that only one of
- the connection endpoints has to use the anytun protocol. This can be
- used to make connections through Firewalls or behind a NAT Router
+ anytun defines a Host Anycast Service as defined in rfc1546.
RFC3068 [1] DTD.
@@ -164,55 +159,60 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
+
+
+
+
+
Gsenger Expires September 2, 2007 [Page 3]
Internet-Draft secure anycast tunneling protocol (satp) March 2007
-2. Operation modes
+2. Features and usage scenarios
This section gives an overview of possible operation modes und usage
scenarios. Please note, that the protocols used in the figures are
- only examples and that anytun itself does not care about either
- transport protocols or encapsulated protocols. Routing and network
- address translation is not done by anytun. Each implemetation MAY
- choose it's own way of doing this task (e.g. using functions provided
- by the operating system). Anytun is used to establish and controll
- tunnnels, to encapsulate and encrypt data.
+ only examples and that SATP itself does not care about either
+ transport protocols or encapsulated protocols. Routing is not done
+ by SATP and each implemetation MAY choose it's own way of doing this
+ task (e.g. using functions provided by the operating system). SATP
+ is used only to encapsulate and encrypt data.
2.1. Usage scenarions
-2.1.1. tunneling from unicast client over anycast servers to unicast
- client
+2.1.1. tunneling from unicast hosts over anycast routers to other
+ unicast hosts
- An example of anytun used in tunnel mode
+ An example of SATP used to tunnel in a unicast client - anycast
+ server model
----------- -----------
| RTP | ---------- | RTP |
- ----------- -> |server 1| -> -----------
+ ----------- -> |router 1| -> -----------
| UDP | ---------- | UDP |
----------- -----------
----- | IPv6 | ---------- | IPv6 | -----
- | | -> ----------- -> |server 2| -> ----------- -> | |
- ----- | anytun | ---------- | anytun | -----
+ | | -> ----------- -> |router 2| -> ----------- -> | |
+ ----- | SATP | ---------- | SATP | -----
##### ----------- ----------- #####
| UDP | ---------- | UDP |
- client 1 ----------- -> |server 3| -> ----------- client 2
- | IPv4 | ---------- | IPv4 |
- ----------- -----------
- | ... | anycast | ... |
+ unicast ----------- -> |router 3| -> ----------- unicast
+ host 1 | IPv4 | ---------- | IPv4 | host 2
+ ----------- anycast -----------
+ | ... | hosts | ... |
Figure 1
- In tunneling mode the payload of the anytun packet is transmitted
- from one unicast host to the anycast server. This server makes a
+ In this scenario the payload of a SATP packet is transmitted from one
+ unicast host to one of the anycast routers. This router makes a
routing descision based on the underlying protocol and transmits a
- new anytun package to one or more clients depending on the routing
- descition. The server MAY also route the packet to a directly
- connected network or a service running on the server, but please
- note, that this is only usefull for anycast host services like DNS
- and that the services HAVE TO be running on all servers in order to
- work.
+ new SATP package to one or more unicast hosts depending on the
+ routing descition.
+
+
+
+
@@ -225,53 +225,53 @@ Gsenger Expires September 2, 2007 [Page 4]
Internet-Draft secure anycast tunneling protocol (satp) March 2007
-2.1.2. tunneling from client to a server connected network
+2.1.2. tunneling from unicast hosts to anycast networks
An example of anytun used in open tunnel mode
-----------
- | RTP | ----------
- ----------- -> |server 1| ->
+ | DNS | ----------
+ ----------- -> |router 1| -> -> DNS server
| UDP | ---------- -----------
- ----------- | RTP |
- ----- | IPv6 | ---------- ----------- -----
- | | -> ----------- -> |server 2| -> | UDP* | -> | |
- ----- | anytun | ---------- ----------- -----
- ##### ----------- | IPv6* | #####
+ ----------- | DNS |
+ ----- | IPv6 | ---------- -----------
+ | | -> ----------- -> |router 2| -> | UDP | -> DNS server
+ ----- | SATP | ---------- -----------
+ ##### ----------- | IPv6 |
| UDP | ---------- -----------
- client 1 ----------- -> |server 3| -> | ... | host
- | IPv4 | ---------- not using
- ----------- anytun
+ unicast ----------- -> |router 3| -> | ... | -> DNS server
+ host | IPv4 | ----------
+ -----------
| ... | anycast
- *changed source address
- or port
Figure 2
- In open tunnel mode only one of two clients talking to each other
- over the servers MUST use the anytun protocol. When a client using
- the anytun protocol wants to tunnel data, it is building a connection
- to the anycast servers using the anytun protocol. The anycast
- servers relay the encapsulated packages directly to the destination
- without using the anytun protocol. The source address of the
- datagramm HAS TO be changed to the anycast address of the server.
- The anytun servers act like a source NAT router, therefor for the
- destination it saems that it is talking to the client directly.
-
-2.2. Transport modes
-
- Anytun does not define wich lower layer protocols HAVE TO be used,
- but it's most likely used on top of udp. This section should only
- discuss some issues on udp in combination with anycasting and
- tunnels.
-
-
+ When a client using the anytun protocol wants to tunnel data, it is
+ building a connection to the anycast servers using the anytun
+ protocol. The anycast servers relay the encapsulated packages
+ directly to the destination without using the anytun protocol. The
+ source address of the datagramm HAS TO be changed to the anycast
+ address of the server. The anytun servers act like a source NAT
+ router, therefor for the destination it saems that it is talking to
+ the client directly.
+2.1.3. redundant tunnel connection of 2 networks
+ An example of anytun used in open tunnel mode
+ Router ----------- ---------------Router
+ / \ / \
+ Network - Router ------------x Network
+ A \ / \ / B
+ Router ----------- ---------------Router
+ | packets | packets | packets |
+ plaintext | get | take a | get | plaintext
+ packets | de/encrypted | random | de/encrypted | packets
+ |de/encapsulated| path |de/encapsulated|
+ Figure 3
@@ -281,6 +281,19 @@ Gsenger Expires September 2, 2007 [Page 5]
Internet-Draft secure anycast tunneling protocol (satp) March 2007
+ Network A has multible routers, that act as gateway/tunnel endpoint
+ to another network B. This is done to build e redundant encrpted
+ tunnel connection between the to networks. All tunnel endpoints of
+ network A share the same anycast address and all tunnel endpoints of
+ network B share another anycast address.
+
+2.2. Transport modes
+
+ Anytun does not define wich lower layer protocols HAVE TO be used,
+ but it's most likely used on top of udp. This section should only
+ discuss some issues on udp in combination with anycasting and
+ tunnels.
+
2.2.1. Using UDP
An example of anytun used with udp as transport
@@ -300,7 +313,7 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
----------- -----------
| ... | anycast | ... |
- Figure 3
+ Figure 4
When using UDP no flow controll or retransmission is done, neigther
by UDP nor anytun. The encapsulated protocol HAS TO take care of
@@ -308,6 +321,22 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
datagram, so a packet gets discarded if there is a biterror in the
payload
+
+
+
+
+
+
+
+
+
+
+
+Gsenger Expires September 2, 2007 [Page 6]
+
+Internet-Draft secure anycast tunneling protocol (satp) March 2007
+
+
2.2.2. Using lightUDP
An example of anytun used with udp transport
@@ -327,15 +356,7 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
----------- -----------
| ... | anycast | ... |
- Figure 4
-
-
-
-
-Gsenger Expires September 2, 2007 [Page 6]
-
-Internet-Draft secure anycast tunneling protocol (satp) March 2007
-
+ Figure 5
The difference between normal UDP and lightUDP is, that the udp size
is not set to the length of the full packet, but to the lenght of the
@@ -359,6 +380,19 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
2.3. Protocol specification
+
+
+
+
+
+
+
+
+Gsenger Expires September 2, 2007 [Page 7]
+
+Internet-Draft secure anycast tunneling protocol (satp) March 2007
+
+
2.3.1. Header format
Protocol Format
@@ -366,7 +400,7 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
- | sequence number | |
+ | sender ID | sequence number | |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |
| | .... payload ... | |
@@ -380,31 +414,25 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
| |
+- Encrypted Portion* Authenticated Portion ---+
- Figure 5
-
-
-
-
-
-
+ Figure 6
-Gsenger Expires September 2, 2007 [Page 7]
-
-Internet-Draft secure anycast tunneling protocol (satp) March 2007
+2.3.2. sender ID
+ The sender ID is a 16bit unsigned integer in network byte order. It
+ HAS TO be unique for every sender sharing the same anycast address
-2.3.2. sequence number
+2.3.3. sequence number
- The sequenze number is a 32bit unsigned integer in network byte
+ The sequenze number is a 16bit unsigned integer in network byte
order. It starts with a random value and is increased by 1 for every
sent packet. After the maximum value, it starts over from 0. This
overrun causes the ROC to be increased.
-2.3.3. payload
+2.3.4. payload
A packet of the type payload type (e.g. an IP packet).
-2.3.4. padding (OPTINAL)
+2.3.5. padding (OPTINAL)
Padding of max 255 ocitets. None of the pre-defined encryption
transforms uses any padding; for these, the plaintext and encrypted
@@ -414,14 +442,21 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
present, than the padding count field MUST be set to the padding
lenght.
-2.3.5. padding count
+
+
+Gsenger Expires September 2, 2007 [Page 8]
+
+Internet-Draft secure anycast tunneling protocol (satp) March 2007
+
+
+2.3.6. padding count
The number of octets of the padding field. This field is optional.
It's presents is signaled by the key management and not by this
protocol. If this field isn't present, the padding field MUST NOT be
present as well.
-2.3.6. payload type field
+2.3.7. payload type field
The payload type field defines the payload protocol. ETHER TYPE
protocol numerbers are used.
@@ -438,13 +473,34 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
6558 transparent ethernet bridging
86DD IPv6
- Figure 6
+ Figure 7
-Gsenger Expires September 2, 2007 [Page 8]
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Gsenger Expires September 2, 2007 [Page 9]
Internet-Draft secure anycast tunneling protocol (satp) March 2007
@@ -500,7 +556,7 @@ Appendix A. The appan
-Gsenger Expires September 2, 2007 [Page 9]
+Gsenger Expires September 2, 2007 [Page 10]
Internet-Draft secure anycast tunneling protocol (satp) March 2007
@@ -556,7 +612,7 @@ Internet-Draft secure anycast tunneling protocol (satp) March 2007
-Gsenger Expires September 2, 2007 [Page 10]
+Gsenger Expires September 2, 2007 [Page 11]
Internet-Draft secure anycast tunneling protocol (satp) March 2007
@@ -612,7 +668,7 @@ Author's Address
-Gsenger Expires September 2, 2007 [Page 11]
+Gsenger Expires September 2, 2007 [Page 12]
Internet-Draft secure anycast tunneling protocol (satp) March 2007
@@ -668,5 +724,5 @@ Acknowledgment
-Gsenger Expires September 2, 2007 [Page 12]
+Gsenger Expires September 2, 2007 [Page 13]