RFC 3303 (rfc3303) - Page 2 of 34

Middlebox communication architecture and framework

RFC 3303           MIDCOM Architecture and Framework         August 2002


1. Introduction

   Intermediate devices requiring application intelligence are the
   subject of this document.  These devices are referred to as
   middleboxes throughout the document.  Many of these devices enforce
   application specific policy based functions such as packet filtering,
   VPN (Virtual Private Network) tunneling, Intrusion detection,
   security and so forth.  Network Address Translator service, on the
   other hand, provides routing transparency across address realms
   (within IPv4 routing network or across V4 and V6 routing realms),
   independent of applications.  Application Level Gateways (ALGs) are
   used in conjunction with NAT to examine and optionally modify
   application payload so the end-to-end application behavior remains
   unchanged for many of the applications traversing NAT middleboxes.
   There may be other types of services requiring embedding application
   intelligence in middleboxes for their operation.  The discussion
   scope of this document is however limited to Firewall and NAT
   services.  Nonetheless, the MIDCOM framework is designed to be
   extensible to support the deployment of new services.

   Tight coupling of application intelligence with middleboxes makes
   maintenance of middleboxes hard with the advent of new applications.
   Built-in application awareness typically requires updates of
   operating systems with new applications or newer versions of existing
   applications.  Operators requiring support for newer applications
   will not be able to use third party software/hardware specific to the
   application and are at the mercy of their middlebox vendor to make
   the necessary upgrade.  Further, embedding intelligence for a large
   number of application protocols within the same middlebox increases
   complexity of the middlebox and is likely to be error prone and
   degrade in performance.

   This document describes a framework in which application intelligence
   can be moved from middleboxes into external MIDCOM agents.  The
   premise of the framework is to devise a MIDCOM protocol that is
   application independent, so the middleboxes can stay focused on
   services such as firewall and NAT.  The framework document includes
   some explicit and implied requirements for the MIDCOM protocol.
   However, it must be noted that these requirements are only a subset.
   A separate requirements document lists the requirements in detail.

   MIDCOM agents with application intelligence can assist the
   middleboxes through the MIDCOM protocol in permitting applications
   such as FTP, SIP and H.323.  The communication between a MIDCOM agent
   and a middlebox will not be noticeable to the end-hosts that take
   part in the application, unless one of the end-hosts assumes the role
   of a MIDCOM agent.  Discovery of middleboxes or MIDCOM agents in the




Srisuresh, et al.            Informational