Middlebox communication architecture and framework
RFC 3303 MIDCOM Architecture and Framework August 2002

1. Introduction

Intermediate devices requiring application intelligence are the
subject of this document. These devices are referred to as
middleboxes throughout the document. Many of these devices enforce
application-specific, policy-based functions such as packet filtering,
VPN (Virtual Private Network) tunneling, intrusion detection,
security and so forth. The Network Address Translator (NAT) service,
on the other hand, provides routing transparency across address realms
(within an IPv4 routing network or across V4 and V6 routing realms),
independently of applications. Application Level Gateways (ALGs) are
used in conjunction with NAT to examine and optionally modify
application payload so that the end-to-end application behavior
remains unchanged for many of the applications traversing NAT
middleboxes. There may be other types of services that require
embedding application intelligence in middleboxes for their
operation. The scope of this document is, however, limited to
firewall and NAT services. Nonetheless, the MIDCOM framework is
designed to be extensible to support the deployment of new services.

Tight coupling of application intelligence with middleboxes makes
maintenance of middleboxes hard with the advent of new applications.
Built-in application awareness typically requires updates of
operating systems with new applications or newer versions of existing
applications. Operators requiring support for newer applications
will not be able to use third-party software/hardware specific to the
application and are at the mercy of their middlebox vendor to make
the necessary upgrade. Further, embedding intelligence for a large
number of application protocols within the same middlebox increases
the complexity of the middlebox and is likely to be error-prone and
to degrade performance.

This document describes a framework in which application intelligence
can be moved from middleboxes into external MIDCOM agents. The
premise of the framework is to devise a MIDCOM protocol that is
application-independent, so the middleboxes can stay focused on
services such as firewall and NAT. The framework document includes
some explicit and implied requirements for the MIDCOM protocol.
However, it must be noted that these requirements are only a subset.
A separate requirements document lists the requirements in detail.
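As an added illustration (not text or code from RFC 3303, and not the
MIDCOM protocol itself), the following Python sketch shows the split the
framework proposes: a middlebox that enforces only application-independent
5-tuple rules with lifetimes, and a separate agent that carries the
FTP-specific knowledge needed to admit an active-mode data connection.
The rule format, the install/remove/advance calls, the fixed 120-second
lifetime and the addresses in the constructed exchange are all assumptions
made here for the example.

```python
"""Added illustration, not from RFC 3303: application intelligence lives
in an agent, the middlebox enforces application-independent rules.
The rule format, the install/remove/advance calls and the FTP handling
are simplified assumptions for this example, not the MIDCOM protocol."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    """A 5-tuple pinhole with a lifetime in seconds. This is all the
    middlebox ever sees; it never inspects application payload."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    lifetime: int


class Middlebox:
    """Application-agnostic firewall/NAT enforcement point: it knows
    nothing about FTP, SIP or H.323, only about installed rules."""

    def __init__(self) -> None:
        self.now = 0  # simulated clock, in seconds
        self.rules: Dict[int, Tuple[PolicyRule, int]] = {}  # id -> (rule, expiry)
        self._next_id = 1

    def install(self, rule: PolicyRule) -> int:
        """Install a rule; the returned id lets the agent remove it later."""
        rule_id = self._next_id
        self._next_id += 1
        self.rules[rule_id] = (rule, self.now + rule.lifetime)
        return rule_id

    def remove(self, rule_id: int) -> bool:
        return self.rules.pop(rule_id, None) is not None

    def advance(self, seconds: int) -> None:
        """Advance the clock; rules past their lifetime are dropped, so a
        pinhole an agent forgot to remove does not stay open forever."""
        self.now += seconds
        self.rules = {k: v for k, v in self.rules.items() if v[1] > self.now}

    def permits(self, proto: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> bool:
        """Would a packet with this 5-tuple be allowed right now?"""
        return any(r.proto == proto and r.src_ip == src_ip and r.src_port == src_port
                   and r.dst_ip == dst_ip and r.dst_port == dst_port
                   for r, _ in self.rules.values())


class FtpAgent:
    """MIDCOM agent holding the FTP-specific knowledge: it watches the
    control channel for an RFC 959 PORT command (active mode) and asks
    the middlebox to admit the server's inbound data connection."""

    PORT_RE = re.compile(r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$")

    def __init__(self, middlebox: Middlebox, server_ip: str, lifetime: int = 120) -> None:
        self.middlebox = middlebox
        self.server_ip = server_ip  # assumed address of the FTP server
        self.lifetime = lifetime    # assumed pinhole lifetime in seconds

    def handle_control_line(self, client_ip: str, line: str) -> Optional[int]:
        """Return the installed rule id for an acceptable PORT command, else None."""
        m = self.PORT_RE.match(line)
        if m is None:
            return None
        h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
        if max(h1, h2, h3, h4, p1, p2) > 255:
            return None
        data_ip = f"{h1}.{h2}.{h3}.{h4}"
        data_port = p1 * 256 + p2
        # Only admit a data connection back to the host that issued the
        # command; a PORT naming some other host is refused.
        if data_ip != client_ip:
            return None
        # Active-mode FTP: the server connects from port 20 to the client's
        # announced data port, so the pinhole is inbound from the server.
        rule = PolicyRule("tcp", self.server_ip, 20, data_ip, data_port, self.lifetime)
        return self.middlebox.install(rule)


def demo() -> Tuple[bool, bool, bool]:
    """Constructed exchange: client 192.0.2.5 behind the middlebox announces
    data port 1025 (4*256+1) to a server at 198.51.100.10."""
    mb = Middlebox()
    agent = FtpAgent(mb, "198.51.100.10")
    rule_id = agent.handle_control_line("192.0.2.5", "PORT 192,0,2,5,4,1\r\n")
    allowed = mb.permits("tcp", "198.51.100.10", 20, "192.0.2.5", 1025)
    other_port = mb.permits("tcp", "198.51.100.10", 20, "192.0.2.5", 1026)
    mb.advance(121)  # past the 120-second lifetime
    expired = mb.permits("tcp", "198.51.100.10", 20, "192.0.2.5", 1025)
    return rule_id is not None and allowed, other_port, expired


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the split is visible in what each class contains: `Middlebox`
has no FTP code at all, so supporting SIP or H.323 would mean adding
another agent rather than changing the middlebox, and the lifetime on every
rule bounds how long a pinhole stays open if the agent that requested it
crashes or forgets to remove it.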

MIDCOM agents with application intelligence can assist the
middleboxes through the MIDCOM protocol in permitting applications
such as FTP, SIP and H.323. The communication between a MIDCOM agent
and a middlebox will not be noticeable to the end-hosts that take
part in the application, unless one of the end-hosts assumes the role
of a MIDCOM agent. Discovery of middleboxes or MIDCOM agents in the
Srisuresh, et al. Informational