Title: NATFW NSLP Intra-realm communications and Migration considerations
1NATFW NSLP Intra-realm communications and
Migration considerations
- Cedric Aoun, Marcus Brunner, Miquel Martin
- Martin Stiemerling, Hannes Tschofenig
- IETF 58 Minneapolis
2Agenda
- NSIS NATFW NSLP role with NSIS unaware NATs
- NSIS protocol traversal of NSIS un-aware NATs and
Firewalls - Unilateral signaling - No NR on the far end host
- Open issues
3NSIS NATFW NSLP role with NSIS un-aware NATs
- An NSIS NATFW NSLP MUST be able to discover that
an NSIS un-aware NAT is deployed on the data path
- Once an NSIS un-aware NAT is discovered on the
data path then either 2 options would be
available - STUN
- Create a STUN like capability within the NATFW
NSLP
4NSIS NATFW NSLP role with NSIS unaware NATs
Net x
Alice
a.b.c.1/24
k.l.m.n/30
Phil
The net
a.b.c.e
Bob
e.f.g.h
a.b.c.d
STUN-like capability
NSIS NATFW NSLP un-aware NAT
NSIS NATFW NSLP signaling
Data Flow
5NSIS NATFW NSLP role with NSIS unaware NATs
Net x
Alternate path issues
Alice
a.b.c.129/25
k.l.m.n/30
Phil
The net
a.b.c.e
a.b.c.1/25
Bob
e.f.g.h
a.b.c.d
STUN-like capability
NSIS NATFW NSLP un-aware NAT
NSIS NATFW NSLP signaling
Data Flow
6NSIS protocol traversal of NSIS unaware NATs and
Firewalls
- NSIS un-aware NAT traversal
- QoS NSLP flow specification need to be taken from
STUN or STUN like approach - Qos NSLP responder could only receive messages if
the responder is listening on the same address
and port as the data flows (not practical) - NSIS messages traversing NSIS un-aware NATs would
require that NSIS is transported on top of widely
deployed transport protocols (de-multiplexing
requirement) - Example of troublesome transport approaches
- Raw IP
- SCTP (very rare NAT implementations support it)
7NSIS protocol traversal of NSIS unaware NATs and
Firewalls
- NSIS un-aware Firewall traversal
- NSIS signaling MUST be allowed to bypass (proper
identification of NSIS messages is required) - Data flows would need to use existing ACL
capabilities
8Unilateral Signaling
Net x
Alice
a.b.c.1/24
NSIS aware NAT/FW Qos NSLP
k.l.m.n/30
The net
a.b.c.e
NSIS aware NAT/FW Qos NSLP
e.f.g.h/30
a.b.c.1/24
Bob
a.b.c.d
9Migration NTLP requirements
- NSIS un-aware NAT
- NTLP to run in datagram mode with NTLP sent from
the source address and port on which the data
will be sent and received
10Open issues
- Are there known issues with RAO and existing
Firewall implementations? - Packets could be dropped because of the IP
option? - Unilateral signaling introduces a DoS attack,
there is no means to determine if the targeted NR
cant be reached because of lack of protocol
support or because the destination is not valid
11Open issues
- How to deal with NATFW NEs that dont have a
trust relation with the NI in the case of
uni-lateral signaling? - Unilateral operations require that last NATFW
NSLP in the path respond back on behalf on the
un-available NATFW NR - Does the NTLP play a role in this?
12Backup
13Intra-realm communications
Net x
Alice wants to talk to Bob
Alice
k.l.m.n/30
a.b.c.1/24
a.b.c.e
The net
Bob
NSIS aware NAT/FW
a.b.c.d
How to avoid useless resource spending on NAT and
Firewalls (potentially event Qos gates)? Let Bob
provide to Alice both his locally scoped and
global scoped addresses
14Intra-realm communications
Net x
Alice
Alice wants to talk Phil
a.b.c.1/24
NSIS aware NAT/FW Qos NSLP
k.l.m.n/30
The net
a.b.c.e
Bob
NSIS aware NAT/FW Qos NSLP
e.f.g.h/30
a.b.c.1/24
a.b.c.d
Local scoped address could obviously overlap, a
solution needs to be provided to handle that case
Phil
a.b.c.d
15Intra-realm communications
- Proposed solution
- Communicate several NR addresses to the NI
- The first response received from an NR will hint
the NR address to use for the rest of the
messages - NSIS messages need to be sent simultaneously and
not sequentially (I.e. dont wait for responses). - User application impacts
- Several NR addresses need to be provided
- NTLP impacts
- Although a messaging association was already
linked to a destination address, it needs to be
re-checked if applicable or not to avoid the
confusion of overlapped local scoped addresses