NATFW NSLP Intra-realm communications and Migration considerations - PowerPoint PPT Presentation

About This Presentation
Title:

NATFW NSLP Intra-realm communications and Migration considerations

Description:

NSIS NATFW NSLP design team. 3. NSIS NATFW NSLP role with NSIS un-aware NATs ... NSIS NATFW NSLP design team. 6. NSIS protocol traversal of NSIS unaware NATs ... – PowerPoint PPT presentation

Number of Views:54
Avg rating:3.0/5.0
Slides: 16
Provided by: cedricaoun1
Learn more at: https://www.ietf.org
Category:

less

Transcript and Presenter's Notes

Title: NATFW NSLP Intra-realm communications and Migration considerations


1
NATFW NSLP Intra-realm communications and
Migration considerations
  • Cedric Aoun, Marcus Brunner, Miquel Martin
  • Martin Stiemerling, Hannes Tschofenig
  • IETF 58 Minneapolis

2
Agenda
  • NSIS NATFW NSLP role with NSIS unaware NATs
  • NSIS protocol traversal of NSIS un-aware NATs and
    Firewalls
  • Unilateral signaling - No NR on the far end host
  • Open issues

3
NSIS NATFW NSLP role with NSIS un-aware NATs
  • An NSIS NATFW NSLP MUST be able to discover that
    an NSIS un-aware NAT is deployed on the data path
  • Once an NSIS un-aware NAT is discovered on the
    data path then either 2 options would be
    available
  • STUN
  • Create a STUN like capability within the NATFW
    NSLP

4
NSIS NATFW NSLP role with NSIS unaware NATs
Net x
Alice
a.b.c.1/24
k.l.m.n/30
Phil
The net
a.b.c.e
Bob
e.f.g.h
a.b.c.d
STUN-like capability
NSIS NATFW NSLP un-aware NAT
NSIS NATFW NSLP signaling
Data Flow
5
NSIS NATFW NSLP role with NSIS unaware NATs
Net x
Alternate path issues
Alice
a.b.c.129/25
k.l.m.n/30
Phil
The net
a.b.c.e
a.b.c.1/25
Bob
e.f.g.h
a.b.c.d
STUN-like capability
NSIS NATFW NSLP un-aware NAT
NSIS NATFW NSLP signaling
Data Flow
6
NSIS protocol traversal of NSIS unaware NATs and
Firewalls
  • NSIS un-aware NAT traversal
  • QoS NSLP flow specification need to be taken from
    STUN or STUN like approach
  • Qos NSLP responder could only receive messages if
    the responder is listening on the same address
    and port as the data flows (not practical)
  • NSIS messages traversing NSIS un-aware NATs would
    require that NSIS is transported on top of widely
    deployed transport protocols (de-multiplexing
    requirement)
  • Example of troublesome transport approaches
  • Raw IP
  • SCTP (very rare NAT implementations support it)

7
NSIS protocol traversal of NSIS unaware NATs and
Firewalls
  • NSIS un-aware Firewall traversal
  • NSIS signaling MUST be allowed to bypass (proper
    identification of NSIS messages is required)
  • Data flows would need to use existing ACL
    capabilities

8
Unilateral Signaling
Net x
Alice
a.b.c.1/24
NSIS aware NAT/FW Qos NSLP
k.l.m.n/30
The net
a.b.c.e
NSIS aware NAT/FW Qos NSLP
e.f.g.h/30
a.b.c.1/24
Bob
a.b.c.d
9
Migration NTLP requirements
  • NSIS un-aware NAT
  • NTLP to run in datagram mode with NTLP sent from
    the source address and port on which the data
    will be sent and received

10
Open issues
  • Are there known issues with RAO and existing
    Firewall implementations?
  • Packets could be dropped because of the IP
    option?
  • Unilateral signaling introduces a DoS attack,
    there is no means to determine if the targeted NR
    cant be reached because of lack of protocol
    support or because the destination is not valid

11
Open issues
  • How to deal with NATFW NEs that dont have a
    trust relation with the NI in the case of
    uni-lateral signaling?
  • Unilateral operations require that last NATFW
    NSLP in the path respond back on behalf on the
    un-available NATFW NR
  • Does the NTLP play a role in this?

12
Backup
13
Intra-realm communications
Net x
Alice wants to talk to Bob
Alice
k.l.m.n/30
a.b.c.1/24
a.b.c.e
The net
Bob
NSIS aware NAT/FW
a.b.c.d
How to avoid useless resource spending on NAT and
Firewalls (potentially event Qos gates)? Let Bob
provide to Alice both his locally scoped and
global scoped addresses
14
Intra-realm communications
Net x
Alice
Alice wants to talk Phil
a.b.c.1/24
NSIS aware NAT/FW Qos NSLP
k.l.m.n/30
The net
a.b.c.e
Bob
NSIS aware NAT/FW Qos NSLP
e.f.g.h/30
a.b.c.1/24
a.b.c.d
Local scoped address could obviously overlap, a
solution needs to be provided to handle that case
Phil
a.b.c.d
15
Intra-realm communications
  • Proposed solution
  • Communicate several NR addresses to the NI
  • The first response received from an NR will hint
    the NR address to use for the rest of the
    messages
  • NSIS messages need to be sent simultaneously and
    not sequentially (I.e. dont wait for responses).
  • User application impacts
  • Several NR addresses need to be provided
  • NTLP impacts
  • Although a messaging association was already
    linked to a destination address, it needs to be
    re-checked if applicable or not to avoid the
    confusion of overlapped local scoped addresses
Write a Comment
User Comments (0)
About PowerShow.com