NATFW NSLP overview - PowerPoint PPT Presentation

Slides: 28
Provided by: Cedri5
Learn more at: https://www.ietf.org
1
NATFW NSLP overview
2
Document history
  • v00 - Jan 27th - Creation

3
Agenda
  • Introduction
  • NATFW NSLP mode of operation
  • Things to fix

4
Introduction
  • NATFW NSLP scope - to be added later
  • NATFW NSLP deployment scenarios
      • DS behind NAT
      • DR behind NAT
      • Same for FW and for NATFW
      • Intra-realm communications

5
Intra-realm communications
[Diagram: Alice in Net x reaches Bob across "The net" through an NSIS aware NAT/FW; address labels k.l.m.n/30, a.b.c.1/24, a.b.c.e and a.b.c.d.]
Alice wants to talk to Bob.
How to avoid useless resource spending on NATs and firewalls (potentially even QoS gates)? Let Bob provide Alice with both his locally scoped and globally scoped addresses.
6
Intra-realm communications
[Diagram: Alice in Net x, Bob and Phil, each side behind an NSIS aware NAT/FW with QoS NSLP, across "The net"; address labels a.b.c.1/24, k.l.m.n/30, a.b.c.e, e.f.g.h/30, with a.b.c.d appearing on both Bob's and Phil's side.]
Alice wants to talk to Phil.
Locally scoped addresses can obviously overlap; a solution needs to be provided to handle that case.
7
Intra-realm communications
[Diagram "NAT Stacking": Alice and Trudy in Sales/HR behind NAT1, Bob behind NATFW2 at ISP x, Max at Foo.com behind NAT3; one path is marked "Need to avoid this path from being taken".]
Same problem, but getting worse.
8
Intra-realm communications
[Diagram "NAT Stacking": same topology with addresses 137.121.5.8, 10.1.2.3 and 192.168.1.2; one path is marked "Preferred Path!!!" and another "Need to avoid this path from being taken".]
9
Intra-realm communications
[Diagram "NAT Stacking": same topology and addresses (10.1.2.3, 137.121.5.8, 192.168.1.2) without path markings.]
10
Intra-realm communications
  • Issues with the non-optimal paths
      • Aside from not being optimal
      • Certain NATs do not support the required loopback behavior
  • Proposed solution
      • Communicate several NR addresses to the NI
      • The first response received from an NR hints at the NR address to use for the rest of the messages
      • NSIS messages need to be sent simultaneously, not sequentially (i.e. don't wait for responses)

11
Intra-realm communications
  • Proposed solution - continued
      • Communicate several NR addresses to the NI
      • The first response received from an NR hints at the NR address to use for the rest of the messages
      • NSIS messages need to be sent simultaneously, not sequentially (i.e. don't wait for responses)
      • The reserve message needs to be intercepted by intermediate NATs (before reaching the edge NAT)
      • These intermediate NATs need to provide the translated address as well
  • User application impacts
      • Several NR addresses need to be provided
  • NTLP impacts
      • Even though a messaging association is already linked to a destination address, it needs to be re-checked for applicability, to avoid confusion between overlapping locally scoped addresses
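
As an added example (not from the slides), a small Python simulation of the NI-side rule from slides 10 and 11 (send CREATE to every provided NR address at once, first response picks the address) next to a validated variant that addresses the overlapping-address item under "Things to fix". The session_id echo and nr_id fields, the node names and the addresses are constructed assumptions; the slides do not say how a response identifies the node that sent it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CreateResponse:
    addr: str          # NR address the CREATE was sent to
    session_id: int    # session id echoed by the responder (assumed field)
    nr_id: str         # identity of the responding node (assumed field)
    arrival_ms: float  # when the response reached the NI


def first_response_address(sent_to, responses):
    """Slide 10 rule as written: the first response hints the NR address."""
    sent = set(sent_to)
    for r in sorted(responses, key=lambda r: r.arrival_ms):
        if r.addr in sent:
            return r.addr
    return None


def validated_first_response_address(sent_to, session_id, expected_nr, responses):
    """Same rule, but a response counts only if it echoes our session id and
    comes from the NR we meant to reach, so a local NE owning the same locally
    scoped address as the remote NR is skipped instead of winning."""
    sent = set(sent_to)
    for r in sorted(responses, key=lambda r: r.arrival_ms):
        if r.addr not in sent:
            continue
        if r.session_id != session_id or r.nr_id != expected_nr:
            continue  # answer from the wrong node: overlapping local address
        return r.addr
    return None  # no usable answer: the NI would end in St-Instl-Flure


def overlap_scenario():
    """Constructed scenario: the NR advertised a locally and a globally scoped
    address; a host in the NI's own realm owns the same local address and,
    being closer, answers first. Returns (naive choice, validated choice)."""
    sent_to = ["10.0.0.5", "203.0.113.7"]  # constructed: local, global
    session = 4242
    responses = [
        CreateResponse("10.0.0.5", session, "local-ne", arrival_ms=1.0),
        CreateResponse("203.0.113.7", session, "remote-nr", arrival_ms=40.0),
    ]
    return (first_response_address(sent_to, responses),
            validated_first_response_address(sent_to, session, "remote-nr", responses))
```

The naive rule picks the local responder (10.0.0.5), while the validated rule falls through to the remote NR's globally scoped address (203.0.113.7).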

12
NSIS NATFW NSLP life cycle
[Flowchart: Start; NSIS NATFW activated; NR behind NAT discovery ("Behind a NAT?") leading to NRBNAT0 or NRBNAT1; then Idle.]
13
NSIS NATFW NSLP life cycle NI
[Flowchart, NI. States: Idle, Snd-CREATE (n = MAXRTX), Stateinstalled, St-Instl-Flure. Events: Initiator event, Timeout (n--), Path-Succeeded, Error msg, Any other messages. Decision: n > 0? (yes/no). Actions: Send Create message to all provided recipients, Run timer and wait for response, Drop, Inform upper layers; back to Idle.]
14
NSIS NATFW NSLP life cycle NI
[Flowchart, NI. States: Stateinstalled, St-Instl-Flure, Negotiate (yes/no), Snd-CREATE, ST-Delete, ST-Refresh, Idle. Actions: Inform upper layers, Run STRF timer, Waiting for state change triggers, Send delete msg, Drop. Decisions: Reason? (Received delete msg, Upper layer requested, Trigger test, timeout), Modify?. Events: Received delete, timeout.]
15
NSIS NATFW NSLP life cycle NI
[Flowchart, NI. States: ST-Refresh, Modify (n = MAXRTXMDFY), Stateinstalled, MD-St-Instl-Flure, ST-Delete. Actions: Send Refresh, Send Modify, Run timer and wait for response, Inform upper layers, Drop. Events: Timeout (n--), Path-Succeeded, Error msg, Any other messages. Decisions: n > 0? (yes/no), Keep existing state?.]
16
NSIS NATFW NSLP life cycle NR
[Flowchart, NR. States: NR-Idle, Active-Listen, Pasv-Listen. Event: Initiator event. Decision: Check NRBNAT (1/0). Actions: Send reserve msg (n = MAXRTX-RSV), Run timer and wait for response, Inform upper layers, Drop. Events: Timeout (n--), Received RSV Ack, Error msg, Any other messages. Decision: n > 0? (yes/no); ends in PASV-Listen.]
17
NSIS NATFW NSLP life cycle NR
[Flowchart, NR. State: PASV-Listen. Event: Received msg; decision: Check msg (Received Create msg -> NR-Rcv-Create, Modify -> NR-Mod-ST, Delete, Recvd Error msg, Received Delete msg, Any other messages -> Drop). Actions: Inform upper layers; open question on the slide: "Send Delete confirm??"; ends in PASV-Listen or NR-Idle.]
18
NSIS NATFW NSLP life cycle NR
[Flowchart, NR. State: NR-Rcv-create. Decision: Validate? (yes/no). Actions: Inform upper layers, Send create-ack (n = MAXRTX-CRACK), Run timer and wait for response, Send Error msg. Events: Timeout (n--), Any other msgs, Received create-ack Ack, Error related to create ack. Decision: n > 0? (yes/no); ends in PASV-Listen or NR-Idle. Several branches are marked "?" on the slide.]
19
NSIS NATFW NSLP life cycle NR
[Flowchart, NR. State: NR-Mod-ST. Decision: Validate? (yes/no). Actions: Inform upper layers, Send mod-ack (n = MAXRTX-MODACK), Run timer and wait for response, Send Error msg. Events: Timeout (n--), Any other msgs, Received mod-ack Ack, Error related to Mod ack. Decision: n > 0? (yes/no); ends in PASV-Listen or NR-Idle. Several branches are marked "?" on the slide.]
20
NSIS NATFW NSLP life cycle NF
[Flowchart, NF. State: NF-Idle. Event: Received msg; decision: Msg type (Reserve-msg -> NF-Rcv-RSV, Create-msg -> NF-Rcv-Create, Any other msg -> Drop, NF-Idle).]
21
NSIS NATFW NSLP life cycle NF
[Flowchart, NF. State: NF-Rcv-Create. Decisions: Validate-authz (yes/no), Available resources (yes/no). Actions: Forward create, Send error upstream, Wait for confirmation timer, Drop, Forward, Forward error, Send error - no authz, Send error - last node no authz. Events: Received other msg, timeout, Received error, Received create-ack No authz, Received Authz create-ack. Resulting states: NF-ST-Install, NF-State-Install, NF-ST-Installed, NF-Idle. Open question on the slide: "Should we send create with error flag downstream???"]
22
NSIS NATFW NSLP life cycle NF
[Flowchart, NF. States: NF-Rcv-RSV, NF-NATBINDRSV (n = RCVMAX), NF-Rcv-Create, NF-Idle. Decisions: NAT? (yes/no), Edge NAT? (yes/no), n > 0?. Actions: Send error, Forward, Wait for Create, Wait for RSV-Ack, Local bind update, Send bind-update, Append RSV-ack, Send RSV-Ack, Delete bind/Send error, Delete bind/forward, Drop (n--). Events: timeout, Received anything else, Received Create, Create-msg, Rcv-bind update, Rcv upstream error, Local system failure.]
23
NSIS NATFW NSLP life cycle NF
[Flowchart, NF. State: NF-ST-Install ("Waiting for Create ack?"). Events: Other msg, Local system error, Create-msg ack, Timeout, Rcv Error msg. Actions: Drop, Send error, Forward, Send create ack with last NF flag. Resulting states: NF-ST-Installed, NF-Idle.]
24
NSIS NATFW NSLP life cycle NF
[Flowchart, NF. State: NF-ST-Installed. Event: Received msg; decision: Msg check (Any other msg, Local system error, Rcv delete, Rcv error msg, Rcv Refresh, Rcv modify msg). Actions: Send error/delete state, Delete state/forward, Forward, Delete state. Resulting states: NF-ST-Installed, NF-Rcv-Modify, NF-Idle.]
25
NSIS NATFW NSLP life cycle NF
[Flowchart, NF. State: NF-Rcv-Mod. Decisions: Validate-authz (yes/no), Available resources (yes/no). Actions: Send error upstream/keep existing, Forward mod, Drop, Forward error, Send error - no authz, Forward. Events: Received msg, Received other msg, Received Authz mod-ack, Received create-ack No authz, Received error. Resulting states: NF-ST-Installmod, NF-ST-Installed, NF-State-Install, NF-ST-Installedmod, NF-Idle.]
26
NSIS NATFW NSLP life cycle NF
[Flowchart, NF. State: NF-ST-Installmod ("Waiting for mod ack?"). Events: Other msg, Local system error, mod-msg ack, Timeout, Rcv Error msg, Rcv fatal Error msg. Actions: Drop, Send error, Forward, Change state, Delete state/forward, Policy check, Send mod ack with last NF flag. Decision: Was I the last NF? (yes). Resulting states: NF-ST-Installedmod, NF-ST-Installed, NF-Idle.]
27
Things to fix
  • How to benefit more from the user apps triggering the NATFW NI/NR, particularly for key management and messaging association parameter negotiation?
  • Provide a means to prevent local NEs from responding in place of remote NEs that have the same locally scoped address