NAT/Firewall NSLP
draft-ietf-nsis-nslp-natfw-06.txt
M. Stiemerling, H. Tschofenig, C. Aoun
NSIS Interim meeting - Munich, May 23-24, 2005
Agenda
• Mailing list discussion outcomes
• NATFW NSLP 06 updates
• Pending issues on issue tracker
• IETF 63 work plan
Mailing list discussions outcomes
• NATFW NSLP usage for synching TCP sequence numbers between firewalls:
  • Feature was documented in draft-bajko-nsis-FW-reqs-00.txt
  • Requirement could be met by using a new optional object. The idea needs to be better understood (sequence-number window vs. single sequence number?); the problem applies not only to TCP but also to other stateful protocols (SCTP)
Mailing list discussions outcomes
• Rate limiting option:
  • Generated a lot of interesting discussions!
  • Option use:
    • Could be used to mitigate flooding DoS attacks (not DDoS)
    • Prevent users from using their network access for unauthorized applications (e.g., P2P file sharing instead of SIP calls)
  • No real consensus achieved on option support
• Various discussions on combining firewall and QoS signaling:
  • Challenges:
    • Different authorization models to get QoS resources or pinhole creation
    • Error handling complexity
NATFW NSLP 06 updates
• Based on the interim editor meeting in Paris, several updates were made:
  • Message Sequence Number object definition and usage
    • Currently the MSN is a 32-bit word and we do not consider epoch usage to handle node restarts
  • Query and Diagnosis capabilities:
    • Cleaned up the previous Query capability section
  • Documented NAT and firewall engine interaction with NATFW NSLP signaling (Annex A)
  • Miscellaneous editorial nit fixes
NATFW NSLP 06 updates
• Query and Diagnosis ReQuest (QDRQ):
  • Used for diagnosing NATFW NSLP session states:
    • Session setup succeeded but packets are not being received
  • "Optimistic Failure Recovery": allows the NI to learn the status of the sessions it initiated on downstream nodes:
    • Either NSLP-level recovery
    • or overall system recovery
      • May not be realistic due to system recovery time; the sessions might already have been cleared out on downstream nodes
NATFW NSLP 06 updates
• Query and Diagnosis ReQuest (QDRQ) - bis:
  • QDRQ is used within a trusted network; the message is either proxied implicitly or goes up to a maximum number of hops (MAXHOPS)
  • QDRQ usage for "Optimistic Failure Recovery" could provide:
    • Total recovery of the sessions installed by the NI before the session state loss on the NI
      • In case there are no alternate paths in the queried network
    • Partial recovery of sessions:
      • Due to alternate paths in the network
  • Issue:
    • QDRQ usage for NI session query relies on providing proof of ownership
    • This is not yet provided in the spec or anywhere in the NSIS suite
NATFW NSLP 06 updates
[Figure: QDRQ of type SINGLE along the path NI - NAT - FW; the NAT holds the session state UP, the FW holds it DOWN]
  NI  -> NAT: QDRQ(SINGLE, HOP=0)
  NAT -> FW:  QDRQ(SINGLE, HOP=1)
  FW  -> NAT: RESPONSE(HOP=1, Session_STS[DOWN, FW@])
  NAT -> NI:  RESPONSE(HOP=1, Session_STS[DOWN, FW@])

NATFW NSLP 06 updates
[Figure: QDRQ of type LIST along the path NI - NAT - FW; the NAT holds (SIDx, UP), (SIDy, UP), the FW holds (SIDx, DOWN), (SIDy, UP)]
  NI  -> NAT: QDRQ(LIST, HOP=0)
  NAT -> FW:  QDRQ(LIST, HOP=1, QDRQ-RESP[(SIDx,UP,NAT@), (SIDy,UP,NAT@)])
  FW  -> NAT: RESPONSE(HOP=1, QDRQ-RESP[SIDx,UP,NAT@], QDRQ-RESP[SIDy,UP,NAT@], QDRQ-RESP[SIDx,DOWN,FW@], QDRQ-RESP[SIDy,UP,FW@])
  NAT -> NI:  RESPONSE(HOP=1, QDRQ-RESP[SIDx,UP,NAT@], QDRQ-RESP[SIDy,UP,NAT@], QDRQ-RESP[SIDx,DOWN,FW@], QDRQ-RESP[SIDy,UP,FW@])

NATFW NSLP 06 updates
[Figure: NI with two NAT - FW chains; opportunistic usage of QDRQ with QDRQ type LIST. Not all the session states could be recovered by the NI]
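The QDRQ(LIST) walk of the figures above, as an added model that is not code from the draft or the authors: each queried node appends one QDRQ-RESP entry per session it holds and increments HOP, the walk stops at the end of the path or at MAXHOPS, and the NI then sorts its own sessions into recovered, installed-but-DOWN, and unreported (alternate path or already cleared). The node addresses, session tables and MAXHOPS value are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Node:
    addr: str                  # address reported in QDRQ-RESP (the "NAT@" / "FW@" of the figures)
    sessions: Dict[str, str]   # SID -> "UP" or "DOWN" as held by the local NAT/FW engine

@dataclass
class Qdrq:
    hop: int = 0                                                   # HOP counter carried in the message
    resp: List[Tuple[str, str, str]] = field(default_factory=list)  # accumulated (SID, state, addr)

def qdrq_list_walk(path: List[Node], maxhops: int) -> dict:
    """Forward QDRQ(LIST) along `path`; every node appends its session states and bumps HOP.
    The walk stops at the end of the path or when HOP reaches MAXHOPS (assumed limit)."""
    q = Qdrq()
    for node in path:
        if q.hop >= maxhops:
            break
        for sid, state in node.sessions.items():
            q.resp.append((sid, state, node.addr))
        q.hop += 1
    return {"hop": q.hop, "qdrq_resp": q.resp}   # the RESPONSE relayed back to the NI

def classify_ni_sessions(response: dict, ni_sessions: List[str]) -> Dict[str, List[str]]:
    """Sort the NI's own sessions by what the RESPONSE says about them:
    'up' = every reporting node says UP; 'down' = some node says DOWN (installed but not
    passing packets); 'unreported' = no queried node holds state (installed via an alternate
    path, or already timed out), so this QDRQ cannot recover it."""
    states: Dict[str, List[str]] = {}
    for sid, state, _addr in response["qdrq_resp"]:
        states.setdefault(sid, []).append(state)
    out: Dict[str, List[str]] = {"up": [], "down": [], "unreported": []}
    for sid in ni_sessions:
        if sid not in states:
            out["unreported"].append(sid)
        elif "DOWN" in states[sid]:
            out["down"].append(sid)
        else:
            out["up"].append(sid)
    return out

# Constructed path mirroring the LIST figure: NAT holds SIDx/SIDy UP, FW holds SIDx DOWN and SIDy UP.
PATH = [Node("NAT@", {"SIDx": "UP", "SIDy": "UP"}),
        Node("FW@", {"SIDx": "DOWN", "SIDy": "UP"})]

if __name__ == "__main__":
    r = qdrq_list_walk(PATH, maxhops=16)
    print(r)
    print(classify_ni_sessions(r, ["SIDx", "SIDy", "SIDz"]))  # SIDz: installed elsewhere, unreported
```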
Pending issues
• Around 23 issues at: https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/
• 9 critical (7 currently being worked on):
  • Main ones:
    • Issue 34: Retransmission timers at NI
    • Issue 33: End-to-Middle security association mode of operation
    • Issue 22: RESERVE mode handling with multiple CREATEs
    • Issue 7: Session ownership
    • Issue 25: Authentication and authorization of NOTIFY messages
    • Issue 24: Authentication and authorization checks at the NSLP
Pending issues
• Urgent:
  • Issue 31: NATFW NSLP Path Change Handling
  • Issue 31: Updating MRI Information
  • Issue 30: QUERY message use cases
• Error case definition and classification:
  • Types:
    • Authorization and authentication
    • System error (maintenance, H/W, CPU overload, ...)
    • Resource (no more memory, no more addresses or ports available)
  • Severity:
    • CRITICAL (no point in retrying)
    • MINOR (might work with retry)
Pending issues
• PADDING object:
  • Currently wasting a lot of bits ...
  • Maybe a global PADDING object could be used for all NSLPs for 32-bit word alignment
IETF 63 work plan
• Close all critical issues
• Draft 07 by July 8th
• Draft 08 by July 18th