NSIS Path-coupled Signaling for NAT/Firewall Traversal
Martin Stiemerling, Miquel Martin (NEC)
Hannes Tschofenig (Siemens AG)
Cedric Aoun (Nortel)
History
• Initial presentation on NAT/FW NSLP in Vienna
• Face-to-face design team meeting in Sep. 2003:
Current documents
• WG document (draft-ietf-nsis-nslp-natfw-00.txt)
• 2 individual submissions (draft-aoun & draft-martin)
• Authors' agreement on the content of the WG document
• The 2 individual submissions require additional thought
Two Modes of Operation
• Create Mode
  • Creates pinholes along the data path (might also create NAT bindings)
  • Exchange triggered by the data sender (path-coupled)
• Reserve Mode
  • For the "receiver behind a NAT" scenario
  • This mode exists to enable reachability
  • Reserves a NAT binding on the reverse path
  • Exchange triggered by the data receiver!
Create Mode of Operation
• Send a request for opening firewall pinholes and NAT bindings towards the destination of the data path
• When a firewall is hit...
  • Packet filter is created (when the authentication and authorization process succeeded)
  • Message is sent further along the path
• When a NAT is hit...
  • Allocate NAT binding (when the authentication and authorization process succeeded)
  • Change IP addresses/port numbers in the NSIS message to the NAT binding
[Figure: NSIS Signaling example - Firewall (Bob sending data). Entities: Alice, NSIS FW, Bob. Flows shown: application-level signaling, NSIS signaling, data.]
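As an added illustration (not part of the slides or the draft), a small Python simulation of Create Mode: a CREATE message carrying the flow's addresses passes a NAT that allocates a binding and rewrites the source, then a firewall that opens a pinhole only after the authorization check passed, so the pinhole ends up keyed on the NAT-translated address that the data packets will actually carry. The message fields, the hop classes, the topology and the addresses (RFC 5737 documentation ranges) are all constructed for this example.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class CreateRequest:
    # Flow identifier carried in a CREATE message (constructed; not the draft's wire format)
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"
    authorized: bool = True  # stands in for a completed authentication/authorization check

class Firewall:
    """Installs a packet filter (pinhole) for the flow and forwards the message unchanged."""
    def __init__(self, name):
        self.name, self.pinholes = name, []
    def process(self, req):
        if not req.authorized:
            return None  # no pinhole is opened and the message is dropped
        self.pinholes.append((req.src_ip, req.src_port, req.dst_ip, req.dst_port, req.proto))
        return req

class NAT:
    """Allocates a binding for the flow and rewrites its source address/port in the message."""
    def __init__(self, name, public_ip, first_port=40000):
        self.name, self.public_ip, self.first_port, self.bindings = name, public_ip, first_port, {}
    def process(self, req):
        if not req.authorized:
            return None
        key = (req.src_ip, req.src_port, req.proto)
        # One public port per private (ip, port, proto); an existing binding is reused
        pub_ip, pub_port = self.bindings.setdefault(key, (self.public_ip, self.first_port + len(self.bindings)))
        return replace(req, src_ip=pub_ip, src_port=pub_port)

def signal_create(path, req):
    """Forward req hop by hop along the data path; returns [(hop name, message as it leaves that hop)]."""
    trace = []
    for hop in path:
        req = hop.process(req)
        trace.append((hop.name, req))
        if req is None:
            break
    return trace

def demo(authorized=True):
    # Constructed topology: Bob (private 10.0.0.5) -> NAT (public 203.0.113.1) -> firewall in front of Alice
    nat, fw = NAT("nat", "203.0.113.1"), Firewall("fw")
    req = CreateRequest("10.0.0.5", 5004, "198.51.100.7", 5004, authorized=authorized)
    return signal_create([nat, fw], req), fw.pinholes
```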
Reserve Mode of Operation
• Used by a data receiver located behind a NAT
• Data receiver sends an NSIS reserve NSLP message
• When it hits a NAT...
  • Create NAT binding
  • If the NAT is at a private-to-public boundary: send back the allocated public binding
  • If the NAT is at a private-to-private boundary: change the NSIS message to the newly allocated binding and forward
• The public NAT binding is transmitted to the NI through external means (application signaling)
• Issues:
  • NAT binding might change the data path
  • Need to refresh state on both the outgoing path and the incoming path; basically this uses 2 NSIS sessions for one data flow
[Figure: Simple NAT Scenario (Bob sending data). Private address space with Bob and the NSIS NAT; Public Internet with Alice. Flows shown: application-level signaling, NSIS signaling (Reserve Mode), data, NSIS signaling (Create Mode).]
Reserve Mode of Operation: Approaches
• You need to "extend" the path to the "real end host": the NAT needs to know where to forward an NSIS message it receives.
• Approaches to communicate this information:
  • Implicit via some non-NSIS messages
  • Explicit via NSIS signaling
• What info do you use to extend the path?
  • NSIS application state
  • True NAT binding
  • Reuse previously created state (implicit state)
Assumptions
• NAT traversal for the NTLP, the QoS NSLP and any other NSLP ("X NSLP") is out of scope of this document
• Combining NAT/FW and QoS signaling might be an optimization at the NTLP level, but is not taken care of in the NAT/FW NSLP
• Other assumptions/constraints have been mentioned in Vienna.
Open issues
• Trust relationships and security issues (=> draft-martin-nsis-nslp-security-00.txt)
• Migration and missing trust relationship issues (=> draft-aoun-nsis-nslp-natfw-migration-00.txt)
• Requirements for the NTLP
• Route change and mobility aspects
• Get agreement on the security mechanisms
• Adaptation to NTLP spec
• Bit-level message format