NATFW NSLP Status draft-ietf-nsis-nslp-natfw-08.txt M. Stiemerling, H. Tschofenig, C. Aoun NSIS Working Group, 64th IETF meeting.


Document Status
- General protocol semantics quite stable
  - Except NOTIFY, TRACE, and REA-F
- Draft undergoes an all-over text finishing
- Supplementary documents are closed
  - Migration draft
  - Intra-realm draft
  - Security threats
  - LE-MRM
- Diff to NATFW issue tracker

Issue Solved (1)
- Authentication and Authorization of NOTIFY messages (I25)
  - NOTIFY messages MUST only be forwarded if they have been received in an already established messaging association for the particular session.
  - NOTIFY messages MUST NOT be accepted and handled (forwarded) if they are received outside a session and messaging association.
- RESERVE mode handling with multiple CREATEs (I22, I20)
  - Introduced NONCE object
  - Can differentiate between a proxy CREATE (has NONCE) and an NI CREATE
- Missing Transport Layer Port information for REA (I48)
  - Port information was missing; fixed.
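The I25 rule above is an admission check: a NATFW node must tie every NOTIFY it receives to the GIST messaging association (MA) that was established for that session, and drop anything else before it is handled or forwarded. The following is an added example written for this page, not code from the draft or its authors. It assumes a per-node table mapping session ID to the MA the session was set up over, and a NOTIFY that carries its session ID and the identifier of the MA it arrived on; both the state layout and the identifier formats are assumptions.

```python
"""NOTIFY admission check per issue I25 (added example, not from the draft).

Assumed (not stated on the slides): a NATFW NSLP node records, per session
ID (SID), the messaging association (MA) over which that session's
signalling was established, and a received NOTIFY is tagged with the MA it
came in on.
"""
from dataclasses import dataclass, field


@dataclass
class Notify:
    sid: bytes      # NSIS session ID (width assumed; treated as opaque bytes)
    ma_id: str      # identifier of the messaging association it arrived on
    reason: str     # free-form reason carried by the NOTIFY


@dataclass
class NatfwNode:
    # SID -> MA established for that session (assumed state layout)
    sessions: dict = field(default_factory=dict)
    forwarded: list = field(default_factory=list)
    dropped: list = field(default_factory=list)

    def establish(self, sid: bytes, ma_id: str) -> None:
        """Record the MA over which the session's signalling was set up."""
        self.sessions[sid] = ma_id

    def handle_notify(self, msg: Notify) -> bool:
        """Return True if the NOTIFY is accepted and forwarded.

        I25: forward only if the NOTIFY was received in the already
        established messaging association of the session; a NOTIFY that
        arrives outside a session, or on a different MA, is dropped without
        being handled.
        """
        expected = self.sessions.get(msg.sid)
        if expected is None:
            self.dropped.append((msg, "unknown session"))
            return False
        if expected != msg.ma_id:
            self.dropped.append((msg, "wrong messaging association"))
            return False
        self.forwarded.append(msg)
        return True


def run_checks():
    """Constructed scenario: NF2 established 'sid-A' over MA 'ma-nf1-nf2'.

    Returns (accepted, rejected_wrong_ma, rejected_unknown_sid).
    """
    node = NatfwNode()
    node.establish(b"sid-A", "ma-nf1-nf2")
    ok = node.handle_notify(Notify(b"sid-A", "ma-nf1-nf2", "downstream failure"))
    wrong_ma = node.handle_notify(Notify(b"sid-A", "ma-unsolicited", "downstream failure"))
    unknown = node.handle_notify(Notify(b"sid-Z", "ma-nf1-nf2", "downstream failure"))
    return ok, wrong_ma, unknown


if __name__ == "__main__":
    print(run_checks())
```

The point of keying on the MA rather than only on the session ID is that the session ID alone is carried in cleartext signalling and can be guessed or observed; the MA is the channel the node itself set up with its NSLP peer, so a NOTIFY injected from elsewhere never matches it.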

Issue Solved (2)
- Session ownership (I7)
  - -07 had a purpose-built key (PBK) approach
  - Considered too heavyweight during the last meeting
  - Removed PBK
  - Relies now on the session ID
- Exact semantics of UCREATE (I38)
  - As agreed: now a REA for firewalls (REA-F)
  - Like REA but with the path-coupled MRM
- Keep Port Parity field/semantics (I28)
- Port Range Parameter Field (I29)
  - Usage of RFC 3605 (I29 & I28)

Open Issues in Tracker
- 24 issues in tracker
  - 4 marked as critical
  - 4 marked as urgent
  - 2 marked as bug
  - 14 marked as feature or wish
- Most issues are editorial things to fix
- Some are done and waiting for final confirmation (mail to the list!)
- Here are the problems...
  - Message sequence number wrap around (I47)
  - NOTIFY storms (56)

MSN wrap around
- Message sequence numbers
  - End-to-end significance
  - Chosen per session
  - Chosen randomly by the NI/NI+
  - (The QoS NSLP's RSN, by contrast, has local significance)
- NI/NI+ reboots are detected easily
  - New SID + MSN
  - Neighbour reboot detection not needed; everything depends on the NI/NI+
- -07: Once the MSN has reached the maximum value, the next value it takes is zero.
- -08: Implement RFC 1982 Serial Number Arithmetic, Section 3.2 comparison
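The -07 rule breaks the moment the MSN wraps: a receiver comparing plain integers sees 0 as older than 0xFFFFFFFF and rejects every message after the wrap. RFC 1982 Section 3.2 instead defines i1 < i2 iff (i1 < i2 and i2 - i1 < 2^(SERIAL_BITS-1)) or (i1 > i2 and i1 - i2 > 2^(SERIAL_BITS-1)), leaving the comparison undefined when the two differ by exactly half the space. The following is an added example written for this page, not code from the draft; it assumes a 32-bit MSN, which the slides do not state, and treats an undefined comparison as "not newer" so the receiver fails closed.

```python
"""MSN freshness with RFC 1982 serial number arithmetic (added example).

Assumption not on the slides: the MSN is a 32-bit unsigned field
(SERIAL_BITS = 32). Change SERIAL_BITS if the deployed width differs.
"""
SERIAL_BITS = 32
MODULUS = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_add(s: int, n: int) -> int:
    """RFC 1982 section 3.1 addition; n must be in [0, 2^(SERIAL_BITS-1))."""
    if not 0 <= n < HALF:
        raise ValueError("RFC 1982 only defines adding 0 <= n < 2^(SERIAL_BITS-1)")
    return (s + n) % MODULUS


def serial_lt(i1: int, i2: int) -> bool:
    """RFC 1982 section 3.2: i1 is 'less than' i2."""
    return (i1 < i2 and i2 - i1 < HALF) or (i1 > i2 and i1 - i2 > HALF)


def serial_gt(i1: int, i2: int) -> bool:
    """RFC 1982 section 3.2: i1 is 'greater than' i2."""
    return (i1 < i2 and i2 - i1 > HALF) or (i1 > i2 and i1 - i2 < HALF)


def serial_cmp(i1: int, i2: int):
    """Return -1, 0 or 1; None when the comparison is undefined (|diff| == 2^31)."""
    if i1 == i2:
        return 0
    if serial_lt(i1, i2):
        return -1
    if serial_gt(i1, i2):
        return 1
    return None


def is_fresh(last_msn: int, new_msn: int) -> bool:
    """Accept new_msn only if it is serially greater than the last MSN seen.

    An undefined comparison is treated as not fresh: a receiver that guessed
    'newer' here could be talked into accepting a replayed half-space-old MSN.
    """
    return serial_cmp(new_msn, last_msn) == 1


def naive_is_fresh_07(last_msn: int, new_msn: int) -> bool:
    """The -07 behaviour: plain integer comparison after wrapping to zero."""
    return new_msn > last_msn


if __name__ == "__main__":
    last = 0xFFFFFFFF
    nxt = serial_add(last, 1)          # wraps to 0
    print("-07 accepts after wrap:", naive_is_fresh_07(last, nxt))
    print("-08 accepts after wrap:", is_fresh(last, nxt))
    print("replayed old MSN accepted:", is_fresh(3, 0xFFFFFFF0))
```

Because the NI/NI+ picks the initial MSN randomly per session, a wrap can happen early in a long-lived session, so the receiver-side comparison must be the serial one from the first message, not only once a counter approaches the maximum.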

Notification Storms
[Diagram: NI - NF1 - NF2 - NF3 - NR along one NSLP session; NF3 fails and NF2 sends a NOTIFY back to NF1]
- Single NATFW session
- NF3 fails
- NF2 detects and sends 1 NOTIFY

Notification Storms
[Diagram: NI - NF1 - NF2 - NF3 - NR; X NSLP sessions run through NF2 and NF3; NF3 fails and NF2 sends X NOTIFYs back to NF1]
- NF2/NF3 are responsible for X sessions
- NF3 fails
- NF2 detects and sends X NOTIFYs back to NF1

Notification Storm
- NI/NI+ is the session root
- Asynchronous notifications are sent to the NI/NI+
- The storm affects the core more than the edge
  - Will occur between core NATs/firewalls
  - Will fade out towards the NIs
- Mitigation needed
  - Draft says: may generate NOTIFY
  - An aggregated NOTIFY for all sessions
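The two behaviours on the slides, one NOTIFY per affected session versus one aggregated NOTIFY, can be compared on a small constructed topology. The following is an added example written for this page, not code from the draft; it assumes that a NATFW node keeps, per session, its upstream peer (towards the NI) and downstream peer (towards the NR), and that an aggregated NOTIFY can carry a list of session IDs, neither of which the -08 text defines.

```python
"""NOTIFY generation on next-hop failure: per session vs aggregated.

Added example, not from the draft. Assumed (not on the slides): each session
at a node is known by its SID, upstream peer and downstream peer, and an
aggregated NOTIFY may list several SIDs for the same upstream peer.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    sid: str
    upstream: str     # next NATFW NSLP peer towards the NI
    downstream: str   # next NATFW NSLP peer towards the NR


def per_session_notifies(sessions, failed_peer):
    """-08 text ('may generate NOTIFY'): one NOTIFY upstream per affected session.

    Each element is (destination peer, tuple of SIDs carried)."""
    return [(s.upstream, (s.sid,)) for s in sessions if s.downstream == failed_peer]


def aggregated_notifies(sessions, failed_peer):
    """Proposed mitigation: one NOTIFY per upstream peer listing every affected SID."""
    by_peer = defaultdict(list)
    for s in sessions:
        if s.downstream == failed_peer:
            by_peer[s.upstream].append(s.sid)
    return [(peer, tuple(sorted(sids))) for peer, sids in sorted(by_peer.items())]


def storm_size(sessions, failed_peer, aggregate: bool) -> int:
    """Number of NOTIFY messages the node emits for one failed downstream peer."""
    fn = aggregated_notifies if aggregate else per_session_notifies
    return len(fn(sessions, failed_peer))


# Constructed topology: NF2 carries sessions from two upstream NF1 nodes; three of
# them continue through NF3, one through a different downstream peer NF4.
SESSIONS_AT_NF2 = [
    Session("sid-1", "NF1a", "NF3"),
    Session("sid-2", "NF1a", "NF3"),
    Session("sid-3", "NF1b", "NF3"),
    Session("sid-4", "NF1b", "NF4"),   # unaffected by an NF3 failure
]

if __name__ == "__main__":
    print("per-session NOTIFYs on NF3 failure:", storm_size(SESSIONS_AT_NF2, "NF3", False))
    print("aggregated NOTIFYs on NF3 failure:", storm_size(SESSIONS_AT_NF2, "NF3", True))
    print(aggregated_notifies(SESSIONS_AT_NF2, "NF3"))
```

With aggregation the message count at a node is bounded by its number of upstream peers rather than by the number of sessions, which is why the storm shrinks fastest in the core, where a single peer carries many sessions, and matters least at the NIs, which each root only their own sessions.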

Diagnosis
- Removed old QDRQ part
  - Defined an extension set of diagnosis/query capabilities
  - No real use cases
- New lightweight diagnosis
  - Called: TRACE
  - Traceroute of the NATFW NSLP in a session
  - Returns the list of NATFW nodes
  - Nodes MAY add their identifiers
  - Not every node/network may reveal this information
  - Identifiers = IP addresses
  - Needs considerations about scoping

Way Forward
- Snapshot version is available here (pre-09):
  - Contains all comments by Elwyn
  - Currently editorial changes to -08
- Fixing urgent/critical/bug issues first
- Talking with the 3GPP2 group (Gabor et al.) about their requirements
- Publish new revision by mid-December

Thank you! Questions?