Diameter NAPT Control Application – Status Update (draft-ietf-dime-nat-control-15) Authors Frank Brockners Shwetha Bhandari

Slides:



Advertisements
Similar presentations
Message Sessions Draft-campbell-simple-im-sessions-01 Ben Campbell
Advertisements

SIP Interconnect Guidelines draft-hancock-sip-interconnect-guidelines-02 David Hancock, Daryl Malas.
Diameter Credit Control Application Tutorial - IETF67
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
IPv6 Privacy Hannes Tschofenig, Tara Whalen. Agenda Privacy Threats Layering Addressing Policy Questionnaire.
Operating and Configuring Cisco IOS Devices © 2004 Cisco Systems, Inc. All rights reserved. Operating Cisco IOS Software INTRO v2.0—8-1.
11 TROUBLESHOOTING Chapter 12. Chapter 12: TROUBLESHOOTING2 OVERVIEW  Determine whether a network communications problem is related to TCP/IP.  Understand.
1 Improved DNS Server Selection for Multi-Homed Nodes draft-savolainen-mif-dns-server-selection-04 Teemu Savolainen (Nokia) Jun-ya Kato (NTT) MIF WG meeting.
IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
NAT (Network Address Translator) Atif Karamat In the name of God the most merciful and the most compassionate.
Systems of Distributed Systems Module 2 -Distributed algorithms Teaching unit 3 – Advanced algorithms Ernesto Damiani University of Bozen Lesson 6 – Two.
Transaction. A transaction is an event which occurs on the database. Generally a transaction reads a value from the database or writes a value to the.
July 16, 2003AAA WG, IETF 571 AAA WG Meeting IETF 57 Vienna, Austria Wednesday, July 16,
CAPWAP Editor’s Report Pat R. Calhoun Cisco Systems, Inc.
Mobile IP Traversal Of NAT Devices By, Vivek Nemarugommula.
Light Weight Access Point Protocol (LWAPP) IETF 57 Pat Calhoun, Airespace.
-framework Brian Rosen. -11 version deals with IESG comments All comment resolved one way or another One open issue – spec(t)
Draft-campbell-dime-load- considerations-01 IETF 92 DIME Working Group Meeting Dallas, Texas.
User Manager Pro Suite Taking Control of Your Systems Joe Vachon Sales Engineer November 8, 2007.
Data Communications Implementation Team (DCIT)
DIME Rechartering Hannes Tschofenig & Dave Frascone.
IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: MIH_Handover primitives and scenarios Date Submitted: April, 30,
1 Course Number Presentation_ID © 2001, Cisco Systems, Inc. All rights reserved. External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt.
Authentication Mechanism for Port Control Protocol (PCP) draft-wasserman-pcp-authentication-01.txt Margaret Wasserman Sam Hartman Painless Security Dacheng.
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Lecture 4: Sun: 23/4/1435 Distributed Operating Systems Lecturer/ Kawther Abas CS- 492 : Distributed system & Parallel Processing.
Session Peering Protocol over SOAP I-D ( draft-ietf-drinks-spp-over-soap-01) draft-ietf-drinks-spp-over-soap-01 0 Presenter: Vikas Bhatia (On behalf of.
21-07-xxxx IEEE MEDIA INDEPENDENT HANDOVER DCN: xxxx Title: IETF Liaison Report Date Submitted: July 19, 2007 Presented at.
DNS SRV and NAPTR Use for SPEERMINT - Tom Creighton, Gaurav Khandpur Comcast SPEERMINT Intermin Meeting Philadelphia Sept
Chapter 3: Authentication, Authorization, and Accounting
Reconsidering Internet Mobility Alex C. Snoeren, Hari Balakrishnan, M. Frans Kaashoek MIT Laboratory for Computer Science.
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.
Draft-ietf-dime-ikev2-psk-diameter-0draft-ietf-dime-ikev2-psk-diameter-08 draft-ietf-dime-ikev2-psk-diameter-09 in progress Diameter IKEv2 PSK: Pre-Shared.
Doc.: IEEE /0617r0 Submission May 2008 Tony Braskich, MotorolaSlide 1 Refining the Security Architecture Date: Authors:
Multi-hop PANA IETF Currently: –“For simplicity, it is assumed that the PAA is attached to the same link as the device (i.e., no intermediary IP.
Diameter NAPT Control Application: Discussion on naming of involved entities Frank Brockners.
1 HRPD Roamer Authentication Zhibi Wang, Sarvar Patel, Simon Mizikovsky, Nancy Lee.
D-Link TSD 2009 workshop D-Link Net-Defends Firewall Training ©Copyright By D-Link HQ TSD Benson Wu.
Emu wg, IETF 70 Steve Hanna, EAP-TTLS draft-funk-eap-ttls-v0-02.txt draft-hanna-eap-ttls-agility-00.txt emu wg, IETF 70 Steve Hanna,
IETF 57 PANA WG PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
1 draft-sidr-bgpsec-protocol-05 Open Issues. 2 Overview I received many helpful reviews: Thanks Rob, Sandy, Sean, Randy, and Wes Most issues are minor.
IETF68 DIME WG Open Issues for RFC3588bis Victor Fajardo (draft-ietf-dime-rfc3588bis-02.txt)
IEEE MEDIA INDEPENDENT HANDOVER DCN: Title: Session Identifier Date Submitted: February xx, 2006 Presented.
Diameter NAPT Control Application – Status Update (draft-ietf-dime-nat-control-05) Authors Frank Brockners Shwetha Bhandari
© 2005 Cisco Systems, Inc. All rights reserved. BGP v3.2—5-1 Customer-to-Provider Connectivity with BGP Connecting a Multihomed Customer to a Single Service.
DSLF Subscriber Auth Requirements and IETF PANA Protocol PANA WG Chairs IETF 70 Dec 7, 2007 – Vancouver, Canada.
Nov. 9, 2004IETF61 PANA WG PANA Specification Last Call Issues Yoshihiro Ohba, Alper Yegin, Basavaraj Patil, D. Forsberg, Hannes Tschofenig.
Diameter NAT Control Application (draft-brockners-diameter-nat-control-00.txt) IETF 74, March 2009 Presenter: Wojciech Dec
Diameter SIP Application
RFC 4068bis draft-ietf-mipshop-fmipv6-rfc4068bis-01.txt Rajeev Koodli.
Diameter Maintenance and Extensions Working Group Requirement of Session State Machine for Diameter Server Initiated Session Tina TSOU (ITU-T Q. 5/11 Rapporteur)
DM Collaboration – OMA & BBF: Deployment Scenarios Group Name: WG5 - MAS Source: Tim Carey, ALU, Meeting Date:
SDP Security Descriptions for Media Streams draft-ietf-mmusic-sdescriptions-02.txt November 14, 2003 Flemming Andreasen Mark Baugher.
Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines Philip Matthews Alcatel-Lucent.
BGP. BGP Configuration Create Fabric ASN Enable BGP on a given Tenant & VRF Create BGP Neighbor and associated config eBGP Vs iBGP Route Maps BGP over.
Thoughts on the LMAP protocol(s) LMAP Interim meeting, Dublin, 15 th September 2014 Philip Eardley Al Morton Jason Weil 1.
Draft-gu-ppsp-tracker-protocol-04 Presenter : Gu Yingjie IETF-81, Quebec, July, 2011.
Open issues with PANA Protocol
PANA Discussion and Open Issues (draft-ietf-pana-pana-01.txt)
draft-ietf-simple-message-sessions-00 Ben Campbell
Peer-to-peer networking
CARD Designteam A. Singh, D. Funato, H. Chaskar, M. Liebsch
2018 Huawei H Real Questions Killtest
Multi-addressed Multipath TCP
Chapter 2: Static Routing
RFC PASSporT Construction 6.2 Verifier Behavior
NMDA Q & A draft-dsdt-nmda-guidelines &
MIF DHCPv6 Route Option Update
Presentation transcript:

Diameter NAPT Control Application – Status Update (draft-ietf-dime-nat-control-15) Authors Frank Brockners Shwetha Bhandari Vaneeta Singh Victor Fajardo

Key DISCUSS items from IESG 1.Behavior (and potential conflict resolution) in case a single NAT-device is controlled by multiple Controllers (possibly using different protocols). 2.Behavior in case of unexpected/unplanned termination of Diameter session.

#1 – Single NAT-device, multiple controllers Issue –In case multiple controllers (potentially using even different protocols, i.e. DNCA in parallel with SNMP and Operator-CLI) control a single device, conflicting NAT-bindings could be configured for a single endpoint. Approach in -15 –Conflicts cannot occur, because the draft *requires* that only a single controller is responsible for a single endpoint: “DNCA can be deployed in different ways. DNCA supports deployments with "n" NAT-controllers and "m" NAT-devices, with n and m equal to or greater than 1. For DNCA, the session representing a particular endpoint is atomic. Any deployment MUST ensure that for every given endpoint only a single NAT-controller and only a single NAT-device are active at any point in time. This is to ensure that NAT-devices controlled by multiple NAT-controllers do not receive conflicting control requests for a particular endpoint, or would be unclear which NAT-controller to send accounting information to.”

#1 – Single NAT-device, multiple controllers Discussion –How realistic is the approach in -15? Example: Operator runs DNCA, but e.g. for testing purposes wants to use CLI to configure additional bindings? Possible approaches –Leave solution as is. –Allow multiple controllers to control bindings and parameters for a single endpoint. Add operational considerations to the draft for this case: Only allow a multiple controller scenario for the case where multiple controllers use *different* control mechanisms/protocols. I.e. we’ll not cover the case where multiple DNCA NAT-Controllers control a single endpoint The NAT-device needs to allow the operator to configure a policy which defines which control mechanism takes precedence in case of conflicts.

#1 – Single NAT-device, multiple controllers DNCA can be deployed in different ways. DNCA supports deployments with "n" NAT-controllers and "m" NAT-devices, with n and m equal to or greater than 1. From a DNCA perspective an operator MUST ensure that the session representing a particular endpoint is atomic. Any deployment MUST ensure that for any given endpoint only a single DNCA NAT-controller and is active at any point in time. This is to ensure that NAT-devices controlled by multiple DNCA NAT-controllers do not receive conflicting control requests for a particular endpoint, or would be unclear which NAT-controller to send accounting information to.

#1 – Single NAT-device, multiple controllers Deployment Scenarios: Operational considerations MAY require an operator to use alternate control mechanisms or protocols such as SNMP or manual configuration via a Command-Line-Interface to apply per-endpoint NAT- specific configuration, like for example static NAT-bindings. For these cases, the NAT-device MUST allow the operator to configure a policy how configuration conflicts are resolved. Such a policy could for example specify that manually configured NAT-bindings using the Command-Line- Interface always take precedence over those configured using DNCA.

#2 - Unexpected/unplanned termination of Diameter session Issue –The behavior in case the DNCA peer in the NAT-device or NAT- controller crashes isn’t fully specified. Stale NAT-bindings in the NAT-device may result in case the Diameter session is lost. Requirement –Mechanism at the NAT device to detect the Diameter session being aborted and take action to “cleanup” the existing state for the session. –Note that the “cleanup” action can be used for DoS attacks, because loss of the Diameter session immediately leads to a loss of connectivity: Operator should be given the option to configure how quickly the state is cleaned up, i.e. cleanup can be immediate following a session abort detection or timer based.

#2 - Unexpected/unplanned termination of Diameter session Session Establishment/Management: Authorization-Lifetime AVP (RFC 3588 Section 8.9) in the NC-Request MUST be used to specify the validity of the NAT-bindings at the time of its creation. The validity of the NAT-bindings associated with a DNCA session MUST be extended after successful re-authorization of the session. When Diameter session is detected to be dead (e.g. due to failure in reauthorization, due to a note from Diameter watchdog etc.), NAT-bindings pertaining to that session will be cleaned up after a configured grace period or after a period as specified in Auth-Grace-Period AVP in NC- Request message. The grace period can be configured as zero or higher based on operator preference.

#2 - Unexpected/unplanned termination of Diameter session Failure cases of the DNCA Diameter peers: If session reauthorization fails NAT-bindings pertaining to that session MUST be cleaned up after a configured grace period or after a period as specified in Auth-Grace-Period AVP in NC- Request message. The grace period can be configured as zero or higher based on operator preference.

#2 - Unexpected/unplanned termination of Diameter session Security section: In addition, the operator needs to consider security threats resulting from unplanned termination of the DNCA session. Unplanned session termination, which could e.g. happen due to an attacker taking down the NAT-controller, leads to the NAT-device cleaning up the state associated with this session after a grace period. If the grace period is set to zero, the endpoint will experience an immediate loss of connectivity to services reachable through the NAT-device following the termination of the DNCA session.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.