Guidelines for IPFIX Implementations on Middleboxes. Juergen Quittek, Martin Stiemerling. 59th IETF meeting, IPFIX WG.


Slide 2 (IETF 59 IPFIX WG): Middleboxes
"A middlebox is defined as any intermediary device performing functions other than the normal, standard functions of an IP router on the datagram path between a source host and destination host." (RFC 3234)

Slide 3: Middleboxes in RFC 3234
1. NAT
2. NAT-PT
3. SOCKS gateway
4. IP tunnel endpoints
5. packet classifiers, markers, schedulers
6. transport relay
7. TCP performance enhancing proxies
8. load balancers that divert/munge packets
9. IP firewalls
10. application firewalls
11. application-level gateways
12. gatekeepers / session control boxes
13. transcoders
14. proxies
15. caches
16. modified DNS servers
17. content and applications distribution boxes
18. load balancers that divert/munge URLs
19. application-level interceptors
20. application-level multicast
21. involuntary packet redirection
22. anonymizers
Bold-printed middleboxes act per packet, do not modify application-level payload and do not insert additional packets. Only those are considered.

Slide 4: Middlebox Traffic Flow Scenarios
- Uni-directional traffic flow traversing a middlebox
- Uni-directional traffic flow traversing a middlebox with multicast function
- Bi-directional unicast traffic traversing a middlebox
- Bi-directional traffic flow traversing a tunnel endpoint
(Figure: flows labelled T, T', T'', T''' and T_l, T_r, T_r1, T_r2, T_r3 entering and leaving the middlebox in each scenario.)

Slide 5: Location of Observation Point
- MUST clearly indicate location of observation point
- Observation point located within middlebox:
   Leads to ambiguous result since packet properties may change in middlebox
   Example NAT: must be clear if reported source IP address was observed before or after address translation
- Observation point should be located outside of the middlebox
- Observation point at composed middleboxes:
   May be inside
   But MUST be located between middlebox functions

Slide 6: Reporting Flow-related Middlebox Internals
Even if the observation point is located outside of the middlebox, reporting middlebox internals might be desirable. Recommendations are given for:
 Packet dropping middleboxes
 Middleboxes changing DSCP
 Middleboxes changing addresses (IP addresses and port numbers)
 Tunnel endpoints

Slide 7: Packet Dropping Middleboxes
SHOULD report the number of dropped packets per reported flow.
Considered middleboxes: 1. NAT, 2. NAT-PT, 3. SOCKS gateway, 5. packet classifiers, markers, schedulers, 9. IP firewalls, 10. application firewalls

Slide 8: Middleboxes changing DSCP
SHOULD report, beside the observed value of the DSCP, also the value of the DSCP on the 'other' side of the middlebox.
Considered middleboxes: 5. packet markers

Slide 9: Middleboxes changing addresses
SHOULD report, beside the observed value, also the 'translated' value.
 Translated value means the value on the other side of the middlebox, independent of flow direction.
Considered middleboxes: 1. NAT, 2. NAPT, 3. SOCKS gateway, 21. involuntary packet redirection
Those middleboxes potentially modify:
 IP version field
 IP source and destination address field
 TCP source and destination port number
 UDP source and destination port number
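As an added example (not part of the slides), here is a small Python encoder for one IPFIX record laid out the way slides 5, 7, 8 and 9 recommend: the flow is observed on the private side of a NAPT, and next to each observed value the record carries the translated addresses and ports, the DSCP on the other side and the dropped-packet count, so a collector never has to guess which side of the middlebox a value was seen on. The information element names and numbers are assumed from the IANA IPFIX registry (RFC 7011/7012 era), which postdates these 2004 slides; the template ID, addresses and counters are constructed sample values.

```python
import socket
import struct

# IPFIX information elements (IANA registry numbering, standardized after these slides):
# each "observed" value is paired with its value on the other side of the middlebox.
NAT_FLOW_TEMPLATE = [
    (8, 4),    # sourceIPv4Address (observed at the observation point)
    (12, 4),   # destinationIPv4Address (observed)
    (7, 2),    # sourceTransportPort (observed)
    (11, 2),   # destinationTransportPort (observed)
    (4, 1),    # protocolIdentifier
    (225, 4),  # postNATSourceIPv4Address (translated: other side of the NAT)
    (226, 4),  # postNATDestinationIPv4Address (translated)
    (227, 2),  # postNAPTSourceTransportPort (translated)
    (228, 2),  # postNAPTDestinationTransportPort (translated)
    (195, 1),  # ipDiffServCodePoint (observed DSCP)
    (98, 1),   # postIpDiffServCodePoint (DSCP on the other side, slide 8)
    (2, 8),    # packetDeltaCount
    (133, 8),  # droppedPacketDeltaCount (packets the middlebox dropped, slide 7)
]
TEMPLATE_ID = 256              # constructed; data set IDs start at 256 (RFC 7011)
IPV4_IES = {8, 12, 225, 226}   # fields encoded with inet_aton rather than as integers

def template_set(template_id, fields):
    """Template Set (set ID 2): template header, then (IE id, length) per field."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", ie, ln) for ie, ln in fields)
    return struct.pack("!HH", 2, 4 + len(body)) + body

def data_set(template_id, fields, values):
    """Data Set (set ID = template ID) holding one record packed at the template's fixed lengths."""
    fmt = {1: "!B", 2: "!H", 4: "!I", 8: "!Q"}
    rec = b"".join(socket.inet_aton(v) if ie in IPV4_IES else struct.pack(fmt[ln], v)
                   for (ie, ln), v in zip(fields, values))
    return struct.pack("!HH", template_id, 4 + len(rec)) + rec

def ipfix_message(sets, export_time, seq, odid):
    """RFC 7011 message header: version 10, total length, export time, sequence, observation domain."""
    body = b"".join(sets)
    return struct.pack("!HHIII", 10, 16 + len(body), export_time, seq, odid) + body

def nat_flow_record(observed, translated, dscp, post_dscp, packets, dropped):
    """One record for a flow observed on the private side of a NAPT (slide 9 layout):
    observed 5-tuple, translated addresses/ports, both DSCP values and the drop count."""
    sip, dip, sport, dport, proto = observed
    tsip, tdip, tsport, tdport = translated
    return data_set(TEMPLATE_ID, NAT_FLOW_TEMPLATE,
                    [sip, dip, sport, dport, proto, tsip, tdip, tsport, tdport,
                     dscp, post_dscp, packets, dropped])
```

A message is built as `ipfix_message([template_set(TEMPLATE_ID, NAT_FLOW_TEMPLATE), nat_flow_record(...)], export_time, seq, odid)`; the template must precede the data set so the collector can decode the fixed-length fields.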

Slide 10: Tunnel endpoints
SHOULD report the corresponding tunnel ID.
(Figure: flows T_l, T_r1, T_r2, T_r3 around the middlebox; tunnelled flows report the tunnel ID, untunnelled flows report nothing.)

Slide 11: Open Issues
- Do NATs change DSCP?
- Investigate security implications of reporting middlebox internals
- Shall this become an IPFIX WG work item?