Slide 1: Framework for interfacing with NAT
Pyda Srisuresh, IETF 49, 12/14/00

Slide 2: Objective
- Identify service-neutral resources within an intermediate device that are of interest to external agents.
- Identify NAT service specific resources.
- Illustrate the resource interface mechanism for the NAT service through an API.
- Provide a framework for the development of one or more protocols by which external agents can interface with NAT.

Slide 3: Intermediate Devices
- Network Address Translator (NAT) devices
- Proxy servers
- Security gateways, tunnel terminators
- Firewalls
- Server load balancers
- QoS enforcement devices
- Etc.

Slide 4: Data flow across NATs
(Diagram: a Client on the private network and a Server on the Internet hold an end-to-end session; private network traffic crosses the private network boundary at the NAT and continues as Internet traffic; an external agent is attached to the NAT.)

Slide 5: Proxy traffic across NAT device
(Diagram: a proxy-client application, a proxy server and a target server, with a NAT router on the path; the diagram labels the user's view of the session, the proxy exchange, and the server's view of the session.)

Slide 6: Router-to-Router Tunnel data flow
(Diagram: a Client and a Server, each behind a router at a trusted network boundary, hold an end-to-end session that is carried in a tunnel across the Internet between the two routers; an external agent is shown at the router.)

Slide 7: NAT Elements
- NAT Descriptor: ID, NAT type, address map and type-specific parameters.
- BIND Descriptor: ID, bind type, specific addresses (ports) bound, lease time, controlling agent ID, etc.
- SESSion Descriptor: ID, session direction, original and translated session tuples, application tag, controlling BIND ID, termination heuristic, controlling agent ID, etc.

Slide 8: External Agents
- Application Level Gateways (ALGs)
- Intermediate application proxies
- RSIP (i.e., RSA-IP and RSAP-IP) clients
- Backup NAT devices
- Management utilities enforcing NAT policies

Slide 9: External Agent Descriptor
- Agent ID
- Agent type
- Agent call-back requirements
- Agent call-back functions
- Agent accessibility information

Slide 10: Interface to external agents
- Service-neutral interface to external agents
  - Functions applicable to any type of stateful IP service on an intermediate device: NAT, firewall, server load balancers, security gateways, etc.
  - Resource interface based on session identities.
  - Versatile interface to allow addressing a specific instance of a service on a device that supports multiple instances of a variety of services.
  - Asynchronous call-back from the device to external agents.
- NAT-service specific interface
  - Functions manipulating NAT specific resources, i.e., BINDs and NAT specific session parameters.

Slide 11: Service-neutral interface
- Query available services on the device:
  service_enquire_Identity(service_type, &service_info)
- Register an agent with selected services on the device:
  service_register_agent(service_id, &agent_info)
- Session based manipulation and enquiries:
  service_set_sess(), service_free_sess(), service_enquire_sess_range(), etc.
- Asynchronous call-back to external agents:
  agent_callback_event(event_type, &event_info)
  agent_callback_periodic(info_type, length, &info)
  agent_callback_packet(sess_id, pkt_direction, packet)

Slide 12: NAT-service specific interface
- NAT service identity: NAT service type (Basic NAT, NAPT, RSIP, etc.), address maps, RSIP tunnel type supported, etc.
- NAT specific session parameters: translated session tuples, BIND ID, packet modification functions.
- NAT BIND manipulations and enquiries:
  nat_set_bind(), nat_free_bind(), nat_enquire_address_bind()
- Asynchronous call-back interface: packet redirection to external agents; BIND notification; NAT specific statistics notification.

Slide 13: FTP-ALG registration process (message exchange between FTP-ALG and NAT)
1. FTP-ALG -> NAT: service_enquire_Identity()
2. NAT -> FTP-ALG: OK. Return NAT Descriptor that includes nat-id.
3. FTP-ALG -> NAT: service_register_agent(nat_id, &ftp_alg_descriptor)
4. NAT -> FTP-ALG: OK. Return an agent-ID.

Slide 14: ALG interaction when FTP is active (message exchange between FTP-ALG and NAT)
1. NAT -> FTP-ALG: ftp_alg_pkt_notify(nat_id, agent_id, sess_id, pkt_direction, pkt)
2. FTP-ALG -> NAT: service_enquire_sess_info(nat_id, agent_id, &sess_info)
3. FTP-ALG -> NAT: nat_enquire_address_bind(nat_id, agent_id, &bind_info)
4. FTP-ALG -> NAT: nat_set_bind(nat_id, agent_id, &bind_info)
5. FTP-ALG -> NAT: service_set_sess(nat_id, agent_id, &sess_info)

Slide 15: FTP session termination notification (message exchange between FTP-ALG and NAT)
1. NAT -> FTP-ALG: ftp_alg_notify(nat-id, agent-id, SESSION-TERMINATED, sess-id)
2. FTP-ALG -> NAT: service_free_sess_bundle(nat_id, agent-id, sess-id)
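The three exchanges of slides 13 to 15, together with the descriptors of slide 7 and the function names of slides 11 and 12, as an added worked example in Python that is not the author's code: a toy NAPT implements a subset of the service-neutral and NAT-specific interface, and an FTP ALG registers with it, receives outbound FTP control packets through the packet call-back, rewrites the client's PORT command, and pre-admits only the data connection that command announced, as a child of the control session, so that the termination bundle closes both. Everything not on the slides is an assumption: the Python signatures, the packet dictionary format, the rule that 10/8 is the private side, the public port pool, and the constructed addresses and sample packets.

```python
import itertools


class NatService:
    """Toy NAPT holding the NAT, BIND and SESSion descriptors of slide 7 (added example, not the
    author's code); method names follow slides 11-12, the signatures are my own simplification."""
    def __init__(self, public_ip):
        self.nat_id, self.nat_type, self.public_ip = 1, "NAPT", public_ip
        self._ids = itertools.count(1)        # one counter for agent, BIND and session IDs
        self._ports = itertools.count(20000)  # public port pool (constructed)
        self.agents, self.binds, self.sessions = {}, {}, {}

    # ---- service-neutral interface (slide 11) ----
    def service_enquire_identity(self, service_type):
        return None if service_type != "NAT" else {
            "service_id": self.nat_id, "nat_type": self.nat_type, "address_map": [self.public_ip]}
    def service_register_agent(self, service_id, agent_info):
        assert service_id == self.nat_id
        agent_id = next(self._ids)
        self.agents[agent_id] = agent_info    # external agent descriptor (slide 9)
        return agent_id
    def service_set_sess(self, agent_id, direction, original, bind_id, app_tag, parent=None):
        proto, sip, sport, dip, dport = original
        b = self.binds[bind_id]               # outbound rewrites the source, inbound the destination
        xlat = (proto, *b["public"], dip, dport) if direction == "out" else (proto, sip, sport, *b["private"])
        sess_id = next(self._ids)
        self.sessions[sess_id] = {"dir": direction, "orig": original, "xlat": xlat, "bind_id": bind_id,
                                  "app_tag": app_tag, "agent_id": agent_id, "parent": parent}
        return sess_id
    def service_free_sess_bundle(self, agent_id, sess_id):
        """Free a session, every child session an ALG hung off it, and their BINDs (slide 15)."""
        bundle = [s for s, v in self.sessions.items() if s == sess_id or v["parent"] == sess_id]
        for s in bundle:
            self.nat_free_bind(self.sessions.pop(s)["bind_id"])
        return len(bundle)

    # ---- NAT-service specific interface (slide 12) ----
    def nat_set_bind(self, agent_id, private):
        bind_id = next(self._ids)
        self.binds[bind_id] = {"private": private, "public": (self.public_ip, next(self._ports)),
                               "agent_id": agent_id}   # controlling agent; None = the NAT itself
        return bind_id
    def nat_free_bind(self, bind_id):
        return self.binds.pop(bind_id, None) is not None
    def nat_enquire_address_bind(self, private):      # IDs start at 1, so callers may use `or`
        return next((b for b, v in self.binds.items() if v["private"] == private), None)

    # ---- data path: translate, then redirect the packet to agents registered for its app tag ----
    def forward(self, pkt):
        """pkt = {'tuple': (proto, sip, sport, dip, dport), 'payload': str}; returns None if dropped."""
        t = pkt["tuple"]
        sess_id = next((s for s, v in self.sessions.items() if v["orig"] == t), None)
        if sess_id is None:
            if not t[1].startswith("10."):    # constructed rule: 10/8 is the private side, so an
                return None                   # inbound packet without a pre-set session is dropped
            bind_id = self.nat_enquire_address_bind(t[1:3]) or self.nat_set_bind(None, t[1:3])
            sess_id = self.service_set_sess(None, "out", t, bind_id, app_tag=str(t[4]))
        sess, payload = self.sessions[sess_id], pkt["payload"]
        for agent_id, info in self.agents.items():
            if sess["app_tag"] in info["callback_app_tags"]:
                payload = info["callback_packet"](self, agent_id, sess_id, sess["dir"], payload)
        return {"tuple": sess["xlat"], "payload": payload}


def ftp_alg_register(nat):
    """Slide 13: discover the NAT service, then register the ALG with its call-back descriptor."""
    ident = nat.service_enquire_identity("NAT")
    return nat.service_register_agent(ident["service_id"], {
        "type": "ALG", "callback_app_tags": {"21"}, "callback_packet": ftp_alg_pkt_notify})


def ftp_alg_pkt_notify(nat, agent_id, sess_id, direction, payload):
    """Slide 14: bind the address a client PORT command announces, pre-admit the server's inbound
    data connection as a child of the control session, and rewrite the command on its way out."""
    client = nat.sessions[sess_id]["orig"]                      # (proto, client, cport, server, 21)
    parts = payload[5:].split(",") if payload.startswith("PORT ") else []
    if direction != "out" or len(parts) != 6 or not all(p.isdigit() for p in parts):
        return payload                                          # not a well-formed PORT command
    private = (".".join(parts[:4]), int(parts[4]) * 256 + int(parts[5]))
    if private[0] != client[1]:                                 # never open a pinhole for another host
        return payload
    bind_id = nat.nat_enquire_address_bind(private) or nat.nat_set_bind(agent_id, private)
    pub_ip, pub_port = nat.binds[bind_id]["public"]
    nat.service_set_sess(agent_id, "in", ("tcp", client[3], 20, pub_ip, pub_port), bind_id,
                         app_tag="ftp-data", parent=sess_id)
    return "PORT %s,%d,%d" % (pub_ip.replace(".", ","), pub_port // 256, pub_port % 256)


def run_ftp_demo():
    """Constructed walk-through: PORT command out, server data connection in, then teardown."""
    nat = NatService("203.0.113.7")
    agent_id = ftp_alg_register(nat)
    ctrl = {"tuple": ("tcp", "10.0.0.5", 3456, "198.51.100.9", 21), "payload": "PORT 10,0,0,5,4,210"}
    out = nat.forward(ctrl)
    data = nat.forward({"tuple": ("tcp", "198.51.100.9", 20, "203.0.113.7", 20001), "payload": "150 data"})
    ctrl_sess = next(s for s, v in nat.sessions.items() if v["orig"] == ctrl["tuple"])
    freed = nat.service_free_sess_bundle(agent_id, ctrl_sess)   # the SESSION-TERMINATED path
    return out, data, freed, len(nat.sessions), len(nat.binds)
```

Calling run_ftp_demo() returns the translated control packet (source rewritten to the public address and the PORT command rewritten to the public port), the translated inbound data packet (destination rewritten back to the client), and the count of sessions freed at termination, after which both the control and data BINDs are gone. Two design points matter from the device's side: the NAT never creates a session for unsolicited inbound traffic, and the ALG refuses a PORT command naming any host other than the control session's own client, so an agent can only open an inbound path back to the host whose session it is already inspecting.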