0 NAT/Firewall NSLP IETF 62th – March 2005 draft-ietf-nsis-nslp-natfw-05.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.
Presentation transcript:

1 IPR Claim Received
- IPR claim of Nortel, December 14th: Nortel Networks U.S. Patent No. 6,772,210, entitled "Method and apparatus for exchanging communications between telephone number based devices in an internet protocol environment", may contain claims that are believed to be necessary for practicing the resulting IETF Standard based on this Internet Draft.
- Claim is here
- We are not lawyers, but there MAY be prior art!

2 Editorial Changes in -05
- Several editorial changes
  - Moved Miquel to the author's list in the text body
  - Integrated many comments from Elwyn
- Merged Query message into a single section (previously split across two sections)
- Aligned object format presentation to the GIMPS I-D
- Added in Section 3.5 the compatibility bits described in GIMPS
  - NATFW NSLP limits usage to MANDATORY, OPTIONAL, FORWARD
  - REFRESH bit combination not used; NFs do not refresh on their own

3 Editorial Changes in -05
- Changed Response Type Object to Proxy Support Object
- Removed scoping object (not needed anywhere)
- NOTIFY (per WG decision at IETF 61)
  - Removed NOTIFY target object
  - NOTIFY messages are sent upstream only (Section 3.3.5)
- Added appendix on "Object ID allocation for testing"
- Added text about how REA is activated to its section
- Updated security considerations

4 Security Consideration Section Update
- Resolved remaining issues in the NAT/FW threats document
  - See mailing list: data receiver behind a NAT
- NAT/FW threats document incorporated into the main document
  - Was draft-fessi-nsis-natfw-threats-02
- Updated threat model and security solution text
  - GIMPS security between neighboring NSLP nodes
  - Usage of authorization tokens
  - Authentication and authorization of an initiator towards non-neighboring nodes based on CMS
- Open issues:
  - Mobility handling and security (based on old I-D)
  - More details
  - Security object formats

5 Protocol Changes in -05
- Introduced notion of 'deny' policy rules
- Reworked the proxy mode sections
  - Section "Proxy Mode for Data Receiver behind NAT"
  - Section "Proxy Mode for Data Sender behind Middleboxes"
  - Proxy mode is no longer the default mode (see later)
- Added DSInfo description to the section about REA
  - Information about the data sender
  - Limits possible CREATE message senders and local filters
- Since REA incorporates the DSInfo semantics, the TRIGGER message has been removed
- Added section about finding upstream firewalls (UCREATE)
  - Section "Proxy Mode for Data Receiver behind Firewall"
- More details on next slides...

6 Proxy Mode - NR side: Data receiver behind NAT

7 Issues on DR behind NAT Proxy Mode
- Issues with not using the proxy mode as default
  - NI+ (i.e. NR) needs to know the NATFW NSLP capabilities
  - Impact on applications, as they would need to advertise their NSIS capabilities
- If proxy mode is used and the far end host supports the NSLP, how to handle the existing NSLP sessions triggered by the REA?
  - One created by a CREATE message sent by the Edge NAT
  - One created by a CREATE message sent by the far end host's NI
  - DR to decide whether the proxy mode signaling session needs to be terminated based on an e2e signaling session.

8 On the Security of Data Receiver behind a NAT
[Figure: Data Sender -- NAT/FW -- Data Receiver; (1) End-to-End Signaling, (2) Proxy Mode Signaling]
- Treat the signaling sessions (1) and (2) independently (authorization issue)
- Do not update state established on the NAT/FW (created by the proxy mode signaling session) based on an e2e signaling session.
- Proxy mode triggers a CREATE to deal with routing asymmetry and firewalls between the NAT/FW and the DR.
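The slide-8 rule (sessions (1) and (2) are authorized independently, and state created by the proxy-mode session is never updated from an e2e session) together with the 'deny' policy rules introduced on slide 5, as an added illustrative model that is not part of the slides or the draft. NatFwNode, PolicyRule, the "proxy"/"e2e" origin tag and the deny-over-allow precedence are my assumptions, not the draft's objects or encoding.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class PolicyRule:
    # Abstract filter (assumed shape): exact src/dst/port match, action 'allow' or 'deny'
    src: str
    dst: str
    dport: int
    action: str = "allow"

@dataclass
class SessionState:
    session_id: str
    origin: str                      # "proxy" (triggered by REA at the NAT/FW) or "e2e"
    rules: list = field(default_factory=list)

class NatFwNode:
    """Hypothetical NAT/FW NSLP state table keyed by signaling session."""

    def __init__(self):
        self.sessions = {}

    def create(self, session_id, origin, rule):
        # Each CREATE establishes its own session; proxy and e2e sessions never share state
        if origin not in ("proxy", "e2e"):
            raise ValueError("unknown session origin")
        if session_id in self.sessions:
            raise KeyError("session already exists")
        self.sessions[session_id] = SessionState(session_id, origin, [rule])
        return True

    def update(self, session_id, requesting_origin, rule):
        # Slide 8: state created by the proxy-mode session must not be modified
        # by the e2e session (and vice versa); the requester's origin must match
        st = self.sessions.get(session_id)
        if st is None or st.origin != requesting_origin:
            return False
        st.rules.append(rule)
        return True

    def decide(self, src, dst, dport):
        # Assumed precedence: any matching 'deny' wins, then 'allow', else default deny
        matched = [r.action for st in self.sessions.values() for r in st.rules
                   if (r.src, r.dst, r.dport) == (src, dst, dport)]
        if "deny" in matched:
            return "deny"
        return "allow" if "allow" in matched else "deny"
```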

9 Proxy Mode - NI side: Data sender behind NAT or Firewall

10 Blocking Traffic
- Proxy Mode for Data Receiver behind Firewall
- Used to block particular incoming data flows

11 Open Issues
- Security
- Details on UCREATE
  - Protocol details are new
  - Need review
  - Multihomed scenarios: several firewalls in parallel
- There is an issue tracker; you can register yourself at the tracker!
- A diff between -04 and -05 at: