0 NAT/Firewall NSLP Activities IETF 60th - August 2nd 2004 Cedric Aoun, Martin Stiemerling, Hannes Tschofenig.


1 NAT/Firewall NSLP updates
- WG document has significantly improved and integrated prior analysis done in the accompanying ephemeral drafts
- NAT / Firewall NSLP: v01 -> v03
- Security Threats for NAT/FW NSLP: v01
- Migration Draft: v01 -> v02
- Intra-realm considerations: v00 -> v01
- NAT/Firewall NSLP Security Problems
- Documents introduced after IETF 59

2 NATFW NSLP WG document updates
Editorial changes:
- Increased readability, shortened section 2 and moved the security discussions into one section
- New terminology for the destination address of Reserve External Address messages: Opportunistic Address
- New section: Section 4, NTLP requirements

3 NATFW NSLP WG document updates
New messages and message processing changes:
- CREATE: creates, maintains and deletes a NATFW NSLP session and all its associated policy rule states
- Reserve External Address (REA)
- RESPONSE: integrates all semantics of the previous response messages through the use of various response object types
- NOTIFY: asynchronous event notification message
- TRIGGER: message used by the NR to update and refresh the policy rule state installed by an NR-requested CREATE. Allows deployments where one end initiates NSIS messages but the other does not
  - CREATE messages sent from the far end (i.e., not triggered) take precedence over triggered CREATEs and no longer require TRIGGER messages to be sent by the NR
- QUERY: query message used for diagnosis and potential NI misbehaviour detection

4 NATFW NSLP WG document updates
- Protocol can signal policy rules with 'drop' action
  - Feedback requested from the WG on this, as it has limited applicability
- Different response types, hinted by the RESPONSE_TYPE object:
  - RESPONSE (usual case)
  - CREATE:
    A) Sent only if the responding node is not the message destination, i.e. there is no NR on the other end
    B) Sent by the node meeting the scope
    - Sent either on the existing pinned-down reverse path or on a new separate one
    - CREATE could be sent with a specific source address (if provided in the message triggering the CREATE) or with the responding node's address
  - No RESPONSE (no RESPONSE_TYPE object inserted): the case of NOTIFY messages and of CREATE messages that delete session state

5 NR behind a NAT - existing capability
[Message sequence diagram: DS on the public Internet (no NI), NAT, NR in the private address space. Messages shown: REA[CREATE, DISC] sent by the NR towards the NAT, RESPONSE[Error/Success], CREATE, RESPONSE[Error/Success].]
- NR acts autonomously without any knowledge of the DS's NSIS capability
- No restriction on authorized data sender addresses

6 NR behind NAT - extensions
[Message sequence diagram: DS in Foo.com on the public Internet (no NI); NAT and Firewall in Bar.com; NR. The NR sends TRIGGER[DSinfo] upstream through the Firewall and the NAT; a CREATE is sent back downstream towards the NR and answered with RESPONSE[SUCCESS]. On refresh period expiry, or on updates to the Data Sender information, the NR sends TRIGGER[DSinfo] again and the CREATE / RESPONSE[SUCCESS] exchange repeats.]
- NR acts autonomously without any knowledge of the DS's NSIS capability
- Authorized data sender address is limited to the known DS address and port (if available to the user application layer)

7 NATFW NSLP WG document updates
- Session refresh still handled end to end
  - Refreshes only generated by the NI and not by intermediate NEs
  - BUT when an intermediate NE requests lifetime changes, it also provides the associated Message Refresh Rate
  - Allows the support of different relations between state lifetime and message refresh rate

  NI                    NSLP forwarder                     NR
  |      CREATE(lt=60s)        |                            |
  |--------------------------->|      CREATE(lt=20s)        |
  |                            |--------------------------->|
  |                            |  RESPONSE(lt=15s MRR=3s)   |
  |  RESPONSE(lt=15s MRR=3s)   |<---------------------------|
  |<---------------------------|                            |

lt = lifetime, MRR = Message Refresh Rate
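The lifetime / refresh-rate split on this slide, as an added model that is not code from the draft or its authors. It assumes (not stated on the slide) that each NE applies a local maximum lifetime and that the NR answers with the lifetime it grants plus the MRR the NI must then use; the slide's numbers (60 s -> 20 s -> 15 s, MRR 3 s) are the worked case.

```python
"""Model of the NATFW NSLP lifetime / Message Refresh Rate (MRR) exchange on the slide.
Added illustration, not code from the draft. Assumption (not on the slide): every NE
applies a local maximum lifetime, and the NR returns the lifetime it grants plus the MRR."""
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Create:
    lifetime: int  # requested policy-rule state lifetime in seconds ("lt" on the slide)

@dataclass(frozen=True)
class Response:
    lifetime: int  # granted lifetime in seconds
    mrr: int       # Message Refresh Rate: seconds between refreshes sent by the NI

def forward_create(msg: Create, local_max_lifetime: int) -> Create:
    """Intermediate NE: may request a shorter lifetime but never refreshes itself."""
    return Create(lifetime=min(msg.lifetime, local_max_lifetime))

def nr_respond(msg: Create, nr_max_lifetime: int, nr_mrr: int) -> Response:
    """NR grants at most the requested lifetime and attaches the MRR the NI must honour.
    The MRR must be shorter than the lifetime or state expires between two refreshes."""
    granted = min(msg.lifetime, nr_max_lifetime)
    if nr_mrr >= granted:
        raise ValueError("MRR must be shorter than the granted lifetime")
    return Response(lifetime=granted, mrr=nr_mrr)

def run_exchange(requested: int, hop_caps: List[int], nr_max: int, nr_mrr: int) -> Response:
    """Carry one CREATE along NI -> forwarder(s) -> NR and return the RESPONSE."""
    msg = Create(lifetime=requested)
    for cap in hop_caps:
        msg = forward_create(msg, cap)
    return nr_respond(msg, nr_max, nr_mrr)

def refresh_times(resp: Response, horizon: int) -> List[int]:
    """Offsets (seconds after the RESPONSE) at which the NI sends refresh CREATEs."""
    return list(range(resp.mrr, horizon + 1, resp.mrr))

def state_survives(resp: Response, refreshes: List[int], horizon: int) -> bool:
    """True if no gap between refreshes (including start and end) reaches the lifetime,
    i.e. the installed policy rule never times out before `horizon` seconds."""
    points = [0] + refreshes + [horizon]
    return all(b - a < resp.lifetime for a, b in zip(points, points[1:]))

if __name__ == "__main__":
    # The slide's numbers: NI asks for 60 s, forwarder cuts to 20 s, NR grants 15 s at MRR 3 s.
    resp = run_exchange(60, [20], 15, 3)
    print(resp, refresh_times(resp, 30), state_survives(resp, refresh_times(resp, 30), 30))
```

A shorter granted lifetime bounds how long a policy rule outlives an NI that stops refreshing, while the MRR tells the NI how often it must prove the session is still wanted.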

8 NATFW NSLP WG document updates
NATFW NSLP's NTLP requirements:
- Ability to detect that the NSIS Responder does not support the NATFW NSLP
- Detection of NATs and of their support of the NSIS NATFW NSLP
- Message origin authentication and message integrity protection; will depend on the security approach used: hop by hop or end to end
- Detection of routing changes
- Protection against malicious announcement of fake path changes
- Transport of user application correlation information. This requirement allows the NATFW NSLP to check that the message was solicited by prior application message exchanges before an NTLP messaging association is established between an NR and the upstream NF.

9 Open issues
Procedural:
- Authors sent protocol operation changes to the mailing list but no comments were received? No news = GOOD NEWS :-) ?
- Should a REA always trigger a CREATE message?
- Should triggered CREATE messages always be sent on a new reverse path (and not the pinned-down one)?
- Should TRIGGER messages require a RESPONSE?
  - In case a CREATE is not received by the NR, it would know whether the TRIGGER was received by its target

10 Open issues
- Usage of TRIGGER and REA variant for NRs behind Firewalls
  - Currently not discussed in the document; relates to:
    - Scenarios where one end-host supports the protocol
    - Drop action handling
  - Would have more issues with route asymmetry, as no path anchoring is provided as is the case in the NR-behind-NAT scenario
  - In case the host was the application initiator it would send the CREATE triggering a CREATE, but if it wasn't the application initiator, TRIGGER would certainly be useful
- Message and object format alignment to NTLP and QoS NSLP
  - Do we have agreement on the format?
  - Extensibility handling and its integration in the object format
- Twice NAT handling
- Security issues: discussed in the security presentation