NAT traversal for GIST in 300 seconds
A. Pashalidis, H. Tschofenig

Types of NAT

Need to consider different types of NAT, i.e. NATs that
1. modify only IP addresses (“port-preserving”)
2. modify IP addresses and port numbers
3. use a single public IP address
4. dynamically allocate IP addresses to flows
5. are NSIS-aware, and
   5.1 do not implement the NSLP that is being signalled
   5.2 do implement the NSLP that is being signalled
6. are NSIS-unaware

The draft assumes type (2) and (4) NATs; types (1) and (3) are special cases. Type (6) NATs are not (yet?) considered. Cascades of NATs are considered, but no “parallel” NATs.

Two approaches

1. A GIST-aware NAT translates GIST header fields (both D and C mode) in a way that is consistent with the translation it applies to the IP header in the data flow.
2. A GIST-aware NAT adds information into GIST discovery messages; GIST peers then use this information in order to map subsequent signalling to data flows.

Advantages

- Signalling messages and data flow consistent throughout the network.
- NATs remain transparent → NAT-awareness at non-NAT GIST nodes not required.
- NATs do not “generate mess” that must be “cleaned up” elsewhere.
- NATs do minimal extra work.
- Works in the presence of IPsec/TLS.

Disadvantages

- Does not work in the presence of IPsec/TLS.
- NATs need to keep per-flow state (which they do anyway).
- Non-NAT GIST nodes must be NAT-aware.
- Internal network details are revealed to the Internet via the original MRI.

Depending on the environment, one approach may be better than the other (?)

Which approach is taken?

Both, depending on whether or not TLS/IPsec is required.

- NATs transparently maintain consistency throughout
  - Non-NAT GIST nodes less complicated → easier deployment (?)
  - Cascades of NATs handled → easier testing (?)
- GIST peers handle NAT-induced inconsistency
  - Necessary in order to provide IPsec/TLS; in such installations GIST peers already interact with IPsec/TLS, key management and OCSP. Thus, NAT handling is another such overhead.
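The trade-off behind the "Two approaches", "Advantages", "Disadvantages" and "Which approach is taken?" slides can be made concrete with a small model. The following is an added example, not code from the draft or its authors: the MRI layout, the message dictionaries, the NAT binding rule and the HMAC used as a stand-in for end-to-end IPsec/TLS integrity protection are all assumptions chosen only to show why approach 1 keeps signalling and data consistent (also across a NAT cascade) but breaks integrity protection, while approach 2 keeps integrity protection but pushes NAT awareness to the peers and exposes the original, private MRI.

```python
# Toy model of the two GIST NAT-traversal approaches discussed on the slides.
# Added illustration, not code from the draft or its authors; message layout,
# field names and the HMAC stand-in for IPsec/TLS are assumptions.
from dataclasses import dataclass, replace
import hashlib
import hmac


@dataclass(frozen=True)
class MRI:
    """Simplified message routing information: the data flow a signalling message refers to."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "UDP"


class Nat:
    """Type (2)/(4) NAT of the slides: rewrites address and port, keeps per-flow bindings."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings: dict[tuple[str, int], int] = {}

    def translate(self, flow: MRI) -> MRI:
        """Apply (or create) the binding for the flow's source endpoint.
        The same binding is used for data packets and, under approach 1, for the
        MRI inside GIST messages, so both get the identical translation."""
        key = (flow.src_ip, flow.src_port)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return replace(flow, src_ip=self.public_ip, src_port=self.bindings[key])


def protect(key: bytes, mri: MRI) -> bytes:
    """Stand-in for end-to-end IPsec/TLS integrity protection over the MRI."""
    return hmac.new(key, repr(mri).encode(), hashlib.sha256).digest()


def verify(key: bytes, mri: MRI, tag: bytes) -> bool:
    return hmac.compare_digest(protect(key, mri), tag)


def approach1_nat(nat: Nat, msg: dict) -> dict:
    """Approach 1: the NAT rewrites the MRI exactly as it rewrites the data flow."""
    return {**msg, "mri": nat.translate(msg["mri"])}


def approach1_cascade(nats: list, flow: MRI, msg: dict) -> tuple:
    """Cascaded NATs under approach 1: every hop rewrites data and MRI the same way."""
    for nat in nats:
        flow = nat.translate(flow)
        msg = approach1_nat(nat, msg)
    return flow, msg


def approach2_nat(nat: Nat, msg: dict) -> dict:
    """Approach 2: the NAT leaves the MRI untouched and appends a translation object."""
    return {**msg, "nat_info": nat.translate(msg["mri"])}


def approach2_peer_map(msg: dict) -> MRI:
    """A NAT-aware downstream peer maps the signalling to the data flow it will see."""
    return msg.get("nat_info", msg["mri"])


def demo(key: bytes = b"constructed-shared-key") -> dict:
    # Constructed sample: host 10.0.0.5 behind NAT 203.0.113.1 signals for a flow to 198.51.100.7.
    flow = MRI("10.0.0.5", 5000, "198.51.100.7", 3000)
    msg = {"mri": flow, "tag": protect(key, flow)}

    nat1 = Nat("203.0.113.1")          # approach 1: translates data and signalling alike
    data_seen1 = nat1.translate(flow)
    sig1 = approach1_nat(nat1, msg)

    nat2 = Nat("203.0.113.1")          # approach 2: same binding rule, MRI left intact
    data_seen2 = nat2.translate(flow)
    sig2 = approach2_nat(nat2, msg)

    # Approach 1 across a cascade: inner NAT to a private range, outer NAT to a public one.
    cas_flow, cas_msg = approach1_cascade([Nat("192.168.1.1"), Nat("203.0.113.1")], flow, msg)

    return {
        "a1_consistent": sig1["mri"] == data_seen1,
        "a1_cascade_consistent": cas_msg["mri"] == cas_flow,
        "a2_consistent": approach2_peer_map(sig2) == data_seen2,
        "a1_integrity_ok": verify(key, sig1["mri"], sig1["tag"]),   # rewritten MRI no longer verifies
        "a2_integrity_ok": verify(key, sig2["mri"], sig2["tag"]),
        "a1_reveals_private": sig1["mri"].src_ip == flow.src_ip,
        "a2_reveals_private": sig2["mri"].src_ip == flow.src_ip,    # original MRI leaves the NAT
        "a1_peer_needs_nat_awareness": "nat_info" in sig1,
        "a2_peer_needs_nat_awareness": "nat_info" in sig2,
    }
```

Running `demo()` gives the two columns of the slides as booleans: approach 1 is consistent (also through the cascade) and hides the private address, but its integrity check fails; approach 2 passes the integrity check only because the protected MRI is untouched, which is exactly why the original, internal MRI reaches the far side and why non-NAT peers have to understand the extra object.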

Scope

- Coordination of GIST and address translation in the NAT (NATs are routers too)?
- Coordination of NSLP functionality with NAT functionality (i.e. flow identification before or after translation)?
- Security considerations
  - Installation of bindings as a result of signalling.
  - NAT vs. NSIS policies; conflict avoidance?

Open issues

- When should a (bidirectional) NAT binding be installed?
  - When signalling exists in one direction?
  - When signalling exists in both directions?
- Compatibility with the GIST spec
- GIST/NSLP-unaware NATs

Conclusion

NAT traversal at the GIST layer…
- involves addressing many (sub)cases
- raises “new” security concerns
- is likely to require a document of considerable length

Is the draft a reasonable basis for further discussion? Feedback solicited!