NSIS NAT/Firewall NSLP
Martin Stiemerling, Hannes Tschofenig, Miquel Martin, Cedric Aoun
NSIS WG, 59th IETF

Content
- Current changes in -01
  - Reorder sections
  - Mainly editorial changes
- Stacking
- Policy rule lifetime handling
- NATFW reserve address, or 'find the last NAT'

Stacking: Problem
[Figure: hosts Alice, Bob, Trudy and Max, middleboxes NAT1, NATFW2 (Sales/HR), NAT3 (ISP x), and Foo.com. The route that passes through all of the stacked NATs is labelled "NAT stacking" and "need to avoid this path from being taken"; the alternative is labelled "preferred path".]

Stacking
- Record the external addresses at each traversed NAT
  - until the message reaches the edge NAT
  - proposal made during the last IETF meeting
[Figure: same topology as the previous slide. The record of external addresses (REA) carried by the message grows by one entry per NAT traversed: REA:[ ], 2-REA:[ | ], 3-REA:[ | | ], 4-REA:[ | | ]; the addresses themselves are not legible in the transcript.]

Stacking: Pros and Cons
- Pros
  - End hosts can (probably) optimise the route of their data flow
  - End hosts could learn where the NATs are located
  - In effect a kind of NAT traceroute
- Cons
  - Probably reveals topology to users and to other hosts
  - NATFW messages grow on the path, since each NAT adds its IP address
  - Security problem: a malicious NAT on the path may change the IP address information recorded by NATs already passed

Policy rule lifetime handling
- A lifetime is associated with each policy rule
  - the policy rule is removed automatically after the lifetime expires
  - soft-state maintenance through a prolong message
- Current: end-to-end lifetime maintenance
  - the NSIS Initiator chooses the lifetime
  - a NATFW NSLP node can only accept or deny the complete request; there is no way of telling the initiator which lifetime would be acceptable
- Planned: end-to-end "take what you want"
  - the Initiator proposes a lifetime
  - NATFW NSLP nodes may change the proposal to their needs on the way
  - the Initiator can accept, or cancel the policy rule
[Message flow, NSIS Initiator -> NF/Middlebox -> NSIS Receiver:
  1. Initiator sends Create (lt=120 min)
  2. Middlebox: 120 min too long, set to 60 min; forwards Create (lt=60 min) to the Receiver
  OK is returned to the Initiator with the reduced lifetime.]

Policy rule lifetime handling (continued)
- Current lifetime process
  - Simple
  - The NI must keep trying (polling) to find the right lifetime value
  - Can result in several Create message attempts
- Proposed lifetime process
  - More parts of the message change on the path (not only the flow information)
  - The NI immediately gets the minimum acceptable lifetime
  - Probably only one message, and the middleboxes are configured
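The two lifetime schemes compared on these slides, as an added Python example that is not part of the presentation or of the NATFW NSLP draft: a constructed chain of middleboxes, each with an assumed maximum lifetime its policy allows; the current accept-or-deny behaviour, where the initiator has to poll downward with repeated Create attempts; and the proposed "take what you want" behaviour, where each middlebox shortens the proposal on the path and the initiator accepts the result or cancels the rule. Middlebox names, the polling step and the per-box limits are made up for illustration.

```python
"""Constructed comparison of NATFW NSLP policy-rule lifetime handling.
Added example; names, limits and the polling step are assumptions."""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Middlebox:
    name: str
    max_lifetime_min: int  # assumed longest lifetime this box's policy allows


@dataclass
class Result:
    ok: bool                # rule installed with a lifetime the initiator accepts
    lifetime_min: int       # lifetime finally in effect (0 if nothing was installed)
    messages: int           # Create/cancel messages the initiator had to send
    trace: List[str] = field(default_factory=list)


def create_current(path: List[Middlebox], requested: int, initiator_min: int,
                   step: int = 30) -> Result:
    """Current scheme: a middlebox either accepts or denies the whole request
    and reveals nothing about what it would accept, so the initiator polls
    downward in fixed steps until every box accepts or it reaches its own
    minimum useful lifetime."""
    lifetime, attempts, trace = requested, 0, []
    while lifetime >= initiator_min:
        attempts += 1
        denier = next((mb.name for mb in path if lifetime > mb.max_lifetime_min), None)
        if denier is None:
            return Result(True, lifetime, attempts, trace)
        trace.append(f"Create(lt={lifetime} min) denied by {denier}")
        lifetime -= step
    return Result(False, 0, attempts, trace)


def create_proposed(path: List[Middlebox], requested: int, initiator_min: int) -> Result:
    """Proposed scheme: the Create carries a proposal; every middlebox on the
    path may only shorten it and installs the rule with the shortened value;
    the OK returns the resulting lifetime and the initiator accepts it or
    cancels the rule if it is below its own minimum."""
    lifetime, trace = requested, []
    for mb in path:
        if lifetime > mb.max_lifetime_min:
            trace.append(f"{mb.name}: {lifetime} min too long, set to {mb.max_lifetime_min} min")
            lifetime = mb.max_lifetime_min
    messages = 1  # the single Create; the OK carries the lifetime back
    if lifetime < initiator_min:
        messages += 1  # initiator cancels the rule the middleboxes installed
        return Result(False, lifetime, messages, trace)
    return Result(True, lifetime, messages, trace)


def example_path() -> List[Middlebox]:
    """Constructed path: the middle box is the restrictive one, as on the slide."""
    return [Middlebox("NF1", 240), Middlebox("NF2", 60), Middlebox("NF3", 120)]


if __name__ == "__main__":
    for name, fn in (("current", create_current), ("proposed", create_proposed)):
        r = fn(example_path(), 120, 30)
        print(f"{name}: ok={r.ok} lifetime={r.lifetime_min} min messages={r.messages}")
        for line in r.trace:
            print("   ", line)
```

The check the initiator must not skip in the proposed scheme is the comparison of the returned lifetime against its own minimum: because a middlebox can only shorten the proposal, a rule that comes back with a lifetime too short to be useful has already been installed on the path and should be cancelled rather than left to expire.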

Find the last NAT
- NATFW reserve-external-address message
  - Reserves an IP address/port at the most external NAT (the edge NAT)
  - Gives the host a chance to receive data originated in the public network
  - Usable, for example, for SIP (early media)
- Currently the NATFW NSLP searches for the last NAT
  - Give the NSLP message a target (e.g. the SIP server) and the last NAT will return the public address
  - Reuse the reservation for a later Create message coming from the public network
- Is it appropriate to let the NSLP find the last NAT?
  - The reserve message is sent to a fake target
  - The reserve message runs in the opposite direction of the data that comes later
- Or is this 'special routing' better done by the NTLP?
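A simulation of the two mechanisms from the stacking slides and this slide, as an added example that is not code from the presentation or the draft: a constructed chain of NATs (RFC 5737 documentation addresses) through which a signaling message records each NAT's external address until it reaches the edge NAT, including the con noted above that a malicious on-path NAT can rewrite the entries recorded by NATs already passed; and a reserve message addressed to a fake target that only the edge NAT acts on, returning an external address/port that a later Create arriving from the public side is matched against. Class and function names, the port range and the host addresses are assumptions.

```python
"""Constructed simulation of NAT stacking (record of external addresses) and
of reserving an external address at the edge NAT.  Added example; names,
addresses and the port range are assumptions, not the draft's definitions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Nat:
    name: str
    external_ip: str            # address used on this NAT's outside interface
    edge: bool = False          # True for the most external NAT; public network beyond it
    malicious: bool = False     # models the slide's con: rewrites earlier REA entries
    next_port: int = 40000      # assumed start of the reservation port range
    reservations: Dict[Endpoint, str] = field(default_factory=dict)

    def reserve(self, internal_host: str) -> Endpoint:
        """Allocate an external (ip, port) for internal_host and remember it."""
        ep = (self.external_ip, self.next_port)
        self.next_port += 1
        self.reservations[ep] = internal_host
        return ep


def record_external_addresses(path: List[Nat]) -> List[str]:
    """Stacking proposal: every traversed NAT appends its external address to
    the record (REA) carried in the message, the edge NAT being the last.
    Nothing authenticates the entries, so a malicious NAT can overwrite what
    the NATs before it recorded and the host cannot tell."""
    rea: List[str] = []
    for nat in path:
        if nat.malicious:
            rea = [nat.external_ip for _ in rea]   # tamper with earlier entries
        rea.append(nat.external_ip)
        if nat.edge:
            break
    return rea


def reserve_at_edge(path: List[Nat], internal_host: str, target: str) -> Optional[Endpoint]:
    """Reserve message: addressed to `target` (a fake target such as a SIP
    server) only so that it is routed outward through all NATs; the target
    itself never sees it.  The edge NAT reserves and returns the public
    address/port; None if no edge NAT lies on the path."""
    for nat in path:
        if nat.edge:
            return nat.reserve(internal_host)
    return None


def match_public_create(path: List[Nat], dst: Endpoint) -> Optional[str]:
    """A later Create arriving from the public network for `dst` is matched
    against the reservation held at the edge NAT; returns the internal host
    the reservation belongs to, or None if nothing was reserved."""
    for nat in path:
        if nat.edge:
            return nat.reservations.get(dst)
    return None


def build_path(tamper: bool = False) -> List[Nat]:
    """Constructed chain NAT1 -> NAT2 -> NAT3 (edge); NAT2 optionally malicious."""
    return [
        Nat("NAT1", "192.0.2.1"),
        Nat("NAT2", "198.51.100.1", malicious=tamper),
        Nat("NAT3", "203.0.113.1", edge=True),
    ]


if __name__ == "__main__":
    print("REA, honest path:   ", record_external_addresses(build_path()))
    print("REA, NAT2 tampering:", record_external_addresses(build_path(tamper=True)))
    path = build_path()
    public = reserve_at_edge(path, "10.0.0.5", "sip.example.net")
    print("reserved at edge NAT:", public)
    print("Create from public side maps to:", match_public_create(path, public))
```

The tampered REA has the same length and shape as the honest one, which is the point of the security con on the pros/cons slide: without some per-hop protection of the recorded entries, the host cannot distinguish a forged NAT location list from a genuine one.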

More Questions or Comments? Thanks.