NAT/Firewall Behavioral Requirements draft-audet-nat-behave-00 François Audet - Cullen Jennings


Background
- The authors realized that they were both drafting very similar requirements for NAT/FW vendors to facilitate peer-to-peer media (VoIP, etc.)
- NAT/FW vendors would like guidance on implementing NAT/FWs that do not break applications such as Voice over IP and gaming

Goals of document
- Define terminology for NAT/FW behavior
  – Current terminology is "confusing" at best
- Define requirements for NAT/FW behavior
  – Simple requirements suitable for consumer-grade NAT/FWs

NAT/FW Behavior
- UDP NAT behavior
  – Address and port binding
  – Port assignment
  – Bind refresh direction
  – Bind refresh scope
- UDP firewall behavior
  – Filtering of unsolicited packets
  – Filter refresh

Other Behaviors
- Hairpinning behavior
- Deterministic properties
- ICMP behavior
- Fragmentation behavior
- TCP behavior
- Multicast and IGMP behavior

Requirements
- REQ-1: A NAT MUST have an "External NAT Binding is endpoint independent" behavior (NB=I).
- REQ-2: It is RECOMMENDED that a NAT have a "No port preservation" behavior.
  – REQ-2a: A NAT MAY use a "Port preservation" behavior.
  – REQ-2b: A NAT MUST NOT have a "Port overloaded" behavior.

Requirements (cont.)
- REQ-3: A dynamic NAT UDP binding timer MUST NOT expire in less than 2 minutes.
  – REQ-3a: The value of the NAT UDP binding timer MAY be configurable.
  – REQ-3b: A default value of 5 minutes for the NAT UDP binding timer is RECOMMENDED.
- REQ-4: The NAT UDP binding timeout MUST have a NAT refresh direction behavior of "Outbound" (i.e. the binding is refreshed by outbound traffic only).
  – REQ-4a: The NAT UDP binding timeout MUST have a NAT refresh method behavior of "Per binding" (i.e. a refresh applies to all sessions active on that binding).

Requirements (cont.)
- REQ-5: It is RECOMMENDED that a firewall have an "External filtering is endpoint address dependent" behavior (EF=AD).
  – REQ-5a: A firewall MAY have an "External filtering is endpoint independent" behavior (EF=I).
  – REQ-5b: A firewall MAY have an "External filtering is endpoint address and port dependent" behavior (EF=APD).
- REQ-6: The firewall UDP filter timeout behavior MUST be the same as the NAT UDP binding timeout.
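A minimal model of the UDP behaviors that REQ-1 through REQ-6 ask for (endpoint-independent binding, no port preservation, an outbound-only per-binding refresh timer, and address-dependent filtering that shares the binding timeout), written as an added example that is not part of the presentation or the draft; the addresses, port range and time units are constructed.

```python
"""Toy model of the NAT/FW behaviours required by REQ-1 through REQ-6.
Added example, not code from the draft or its authors; the constructed
addresses and the 'internal host sends first' flow are illustrative."""
import itertools
from dataclasses import dataclass, field

BIND_TIMEOUT = 300  # REQ-3b: 5 minute default (REQ-3 forbids less than 120 s)


@dataclass
class Binding:
    ext_port: int
    expires: float
    peers: set = field(default_factory=set)  # external IPs this host sent to


class Nat:
    def __init__(self, ext_ip="203.0.113.1"):  # constructed public address
        self.ext_ip = ext_ip
        self.ports = itertools.count(40000)  # REQ-2: no port preservation
        self.bindings = {}  # (internal ip, internal port) -> Binding

    def outbound(self, now, src, dst):
        """Internal src=(ip, port) sends to external dst=(ip, port).
        Returns the external (ip, port) the packet leaves with."""
        b = self.bindings.get(src)
        if b is None or b.expires <= now:
            # REQ-1 (NB=I): one external port per internal ip:port,
            # reused for every destination until the binding expires
            b = self.bindings[src] = Binding(next(self.ports), 0)
        b.expires = now + BIND_TIMEOUT  # REQ-4: only outbound traffic refreshes
        b.peers.add(dst[0])             # REQ-4a: refresh covers the whole binding
        return (self.ext_ip, b.ext_port)  # REQ-5: filter state keyed on peer IP

    def inbound(self, now, src, dst_port):
        """External src=(ip, port) sends to ext_ip:dst_port. Returns the
        internal (ip, port) to deliver to, or None if filtered."""
        for int_addr, b in self.bindings.items():
            if b.ext_port == dst_port and b.expires > now:  # REQ-6: same timeout
                # EF=AD: any port of a previously contacted IP is accepted,
                # traffic from other IPs is dropped; nothing here refreshes
                return int_addr if src[0] in b.peers else None
        return None  # no live binding: inbound traffic never creates one
```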

Requirements (cont.)
- REQ-7: A NAT/FW MUST support "Hairpinning" behavior.
  – REQ-7a: A NAT/FW Hairpinning NAT behavior MUST be "External source IP address and port".
- REQ-8: A NAT MUST have the capability to turn off individually all ALGs it supports, except for DNS and IPsec.
  – REQ-8a: Any NAT ALG for SIP MUST be turned off by default.
- REQ-9: A NAT/firewall MUST have deterministic behavior.

Requirements (cont.)
- REQ-10: The TCP binding timeout for NATs and the filter rule timeout for firewalls MUST be greater than 7800 seconds.
- REQ-11: A NAT/firewall SHOULD support forwarding fragmented packets (SF).
- REQ-12: A NAT/FW MUST support ICMP Destination Unreachable (SU).
  – REQ-12a: The ICMP timeout SHOULD be greater than 2 seconds.
- REQ-13: A NAT/FW SHOULD support forwarding multicast packets (SM).

Discussion
- Other behaviors?