NATFW NSLP overview
Document history
v00 - Jan 27th - Creation

Agenda
- Introduction
- NATFW NSLP mode of operation
- Things to fix

Introduction
NATFW NSLP scope: to be added later
NATFW NSLP deployment scenarios:
- DS behind NAT
- DR behind NAT
- Same for FW and for NATFW
- Intra-realm communications
Intra-realm communications
[Figure: Alice (a.b.c.d) and Bob (a.b.c.e) are both in Net x, behind one NSIS-aware NAT/FW (labelled a.b.c.1/24 and k.l.m.n/30) that connects to "the net".]
Alice wants to talk to Bob.
How to avoid useless resource spending on NATs and firewalls (and potentially even QoS gates)?
Let Bob provide Alice with both his locally scoped and his globally scoped address.

Intra-realm communications
[Figure: Alice (a.b.c.d) and Bob (a.b.c.e) in Net x behind an NSIS-aware NAT/FW + QoS NSLP (a.b.c.1/24, k.l.m.n/30); Phil (also a.b.c.d) in a second Net x behind another NSIS-aware NAT/FW + QoS NSLP (a.b.c.1/24, e.f.g.h/30); both NAT/FWs attach to "the net".]
Alice wants to talk to Phil.
Locally scoped addresses can obviously overlap; a solution needs to be provided to handle that case.
Intra-realm communications: NAT stacking
[Figure: Alice, Bob and Trudy behind NAT1 and NATFW2 (Sales/HR); Max at Foo.com behind NAT3; ISP x in between. The path through the stacked NATs is marked "need to avoid this path from being taken".]
Same problem, but getting worse ...

Intra-realm communications: NAT stacking
[Figure: same topology (Alice, Bob, Trudy, NAT1, NATFW2, Sales/HR, ISP x, NAT3, Max, Foo.com); the path to avoid is marked again and the direct route is marked "Preferred path!!!".]

Intra-realm communications: NAT stacking
[Figure: same topology; the labels along the path read REA:[ ], 2-REA:[ | ], 3-REA:[ | | ], 4-REA:[ | | ].]
Intra-realm communications
Issues with the non-optimal paths:
- Aside from being not optimal ...
- Certain NATs do not support the required loopback behavior
Proposed solution:
- Communicate several NR addresses to the NI
- The first response received from an NR hints at the NR address to use for the rest of the messages
- NSIS messages need to be sent simultaneously and not sequentially (i.e. do not wait for responses)

Intra-realm communications
Proposed solution (continued):
- The RESERVE message needs to be intercepted by intermediate NATs (before reaching the edge NAT)
- These intermediate NATs need to provide the translated address as well
User application impacts:
- Several NR addresses need to be provided
NTLP impacts:
- Although a messaging association was already linked to a destination address, it needs to be re-checked whether it still applies, to avoid the confusion caused by overlapping locally scoped addresses
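The NI side of the proposed solution, as an added simulation that is not part of the slides: CREATE is dispatched to every provided NR address without waiting, the first response wins, and (as an assumed guard for the overlapping-address case raised on the Phil slide and under "Things to fix") a response only counts if it echoes a session id the NI put into CREATE. Hosts, addresses, RTTs and the session-id field are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    name: str
    sessions: set = field(default_factory=set)  # session ids this host expects

@dataclass
class Response:
    addr: str
    arrival_ms: int
    session_id: str  # echoed from CREATE: hypothetical guard, not in the slides

def send_create_to_all(candidates, reachable, rtt_ms, session_id):
    """Dispatch CREATE to every candidate NR address at once (no waiting
    between sends) and return the responses in arrival order."""
    answers = []
    for addr in candidates:
        host = reachable.get(addr)
        if host is None:
            continue  # no NSIS-aware host answers on that path
        # A host that never learned the session still answers: this models a
        # local NE that merely shares the remote NR's locally scoped address.
        echoed = session_id if session_id in host.sessions else "unknown"
        answers.append(Response(addr, rtt_ms[addr], echoed))
    return sorted(answers, key=lambda r: r.arrival_ms)

def choose_nr_address(candidates, reachable, rtt_ms, session_id):
    """First response wins, but only if it echoes the NI's session id;
    later responses for the same session are ignored."""
    for resp in send_create_to_all(candidates, reachable, rtt_ms, session_id):
        if resp.session_id == session_id:
            return resp.addr
    return None  # no valid responder: no NR address to use

# Constructed topology, seen from Alice (the NI) in Net x.
bob = Host("Bob", {"sess-bob"})
phil = Host("Phil", {"sess-phil"})
local_dup = Host("NE in Alice's realm owning a.b.c.d", set())
REACHABLE = {"a.b.c.e": bob, "k.l.m.n": bob,            # Bob: direct, via NAT
             "a.b.c.d": local_dup, "e.f.g.h": phil}     # Phil's local addr overlaps
RTT_MS = {"a.b.c.e": 1, "k.l.m.n": 12, "a.b.c.d": 1, "e.f.g.h": 25}

def talk_to_bob():
    return choose_nr_address(["a.b.c.e", "k.l.m.n"], REACHABLE, RTT_MS, "sess-bob")

def talk_to_phil():
    return choose_nr_address(["a.b.c.d", "e.f.g.h"], REACHABLE, RTT_MS, "sess-phil")
```

`talk_to_bob()` settles on the direct address a.b.c.e, so no NAT/FW state is spent; `talk_to_phil()` rejects the faster answer from the local host at a.b.c.d and settles on e.f.g.h.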
NSIS NATFW NSLP life cycle: start-up
[State diagram; recovered labels: NSIS NATFW activated -> Start -> NR-behind-NAT discovery -> "Behind a NAT?" -> NRBNAT=0 or NRBNAT=1 -> Idle.]
NSIS NATFW NSLP life cycle: NI, state Idle
[State diagram; recovered labels]
- Initiator event -> send CREATE message to all provided recipients*; n=MAXRTX; run timer and wait for response
- Path-Succeeded** -> Stateinstalled
- Error msg -> St-Instl-Flure -> inform upper layers -> Idle
- Any other messages -> drop
- Timeout -> n--; n>0: yes -> Snd-CREATE (resend), no -> St-Instl-Flure
NSIS NATFW NSLP life cycle: NI, state Stateinstalled
[State diagram; recovered labels]
- Waiting for state-change triggers; trigger test: Modify? / Negotiate (yes / no)
- Run STRF** timer; timeout -> ST-Refresh
- Received delete -> inform upper layers -> Idle
- Any other msgs -> drop
- Other labels on the slide: Snd-CREATE, St-Instl-Flure, Inform upper layers, Idle
- ST-Delete: inform upper layers; Reason? upper layer requested -> send delete msg -> Idle; received delete msg -> Idle
NSIS NATFW NSLP life cycle: NI, states ST-Refresh and Modify
[State diagram; recovered labels]
- ST-Refresh: send Refresh* -> Stateinstalled
- Modify: n=MAXRTXMDFY; send Modify**; run timer and wait for response
- Path-Succeeded*** -> Stateinstalled
- Error msg -> MD-St-Instl-Flure
- Any other messages -> drop
- Timeout -> n--; n>0: yes -> send Modify again, no -> MD-St-Instl-Flure
- MD-St-Instl-Flure: inform upper layers; keep existing state? yes -> Stateinstalled, no -> ST-Delete
NSIS NATFW NSLP life cycle: NR, states NR-Idle and Active-Listen
[State diagram; recovered labels]
- NR-Idle: check NRBNAT; 0 -> Pasv-Listen, 1 -> Active-Listen
- Active-Listen: initiator event -> send RESERVE msg; n=MAXRTX-RSV; run timer and wait for response
- Received RSV Ack -> PASV-Listen
- Error msg* -> inform upper layers -> PASV-Listen
- Any other messages -> drop
- Timeout -> n--; n>0: yes -> resend, no -> inform upper layers -> PASV-Listen
NSIS NATFW NSLP life cycle: NR, state PASV-Listen
[State diagram; recovered labels]
- Received msg -> check msg type
- Received Create msg -> NR-Rcv-Create
- Modify -> NR-Mod-ST
- Received Delete msg -> inform upper layers -> NR-Idle (send delete confirm?* ??)
- Received Error msg -> inform upper layers -> NR-Idle / PASV-Listen
- Any other messages -> drop
NSIS NATFW NSLP life cycle: NR, state NR-Rcv-Create
[State diagram; recovered labels]
- Validate: no -> ??? -> send Error msg -> NR-Idle
- Validate: yes -> inform upper layers; send create-ack; n=MAXRTX-CRACK; run timer and wait for response
- Received create-ack Ack -> PASV-Listen
- Error related to create-ack -> inform upper layers -> PASV-Listen
- Any other msgs -> drop
- Timeout -> n--; n>0: yes -> resend, no -> inform upper layers -> NR-Idle
NSIS NATFW NSLP life cycle: NR, state NR-Mod-ST
[State diagram; recovered labels]
- Validate: no -> ??? -> send Error msg -> NR-Idle
- Validate: yes -> inform upper layers; send mod-ack; n=MAXRTX-MODACK; run timer and wait for response
- Received mod-ack Ack -> PASV-Listen
- Error related to mod-ack -> inform upper layers -> PASV-Listen
- Any other msgs -> drop
- Timeout -> n--; n>0: yes -> resend, no -> inform upper layers -> NR-Idle
NSIS NATFW NSLP life cycle: NF, state NF-Idle
[State diagram; recovered labels]
- Received msg -> msg type
- Create-msg -> NF-Rcv-Create
- Reserve-msg -> NF-Rcv-RSV
- Any other msg -> drop -> NF-Idle
NSIS NATFW NSLP life cycle: NF, state NF-Rcv-Create
[State diagram; recovered labels]
- Validate-authz: no -> send error (no authz) -> NF-Idle
- Validate-authz: yes -> available resources? no -> send error upstream -> NF-Idle (should we send create with error flag downstream???)
- Available resources: yes -> forward create -> wait for confirmation (timer)
- Received authorized create-ack -> NF-ST-Install (NF-State-Install)
- Received error -> forward error* -> NF-Idle
- Timeout -> send error (last node, no authz) -> NF-Idle
- Received other msg -> drop
NSIS NATFW NSLP life cycle: NF, state NF-Rcv-RSV
[State diagram; recovered labels]
- NAT? no -> forward -> NF-Idle
- NAT? yes, edge NAT? no -> forward -> wait for Create*; received Create -> NF-Rcv-Create
- Edge NAT? yes -> send RSV-Ack -> NF-NATBINDRSV (also labelled: wait for RSV-Ack, timeout, send RSV-Ack, append RSV-ack)
- NF-NATBINDRSV: n=RCVMAX; received Create-msg -> NF-Rcv-Create; received anything else -> drop
- Local bind update -> send bind-update** -> NF-NATBINDRSV
- Rcv bind update -> forward -> NF-NATBINDRSV
- Local system failure -> delete bind / send error -> NF-Idle
- Rcv upstream error -> delete bind / forward -> NF-Idle
- Timeout -> n--; n>0: yes -> drop, no -> send error -> NF-Idle
NSIS NATFW NSLP life cycle: NF, state NF-ST-Install
[State diagram; recovered labels]
- Forward -> NF-ST-Installed
- Waiting for Create ack? Create-msg ack -> forward -> NF-ST-Installed
- Rcv Error msg -> NF-Idle
- Timeout -> send create-ack with last-NF flag -> NF-ST-Installed
- Other msg -> drop
- Local system error -> send error -> NF-Idle
NSIS NATFW NSLP life cycle: NF, state NF-ST-Installed
[State diagram; recovered labels]
- Received msg -> msg check
- Rcv Refresh -> forward* -> NF-ST-Installed
- Rcv delete -> delete state / forward -> NF-Idle
- Rcv modify msg -> NF-Rcv-Modify
- Rcv error msg -> delete state -> NF-Idle
- Local system error -> send error / delete state -> NF-Idle
- Any other msg -> NF-ST-Installed
NSIS NATFW NSLP life cycle: NF, state NF-Rcv-Mod
[State diagram; recovered labels]
- Check msg / Validate-authz: no -> send error (no authz) -> NF-Idle
- Validate-authz: yes -> available resources? no -> send error upstream / keep existing -> NF-ST-Installed
- Available resources: yes -> forward mod -> NF-ST-Installedmod
- Received authorized mod-ack -> NF-ST-Installmod (NF-State-Install)
- Received error -> forward error* -> NF-Idle
- Received other msg -> drop
NSIS NATFW NSLP life cycle: NF, states NF-ST-Installmod and NF-ST-Installedmod
[State diagram; recovered labels]
- NF-ST-Installmod: forward -> NF-ST-Installedmod
- Waiting for mod ack? mod-msg ack -> forward -> change state -> NF-ST-Installed
- Rcv Error msg* -> NF-ST-Installed
- Rcv fatal Error msg** -> delete state / forward -> NF-Idle (was I the last NF? policy check: yes)
- Timeout -> send mod-ack with last-NF flag*** -> NF-ST-Installed
- Other msg -> drop
- Local system error -> send error -> NF-Idle
Things to fix
- How to benefit more from the user apps triggering the NATFW NI/NR, particularly for key management and messaging association parameter negotiation?
- Provide means to prevent local NEs from responding instead of remote NEs that have the same locally scoped address