0 NAT/Firewall NSLP, IETF 63rd, August 2005, draft-ietf-nsis-nslp-natfw-07.txt. Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

1 Solved Issues
NATFW NSLP issue tracker, solved issues:
- I2: Installation of packet filters (in addition to pinholes)
- I3: Wildcarding of policy rules
- I10: Twice NAT handling
- I12: Specific IANA port number for REA message
- I17: Enable NSLP to carry TCP sequence numbers?
- I19: Add new reference for RSVP/Firewall traversal
- I31: NATFW NSLP Path Change Handling
- I37: Proxy mode selection for DR behind NAT or Firewall

2 Route-Change Handling
- The node detecting the route change generates a NOTIFY
- The NOTIFY propagates upstream to the NI
- The NI takes action depending on the session: sending a CREATE/REA/UCREATE message
- Requires the NI to act, but keeps the NFs simple

3 Route-Change Handling (same text as slide 2, with figure)
[Figure: NSLP session X along NI -> NF -> NR; the NOTIFY travels back to the NI, which answers with a new CREATE]
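
The exchange on slides 2/3 as a runnable toy model, added here as an example; it is not code from the slides or from the draft. The message names CREATE and NOTIFY are the draft's, but the message fields, the Forwarder/Initiator classes, the way the current path is looked up and the addresses in the flow filter are assumptions made for the illustration.

```python
# Added example (not from the slides or the draft): toy model of NATFW NSLP
# route-change handling. Message fields, class names and the path lookup are
# assumptions for this illustration; only the message names come from the draft.
import secrets
from dataclasses import dataclass, field


@dataclass
class Message:
    kind: str                       # "CREATE" or "NOTIFY"
    session_id: str
    payload: dict = field(default_factory=dict)


class Forwarder:
    """NF (NAT/firewall): installs the rule carried by CREATE and relays NOTIFY
    upstream. It never re-creates state on its own; that is the NI's job, which
    is what keeps the NF simple."""

    def __init__(self, name: str):
        self.name = name
        self.rules: dict[str, str] = {}     # session_id -> installed packet filter
        self.log: list[str] = []

    def on_create(self, msg: Message) -> None:
        self.rules[msg.session_id] = msg.payload["filter"]
        self.log.append(f"{self.name}: installed rule for {msg.session_id[:8]}")

    def detect_route_change(self, session_id: str) -> Message:
        """The node that notices the route change generates the NOTIFY."""
        self.log.append(f"{self.name}: route change, NOTIFY for {session_id[:8]}")
        return Message("NOTIFY", session_id, {"reason": "route change", "origin": self.name})

    def relay_notify(self, msg: Message) -> None:
        self.log.append(f"{self.name}: relayed NOTIFY for {msg.session_id[:8]}")


class Initiator:
    """NI: owns the session and reacts to NOTIFY by re-signalling."""

    def __init__(self, current_path):
        self.current_path = current_path    # callable returning the NFs now on the path
        self.sessions: dict[str, str] = {}  # session_id -> packet filter
        self.sent: list[str] = []

    def create(self, packet_filter: str) -> str:
        sid = secrets.token_hex(16)         # 128-bit random session ID
        self.sessions[sid] = packet_filter
        self._send_create(sid)
        return sid

    def _send_create(self, sid: str) -> None:
        path = self.current_path()
        msg = Message("CREATE", sid, {"filter": self.sessions[sid]})
        for nf in path:                     # path-coupled: every NF on the data path sees it
            nf.on_create(msg)
        self.sent.append(f"CREATE {sid[:8]} via {[nf.name for nf in path]}")

    def on_notify(self, msg: Message) -> None:
        # A NOTIFY for a session this NI does not own is ignored.
        if msg.session_id in self.sessions:
            self._send_create(msg.session_id)   # re-signal along the (new) path


def propagate_notify(msg: Message, path: list, origin: Forwarder, ni: Initiator) -> None:
    """NOTIFY travels from the detecting node back towards the NI through the
    upstream NFs, which only relay it."""
    for nf in reversed(path[: path.index(origin)]):
        nf.relay_notify(msg)
    ni.on_notify(msg)


def route_change_scenario():
    nf0, nf_a, nf_b, nf_c = (Forwarder(n) for n in ("NF-0", "NF-A", "NF-B", "NF-C"))
    topology = {"path": [nf0, nf_a, nf_b]}          # NI -> NF-0 -> NF-A -> NF-B -> NR
    ni = Initiator(lambda: topology["path"])
    sid = ni.create("udp 10.0.0.1:5004 -> 192.0.2.9:5004")   # constructed flow filter

    # The route now runs NI -> NF-0 -> NF-A -> NF-C -> NR. NF-A's next hop
    # changed, so NF-A generates the NOTIFY; NF-0 relays it to the NI.
    old_path = topology["path"]
    topology["path"] = [nf0, nf_a, nf_c]
    propagate_notify(nf_a.detect_route_change(sid), old_path, nf_a, ni)
    # NF-B keeps its stale rule: the slides do not say how old-path state is
    # removed, so this model leaves it to the normal state timeout.
    return ni, {"NF-0": nf0, "NF-A": nf_a, "NF-B": nf_b, "NF-C": nf_c}


if __name__ == "__main__":
    ni, nfs = route_change_scenario()
    for nf in nfs.values():
        print("\n".join(nf.log))
    print("\n".join(ni.sent))
```

Running it shows the second CREATE reaching NF-C with the same session ID and filter, NF-0 relaying the NOTIFY, and NF-B still holding the rule from the old path.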

4 Proxy mode selection for DR behind NAT or Firewall
- Draft -06 discussed only possible solutions
- New text in draft -07: "It is RECOMMENDED that a DR behind NATs uses the proxy mode of operation by default, unless the DR knows that the DS is NSIS aware."

5 Open Issues
In total 17 open issues. Some of them:
- Port range parameter field (I29)
- Keep port parity field/semantics (I28)
- Session ownership (I7)
- Exact semantics of UCREATE (I38)

6 Issues 29/28: L4 Ports
Issue 29: Port range parameter field
- Some applications, such as RTP, need to run on two consecutive port numbers
- Suggestion: applications should use RFC 3605 (the SDP "a=rtcp" attribute, which signals the RTCP port explicitly instead of assuming RTP+1) and close the issue
Issue 28: Keep port parity field/semantics
- As with issue 29, some applications need not only two consecutive port numbers but also preserved port parity (RTP on the even port, RTCP on the odd one)
- Suggestion: close the issue
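
Why RFC 3605 lets both issues be closed, as an added example that is not from the slides or the draft: a constructed NAT port allocator that tries to honour the RTP convention (even RTP port, RTCP on RTP+1) and, when it cannot, an SDP generator that adds the a=rtcp attribute so the receiver no longer needs to infer the RTCP port. The function names, the port pool and the address are assumptions for the illustration.

```python
# Added example (not from the slides): port pairing at a NAT versus signalling
# the RTCP port explicitly with a=rtcp (RFC 3605). allocate_pair(), sdp_media()
# and the port pool are constructed for this illustration.


def allocate_pair(free_ports: set[int]) -> tuple[int, int]:
    """Hand out (rtp, rtcp). Prefer an even port with its successor free;
    otherwise return the two lowest free ports, whatever their parity.
    Mutates free_ports in place."""
    for port in sorted(free_ports):
        if port % 2 == 0 and port + 1 in free_ports:
            free_ports -= {port, port + 1}
            return port, port + 1
    if len(free_ports) < 2:
        raise RuntimeError("port pool exhausted")
    rtp = min(free_ports)
    free_ports.remove(rtp)
    rtcp = min(free_ports)
    free_ports.remove(rtcp)
    return rtp, rtcp


def needs_rtcp_attribute(rtp: int, rtcp: int) -> bool:
    """True when the default rule (RTP even, RTCP on RTP+1) does not hold."""
    return rtp % 2 != 0 or rtcp != rtp + 1


def sdp_media(rtp: int, rtcp: int, addr: str) -> list[str]:
    """Media lines for the pair; adds a=rtcp (RFC 3605) only when the receiver
    could not derive the RTCP port from the RTP port."""
    lines = [f"c=IN IP4 {addr}", f"m=audio {rtp} RTP/AVP 0"]
    if needs_rtcp_attribute(rtp, rtcp):
        lines.append(f"a=rtcp:{rtcp}")
    return lines


def demo() -> list[list[str]]:
    pool = {5000, 5001, 5003, 5004, 5006}          # constructed free-port pool
    out = []
    for _ in range(2):
        rtp, rtcp = allocate_pair(pool)            # second call cannot pair properly
        out.append(sdp_media(rtp, rtcp, "203.0.113.4"))
    return out


if __name__ == "__main__":
    for media in demo():
        print("\n".join(media), end="\n\n")
```

The first allocation yields 5000/5001 and needs no attribute; the second can only offer 5003/5004, and the a=rtcp:5004 line carries the information the NAT could not preserve.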

7 Session Ownership
Current draft uses a public/private key mechanism to sign each message
- Session ID and signature are used to prove ownership
- Purpose-built keys (PBK)
- Section 3.8 "Session Ownership"
- Puts a heavy computational burden on NSLP nodes
Recent changes discussed on Tuesday
- No public/private key, since too heavy
- Rely on a random session ID instead
- Gives protection against off-path attackers (they never see the ID and cannot guess it if it is long and unpredictable)
- On-path attackers are hard to handle if present at session setup (without validating their claimed role in the network by using a security infrastructure)
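
The trade-off on this slide in runnable form, added as an example and not the draft's mechanism: a node whose only proof of ownership is the session ID, an off-path attacker who has to guess it, and an on-path attacker who saw the CREATE. The SessionTable class, the rule string and the probability helper are assumptions for the illustration.

```python
# Added example (not the draft's mechanism): session ownership by random
# session ID. SessionTable and the attacker steps are constructed here.
import secrets

SESSION_ID_BYTES = 16                       # 128-bit session ID


def new_session_id() -> str:
    # Drawn from the OS CSPRNG: unpredictable to anyone who has not seen it.
    return secrets.token_hex(SESSION_ID_BYTES)


class SessionTable:
    """Per-session state at an NSLP node. Without the PBK signature, the only
    proof of ownership a later message carries is knowledge of the session ID."""

    def __init__(self):
        self.rules: dict[str, str] = {}

    def create(self, session_id: str, rule: str) -> None:
        self.rules[session_id] = rule       # also covers a refresh by the owner

    def teardown(self, session_id: str) -> bool:
        """True if state was removed, False if the ID is unknown here."""
        return self.rules.pop(session_id, None) is not None


def off_path_success_probability(attempts: int, id_bytes: int = SESSION_ID_BYTES) -> float:
    """Chance that an attacker who never saw the ID hits one live session by guessing."""
    return attempts / 2 ** (8 * id_bytes)


def ownership_scenario() -> dict:
    nf = SessionTable()
    sid = new_session_id()
    nf.create(sid, "udp 10.0.0.1:5004 -> 192.0.2.9:5004")   # constructed rule

    # Off-path attacker: never saw the CREATE, so it can only guess an ID.
    off_path = nf.teardown(new_session_id())

    # On-path attacker: observed the CREATE at setup and replays the ID.
    # The session ID alone gives the node no way to tell it from the NI.
    on_path = nf.teardown(sid)

    return {
        "off_path_succeeded": off_path,
        "on_path_succeeded": on_path,
        "state_left": sid in nf.rules,
        "p_guess_after_2^40_tries": off_path_success_probability(2 ** 40),
    }


if __name__ == "__main__":
    for k, v in ownership_scenario().items():
        print(f"{k}: {v}")
```

The off-path guess fails and the probability stays negligible even after 2^40 attempts, while the on-path replay removes the state: exactly the residual risk the slide names, which only a security infrastructure validating the sender's role would close.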

8 NR behind Firewall Protection
In the case of an NR behind a firewall, the current draft says:
- A firewall running the NATFW NSLP must allow incoming NSIS signaling traffic towards an NR
Effectively this gives an attacker a nice chance to reach any NSIS-enabled host in an otherwise protected network
Suggested change:
- Remove the above requirement
- The DR/NR must tell the firewall its willingness to receive NSIS signaling
- An NR behind a firewall must run a "firewall REA"
- "firewall REA" = upstream message that finds the firewall and tells it the NR's willingness to receive NSIS signaling
- The "firewall REA" could be an extended UCREATE
The right firewall could potentially be known by out-of-band methods (real-time notification of out-of-bound peak packet rate for a specific flow type)

9 Semantics of UCREATE
- Proxy mode for a data receiver behind a firewall
- Used to block particular incoming data flows
- Can be used as the "firewall REA"
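
Slides 8 and 9 together, as an added example that is not from the slides or the draft: a firewall in front of an NR with the current draft's rule (admit all inbound NSIS signaling) beside the suggested behaviour (admit it only after the NR's "firewall REA"), plus UCREATE blocking one incoming flow. The Flow type, the message dictionaries, the require_registration switch and the addresses are assumptions for the illustration.

```python
# Added example (not from the slides or the draft): weak rule (inbound NSIS
# signalling always admitted) beside the suggested "firewall REA" rule, with
# UCREATE also used to block a flow. Flow, the message dicts and the
# require_registration switch are constructed for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    dst: str        # the NR's address inside the protected network
    dport: int


class Firewall:
    def __init__(self, require_registration: bool):
        # False: current draft text, inbound NSIS signalling always admitted.
        # True:  suggested change, admitted only for NRs that ran a firewall REA.
        self.require_registration = require_registration
        self.nsis_willing: set[str] = set()    # NRs that registered willingness
        self.blocked: set[Flow] = set()        # flows blocked via UCREATE
        self.pinholes: set[Flow] = set()

    def on_upstream(self, msg: dict) -> None:
        """UCREATE from an NR inside: either the 'firewall REA' (register
        willingness to receive NSIS signalling) or a request to block a flow."""
        if msg["kind"] != "UCREATE":
            return
        if msg["action"] == "nsis-willing":
            self.nsis_willing.add(msg["nr"])
        elif msg["action"] == "block":
            self.blocked.add(msg["flow"])

    def on_inbound_create(self, msg: dict) -> bool:
        """CREATE arriving from outside towards an NR. True if it is passed on
        (and a pinhole installed), False if dropped at the firewall."""
        flow: Flow = msg["flow"]
        if self.require_registration and flow.dst not in self.nsis_willing:
            return False        # host never asked for NSIS signalling: drop
        if flow in self.blocked:
            return False        # NR explicitly blocked this flow with UCREATE
        self.pinholes.add(flow)
        return True

    def permits_data(self, flow: Flow) -> bool:
        return flow in self.pinholes and flow not in self.blocked


def firewall_rea_scenario() -> dict:
    nr = "10.0.0.7"                                # constructed addresses
    media = Flow("udp", nr, 5004)
    unwanted = Flow("udp", nr, 6000)
    create_media = {"kind": "CREATE", "flow": media}
    create_unwanted = {"kind": "CREATE", "flow": unwanted}

    weak = Firewall(require_registration=False)
    weak_reached_nr = weak.on_inbound_create(create_media)   # nobody asked, still admitted

    fw = Firewall(require_registration=True)
    before_rea = fw.on_inbound_create(create_media)
    fw.on_upstream({"kind": "UCREATE", "action": "nsis-willing", "nr": nr})   # firewall REA
    fw.on_upstream({"kind": "UCREATE", "action": "block", "flow": unwanted})
    after_rea = fw.on_inbound_create(create_media)
    blocked = fw.on_inbound_create(create_unwanted)
    return {
        "weak_reached_nr": weak_reached_nr,
        "before_rea": before_rea,
        "after_rea": after_rea,
        "blocked_flow_admitted": blocked,
        "media_permitted": fw.permits_data(media),
    }


if __name__ == "__main__":
    for k, v in firewall_rea_scenario().items():
        print(f"{k}: {v}")
```

With the weak setting the outside CREATE reaches a host that never asked for NSIS signalling; with registration required it is dropped until the NR's upstream UCREATE has found the firewall, and a flow the NR blocked stays blocked even after that.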

10 Conclusions
Draft is stable in most parts
Currently changing parts:
- Security
- UCREATE semantics
- REA objects and semantics
- Mapping of policy rules to middlebox resources
- Error code details and classification
- Diagnosis procedures
Diff between -06 and -07:

11 Thank you. Questions?