Presentation is loading. Please wait.

Presentation is loading. Please wait.

NAT Behavioral Requirements for Unicast UDP

Published byReynold Hart Modified over 6 years ago

Similar presentations

Presentation on theme: "NAT Behavioral Requirements for Unicast UDP"— Presentation transcript:

1 NAT Behavioral Requirements for Unicast UDP
draft-ietf-behave-nat-udp-03 François Audet - Cullen Jennings - draft-ietf-behave-nat-udp-03

2 draft-ietf-behave-nat-udp-03
Status draft-ietf-behave-nat-udp-00 presented at IETF 62 Went through Working Group Last Call 3rd minor release since then (-01, 02, -03) Integrates all decisions made in IETF 62 and on mailing list since then No major outstanding issue draft-ietf-behave-nat-udp-03

3 Summary of changes from -00
Applicability Statement: clarified that it applies to Traditional NAT (used to include Bi-directional and Twice-NAT) Removed some verbiage about “large Enterprise NAT” Terminology Simplified name of behaviors, e.g., “External NAT mapping is endpoint address dependent” to “Address Dependent Mapping” draft-ietf-behave-nat-udp-03

4 Summary of changes from -00
List Requirements in flow of text, with justification, as they naturally occur in document for ease of reading Requirement summary section remains Combined “Mapping Refresh Scope” and “Mapping Refresh Direction” section in new “Mapping Refresh” section draft-ietf-behave-nat-udp-03

5 Summary of changes from -00
Removed completely section describing relationship between explicit behaviors described in this document and old broken “Cone/Symmetric” terminology Editorial clarifications for ICMP and fragmentations sections draft-ietf-behave-nat-udp-03

6 Summary of changes from -00
Old REQ-3 It is RECOMMENDED that a NAT have a "Port assignment" behavior of "No port preservation". a) NAT MAY use a "Port assignment" behavior of "Port preservation". b) A NAT MUST NOT have a "Port assignment" behavior of "Port overloading". c) If the host's source port was in the range , it is RECOMMENDED the NAT's source port also be in the same range. If the host's source port was in the range , it is RECOMMENDED that the NAT's source port also be in that range. New REQ-3 A NAT MUST NOT have a "Port assignment" behavior of "Port overloading". a) If the host's source port was in the range , it is RECOMMENDED the NAT's source port be in the same range. If the host's source port was in the range , it is RECOMMENDED that the NAT's source port be in that range. draft-ietf-behave-nat-udp-03

7 Summary of changes from -00
Deleted REQ-6b The NAT mapping Refresh Direction MUST have a "NAT refresh method behavior" of "Per mapping" (i.e. refresh all sessions active on a particular mapping). draft-ietf-behave-nat-udp-03

8 Summary of changes from -00
Old REQ-7 It is RECOMMENDED that a NAT have an "External filtering is endpoint address dependent" behavior. New REQ-7 If application transparency is most important, it is RECOMMENDED that a NAT have "Endpoint independent filtering" behavior. If a more stringent filtering behavior is most important, it is RECOMMENDED that a NAT have "Address dependent filtering" behavior. a) The filtering behavior MAY be an option configurable by theadministrator of the NAT. draft-ietf-behave-nat-udp-03

9 Summary of changes from -00
Old REQ-9 If a NAT includes ALGs, it is RECOMMENDED that all of those ALGs be disabled by default. a) If a NAT includes ALGs, it is RECOMMENDED that the NAT allow the user to enable or disable each ALG separately. New REQ-9 If a NAT includes ALGs, it is RECOMMENDED that all of those ALGs (except for DNS [19] and FTP [18]) be disabled by default. a) If a NAT includes ALGs, it is RECOMMENDED that the NAT allow the NAT administrator to enable or disable each ALG separately. draft-ietf-behave-nat-udp-03

10 Summary of changes from -00
Old REQ-11 It is RECOMMENDED that a NAT support ICMP Destination Unreachable. a) The ICMP timeout SHOULD be greater than 2 seconds. New REQ-11 Receipt of any sort of ICMP message MUST NOT destroy the NAT mapping. a) The NAT's default configuration SHOULD NOT filter ICMP messages based on their source IP address. b) It is RECOMMENDED that a NAT support ICMP Destination Unreachable messages. draft-ietf-behave-nat-udp-03

11 draft-ietf-behave-nat-udp-03
Open issues One outstanding issue REQ-7a: Should the “MAY” be a “SHOULD” Let’s decide once and for all I believe I forgot to remove completely section 5.2 as agreed. Objections to do so? Next step? draft-ietf-behave-nat-udp-03

Download ppt "NAT Behavioral Requirements for Unicast UDP"

Similar presentations

Access Control List (ACL)

Access Control List (ACL)
CSC458 Programming Assignment II: NAT Nov 7, 2014.

CSC458 Programming Assignment II: NAT Nov 7, 2014.
IPv6 Simple security capabilities. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB.

IPv6 Simple security capabilities. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.
1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings

1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings
Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.

Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 10 Access Control Lists CCNA2: Module 11.

WXES2106 Network Technology Semester /2005 Chapter 10 Access Control Lists CCNA2: Module 11.
CS682 – Network Management and Security Session 5.

CS682 – Network Management and Security Session 5.
Chapter 2 Internet Protocol DoD Model Four layers: – Process/Application layer – Host-to-Host layer – Internet layer – Network Access layer.

Chapter 2 Internet Protocol DoD Model Four layers: – Process/Application layer – Host-to-Host layer – Internet layer – Network Access layer.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.

Implementing Standard and Extended Access Control List (ACL) in Cisco Routers.
4: Addressing Working At A Small-to-Medium Business or ISP.

4: Addressing Working At A Small-to-Medium Business or ISP.
Lab 5: NAT CS144 Review Session 7 November 13 th, 2009 Roger Liao.

Lab 5: NAT CS144 Review Session 7 November 13 th, 2009 Roger Liao.
Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.

Packet Filtering. 2 Objectives Describe packets and packet filtering Explain the approaches to packet filtering Recommend specific filtering rules.
Chapter 6: Packet Filtering

Chapter 6: Packet Filtering
Introduction to Network Address Translation

Introduction to Network Address Translation
Dean Cheng Jouni Korhonen Mehamed Boucadair

Dean Cheng Jouni Korhonen Mehamed Boucadair
1 The Firewall Menu. 2 Firewall Overview The GD eSeries appliance provides multiple pre-defined firewall components/sections which you can configure uniquely.

1 The Firewall Menu. 2 Firewall Overview The GD eSeries appliance provides multiple pre-defined firewall components/sections which you can configure uniquely.
Access Control List (ACL) W.lilakiatsakun. ACL Fundamental ► Introduction to ACLs ► How ACLs work ► Creating ACLs ► The function of a wildcard mask.

Access Control List (ACL) W.lilakiatsakun. ACL Fundamental ► Introduction to ACLs ► How ACLs work ► Creating ACLs ► The function of a wildcard mask.

Similar presentations

Ads by Google