NSIS Path-coupled Signaling for NAT/Firewall Traversal Martin Stiemerling, Miquel Martin (NEC) Hannes Tschofenig (Siemens AG) Cedric Aoun (Nortel)


2 History
Initial presentation on NAT/FW NSLP in Vienna
Face-to-face design team meeting in Sep. 2003:

3 Current documents
WG document (draft-ietf-nsis-nslp-natfw-00.txt)
2 individual submissions (draft-aoun & draft-martin)
Authors' agreement on the content of the WG document
The 2 individual submissions require additional thought

4 Two modes of operation
Create Mode
–Create pinholes along the data path (might also create NAT bindings)
–Exchange triggered by data sender (path-coupled)
Reserve Mode
–For "Receiver behind a NAT" scenario
–This mode is to enable reachability.
–Reserves a NAT binding on the reverse path
–Exchange triggered by data receiver!

5 Create Mode of Operation
Send request for opening firewall pinholes and NAT bindings towards the destination of the data path
When a firewall is hit...
–Packet filter is created (when the authentication and authorization process succeeded)
–Message is sent further along the path
When a NAT is hit...
–Allocate NAT binding (when the authentication and authorization process succeeded)
–Change IP addresses/port numbers in the NSIS message to the NAT binding

6 NSIS Signaling example - Firewall (Bob sending data)
[Figure: Alice and Bob with an NSIS-aware firewall (NSIS FW) on the path between them; arrows for data, NSIS signaling and application-level signaling]

7 Reserve Mode of Operation
Used by data receiver located behind a NAT
Data receiver sends NSIS reserve NSLP message
When it hits a NAT...
–Create NAT binding
–If the NAT is at a private-to-public boundary: send back the allocated public binding
–If the NAT is at a private-to-private boundary: change the NSIS message to the newly allocated binding and forward
The public NAT binding is transmitted to the NI through external means (application signaling)
Issues:
–NAT binding might change the data path
–Need to refresh state on both the outgoing path and the incoming path; basically it uses 2 NSIS sessions for one data flow.
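The Create Mode walk of slide 5 and the Reserve Mode walk of slide 7, as an added toy model in Python (not code from the draft or its authors); the node classes, the flow tuple layout and any addresses used with it are assumptions made here for illustration:

```python
# Toy model of the NAT/FW NSLP Create and Reserve modes from slides 5 and 7 (added example).
# A flow descriptor is ((src_ip, src_port), (dst_ip, dst_port)) as carried in the NSLP message.

class Firewall:
    def __init__(self):
        self.pinholes = []

    def on_create(self, flow, authorized):
        # Slide 5: install the packet filter only if AuthN/AuthZ succeeded, then forward unchanged.
        if not authorized:
            return None                      # rejected: nothing installed, nothing forwarded
        self.pinholes.append(flow)
        return flow

class Nat:
    def __init__(self, public_ip, at_public_boundary):
        self.public_ip = public_ip
        self.at_public_boundary = at_public_boundary   # private-to-public vs. private-to-private
        self.bindings = {}
        self.next_port = 40000

    def bind(self, addr):
        # Allocate (or reuse) a binding for a private (ip, port) pair.
        if addr not in self.bindings:
            self.bindings[addr] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.bindings[addr]

    def on_create(self, flow, authorized):
        # Slide 5: allocate a binding and rewrite the sender's address/port in the message.
        if not authorized:
            return None
        src, dst = flow
        return (self.bind(src), dst)

def create_mode(path, flow, authorized=True):
    # Sender-triggered CREATE: walk the data path; return the flow as the destination sees it.
    for node in path:
        flow = node.on_create(flow, authorized)
        if flow is None:
            return None
    return flow

def reserve_mode(nats, addr):
    # Receiver-triggered RESERVE (slide 7): each NAT binds; a public-boundary NAT answers, inner NATs forward.
    for nat in nats:
        addr = nat.bind(addr)
        if nat.at_public_boundary:
            return addr
    return None                              # message never reached the public side
```

Running `create_mode([Firewall(), Nat("203.0.113.1", True)], flow)` shows the rewritten source address the destination would see, while `reserve_mode` over a private-to-private NAT followed by a private-to-public one shows the two-binding chain the receiver must hand to the sender via application signaling.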

8 Simple NAT Scenario (Bob sending data)
[Figure: Bob and Alice, with an NSIS NAT at the boundary between the public Internet and a private address space; arrows for data, NSIS signaling (Reserve Mode), NSIS signaling (Create Mode) and application-level signaling]

9 Reserve Mode of Operation: Approaches
You need to "extend" the path to the "real end host".
The NAT needs to know where to forward an NSIS message it receives.
Approaches to communicate this information:
–Implicit via some non-NSIS messages
–Explicit via NSIS signaling
What info do you use to extend the path?
–NSIS application state
–True NAT binding
–Reuse previously created state (implicit state)

10 Assumptions
NAT traversal of NTLP/QoS NSLP/X NSLP signaling itself is out of scope of this document
Combining NAT/FW and QoS signaling might be an optimization on the NTLP level, but is not taken care of in the NAT/FW NSLP
Other assumptions/constraints have been mentioned in Vienna.

11 Open issues
Trust relationships and security issues (=> draft-martin-nsis-nslp-security-00.txt)
Migration and missing trust relationship issues (=> draft-aoun-nsis-nslp-natfw-migration-00.txt)
Requirements for the NTLP
Route change and mobility aspects
Get agreement on the security mechanisms
Adaptation to NTLP spec
Bit-level message format

