Slide 1: Middlebox Communication Framework and Requirements
Jiri Kuthan, GMD-Fokus, kuthan@fokus.gmd.de
Jonathan Rosenberg, dynamicsoft, jdrosen@dynamicsoft.com
December 2000, 49th IETF, MidCom BOF
49th IETF Meeting, draft-kuthan-midcom-framework-00.txt

Slide 2: Outline
- Background
  - transparency loss
  - ALGs embedded in intermediate network devices
- Suggestion: decomposition of intermediate network devices
- Driver: co-existence of firewalls, NATs, NAT-PTs with applications using session control protocols
- Missing piece: protocol between ALGs and intermediate network devices
- Conclusions
Slide 3: Background: ALGs
- Loss of Transparency (RFC 2775)
- ALGs are one of the mechanisms that assist applications in traversing network realms (IPv4, IPv6, NAT, FW, ...)
- ALGs are embedded
  - maintainability not very good (numerous application protocols, V1, V2, V3, ...)
  - application-awareness is likely to affect performance
  - neither end-to-end nor hop-by-hop security supported
- Decomposition desired: ALGs stay, but not in network devices
- Case study: firewall/NAT traversal of applications relying on session control
Slide 4: Ultimately Secure Firewall
Installation Instructions: For best effect install the firewall between the CPU unit and the wall outlet. Place the jaws of the firewall across the power cord, and bear down firmly. Be sure to wear rubber gloves while installing the firewall or assign the task to a junior system manager. If the firewall is installed properly, all the lights on the CPU will turn dark and the fans will grow quiet. This indicates that the system has entered a secure state.
For Internet use install the firewall between the demarc of the T1 to the Internet. Place the jaws of the firewall across the T1 line lead, and bear down firmly. When your Internet service provider's network operations center calls to inform you that they have lost connectivity to your site, the firewall is correctly installed.
(© Marcus Ranum)
Slide 5: Static Filtering Policy is not Enough
- Filtering policy in firewalls can be set up anywhere in the range between the ultimate firewall (see previous slide) and a completely open one (see what Microsoft suggests to enable NetMeeting in networks with firewalls)
- The problem: all these policies are static; they prohibit dynamic conditions such as sessions established using a session control protocol (SIP, H.323, RTSP)
- Note: such protocols are not a bug, they are a feature needed by many applications
Slide 6: Application-awareness to Deal with Dynamic Conditions
- To handle dynamic conditions, firewalls need to understand the application protocols that create them -> Application Level Gateways
  - firewalls with ALGs are transparent, i.e. no firewall support in end-devices is needed
- Traditional ALGs are embedded
- Problems:
  - maintainability not very good (numerous application protocols, V1, V2, V3, ...)
  - application-awareness is likely to affect performance
  - neither end-to-end nor hop-by-hop security supported
Slide 7: Suggestion: Decomposition
- We suggest using externalized ALGs that access intermediate network devices such as firewalls/NA(P)Ts/NAT-PTs via a generic control protocol
- Benefits:
  - intermediate network devices need to speak only a single control protocol; ALGs may easily be supplied by third parties
  - existing application-awareness (e.g., SIP proxies) may be reused (as opposed to duplicating it in network devices)
  - hop-by-hop security works
Slide 8: Missing Piece
- Protocol for communicating control data associated with IP/transport-layer data flows, or aggregates of them, between intermediate packet processing devices and external controllers: Flow State Control Protocol (FCP)
- Application-independent
- Control data: {packet matching expression, pass/drop, packet counter, ...}
- Extensible (new per-flow state members may be added)
- Secure
- Examples:
  - udp From 193.174.154.10:44444 To 195.113.150.66:55555 Pass
  - udp From 10.0.0.1:44444 To 195.113.150.66:55555 Modify source_ip=FEDC:BA98:7654:3210:FEDC:BA98:7654:3210
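As an added illustration (not code from the draft or the slides), the following Python sketches the per-flow state described above: an external controller such as a SIP proxy installs the slide's two example rules, the middlebox data path matches packets against them, counts them and applies Pass/Drop/Modify, and the controller withdraws the state when the session ends. FCP's wire format is not specified on this page, so the rule grammar, the names, and the bracketed rendering of the IPv6 literal are assumptions.

```python
import re
from dataclasses import dataclass, field

# Added illustration, not the draft's code: the draft only sketches FCP, so
# the rule grammar and the names below are assumptions.
RULE_RE = re.compile(
    r"^(?P<proto>udp|tcp) From (?P<src>\S+) To (?P<dst>\S+) "
    r"(?P<action>Pass|Drop|Modify)(?: (?P<args>.*))?$"
)

EXAMPLE_RULES = [  # the two example lines from the slide
    "udp From 193.174.154.10:44444 To 195.113.150.66:55555 Pass",
    "udp From 10.0.0.1:44444 To 195.113.150.66:55555 "
    "Modify source_ip=FEDC:BA98:7654:3210:FEDC:BA98:7654:3210",
]

@dataclass
class FlowState:
    proto: str
    src: str            # "ip:port" matching expression for the source
    dst: str            # ... and for the destination
    action: str         # Pass, Drop or Modify
    modify: dict = field(default_factory=dict)   # e.g. {"source_ip": ...}
    packets: int = 0    # per-flow packet counter from the control data

def parse_rule(line):
    """Turn one rule line into per-flow state; raises on unknown syntax."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("unparsable rule: %r" % line)
    mods = dict(kv.split("=", 1) for kv in (m["args"] or "").split())
    return FlowState(m["proto"], m["src"], m["dst"], m["action"], mods)

def build_table(lines):
    """External controller (e.g. a SIP proxy) installs flow state."""
    return [parse_rule(line) for line in lines]

def close_flow(table, proto, src, dst):
    """Controller removes the state again when the session ends."""
    table[:] = [f for f in table if (f.proto, f.src, f.dst) != (proto, src, dst)]

def process_packet(table, proto, src, dst):
    """Data path: match one packet, count it, apply the action; no state = Drop."""
    for fs in table:
        if (fs.proto, fs.src, fs.dst) == (proto, src, dst):
            fs.packets += 1
            if fs.action == "Modify" and "source_ip" in fs.modify:
                new_ip, port = fs.modify["source_ip"], src.rsplit(":", 1)[1]
                if ":" in new_ip:             # IPv6 literal, as on the slide
                    new_ip = "[%s]" % new_ip  # bracket it so the port stays readable
                src = "%s:%s" % (new_ip, port)
            return ("Drop" if fs.action == "Drop" else "Pass"), src, dst
    return "Drop", src, dst
```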
Slide 9: A MidCom Network
(Figure, not recoverable from the extraction: an administrator-maintained zone containing an application policy server linked to a SIP proxy by a policy protocol; SIP, RTSP and FTP proxies carrying the application control protocols and using FCP to program the FCP unit, per-flow state table and ACL of an intermediate network device; raw data streams (RTP, ftp-data, etc.) between inside and outside end-devices passing through that device. Legend: ---- raw data streams, ____ application control protocols, .... FCP, ~~~~ policy protocol.)
Slide 10: Summary: We have...
- a problem statement, which is the suboptimal deployability of embedded ALGs that help applications traverse various realms, such as IPv4, IPv6, and networks behind NATs and FWs
- a solution, which is control of per-flow states
- extensibility, which allows the same solution to be used for other purposes related to control of flow processing
Slide 11: Conclusions
- FCP makes traversal of applications across different realms easier by making ALGs better deployable.
- Disclaimer: FCP does not fix loss of transparency; it makes it easier to live with, and it may help the transition to IPv6.
- Are we going to form a new WG that will deal with this kind of protocol?
Slide 12: Information Resources
- Authors
  - Jiri Kuthan, kuthan@fokus.gmd.de
  - Jonathan Rosenberg, jdrosen@dynamicsoft.com
- Mailing list where FCP has been discussed
  - foglamps@lists.panix.com
  - To subscribe, send email to majordomo@lists.panix.com with "subscribe foglamps" in the body of the message
  - Archive: http://www.fokus.gmd.de/glone/ietf/foglamps/
- The requirements and framework I-D:
  - draft-kuthan-midcom-framework-00.txt