NAT/Firewall NSLP

IETF 62 – March 2005
draft-ietf-nsis-nslp-natfw-05.txt

Martin Stiemerling, Hannes Tschofenig, Cedric Aoun

IPR Claim

• Received IPR claim of Nortel December 14th

• Nortel Networks U.S. Patent No. 6,772,210, entitled "Method and apparatus for exchanging communications between telephone number based devices in an internet protocol environment", may contain claims that are believed may be necessary for practicing the resulting IETF Standard based on this Internet Draft.

• Claim is here: https://datatracker.ietf.org/public/ipr_detail_show.cgi?&ipr_id=506

• We are not lawyers, but there MAY be prior art!

Editorial Changes in -05

• Several editorial changes
  – Moved Miquel to the author's list in the text body
  – Integrated many comments from Elwyn

• Merged Query message into a single section 3.3.6
  – Was Section 3.3.6 and 3.3.7

• Aligned object format presentation to GIMPS I-D

• Added in Section 3.5 the compatibility bits described in GIMPS
  – NATFW NSLP limits usage to MANDATORY, OPTIONAL, FORWARD
  – REFRESH bit combination not used, NFs do not refresh on their own

Editorial Changes in -05

• Changed Response Type Object to Proxy Support Object

• Removed scoping object (not needed anywhere)

• NOTIFY (per WG decision – IETF 61)
  – Removed NOTIFY target object
  – NOTIFY messages are sent upstream only (Section 3.3.5)

• Added appendix on "Object ID allocation for testing"

• Added text about how REA is activated to Section 3.3.2

• Updated security considerations

Security Consideration Section Update

• Resolved remaining issues in the NAT/FW threats document
  – See mailing list, data receiver behind a NAT

• NAT/FW threats document incorporated into main document
  – Was draft-fessi-nsis-natfw-threats-02

• Updated threat model and security solution text
  – GIMPS security between neighboring NSLP nodes
  – Usage of authorization tokens
  – Authentication and authorization of an initiator towards non-neighboring nodes based on CMS

• Open issues:
  – Mobility handling and security (based on old I-D)
  – More details
  – Security object formats

Protocol Changes in -05

• Introduced notion of 'deny' policy rules

• Reworked Section 3.3.8 and 3.3.9 (proxy mode)
  – Section 3.3.7 Proxy Mode for Data Receiver behind NAT
  – Section 3.3.8 Proxy Mode for Data Sender behind Middleboxes
  – Proxy mode is no longer the default mode (see later)

• Added DSInfo description to section about REA
  – Information about data sender
  – Limit possible CREATE message senders and local filters

• Since REA incorporates the DSInfo semantics, the TRIGGER message has been removed

• Added section about finding upstream firewalls (UCREATE)
  – Section 3.3.9 Proxy Mode for Data Receiver behind Firewall

• More details on next slides...

Proxy Mode - NR side

• Data receiver behind NAT

Issues on DR behind NAT Proxy Mode

• Issues with not using the proxy mode as default
  – NI+ (i.e. NR) needs to know the NATFW NSLP capabilities
  – Impact on applications as they would need to advertise their NSIS capabilities

• Proxy mode used and far end host supports the NSLP
  – How to handle the existing NSLP sessions triggered by the REA?
    · One created by a CREATE message sent by the Edge NAT
    · One created by a CREATE message sent by the far end host's NI
  – DR to decide whether the proxy mode signaling session needs to be terminated based on an e2e signaling session.

On the Security of Data Receiver behind a NAT

[Figure: Data Sender – NAT/FW – Data Receiver, with (1) End-to-End Signaling and (2) Proxy Mode Signaling]

• Treat the signaling sessions (1) and (2) independently (authorization issue)

• Do not update state established on the NAT/FW (created by the proxy mode signaling session) based on an e2e signaling session.

• Proxy mode triggers a CREATE to deal with routing asymmetry and firewalls between the NAT/FW and the DR.
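The two rules on this slide (treat sessions (1) and (2) independently; never let an end-to-end session modify state the proxy-mode session installed) can be modelled as a state-table invariant: every policy rule on the NAT/FW remembers the NSLP session that installed it, and lookups go by session id, never by flow alone. The following is an added example written for this page, not code from the draft or its authors; the session ids, flow values, message shape and the `MiddleboxState` class are constructed for illustration, and the "deny" action mirrors the 'deny' policy rules the -05 revision introduces.

```python
"""Constructed model of NAT/FW NSLP state ownership (not draft text or code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str = "udp"


@dataclass
class Rule:
    flow: Flow
    action: str      # "allow" or "deny"
    owner: str       # NSLP session id of the signaling session that installed the rule
    lifetime: int    # seconds; a CREATE carrying lifetime 0 tears the rule down


class MiddleboxState:
    """Policy-rule table of one NAT/FW, keyed by NSLP session id (hypothetical model)."""

    def __init__(self) -> None:
        self.rules: Dict[str, Rule] = {}

    def handle_create(self, session_id: str, flow: Flow, action: str, lifetime: int) -> str:
        """Apply one CREATE message; returns 'installed', 'refreshed', 'removed' or 'rejected'."""
        existing = self.rules.get(session_id)
        if existing is None:
            if lifetime == 0:
                return "rejected"   # teardown for state this session never installed
            self.rules[session_id] = Rule(flow, action, session_id, lifetime)
            return "installed"
        # State is reached only through the owning session id, so a message from
        # session (1) can never touch a rule that session (2) installed, even for
        # the same flow. A session may not silently re-point its rule at another flow.
        if existing.flow != flow:
            return "rejected"
        if lifetime == 0:
            del self.rules[session_id]
            return "removed"
        existing.action = action
        existing.lifetime = lifetime
        return "refreshed"

    def rules_for_flow(self, flow: Flow) -> List[Rule]:
        return [r for r in self.rules.values() if r.flow == flow]

    def is_allowed(self, flow: Flow) -> bool:
        matching = self.rules_for_flow(flow)
        has_allow = any(r.action == "allow" for r in matching)
        has_deny = any(r.action == "deny" for r in matching)
        return has_allow and not has_deny


def scenario() -> dict:
    """Walk sessions (1) and (2) from the slide through one NAT/FW; constructed values."""
    mb = MiddleboxState()
    flow = Flow(src="192.0.2.10", dst="198.51.100.7", dst_port=5004)  # documentation ranges
    out = {}
    # (2) Proxy mode: the NAT/FW, acting for the DR, installs the rule for the flow.
    out["proxy_create"] = mb.handle_create("proxy-s2", flow, "allow", 300)
    # (1) The data sender's end-to-end session covers the same flow; it gets its own rule.
    out["e2e_create"] = mb.handle_create("e2e-s1", flow, "allow", 300)
    out["rules_after_both"] = len(mb.rules_for_flow(flow))
    # The e2e session ends (lifetime 0): only its own rule is removed.
    out["e2e_teardown"] = mb.handle_create("e2e-s1", flow, "allow", 0)
    out["proxy_rule_survives"] = "proxy-s2" in mb.rules
    out["still_allowed"] = mb.is_allowed(flow)
    # A further message under the e2e session id cannot reach the proxy rule either.
    out["cross_session_change"] = mb.handle_create("e2e-s1", flow, "deny", 0)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of keying by session rather than by flow is that the authorization decision made for session (2) (the proxy CREATE issued by the edge NAT) is never re-used or overridden by whoever can speak for session (1); which node is entitled to use a given session id is what the neighbor-to-neighbor GIMPS security from the previous slide establishes.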

Proxy Mode - NI side

• Data sender behind NAT or Firewall

Blocking Traffic

• Proxy Mode for Data Receiver behind Firewall

• Used to block particular incoming data flows

Open Issues

• Security

• Details on UCREATE
  – Protocol details just new
  – Need review
  – Multihomed scenarios: several Firewalls in parallel

• There is an issue tracker: https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/index

• You can register yourself at the tracker!

• A diff between -04 and -05 at: http://www.stiemerling.org/ietf/nsis/draft-ietf-nsis-nslp-natfw-05-diff-to-04.html