Presentation is loading. Please wait.

Presentation is loading. Please wait.

NAT/Firewall Behavioral Requirements draft-audet-nat-behave-00 François Audet - Cullen Jennings -

Published byJoshua Riley Modified over 8 years ago

Similar presentations

Presentation on theme: "NAT/Firewall Behavioral Requirements draft-audet-nat-behave-00 François Audet - Cullen Jennings -"— Presentation transcript:

1 NAT/Firewall Behavioral Requirements draft-audet-nat-behave-00 François Audet - audet@nortelnetworks.com Cullen Jennings - fluffy@cisco.com

2 Background Authors realized that they both were drafting very similar requirements for NAT/FW vendors to facilitate peer-to-peer media (VoIP, etc.) NAT/FW vendors would like guidance on implementation NAT/FW that do not break applications such as Voice Over IP & gaming

3 Goals of document Define terminology for NAT/FW behavior –Current terminology is “confusing” at best Define Requirements for NAT/FW behavior –Simple requirements suitable for consumer- grade NAT/FWs

4 NAT/FW Behavior UDP NAT behavior –Address and Port binding –Port Assignment –Bind Refresh direction –Bind Refresh scope UDP Firewall behavior –Filtering of unsolicited packets –Filter Refresh

5 Other Behaviors Hairpinning behavior Deterministic properties ICMP behavior Fragmentation behavior TCP behavior Multicast and IGMP behavior

6 Requirements REQ-1: A NAT MUST have an "External NAT Binding is endpoint independent" behavior (NB=I). REQ-2: It is RECOMMENDED that a NAT have a "No port preservation" behavior. –REQ-2a: A NAT MAY use a "Port preservation" behavior. –REQ-2b: A NAT MUST NOT have a "Port overloaded" behavior.

7 Requirements (cont.) REQ-3: A dynamic NAT UDP binding timer MUST NOT expire in less than 2 minutes. –REQ-3a: The value of the NAT UDP binding timer MAY be configurable. –REQ-3b: A default value of 5 minutes for the NAT UDP binding timer of 5 minutes is RECOMMENDED. REQ-4: The NAT UDP timeout binding MUST have a NAT refresh direction behavior of "Outbound" (i.e. based on outbound traffic only). –REQ-4a: The NAT UDP timeout binding MUST have a NAT refresh method behavior of "Per binding" (i.e. refresh all sessions active on a particular bind).

8 Requirements (cont.) REQ-5: It is RECOMMENDED that a firewall have an "External filtering is endpoint address dependent" behavior. (EF=AD) REQ-5a: A firewall MAY have an "External filtering is endpoint independent" behavior. (EF=I) –REQ-5b: A firewall MAY have an "External filtering is endpoint address and port dependent" behavior. (EF=APD) REQ-6: The firewall UDP filter timeout behavior MUST be the same as the NAT UDP binding timeout.

9 Requirements (cont.) REQ-7: A NAT/FW MUST support Hairpinning" behavior. –REQ-7a: A NAT/FW Hairpinning NAT behavior MUST be "External source IP address and port". REQ-8: A NAT MUST have the capability to turn off individually all ALGs it supports, except for DNS and IPsec. –REQ-8a: Any NAT ALG for SIP MUST be turned off by default. REQ-9: A NAT/firewall MUST have deterministic behavior.

10 Requirements (cont.) REQ-10: The TCP binding timeout for NATs and the filter rule timeout for firewalls MUST be greater than 7800 seconds. REQ-11: A NAT/firewall SHOULD support forwarding fragmented packets (SF). REQ-12: A NAT/FW MUST support ICMP Destination Unreachable (SU). –REQ-12a: The ICMP timeout SHOULD be greater than 2 seconds. REQ-13: A NAT/FW SHOULD support forwarding multicast packets (SM).

11 Discussion Others behaviors?

Download ppt "NAT/Firewall Behavioral Requirements draft-audet-nat-behave-00 François Audet - Cullen Jennings -"

Similar presentations

SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
Internet Area IPv6 Multi-Addressing, Locators and Paths.

Internet Area IPv6 Multi-Addressing, Locators and Paths.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
CSC458 Programming Assignment II: NAT Nov 7, 2014.

CSC458 Programming Assignment II: NAT Nov 7, 2014.
IPv6 Simple security capabilities. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB.

IPv6 Simple security capabilities. 50 issues from RFC 6092 edited by J. Woodyatt, Apple Presentation by Olle E. Johansson, Edvina AB.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 W. Schulte Chapter 5: Network Address Translation for IPv4  Connecting.
© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco ConfidentialPresentation_ID 1 Lecture15: Network Address Translation for IPv4 Connecting Networks.
Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.

Internet Control Protocols Savera Tanwir. Internet Control Protocols ICMP ARP RARP DHCP.
1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings

1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings
Network Address Translation (NAT) 8.10.2007 Adj. Prof. Sasu Tarkoma.

Network Address Translation (NAT) Adj. Prof. Sasu Tarkoma.
Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.

Leone From global measurements to local management UC3M: inHome NAT detection RFC recommender ICMP UDP TCP Miguel Ángel Díaz, Francisco Valera.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.

Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing Base on RFC 2827 Lector Kirill Motul.
1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &

1 Some TCP/IP Basics....NFSDNSTELNETSMTPFTP UDPTCP IP and ICMP Ethernet, serial line,..etc. Application Layer Transport Layer Network Layer Low-level &
SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.

SIP, NAT, Firewall SIP NAT Firewall How to Traversal NAT/Firewall for SIP.
Lesson 19: Configuring Windows Firewall

Lesson 19: Configuring Windows Firewall
IOS Firewall IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers) IOS Firewall: a stateful packet-filter firewall.

IOS Firewall IOS: Cisco’s Internetwork Operating System (the primary system running on Cisco’s routers) IOS Firewall: a stateful packet-filter firewall.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

Similar presentations

Ads by Google