Presentation is loading. Please wait.

Presentation is loading. Please wait.

Draft-ermagan-lisp-nat-traversal-00 Vina Ermagan, Dino Farinacci, Darrel Lewis, Fabio Maino, Jesper Skriver, Chris White Presenter: Vina Ermagan IETF.

Published byMervin Greer Modified over 6 years ago

Similar presentations

Presentation on theme: "Draft-ermagan-lisp-nat-traversal-00 Vina Ermagan, Dino Farinacci, Darrel Lewis, Fabio Maino, Jesper Skriver, Chris White Presenter: Vina Ermagan IETF."— Presentation transcript:

1 draft-ermagan-lisp-nat-traversal-00 Vina Ermagan, Dino Farinacci, Darrel Lewis, Fabio Maino, Jesper Skriver, Chris White Presenter: Vina Ermagan IETF 83, Paris – March 2012

2 Agenda Problem Overview and scope NAT Discovery xTR Registration
Multiple xTRs behind the NAT Map-Request handling Data Flow Message formats Q&A

3 LISP NAT Traversal – Overview and Scope
MS xTR Internet NAT xTR RTR LISP relies on the xTR being reachable at its RLOC and on ports 4341 and 4342, to receive LISP data and control traffic A NAT traversal mechanism is required to enable NAT discovery xTR reachability on port 4341 Scope: NAT traversal for the deployments where xTR is behind a NAT but its Map-Server is on the public side of the NAT

4 LISP NAT Traversal - Overview
MS xTR Internet NAT LISP DATA xTR RTR RTR: Re-encapsulating Tunnel Router RTR acts as a data plane proxy for LISP data traffic to and from the xTR behind the NAT This enables maintaining the LISP Control plane and Data plane separation

5 NAT Discovery MS NAT RTR
xTR Info-Request Info-Reply Src RLOC and Port from Info-Request RTR RLOC(s) NAT RTR xTR receives a new RLOC and sends Info-Request using the new RLOC to its Map-Server MS replies with an Info-Reply xTR compares the new RLOC and port with src RLOC and port from info-Reply to discover NAT device on the path If NAT exists, xTR picks one (or more) RTR RLOC from the Info-Reply and proceeds to Registration

6 xTR Registration MS NAT RTR Goals:
MS DB: site1-EID-prefix => RTR-RLOC NAT State: ITR-local, 4341 => addr’, p’ Reoriginated-Map-Register MS Site 1- xTR ITR-local, 4341 ECM-ed Map-Register Site1-EID-prefix => RTR-RLOC NAT addr’, p’ RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local , Unverified Goals: Register RTR-RLOC for site-1-EID-prefix in MS RTR learn addr’, p’ associated with site1-EID-prefix Setup required NAT state Avoid creating new security threats due to gleaning an RLOC

7 xTR Registration MS NAT RTR Goals:
MS DB: site1-EID-prefix => RTR-RLOC NAT State: ITR-local, 4341 => addr’, p’ Reoriginated-Map-Register MS Site 1- xTR Map-Notify NAT Data-Map-Notify ECM-ed Map-Register ITR-local, 4341 addr’, p’ RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local , Unverified Goals: Register RTR-RLOC for site-1-EID-prefix in MS RTR learn addr’, p’ associated with site1-EID-prefix Setup required NAT state Avoid creating new security threats due to gleaning an RLOC

8 xTR Registration – R bit
MS DB: site1-EID-prefix => RTR-RLOC NAT State: ITR-local, 4341 => addr’, p’ Map-Register MS Site 1- xTR ECM-ed Map-Register NAT Data-Map-Notify ITR-local, 4341 addr’, p’ Map-Notify RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local

9 xTR Registration – R bit
MS DB: site1-EID-prefix => RTR-RLOC NAT State: ITR-local, 4341 => addr’, p’ Map-Register(R) MS Site 1- xTR Map-Notify(R=1) ECM-ed Map-Register(R=1) NAT ITR-local, 4341 Data-Map-Notify(R) addr’, p’ RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local Sending the Map-Register/Map-Notify through the RTR allows the RTR to verify the EID-prefix-to-RLOC mapping when caching. Map-Notify (R=1): MS-RTR Authentication Data is appended at the end of the Map-Notify RTR verifies the MS-RTR Auth. Data for integrity protection and origin authentication of Map-Notify

10 xTR Registration – Instance ID
MS DB: site1-EID-prefix => RTR-RLOC NAT State: ITR-local, 4341 => addr’, p’ MS Site 1- xTR NAT Map-Register(R) ITR-local, 4341 addr’, p’ Map-Notify(R=1) ECM-ed Map-Register(R=1) Data-Map-Notify(R) Instance ID = 0xFFFFFF RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local Instance ID 0xFFFFFF is used to identify a LISP control packet encapsulated in a LISP data header

11 Map-Request Handling MS NAT RTR
MS DB: site1-EID-prefix => RTR-RLOC NAT State: ITR-local, 4341 => addr’, p’ MS Site 1- xTR NAT Map-Register(R) ITR-local, 4341 addr’, p’ Map-Notify(R=1) ECM-ed Map-Register(R=1) xTR Map-Cache: 0/0 => RTR-RLOC Data-Map-Notify(R) RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local By storing RTR-RLOC as default RLOC for data plane LISP traffic xTR encapsulates all LISP data packets to RTR By setting the proxy bit in Map-Register xTR can activate Map-Server Proxy Reply If proxy bit is not set in Map-Register: xTR periodically sends Info-Requests. MS encapsulates Map-Requests to xTR (not recommended)

12 xTR Registration – Multi xTR site
MS DB: site1-EID-prefix => RTR-RLOC NAT State: ITR-local, 4341 => addr’, p’ Map-Register(R,I) MS Site 1- xTR Map-Notify(R,I=1) ECM-ed Map-Register(R,I=1) NAT Data-Map-Notify(R,I) addr’, p’ RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local , xTR-ID xTR-ID: 128 bit xTR-ID is appended at the end of the Map-Register message, Map-Register (R=1, I=1): RTR, and MS cache xTR-ID. MS includes xTR-ID in Map-Notify messages RTR uses xTR-ID in Map-Notify to identify destination xTR

13 Data Flow I MS NAT Internet RTR MS DB: site1-EID-prefix => RTR-RLOC
NAT State: ITR-local, 4341 => addr’, p’ MS Map-Req/Map-Rep xTR NAT Internet LISP DATA xTR RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local

14 Data Flow II MS NAT Internet RTR MS DB:
site1-EID-prefix => RTR-RLOC NAT State: ITR-local, 4341 => addr’, p’ ITR-local, xxxx => addr’’, p’’ MS Map-Req/Map-Rep xTR NAT Internet LISP DATA xTR LISP DATA xTR Map-Cache: 0/0 => RTR-RLOC RTR RTR Cache: site1-EID-prefix => addr’, p’ -> RTR-RLOC,4342, ITR-local

15 Message Formats: Info-Request
|Type=7 |R| Reserved | | Nonce | | Nonce | | Key ID | Authentication Data Length | ~ Authentication Data ~ | TTL | | Reserved | EID mask-len | EID-prefix-AFI | | EID-prefix | | AFI = | <Nothing Follows AFI=0> |

16 Message Formats: Info-Reply
|Type=7 |R| Reserved | | Nonce | | Nonce | | Key ID | Authentication Data Length | ~ Authentication Data ~ | TTL | | Reserved | EID mask-len | EID-prefix-AFI | | EID-prefix | +-> | | AFI = | Rsvd | Flags | | | | Type = | Rsvd2 | n | N | MS UDP Port Number | ETR UDP Port Number | A T | AFI = x | Global ETR RLOC Address | L | AFI = x | MS RLOC Address | C A | AFI = x | Private ETR RLOC Address ... | F | | AFI = x | RTR RLOC Address | | | AFI = x | RTR RLOC Address n ... |

17 Map-Register (xTR->RTR->MS)
/ | IPv4 or IPv6 Header | \ | Src_RLOC = xTR_local , Dst_RLOC = RTR_RLOC | / | Source Port = | Dest Port = | UDP \ | UDP Length | UDP Checksum | LH |Type=8 |S| Reserved | \ | Src_RLOC = xTR local , Dst_RLOC = Map-Server_RLOC | / | Source Port = xxxx | Dest Port = | LCM |Type=3 |P|R|I| LISP Map-Register Message , xTR-ID | xTR/MN Map-Register (xTR->RTR->MS) Legend: Green: Fields to be cached by RTR Red : Fields that are new, or are important to NAT Traveral NAT / | IPv4 or IPv6 Header | \ | Src_RLOC = addr’ , Dst_RLOC = RTR_RLOC | / | Source Port = P’ | Dest Port = | UDP \ | UDP Length | UDP Checksum | LH |Type=8 |S| Reserved | \ | Src_RLOC = xTR_local , Dst_RLOC = Map-Server_RLOC | / | Source Port = xxxx | Dest Port = | LCM |Type=3 |P|R|I| LISP Map-Register Message , xTR-ID | RTR MS / | IPv4 or IPv6 Header | OH | | \ | Src_RLOC = RTR_RLOC , Dst_RLOC = Map-Server_RLOC | / | Source Port = xxxx | Dest Port = | UDP \ | UDP Length | UDP Checksum | LCM |Type=3 |P|R|I| LISP Map-Register Message | ~ xTR-ID ~

18 Map-Notify (xTR<-RTR<-MS)
/ | IPv4 or IPv6 Header | \ | Src_RLOC = RTR_RLOC , Dst_RLOC = xTR_local | / | Source Port = | Dest Port = | UDP \ | UDP Length | UDP Checksum | L |N|L|E|V|I| | Nonce/Map-Version | I \ S / | Instance ID = 0xFFFFFF | P \ | Src_RLOC = Map-Server_RLOC , Dst_RLOC = xTR_local | / | Source Port = | Dest Port = | LCM |Type=4 |R|I| LISP Map-Notify Message | ~ MS-RTR Authentication Key/Length/Data ~ xTR/MN Map-Notify (xTR<-RTR<-MS) Legend: Green: fields that are fetched from RTR cache Red : fields that are new, or are important to NAT Traversal NAT / | IPv4 or IPv6 Header | \ | Src_RLOC = RTR_RLOC , Dst_RLOC = addr’ | / | Source Port = | Dest Port = P’ | UDP \ | UDP Length | UDP Checksum | L |N|L|E|V|I| | Nonce/Map-Version | I \ S / | Instance ID = 0xFFFFFF | P / | IPv4 or IPv6 Header | | \ | Src_RLOC = Map-Server_RLOC , Dst_RLOC = xTR_local | / | Source Port = | Dest Port = | LCM |Type=4 |R|I| LISP Map-Notify Message | ~ MS-RTR Authentication Key/Length/Data , xTR-ID ~ RTR MS / | IPv4 or IPv6 Header | OH | | \ | Src_RLOC = Map-Server_RLOC , Dst_RLOC =RTR_RLOC | / | Source Port = | Dest Port = | UDP \ | UDP Length | UDP Checksum | LCM |Type=4 |R| LISP Map-Notify Message | | MS-RTR Key ID | MS-RTR Auth. Data Length | ~ MS-RTR Authentication Data ~ ~ xTR-ID ~

19 Q&A? Thank you!

20 Message Formats: Data-Map-Notify
/ | IPv4 or IPv6 Header | OH | (uses RLOC addresses) | \ | | / | Source Port = xxxx | Dest Port = | UDP \ | UDP Length | UDP Checksum | L |N|L|E|V|I| | Nonce/Map-Version | I \ S / | Instance ID/Locator Status Bits | P IH | (uses RLOC or EID addresses) | / | Source Port = xxxx | Dest Port = | LCM | LISP Map-Register Message | NTR infers MN translated RLOC and port from the outer header of this message. This address is cached by NTR and is used by NTR to send data to MN. Basically Data-Map-Register functions as an authenticated Echo Request message. - Router Alert is used on LISP data packets that include LISP control payload, so NTR knows that it has to process them differently. Inner header destination RLOC must be set to MN’s Map-Server RLOC. NTR retrieves this RLOC to identify the MS to send the Map-Register to. Inner Header source address should be ignored. NTR re-originates the inner header src addr.

21 Basic Overview – NTR as re-encapsulating xTR
MN-EID=>NTR-RLOC MS Map-Request (dst-EID)/Map-Reply Data-Map-Register ( EID =>NTR-RLOC ): 4341 Map-Reister (Mn-EID=> NTR-RLOC) NAT 0/0 => NTR-RLOC LISP-DATA xTR LISP DATA NTR MN-EID=>MN-translated-RLOC+port Essentially, NTR becomes a second xTR for MN. NTR hides MN’s mobility events from its corresponding nodes, further ensuring scalability of LISP-MN.

Download ppt "Draft-ermagan-lisp-nat-traversal-00 Vina Ermagan, Dino Farinacci, Darrel Lewis, Fabio Maino, Jesper Skriver, Chris White Presenter: Vina Ermagan IETF."

Similar presentations

LISP Mobile Node LISP Mobile Node draft-meyer-lisp-mn-00.txt Dino Farinacci, Vince Fuller, Darrel Lewis and David Meyer IETF StockholmHiroshima LISP Working.

LISP Mobile Node LISP Mobile Node draft-meyer-lisp-mn-00.txt Dino Farinacci, Vince Fuller, Darrel Lewis and David Meyer IETF StockholmHiroshima LISP Working.
Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.

Why do current IP semantics cause scaling issues? −Today, “addressing follows topology,” which limits route aggregation compactness −Overloaded IP address.
1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.

1 Introduction to Mobile IPv6 IIS5711: Mobile Computing Mobile Computing and Broadband Networking Laboratory CIS, NCTU.
Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.

Future Directions For IP Architectures Ipv6 Cs686 Sadik Gokhan Caglar.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
MIP Extensions: FMIP & HMIP

MIP Extensions: FMIP & HMIP
Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.

Transitioning to IPv6 April 15,2005 Presented By: Richard Moore PBS Enterprise Technology.
Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv4 20.3 IPv6.

Computer Networks20-1 Chapter 20. Network Layer: Internet Protocol 20.1 Internetworking 20.2 IPv IPv6.
© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.

© 2006 Cisco Systems, Inc. All rights reserved.IP6FD v2.0—2-1 IPv6 Operations Defining and Configuring Neighbor Discovery.
© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.

© 2007 Cisco Systems, Inc. All rights reserved.Cisco Public 1 Addressing the Network – IPv4 Network Fundamentals – Chapter 6.
CS 457 – Lecture 16 Global Internet - BGP Spring 2012.

CS 457 – Lecture 16 Global Internet - BGP Spring 2012.
1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.

1 Internet Protocol Version 6 (IPv6) What the caterpillar calls the end of the world, nature calls a butterfly. - Anonymous.
IETF 72 – July 2008 Vince Fuller, Darrel Lewis, Eliot Lear, Scott Brim, Dave Oran, Noel Chiappa, John Curran, Dino Farinacci, and David Meyer LISP Deployment.

IETF 72 – July 2008 Vince Fuller, Darrel Lewis, Eliot Lear, Scott Brim, Dave Oran, Noel Chiappa, John Curran, Dino Farinacci, and David Meyer LISP Deployment.
Introduction to LISP (not (the (programming ( language))))

Introduction to LISP (not (the (programming ( language))))
Network Localized Mobility Management using DHCP

Network Localized Mobility Management using DHCP
資 管 Lee Lesson 12 IPv6 Mobility. 資 管 Lee Lesson Objectives Components of IPv6 mobility IPv6 mobility messages and options IPv6 mobility data structures.

資 管 Lee Lesson 12 IPv6 Mobility. 資 管 Lee Lesson Objectives Components of IPv6 mobility IPv6 mobility messages and options IPv6 mobility data structures.
1 draft-fuller-lisp-ddt-01 DDT Security V. Fuller, D. Lewis, V. Ermagan Presenter: Vina Ermagan IETF 83, Paris – March 2012.

1 draft-fuller-lisp-ddt-01 DDT Security V. Fuller, D. Lewis, V. Ermagan Presenter: Vina Ermagan IETF 83, Paris – March 2012.
IP Version 6 (IPv6) Dr. Adil Yousif. Why IPv6?  Deficiency of IPv4  Address space exhaustion  New types of service  Integration  Multicast  Quality.

IP Version 6 (IPv6) Dr. Adil Yousif. Why IPv6?  Deficiency of IPv4  Address space exhaustion  New types of service  Integration  Multicast  Quality.
NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT 09.11.2005.

NAT TRAVERSAL FOR IPSEC Research Seminar on Datacommunications Software HIIT
1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

1 Network Architecture and Design Advanced Issues in Internet Protocol (IP) IPv4 Network Address Translation (NAT) IPV6 IP Security (IPsec) Mobile IP IP.

Similar presentations

Ads by Google