Presentation is loading. Please wait.

Presentation is loading. Please wait.

0 NAT/Firewall NSLP IETF 62th – March 2005 draft-ietf-nsis-nslp-natfw-05.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

Published byOwen Weaver Modified over 8 years ago

Similar presentations

Presentation on theme: "0 NAT/Firewall NSLP IETF 62th – March 2005 draft-ietf-nsis-nslp-natfw-05.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun."— Presentation transcript:

1 0 NAT/Firewall NSLP IETF 62th – March 2005 draft-ietf-nsis-nslp-natfw-05.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun

2 1 IPR Claim Received IPR claim of Nortel December 14th Nortel Networks U.S. Patent No. 6,772,210, entitled "Method and apparatus for exchanging communications between telephone number based devices in an internet protocol environment", may contain claims that are believed may be necessary for practicing the resulting IETF Standard based on this Internet Draft. Claim is here  https://datatracker.ietf.org/public/ipr_detail_show.cgi?&ipr_id=506 https://datatracker.ietf.org/public/ipr_detail_show.cgi?&ipr_id=506 We are not lawyers, but there MAY be prior art!

3 2 Editorial Changes in -05 Several editorial changes  Moved Miquel to the author’s list in the text body  Integrated many comments from Elwyn Merged Query message into a single section 3.3.6  Was Section 3.3.6 and 3.3.7 Aligned object format presentation to GIMPS I-D Added in Section 3.5 the compatibility bits described in GIMPS  NATFW NSLP limits usage to MANDATORY, OPTIONAL, FORWARD  REFRESH bit combination not used, NFs do not refresh on their own

4 3 Editorial Changes in -05 Changed Response Type Object to Proxy Support Object Removed scoping object (not needed anywhere) NOTIFY (per WG decision – IETF 61)  Removed NOTIFY target object  NOTIFY messages are sent upstream only (Section 3.3.5) Added appendix on "Object ID allocation for testing" Added text about how REA is activated to Section 3.3.2 Updated security considerations

5 4 Security Consideration Section Update Resolved remaining issues in the NAT/FW threats document  see mailing list, data receiver behind a NAT NAT/FW threats document incorporated into main document  Was draft-fessi-nsis-natfw-threats-02 Updated threat model and security solution text  GIMPS security between neighboring NSLP nodes  Usage of authorization tokens  Authentication and authorization of an initiator towards non-neighboring nodes based on CMS Open issues:  Mobility handling and security (based on old I-D)  More details  Security object formats

6 5 Protocol Changes in -05 Introduced notion of ‘deny’ policy rules Reworked Section 3.3.8 and 3.3.9 (proxy mode)  Section 3.3.7 Proxy Mode for Data Receiver behind NAT  Section 3.3.8 Proxy Mode for Data Sender behind Middleboxes  Proxy mode is no longer the default mode (see later) Added DSInfo description to section about REA  Information about data sender  Limit possible CREATE message senders and local filters Since REA incorporates the DSInfo semantics, the TRIGGER message has been removed Added section about finding upstream firewalls (UCREATE)  Section 3.3.9 Proxy Mode for Data Receiver behind Firewall More details on next slides...

7 6 Proxy Mode - NR side Data receiver behind NAT

8 7 Issues on DR behind NAT Proxy Mode Issues with not using the proxy mode as default  NI+(i.e. NR) needs to know the NATFW NSLP capabilities  Impact on applications as they would need to advertise their NSIS capabilities Proxy mode used and far endhost supports the NSLP how to handle the existing NSLP sessions triggered by the REA?  One created by a CREATE message sent by the Edge NAT  one created by a CREATE message sent by the far endhost’s NI  DR to decide whether the proxy mode signaling session needs to be terminated based on an e2e signaling session.

9 8 On the Security of Data Receiver behind a NAT Data Sender NAT/ FW Data Receiver Treat the signaling sessions (1) and (2) independently (authorization issue) Do not update state established on the NAT/FW (created by the proxy mode signaling session) based on an e2e signaling session. Proxy mode triggers a CREATE to deal with routing asymmetry and firewalls between the NAT/FW and the DR. (1) End-to-End Signaling (2) Proxy Mode Signaling

10 9 Proxy Mode - NI side Data sender behind NAT or Firewall

11 10 Blocking Traffic Proxy Mode for Data Receiver behind Firewall Used to block particular incoming data flows

12 11 Open Issues Security Details on UCREATE  Protocol details just new  Need review  Multihomed scenarios: several Firewalls parallel There is an issue tracker https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/index https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/index You can register yourself a the tracker! A diff between -04 and -05 at: http://www.stiemerling.org/ietf/nsis/draft-ietf-nsis-nslp-natfw-05-diff-to-04.html

Download ppt "0 NAT/Firewall NSLP IETF 62th – March 2005 draft-ietf-nsis-nslp-natfw-05.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun."

Similar presentations

NSIS Operation Over IP Tunnels draft-ietf-nsis-tunnel-04.txt Charles Shen, Henning Schulzrinne, Sung-Hyuck Lee, Jong Ho Bang IETF#71 – Philadelphia, USA.

NSIS Operation Over IP Tunnels draft-ietf-nsis-tunnel-04.txt Charles Shen, Henning Schulzrinne, Sung-Hyuck Lee, Jong Ho Bang IETF#71 – Philadelphia, USA.
Applicability Statement of NSIS Protocols in Mobile Environments draft-ietf-nsis-applicability-mobility-signaling-12.txt Takako Sanda, Xiaoming Fu, Seong-Ho.

Applicability Statement of NSIS Protocols in Mobile Environments draft-ietf-nsis-applicability-mobility-signaling-12.txt Takako Sanda, Xiaoming Fu, Seong-Ho.
Progress Report: Metering NSLP (M-NSLP) 66th IETF meeting, NSIS WG.

Progress Report: Metering NSLP (M-NSLP) 66th IETF meeting, NSIS WG.
H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.

H. 323 and firewalls: Problem Statement and Solution Framework Author: Melinda Shore, Nokia Presenter: Shannon McCracken.
1 Improved DNS Server Selection for Multi-Homed Nodes draft-savolainen-mif-dns-server-selection-04 Teemu Savolainen (Nokia) Jun-ya Kato (NTT) MIF WG meeting.

1 Improved DNS Server Selection for Multi-Homed Nodes draft-savolainen-mif-dns-server-selection-04 Teemu Savolainen (Nokia) Jun-ya Kato (NTT) MIF WG meeting.
Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-04 S. Thiruvengadam Hannes Tschofenig Franck Le Niklas Steinleitner.

Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-04 S. Thiruvengadam Hannes Tschofenig Franck Le Niklas Steinleitner.
IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.

IETF 58 PANA WG PANA Update and Open Issues (draft-ietf-pana-pana-02.txt) Dan Forsberg, Yoshihiro Ohba, Basavaraj Patil, Hannes Tschofenig, Alper Yegin.
1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.

1 © NOKIA NSIS MIPv6 FW/ November 8 th 2004 Mobile IPv6 - NSIS Interaction for Firewall traversal draft-thiruvengadam-nsis-mip6-fw-01 S. Thiruvengadam.
Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.

Telematics group University of Göttingen, Germany Overhead and Performance Study of the General Internet Signaling Transport (GIST) Protocol Xiaoming.
1 IETF 64th meeting, Vancouver, Canada Design Options of NSIS Diagnostics NSLP Xiaoming Fu Ingo Juchem Christian Dickmann Hannes Tschofenig.

1 IETF 64th meeting, Vancouver, Canada Design Options of NSIS Diagnostics NSLP Xiaoming Fu Ingo Juchem Christian Dickmann Hannes Tschofenig.
Mobility Support in NSIS 57th IETF Meeting, July 13-18, Vienna Xiaoming Fu Henning Schulzrinne Hannes Tschofenig.

Mobility Support in NSIS 57th IETF Meeting, July 13-18, Vienna Xiaoming Fu Henning Schulzrinne Hannes Tschofenig.
NSIS Transport Layer draft-ietf-nsis-ntlp-00.txt Slides:

NSIS Transport Layer draft-ietf-nsis-ntlp-00.txt Slides:
Applicability Statement of NSIS Protocols in Mobile Environments (draft-ietf-nsis-applicability-mobility-signaling-03) Sung-Hyuck Lee, Seong-Ho Jeong,

Applicability Statement of NSIS Protocols in Mobile Environments (draft-ietf-nsis-applicability-mobility-signaling-03) Sung-Hyuck Lee, Seong-Ho Jeong,
Host Identity Protocol

Host Identity Protocol
Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.

Request History – Solution Mary Barnes SIP WG Meeting IETF-57 draft-ietf-sip-history-info-00.txt.
PPSP Tracker Protocol draft-gu-ppsp-tracker-protocol PPSP WG IETF 82 Taipei Rui Cruz (presenter) Mário Nunes, Yingjie Gu, Jinwei Xia, David Bryan, João.

PPSP Tracker Protocol draft-gu-ppsp-tracker-protocol PPSP WG IETF 82 Taipei Rui Cruz (presenter) Mário Nunes, Yingjie Gu, Jinwei Xia, David Bryan, João.
NSIS NATFW NSLP: A Network Firewall Control Protocol draft-ietf-nsis-nslp-natfw-08.txt IETF NSIS Working Group January 2006 M. Stiemerling, H. Tschofenig,

NSIS NATFW NSLP: A Network Firewall Control Protocol draft-ietf-nsis-nslp-natfw-08.txt IETF NSIS Working Group January 2006 M. Stiemerling, H. Tschofenig,
NSIS Path-coupled Signaling for NAT/Firewall Traversal Martin Stiemerling, Miquel Martin (NEC) Hannes Tschofenig (Siemens AG) Cedric Aoun (Nortel)

NSIS Path-coupled Signaling for NAT/Firewall Traversal Martin Stiemerling, Miquel Martin (NEC) Hannes Tschofenig (Siemens AG) Cedric Aoun (Nortel)
NSIS IETF 56 MONDAY, March 17, 2003: 0900-1130 Morning Session TUESDAY, March 18, 2003: 1300-1400 Afternoon Sessions I.

NSIS IETF 56 MONDAY, March 17, 2003: Morning Session TUESDAY, March 18, 2003: Afternoon Sessions I.
0 NAT/Firewall NSLP IETF 61th November 2004 draft-ietf-nsis-nslp-natfw-04.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

0 NAT/Firewall NSLP IETF 61th November 2004 draft-ietf-nsis-nslp-natfw-04.txt Martin Stiemerling, Hannes Tschofenig, Cedric Aoun.

Similar presentations

Ads by Google