NAT traversal for GIST in 300 seconds A. Pashalidis; H. Tschofenig.


1 NAT traversal for GIST in 300 seconds
http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-gimps-nattraversal-00.txt
A. Pashalidis; H. Tschofenig

2-3 Types of NAT
{Andreas.Pashalidis, Hannes.Tschofenig} @siemens.com
Need to consider different types of NAT, i.e. NAT that
1. modify only IP addresses ("port-preserving")
2. modify IP addresses and port numbers
3. use a single public IP address
4. dynamically allocate IP addresses to flows
5. are NSIS-aware and
   1. do not implement the NSLP that is being signalled, or
   2. do implement the NSLP that is being signalled
6. are NSIS-unaware
Draft assumes type (2) and (4) NAT: types (1) and (3) are special cases. Type (6) NATs not (yet?) considered. Cascades of NATs considered, but no "parallel" NATs.

4 Two approaches
1. GIST-aware NAT translates the GIST header fields (in both D-mode and C-mode) in a way that is consistent with the translation it applies to the IP header of the data flow.
2. GIST-aware NAT adds information into GIST discovery messages; GIST peers then use this information to map subsequent signalling to data flows.

5 Advantages
- Signalling messages and data flow consistent throughout the network.
- NATs remain transparent, so NAT-awareness at non-NAT GIST nodes is not required.
- NATs do not "generate mess" that must be "cleaned up" elsewhere.
- NATs do minimal extra work.
- Works in the presence of IPsec/TLS.

6-7 Disadvantages
- Does not work in the presence of IPsec/TLS.
- NATs need to keep per-flow state (which they do anyway).
- Non-NAT GIST nodes must be NAT-aware.
- Internal network details are revealed to the Internet via the original MRI.
Depending on the environment, one approach may be better than the other (?)

8 Which approach is taken?
Both; depending on whether or not TLS/IPsec is required.
Approach 1 (NAT translates): NATs transparently maintain consistency throughout
- Non-NAT GIST nodes less complicated, so easier deployment (?)
- Cascades of NATs handled, so easier testing (?)
Approach 2 (NAT adds information): GIST peers handle NAT-induced inconsistency
- Necessary in order to provide IPsec/TLS; in such installations GIST peers already interact with IPsec/TLS, key management and OCSP. Thus, NAT handling is another such overhead.
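The trade-off on slides 4 to 8, worked through in code. This is an added illustration, not code from the draft or from any GIST implementation: it models a GIST message as a dict with an "mri" field, IPsec/TLS protection as an HMAC over the MRI under a key only the two GIST peers hold, and a type (2)/(4) NAT as a per-flow binding table. A host behind a cascade of two NATs sends a Query; under approach 1 the NATs rewrite the MRI consistently with the data flow (and the integrity tag then fails at the peer), under approach 2 the MRI stays intact and the NATs append the translation (and the peer sees the private address in the original MRI).

```python
"""Simplified model of the two GIST NAT-traversal approaches (added example;
message layout, tag and NAT behaviour are assumptions, not GIST's encoding)."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class MRI:
    """Path-coupled Message Routing Information: the data flow the signalling
    refers to. Only the fields a type (2)/(4) NAT rewrites are modelled."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"

    def canonical(self) -> bytes:
        return f"{self.proto}|{self.src_ip}:{self.src_port}>{self.dst_ip}:{self.dst_port}".encode()


def integrity_tag(mri: MRI, key: bytes) -> str:
    """Stand-in for IPsec/TLS: an end-to-end MAC the NAT cannot recompute."""
    return hmac.new(key, mri.canonical(), hashlib.sha256).hexdigest()


def _tag_ok(msg: dict, key: Optional[bytes]) -> bool:
    if key is None:
        return True  # installation without IPsec/TLS
    return hmac.compare_digest(msg["tag"], integrity_tag(msg["mri"], key))


class NAT:
    """Type (2)+(4) NAT: rewrites source address and port, allocating a binding
    per flow on first sight. The same binding is applied to the data flow's
    outer header and to the MRI, which is what 'consistent' means here."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate(self, mri: MRI) -> MRI:
        key = (mri.src_ip, mri.src_port)
        if key not in self.bindings:
            self.bindings[key] = (self.public_ip, self._next_port)
            self._next_port += 1
        ext_ip, ext_port = self.bindings[key]
        return replace(mri, src_ip=ext_ip, src_port=ext_port)

    def forward_approach1(self, msg: dict) -> dict:
        """Approach 1: rewrite the MRI inside the message like a header field.
        Any tag is left as received, since the NAT holds no key."""
        out = dict(msg)
        out["mri"] = self.translate(msg["mri"])
        return out

    def forward_approach2(self, msg: dict) -> dict:
        """Approach 2: leave the MRI alone, append translation information.
        In a cascade each NAT translates the previous NAT's result."""
        out = dict(msg)
        prev = msg.get("nat_traversal")
        out["nat_traversal"] = {
            "original_mri": prev["original_mri"] if prev else msg["mri"],
            "translated_mri": self.translate(prev["translated_mri"] if prev else msg["mri"]),
        }
        return out


def peer_flow_approach1(msg: dict, key: Optional[bytes] = None) -> Optional[MRI]:
    """Public-side peer, approach 1: no NAT awareness needed, but with IPsec/TLS
    the NAT's rewrite is indistinguishable from tampering and the message is dropped."""
    return msg["mri"] if _tag_ok(msg, key) else None


def peer_flow_approach2(msg: dict, key: Optional[bytes] = None) -> Optional[MRI]:
    """Public-side peer, approach 2: the protected MRI verifies and the (NAT-aware)
    peer maps signalling to the translated flow. Note the appended object lies
    outside the tag: the NAT could not have authenticated it."""
    if not _tag_ok(msg, key):
        return None
    nt = msg.get("nat_traversal")
    return nt["translated_mri"] if nt else msg["mri"]


def leaks_internal_address(msg: dict) -> bool:
    """The slide-6 disadvantage: the original MRI, private address included,
    is visible to every node past the NAT."""
    nt = msg.get("nat_traversal")
    return bool(nt) and nt["original_mri"].src_ip != nt["translated_mri"].src_ip


def run_scenario() -> dict:
    """Constructed scenario: host behind two cascaded NATs, public-side peer."""
    key = b"gist-peer-sa-key"  # assumption: models the IPsec/TLS SA between the peers
    inner = MRI("10.0.0.5", 5004, "203.0.113.9", 5004)
    nat1, nat2 = NAT("198.51.100.1"), NAT("192.0.2.1")
    data_header = nat2.translate(nat1.translate(inner))  # data flow after both NATs
    query = {"mri": inner, "tag": integrity_tag(inner, key)}
    a1 = nat2.forward_approach1(nat1.forward_approach1(query))
    a2 = nat2.forward_approach2(nat1.forward_approach2(query))
    return {
        "data_header": data_header,
        "a1_plain": peer_flow_approach1(a1),           # equals data_header
        "a1_protected": peer_flow_approach1(a1, key),  # None: tag no longer matches
        "a2_protected": peer_flow_approach2(a2, key),  # equals data_header
        "a2_leak": leaks_internal_address(a2),         # True: 10.0.0.5 exposed
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```

The two failure modes the slides list fall out directly: approach 1 breaks the moment the MRI is under end-to-end protection, because the NAT cannot update the tag; approach 2 keeps the tag valid but exposes the pre-translation MRI, and nothing authenticates the object the NAT appended, which is one of the "new" security concerns slide 11 alludes to.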

9 Scope
- Coordination of GIST and address translation in the NAT (NATs are routers too)?
- Coordination of NSLP functionality with NAT functionality (i.e. flow identification before or after translation)?
- Security considerations
  - Installation of bindings as a result of signalling.
  - NAT vs NSIS policies; conflict avoidance?

10 Open issues
- When should a (bidirectional) NAT binding be installed?
  - When signalling exists in one direction?
  - When signalling exists in both directions?
- Compatibility with the GIST spec
- GIST/NSLP-unaware NATs

11 Conclusion
NAT traversal at the GIST layer...
- involves addressing many (sub)cases
- raises "new" security concerns
- is likely to require a document of considerable length
Is the draft a reasonable basis for further discussion? Feedback solicited!

