Transcript PPT Version

Loose End Message Routing
Method for NATFW NSLP
IETF 61- November 2004
draft-stiemerling-nsis-natfw-mrm-00.txt
Martin Stiemerling
[email protected]
Background
• Data receiver behind a NAT
• Must learn its publicly reachable IP address/port number
• A NAT must be found somewhere upstream
[Figure: example topology with the data receiver DR (and NATFW NSIS responder NR) in a private network behind NATs and firewalls (FW1, FW2, NAT1, NAT3, NAT4), connected via the Internet to the data sender DS]
NATFW NSLP 1/2
• Create an NSLP REA message
• Create an NTLP message with
  – Direction: downstream
  – Source: DR
  – Destination: DS or DS*
• DS is often not known in advance (e.g. SIP)
  – Must use DS* (opportunistic address)
    – Any address outside your network
    – Or a proxy address
• Send the message like a CREATE message
NATFW NSLP 2/2
[Figure: REA sent downstream from DR towards DS*, handled like a CREATE message, across the topology of the Background slide (DR, NR, FW1, FW2, NAT1, NAT3, NAT4, Private NW, Internet, DS, DS*)]
Pros and Cons
• Easy solution, used since the first days
• Creates unneeded state at firewalls
• Security associations created where they are not
needed
• Somewhat of a hack regarding the NTLP
  – Message sent the wrong way
  – Flow parameters are not the real ones
Loose End MRM
[Figure: REA for the flow from DS* to DR, routed upstream, across the topology of the Background slide (DR, NR, FW1, FW2, NAT1, NAT3, NAT4, Private NW, Internet, DS, DS*); CREATE shown for comparison]
Pros and Cons
• Semantically clean solution
• Creates state only at NATs
• Security associations must only be set up
between NATs
• NTLP should get an ‘extension’
  – A signal-to address for DS*
  – Indicates that this is not the real NI address
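As an added illustration (not part of the slides or the draft), a toy Python model of the two approaches compared on slides 2 to 6: the REA sent downstream like a CREATE towards DS*, and the REA routed with the Loose End MRM. The chain of middleboxes between DR and the Internet is constructed for the example and does not follow the slide figures.

```python
"""Toy model of two ways a data receiver (DR) behind NATs can send a
NATFW NSLP REA message: the path-coupled downstream 'send it like CREATE
towards DS*' approach versus the Loose End MRM.  Added example, not from
the draft; the middlebox chain is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Middlebox:
    name: str
    kind: str                                   # "NAT" or "FW"
    state: list = field(default_factory=list)   # NSLP state installed here


def build_path():
    """Constructed chain from DR outwards to the Internet (then DS*)."""
    return [Middlebox("FW1", "FW"), Middlebox("NAT1", "NAT"),
            Middlebox("FW2", "FW"), Middlebox("NAT3", "NAT")]


def send_rea(path, mrm):
    """Route one REA from DR along path with the given MRM.

    Returns (boxes that installed state, security-association pairs,
    node where the message terminates)."""
    state_at, sas, prev = [], set(), "DR"
    for box in path:
        if mrm == "path-coupled":
            # Downstream for a flow DR -> DS* that does not really exist:
            # every NATFW-aware box (firewalls included) installs state and
            # needs an SA with its previous NSLP peer.
            box.state.append(("REA", "DR", "DS*"))
            sas.add((prev, box.name))
            state_at.append(box.name)
            prev = box.name
        elif mrm == "loose-end":
            # Flow described as it really is (DS* -> DR, upstream).
            # Firewalls forward without creating state; only NATs act,
            # so SAs are needed only between consecutive NATs.
            if box.kind == "NAT":
                box.state.append(("REA", "DS*", "DR"))
                if state_at:
                    sas.add((state_at[-1], box.name))
                state_at.append(box.name)
        else:
            raise ValueError(f"unknown MRM {mrm!r}")
    if mrm == "path-coupled":
        sas.add((prev, "DS*"))            # message runs on to DS* itself
        return state_at, sas, "DS*"
    # Loose End: stops at the outermost (edge) NAT, which can answer with
    # the public address; no NAT on the path means nothing to learn.
    return state_at, sas, state_at[-1] if state_at else "DR"
```

Running both variants over the same chain shows the difference the slides argue: the downstream hack leaves state and SAs at every box and reaches DS*, while the Loose End MRM touches only NAT1 and NAT3 and ends at the edge NAT.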
Thank you!
Questions?