Transcript PPT Version

NAT traversal for GIST
in 300 seconds
http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-gimps-nattraversal-00.txt
A. Pashalidis; H. Tschofenig
{Andreas.Pashalidis, Hannes.Tschofenig} @siemens.com
Types of NAT

Need to consider different types of NAT, i.e. NAT that
1. modify only IP addresses (“port-preserving”)
2. modify IP addresses and port numbers
3. use a single public IP address
4. dynamically allocate IP addresses to flows
5. are NSIS-aware
   1. do not implement the NSLP that is being signalled
   2. do implement the NSLP that is being signalled
6. are NSIS-unaware

Draft assumes type (2) and (4) NAT: types (1) and (3)
are special cases. Type (6) NATs not (yet?) considered.
Cascades of NATs considered, but no “parallel” NATs.

Two approaches

1. GIST-aware NAT translates GIST header fields (both D and C mode) in a way
   that is consistent with the translation it applies to the IP header in the
   data flow.

2. GIST-aware NAT adds information into GIST discovery messages; GIST peers
   then use this information in order to map subsequent signalling to data
   flows.
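A toy model of the two approaches, added here as an illustration and not code from the draft or the slides; the MRI as a 4-tuple, the nat_info object, the Peer class and all addresses are constructed assumptions:

```python
from dataclasses import dataclass, replace
from typing import Optional

@dataclass(frozen=True)
class MRI:  # Message Routing Information, modelled as the flow's 4-tuple (constructed)
    src: str
    src_port: int
    dst: str
    dst_port: int

@dataclass
class GistMessage:
    mri: MRI                        # flow this signalling message refers to
    protected: bool = False         # carried over IPsec/TLS: a NAT cannot rewrite it
    nat_info: Optional[MRI] = None  # approach 2: external view added to a discovery message

class Nat:
    """Type (2)/(4) NAT of the slides: rewrites address and port, binding allocated per flow."""
    def __init__(self, public_ip: str):
        self.public_ip, self.bindings, self._next_port = public_ip, {}, 40000
    def translate_flow(self, mri: MRI) -> MRI:  # what the NAT does to the data packets' header
        key = (mri.src, mri.src_port)
        if key not in self.bindings:                      # dynamic allocation (type 4)
            self.bindings[key] = (self.public_ip, self._next_port)
            self._next_port += 1
        ext_ip, ext_port = self.bindings[key]
        return replace(mri, src=ext_ip, src_port=ext_port)
    def approach1(self, msg: GistMessage) -> GistMessage:
        """NAT rewrites the MRI exactly as it rewrites the data flow's header (D and C mode)."""
        if msg.protected:
            raise ValueError("cannot rewrite the MRI inside an IPsec/TLS-protected message")
        return replace(msg, mri=self.translate_flow(msg.mri))
    def approach2(self, discovery: GistMessage) -> GistMessage:
        """NAT leaves the MRI alone and adds the external view to the (unprotected) discovery message."""
        if discovery.protected:
            raise ValueError("the NAT must be able to see the discovery message")
        return replace(discovery, nat_info=self.translate_flow(discovery.mri))

class Peer:
    """GIST node outside the NAT; NAT-aware for approach 2: learns the mapping from discovery."""
    def __init__(self):
        self.learned: dict[MRI, MRI] = {}
    def on_discovery(self, msg: GistMessage) -> None:
        if msg.nat_info is not None:      # note: the original (internal) MRI is visible to the peer
            self.learned[msg.mri] = msg.nat_info
    def flow_for(self, msg: GistMessage) -> MRI:  # flow this signalling is matched against
        return self.learned.get(msg.mri, msg.mri)

def consistent(original: MRI, seen_by_peer: MRI, nat: Nat) -> bool:
    """Signalling and data flow agree iff the peer's view equals the NAT's data-path translation."""
    return seen_by_peer == nat.translate_flow(original)
```

With approach 1 the NAT-translated MRI already matches the data path, so the outside peer needs no NAT logic; with approach 2 the peer learns the mapping from the discovery message and can apply it to later TLS/IPsec-protected signalling, at the cost of seeing the internal MRI.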
Advantages

— Signalling messages and data flow consistent throughout the network.
— NATs remain transparent → NAT-awareness at non-NAT GIST nodes not required.
— NATs do not “generate mess” that must be “cleaned up” elsewhere.
— NATs do minimal extra work.

— Works in the presence of IPsec/TLS.
Disadvantages

— Does not work in the presence of IPsec/TLS.
— NATs need to keep per-flow state (which they do anyway).

— Non-NAT GIST nodes must be NAT-aware.
— Internal network details are revealed to the Internet via the original MRI.

Depending on environment, one approach may be better than the other (?)

Which approach is taken?

Both; depending on whether or not TLS/IPsec is required
— NATs transparently maintain consistency throughout
  • Non-NAT GIST nodes less complicated → easier deployment (?)
  • Cascades of NATs handled → easier testing (?)
— GIST peers handle NAT-induced inconsistency
  • Necessary in order to provide IPsec/TLS; in such installations GIST peers
    already interact with IPsec/TLS, key management, OCSP. Thus, NAT handling
    is another such overhead.
Scope

— Coordination of GIST and address translation in the NAT (NATs are routers too)?
— Coordination of NSLP functionality with NAT functionality (i.e. flow
  identification before or after translation)?
— Security considerations
  • Installation of bindings as a result of signalling.
  • NAT vs NSIS policies; conflict avoidance?
Open issues

— When should a (bidirectional) NAT binding be installed?
  • When signalling exists in one direction?
  • When signalling exists in both directions?
— Compatibility with GIST spec
— GIST/NSLP-unaware NATs
Conclusion

NAT traversal at the GIST layer…
— involves addressing many (sub)cases
— raises “new” security concerns
— is likely to require a document of considerable length

Is the draft a reasonable basis for further discussion?

Feedback solicited!