NAT traversal for GIST in 300 seconds
http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-gimps-nattraversal-00.txt
A. Pashalidis; H. Tschofenig
{Andreas.Pashalidis, Hannes.Tschofenig} @siemens.com
Types of NAT

Need to consider different types of NAT, i.e. NATs that
1. modify only IP addresses (“port-preserving”)
2. modify IP addresses and port numbers
3. use a single public IP address
4. dynamically allocate IP addresses to flows
5. are NSIS-aware, and
   1. do not implement the NSLP that is being signalled
   2. do implement the NSLP that is being signalled
6. are NSIS-unaware

Draft assumes type (2) and (4) NATs; types (1) and (3) are special cases. Type (6) NATs not (yet?) considered.
Cascades of NATs considered, but no “parallel” NATs.
Two approaches

1. GIST-aware NAT translates the GIST header fields (in both D-mode and C-mode messages) in a way that is consistent with the translation it applies to the IP header of the data flow.
2. GIST-aware NAT adds information to GIST discovery messages; the GIST peers then use this information to map subsequent signalling to data flows.
Advantages

Approach (1):
• Signalling messages and data flow consistent throughout the network.
• NATs remain transparent: NAT-awareness at non-NAT GIST nodes not required.
• NATs do not “generate mess” that must be “cleaned up” elsewhere.

Approach (2):
• NATs do minimal extra work.
• Works in the presence of IPsec/TLS.
Disadvantages

Approach (1):
• Does not work in the presence of IPsec/TLS (a NAT cannot rewrite fields of a message that the GIST peers protect end to end).
• NATs need to keep per-flow state (which they do anyway).

Approach (2):
• Non-NAT GIST nodes must be NAT-aware.
• Internal network details are revealed to the Internet via the original MRI.
Depending on environment, one approach may be better than the other (?)
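The two approaches from the “Two approaches” slide, carried through a cascade of two NATs, as an added example that is not part of the slides or the draft. It models a NAPT of types (2)/(4) with one binding per flow, a minimal MRI (source/destination address, port and protocol), and uses an HMAC under a key known only to the GIST peers as a stand-in for TLS/IPsec protection of C-mode messages; the message layout, the nat_info field the NAT appends, the key and all addresses and ports are assumptions. It exercises the advantage/disadvantage pairs above: approach (1) keeps signalling and data plane consistent with nothing for the peers to do, but its rewrite is detected on a protected message; approach (2) survives protection, at the cost of a NAT-aware peer and of the internal address staying visible in the original MRI.

```python
"""Toy model of the two GIST NAT-traversal approaches on these slides.
Added example, not code from the draft or its authors; the MRI layout, the
nat_info field, the HMAC stand-in for TLS/IPsec and all addresses are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Optional, Tuple

@dataclass(frozen=True)
class MRI:
    """Message Routing Information: the data flow the signalling refers to."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"

    def encode(self) -> bytes:
        return f"{self.proto} {self.src}:{self.sport}->{self.dst}:{self.dport}".encode()

@dataclass(frozen=True)
class GistMsg:
    mri: MRI
    nat_info: Tuple[Tuple[str, int], ...] = ()  # approach (2): one (ip, port) per NAT
    mac: Optional[bytes] = None                 # stand-in for TLS/IPsec integrity

class NAPT:
    """NAT of type (2)/(4): rewrites source address and port, one binding per flow."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self.bindings = {}  # (private_ip, private_port) -> (public_ip, public_port)

    def outbound(self, src: str, sport: int) -> Tuple[str, int]:
        if (src, sport) not in self.bindings:  # binding installed by the first packet
            self.bindings[(src, sport)] = (self.public_ip, self._next_port)
            self._next_port += 1
        return self.bindings[(src, sport)]

    def translate_flow(self, mri: MRI) -> MRI:
        """How the data packets of this flow look after this NAT."""
        pub_ip, pub_port = self.outbound(mri.src, mri.sport)
        return replace(mri, src=pub_ip, sport=pub_port)

PEER_KEY = b"known-only-to-the-gist-peers"  # assumption: models the TLS/IPsec association

def _tag(mri: MRI) -> bytes:
    return hmac.new(PEER_KEY, mri.encode(), hashlib.sha256).digest()

def protect(msg: GistMsg) -> GistMsg:
    """C-mode message under TLS/IPsec: the MRI is integrity-protected end to end."""
    return replace(msg, mac=_tag(msg.mri))

def verify(msg: GistMsg) -> bool:
    return msg.mac is not None and hmac.compare_digest(msg.mac, _tag(msg.mri))

def external_view(msg: GistMsg) -> MRI:
    """Approach (2), receiving peer: apply the NAT-added mappings in cascade
    order to recover the flow as it appears on this side of the NATs."""
    mri = msg.mri
    for pub_ip, pub_port in msg.nat_info:
        mri = replace(mri, src=pub_ip, sport=pub_port)
    return mri

def approach1_nat(nat: NAPT, msg: GistMsg) -> GistMsg:
    """Approach (1): the NAT rewrites the MRI exactly as it rewrites the data
    flow. Transparent to the peers, but only possible on a message the NAT may
    modify: on a protected C-mode message the receiver's check then fails."""
    return replace(msg, mri=nat.translate_flow(msg.mri))

def approach2_nat(nat: NAPT, msg: GistMsg) -> GistMsg:
    """Approach (2): the NAT leaves the (internal) MRI visible and appends the
    mapping it applies to the flow as it arrives from any inner NATs."""
    seen = external_view(msg)
    return replace(msg, nat_info=msg.nat_info + (nat.outbound(seen.src, seen.sport),))

def demo() -> dict:
    inner = NAPT("192.168.1.5")  # cascade: host -> inner NAT -> outer NAT -> peer
    outer = NAPT("203.0.113.7")
    flow = MRI("10.0.0.9", 5000, "198.51.100.20", 80)
    data_plane = outer.translate_flow(inner.translate_flow(flow))
    q1 = approach1_nat(outer, approach1_nat(inner, GistMsg(flow)))  # D-mode query
    c1 = approach1_nat(inner, protect(GistMsg(flow)))               # protected C-mode
    q2 = approach2_nat(outer, approach2_nat(inner, GistMsg(flow)))  # D-mode query
    c2 = protect(GistMsg(flow))                                     # NATs leave it alone
    return {
        "data_plane": data_plane,
        "a1_query_mri": q1.mri,             # equals data_plane: consistent
        "a1_protected_ok": verify(c1),      # False: the rewrite broke the protection
        "a2_query_mri": q2.mri,             # still 10.0.0.9: internal address exposed
        "a2_peer_view": external_view(q2),  # equals data_plane once mappings applied
        "a2_protected_ok": verify(c2),      # True: nothing was rewritten
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

Running demo() shows both sides of the trade-off: a1_query_mri already equals the translated data-plane flow with no work at the receiving peer, while a1_protected_ok is False because the same rewrite on a protected message is caught; a2_peer_view reaches the same flow only after the receiving peer applies the appended mappings (it must be NAT-aware), and a2_query_mri still carries the 10.0.0.9 source that the “original MRI” disadvantage refers to. The HMAC only models that a middlebox modification is detected; under real TLS or IPsec the NAT could not even read the C-mode fields it would have to rewrite.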
Which approach is taken?

Both, depending on whether or not TLS/IPsec is required.

Approach (1): NATs transparently maintain consistency throughout
• Non-NAT GIST nodes less complicated: easier deployment (?)
• Cascades of NATs handled more easily: testing (?)

Approach (2): GIST peers handle NAT-induced inconsistency
• Necessary in order to provide IPsec/TLS; in such installations GIST peers already interact with IPsec/TLS, key management and OCSP, so NAT handling is another such overhead.
Scope

• Coordination of GIST and address translation in the NAT (NATs are routers too)?
• Coordination of NSLP functionality with NAT functionality (i.e. flow identification before or after translation)?
• Security considerations
  • Installation of bindings as a result of signalling.
  • NAT vs NSIS policies; conflict avoidance?
Open issues

• When should a (bidirectional) NAT binding be installed?
  • When signalling exists in one direction?
  • When signalling exists in both directions?
• Compatibility with GIST spec
• GIST/NSLP-unaware NATs
Conclusion

NAT traversal at the GIST layer…
• involves addressing many (sub)cases
• raises “new” security concerns
• is likely to require a document of considerable length

Is the draft a reasonable basis for further discussion?
Feedback solicited!