
NAT traversal for GIST in 300 seconds

http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-gimps-nattraversal-00.txt

A. Pashalidis; H. Tschofenig


{Andreas.Pashalidis, Hannes.Tschofenig} @siemens.com

Types of NAT

Need to consider different types of NAT, i.e. NATs that
1. modify only IP addresses (“port-preserving”)
2. modify IP addresses and port numbers
3. use a single public IP address
4. dynamically allocate IP addresses to flows
5. are NSIS-aware
   1. do not implement the NSLP that is being signalled
   2. do implement the NSLP that is being signalled
6. are NSIS-unaware

The draft assumes type (2) and (4) NATs: types (1) and (3) are special cases. Type (6) NATs are not (yet?) considered.

Cascades of NATs considered, but no “parallel” NATs.


Two approaches

GIST-aware NAT translates GIST header fields (both D and C mode) in a way that is consistent with the translation it applies to the IP header in data flow.

GIST-aware NAT adds information into GIST discovery messages; GIST peers then use this information in order to map subsequent signalling to data flows.


Advantages

NAT translates GIST header fields:
• Signalling messages and data flow consistent throughout the network.
• NATs remain transparent; NAT-awareness at non-NAT GIST nodes not required.
• NATs do not “generate mess” that must be “cleaned up” elsewhere.

NAT adds information to discovery messages:
• NATs do minimal extra work.
• Works in the presence of IPsec/TLS.


Disadvantages

NAT translates GIST header fields:
• Does not work in the presence of IPsec/TLS.
• NATs need to keep per-flow state (which they do anyway).

NAT adds information to discovery messages:
• Non-NAT GIST nodes must be NAT-aware.
• Internal network details are revealed to the Internet via the original MRI.

Depending on the environment, one approach may be better than the other (?)
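To make the two approaches and the trade-offs above concrete, the following is an added toy model, not code from the slides or the draft. It assumes a NAT of type (2)/(4) that rewrites source address and port per flow, an MRI carrying the flow's addresses and ports, a constructed `nat_info` field standing for the information the second approach appends to discovery messages, and an HMAC over the MRI standing in for IPsec/TLS integrity protection; none of this is the GIST wire format. It shows why translating the MRI keeps signalling consistent with the data flow and hides internal addresses but breaks an integrity-protected message, while appending information keeps the protection intact but exposes the original MRI and requires the outside peer to be NAT-aware.

```python
"""Toy model of the two NAT-traversal approaches on the slides.

Constructed for illustration: the message layout, the ``nat_info`` field
and the HMAC standing in for IPsec/TLS protection are simplifications,
not the GIST wire format or the draft's own encoding.
"""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Addresses and ports of a data flow; the path-coupled MRI carries these."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int


@dataclass
class GistMessage:
    mri: Flow                          # message routing information for the signalled flow
    nat_info: Optional[Flow] = None    # constructed: translated flow appended by the NAT
    mac: Optional[bytes] = None        # constructed stand-in for IPsec/TLS integrity protection


class Nat:
    """NAT of type (2)/(4) on the slides: rewrites source address and port per flow."""

    def __init__(self, public_addr: str, first_port: int = 40000):
        self.public_addr = public_addr
        self.next_port = first_port
        self.bindings: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def translate_flow(self, flow: Flow) -> Flow:
        """Per-flow binding, applied identically to data packets and (approach A) to the MRI."""
        key = (flow.src_addr, flow.src_port)
        if key not in self.bindings:
            self.bindings[key] = (self.public_addr, self.next_port)
            self.next_port += 1
        pub_addr, pub_port = self.bindings[key]
        return replace(flow, src_addr=pub_addr, src_port=pub_port)

    def forward_translating(self, msg: GistMessage) -> GistMessage:
        """Approach A: rewrite the MRI exactly as the IP header of the data flow is rewritten."""
        return GistMessage(mri=self.translate_flow(msg.mri), mac=msg.mac)

    def forward_annotating(self, msg: GistMessage) -> GistMessage:
        """Approach B: leave the MRI untouched and append the translated flow for the peers."""
        return GistMessage(mri=msg.mri, nat_info=self.translate_flow(msg.mri), mac=msg.mac)


def protected_bytes(msg: GistMessage) -> bytes:
    """Bytes covered by the integrity check: the MRI only. Anything the NAT
    appends stays outside it, as the slides put that information in discovery messages."""
    return json.dumps(asdict(msg.mri), sort_keys=True).encode()


def sign(msg: GistMessage, key: bytes) -> GistMessage:
    msg.mac = hmac.new(key, protected_bytes(msg), hashlib.sha256).digest()
    return msg


def verify(msg: GistMessage, key: bytes) -> bool:
    if msg.mac is None:
        return False
    expected = hmac.new(key, protected_bytes(msg), hashlib.sha256).digest()
    return hmac.compare_digest(msg.mac, expected)


def external_peer_flow(msg: GistMessage) -> Flow:
    """Flow the GIST peer outside the NAT matches signalling against.
    Under approach B the peer must be NAT-aware and prefer the appended information."""
    return msg.nat_info if msg.nat_info is not None else msg.mri


def demo() -> Dict[str, bool]:
    # Constructed sample: a host behind the NAT signals for a flow to an Internet peer.
    inside = Flow("10.0.0.5", 5004, "198.51.100.7", 5004)
    nat = Nat("203.0.113.1")
    key = b"constructed-demo-key"
    data_flow = nat.translate_flow(inside)  # what the data packets look like past the NAT

    out_a = nat.forward_translating(GistMessage(mri=inside))
    out_b = nat.forward_annotating(GistMessage(mri=inside))

    # Integrity-protected variants: the MAC is computed before the message reaches the NAT.
    prot_a = nat.forward_translating(sign(GistMessage(mri=inside), key))
    prot_b = nat.forward_annotating(sign(GistMessage(mri=inside), key))

    return {
        # Both approaches let the outside peer find the translated data flow ...
        "a_consistent": external_peer_flow(out_a) == data_flow,
        "b_consistent": external_peer_flow(out_b) == data_flow,
        # ... but only approach B exposes the internal address via the original MRI.
        "a_reveals_private": out_a.mri.src_addr == inside.src_addr,
        "b_reveals_private": out_b.mri.src_addr == inside.src_addr,
        # Rewriting a protected MRI breaks the check; appending outside it does not.
        "a_verifies_after_nat": verify(prot_a, key),
        "b_verifies_after_nat": verify(prot_b, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The model deliberately keeps the NAT's binding table shared between data packets and signalling, which is the property the first approach relies on; a NAT cascade would apply `translate_flow` once per NAT to both, and consistency would still hold.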


Which approach is taken?

Both; depending on whether or not TLS/IPsec is required.

— NATs transparently maintain consistency throughout
  • Non-NAT GIST nodes less complicated: easier deployment (?)
  • Cascades of NATs handled easier: testing (?)

— GIST peers handle NAT-induced inconsistency
  • Necessary in order to provide IPsec/TLS; in such installations GIST peers already interact with IPsec/TLS, key management, OCSP. Thus, NAT handling is another such overhead.


Scope

— Coordination of GIST and address translation in the NAT (NATs are routers too) ?
— Coordination of NSLP functionality with NAT functionality (i.e. flow identification before or after translation) ?
— Security considerations
  • Installation of bindings as a result of signalling.
  • NAT vs NSIS policies; conflict avoidance ?


Open issues

— When should a (bidirectional) NAT binding be installed?
  — When signalling exists in one direction?
  — When signalling exists in both directions?
— Compatibility with GIST spec
— GIST/NSLP unaware NATs


Conclusion

NAT traversal at the GIST layer…
— involves addressing many (sub)cases
— raises “new” security concerns
— is likely to require a document of considerable length

Is the draft a reasonable basis for further discussion?

Feedback solicited!