
NATFW NSLP overview




  1. NATFW NSLP overview

  2. Document history
     • v00 - Jan 27th - Creation

  3. Agenda
     • Introduction
     • NATFW NSLP mode of operation
     • Things to fix

  4. Introduction
     • NATFW NSLP scope - to be added later
     • NATFW NSLP deployment scenarios:
       • DS behind NAT
       • DR behind NAT
       • Same for FW and for NATFW
     • Intra-realm communications

  5. Intra-realm communications
     [Diagram: Alice (k.l.m.n/30) on "the net"; Bob (a.b.c.d) in the a.b.c.1/24 realm behind an NSIS-aware NAT/FW whose outside address is a.b.c.e.]
     Alice wants to talk to Bob.
     How to avoid useless resource spending on NATs and firewalls (potentially even QoS gates)? Let Bob provide to Alice both his locally scoped and globally scoped addresses.

  6. Intra-realm communications
     [Diagram: Alice on "the net"; two realms that both use a.b.c.1/24, each behind its own NSIS-aware NAT/FW + QoS NSLP; Bob in one realm and Phil in the other both hold the local address a.b.c.d. Other addresses shown: k.l.m.n/30, a.b.c.e, e.f.g.h/30.]
     Alice wants to talk to Phil.
     Locally scoped addresses could obviously overlap; a solution needs to be provided to handle that case.

  7. Intra-realm communications - NAT stacking
     [Diagram: Alice in the Sales/HR realm behind NAT1, then NATFW2, then NAT3 at ISP x; Trudy, Bob and Max in Foo.com. One of the candidate paths is marked "Need to avoid this path from being taken".]
     Same problem but getting worse …

  8. Intra-realm communications - NAT stacking
     [Same diagram with addresses: Alice 10.1.2.3, 192.168.1.2 at the NAT3 side, 137.121.5.8 on the ISP x side. The direct path is marked "Preferred Path!!!"; the other is marked "Need to avoid this path from being taken".]

  9. Intra-realm communications - NAT stacking
     [Same diagram, annotated with the REA list as it grows at each hop away from Alice:]
     1-REA: [10.1.2.3]
     2-REA: [10.1.2.3 | 192.168.1.3]
     3-REA: [10.1.2.3 | 192.168.1.3 | 137.121.5.8]
     4-REA: [10.1.2.3 | 192.168.1.3 | 137.121.5.8]

  10. Intra-realm communications
     • Issues with the non-optimal paths:
       • Aside from being non-optimal …
       • Certain NATs do not support the required loopback behavior
     • Proposed solution:
       • Communicate several NR addresses to the NI
       • The first response received from an NR will hint the NR address to use for the rest of the messages
       • NSIS messages need to be sent simultaneously and not sequentially (i.e. don't wait for responses)

  11. Intra-realm communications
     • Proposed solution - continued:
       • Communicate several NR addresses to the NI
       • The first response received from an NR will hint the NR address to use for the rest of the messages
       • NSIS messages need to be sent simultaneously and not sequentially (i.e. don't wait for responses)
       • The reserve message needs to be intercepted by intermediate NATs (before reaching the edge NAT)
       • These intermediate NATs need to provide the translated address as well
     • User application impacts:
       • Several NR addresses need to be provided
     • NTLP impacts:
       • Although a messaging association was already linked to a destination address, it needs to be re-checked whether it is still applicable, to avoid confusion caused by overlapping locally scoped addresses
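The following script is an added example, not part of the slides, that simulates what slides 9 to 11 describe: the REA list growing by one translated address at each NSIS-aware NAT the reserve message crosses, the NI sending CREATE to every address in that list at once and keeping the first one that answers, and a check for candidates that overlap the NI's own realm (the open issue of slides 6 and 27). The names Nat, accumulate_rea, overlapping_candidates and select_nr_address, the response timings, and the assumption that NAT3 is not NSIS-aware (slide 9's 4-REA equals 3-REA) are mine.

```python
"""Added example (not from the slides): REA list growth and NI fan-out.

Each NSIS-aware NAT crossed by the reserve message appends the address it
translates the NR to, so the NI ends up with several NR addresses. The NI
sends CREATE to all of them simultaneously and keeps the address of the
first NR that answers. All class and function names are hypothetical.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Nat:
    name: str
    external_addr: str   # address this NAT exposes for the NR's flow (constructed)
    nsis_aware: bool = True


def accumulate_rea(nr_local_addr, path):
    """Walk the reserve message outward through the NAT stack.

    Returns the REA list as it stands after each hop, mirroring the
    1-REA .. 4-REA lists of slide 9. A NAT that is not NSIS-aware forwards
    the message untouched, so the list does not grow at that hop.
    """
    rea = [nr_local_addr]
    per_hop = [list(rea)]
    for nat in path:
        if nat.nsis_aware:
            rea.append(nat.external_addr)
        per_hop.append(list(rea))
    return per_hop


def overlapping_candidates(candidates, ni_local_prefixes):
    """Return the candidate NR addresses that also fall inside the NI's own
    realm. Such an address may be answered by a local node instead of the
    remote NR (slides 6 and 27), so the NI should know which candidates are
    ambiguous before trusting a response received on them."""
    nets = [ipaddress.ip_network(p) for p in ni_local_prefixes]
    return [a for a in candidates
            if any(ipaddress.ip_address(a) in n for n in nets)]


def select_nr_address(candidates, responses):
    """Send CREATE to every candidate at once (slide 10: do not wait for
    responses) and return the address whose response arrives first.

    `responses` maps address -> simulated arrival time in ms, or None when
    nothing ever comes back on that address. Returns None if nobody answered.
    """
    answered = []
    for addr in candidates:
        t = responses.get(addr)
        if t is not None:
            answered.append((t, addr))
    if not answered:
        return None
    return min(answered)[1]


# Constructed sample data following slide 9: Alice (the NR) at 10.1.2.3 behind
# NAT1 and NATFW2; NAT3 is assumed not NSIS-aware because 4-REA equals 3-REA.
NAT_PATH = [
    Nat("NAT1", "192.168.1.3"),
    Nat("NATFW2", "137.121.5.8"),
    Nat("NAT3 (ISP x)", "198.51.100.7", nsis_aware=False),  # address made up
]
# Simulated CREATE responses seen by the NI: nothing answers on the private
# address, the 192.168.1.3 candidate answers before 137.121.5.8.
SAMPLE_RESPONSES = {"10.1.2.3": None, "192.168.1.3": 12, "137.121.5.8": 30}


def demo():
    per_hop = accumulate_rea("10.1.2.3", NAT_PATH)
    final_rea = per_hop[-1]
    ambiguous = overlapping_candidates(final_rea, ["10.1.0.0/16"])
    chosen = select_nr_address(final_rea, SAMPLE_RESPONSES)
    return per_hop, ambiguous, chosen


if __name__ == "__main__":
    hops, ambiguous, chosen = demo()
    for i, rea in enumerate(hops, 1):
        print(f"{i}-REA: [{' | '.join(rea)}]")
    print("candidates overlapping the NI's own realm:", ambiguous)
    print("NR address to use for the rest of the session:", chosen)
```

Running it prints the four REA lists of slide 9, flags 10.1.2.3 as overlapping the NI's realm (the 10.1.0.0/16 prefix is a constructed assumption), and selects 192.168.1.3 because its response arrived first.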

  12. NSIS NATFW NSLP life cycle
     [State diagram: Start → "NSIS NATFW activated" → "NR behind NAT discovery" → decision "Behind a NAT?" → NRBNAT=1 or NRBNAT=0 → Idle.]

  13. NSIS NATFW NSLP life cycle: NI
     [State diagram, NI side. Idle: on an initiator event, set n=MAXRTX and send the Create message to all provided recipients*, then enter Snd-CREATE (run timer and wait for response). Snd-CREATE: Path-Succeeded** → Stateinstalled; error msg → St-Instl-Flure; timeout → n--, and if n>0 resend (yes) else St-Instl-Flure (no); any other message → drop. St-Instl-Flure: inform upper layers → Idle.]
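As an added example (not part of the slides), the NI Create machine of slide 13 written as a small event-driven class: Idle, Snd-CREATE with the MAXRTX retransmission budget, Stateinstalled and St-Instl-Flure. The class and function names, the value MAXRTX=3 (the slide names the constant but gives no value) and the event names are my assumptions.

```python
"""Added example (not from the slides): the NI CREATE retransmission machine
of slide 13. Names, event strings and the MAXRTX value are hypothetical.

Idle --initiator event--> n=MAXRTX, send CREATE to all recipients, Snd-CREATE.
Snd-CREATE: path-succeeded -> Stateinstalled; error -> St-Instl-Flure;
timeout -> n--, resend while n>0, else St-Instl-Flure; anything else dropped.
St-Instl-Flure informs the upper layers and returns to Idle.
"""
from enum import Enum

MAXRTX = 3  # retransmission budget (assumed value)


class State(Enum):
    IDLE = "Idle"
    SND_CREATE = "Snd-CREATE"
    STATE_INSTALLED = "Stateinstalled"
    ST_INSTL_FAILURE = "St-Instl-Flure"


class NatfwInitiator:
    def __init__(self, recipients, maxrtx=MAXRTX):
        self.recipients = list(recipients)
        self.maxrtx = maxrtx
        self.state = State.IDLE
        self.n = 0
        self.sent = []          # (attempt number, recipient) for every CREATE sent
        self.upper_layer = []   # notifications handed to the upper layers
        self.trace = [State.IDLE]

    def _enter(self, state):
        self.state = state
        self.trace.append(state)

    def _send_create(self):
        attempt = self.maxrtx - self.n + 1
        for addr in self.recipients:      # all provided recipients at once
            self.sent.append((attempt, addr))
        self._enter(State.SND_CREATE)     # run timer and wait for a response

    def _fail(self, reason):
        self._enter(State.ST_INSTL_FAILURE)
        self.upper_layer.append(f"state install failure: {reason}")
        self._enter(State.IDLE)

    def initiator_event(self):
        """Upper layer asks for NAT/FW state to be installed."""
        if self.state is not State.IDLE:
            raise RuntimeError("initiator event only valid in Idle")
        self.n = self.maxrtx
        self._send_create()

    def handle(self, event):
        """Feed one event ('path-succeeded', 'error', 'timeout' or any other
        message name) and return the state after processing it."""
        if self.state is not State.SND_CREATE:
            return self.state             # only the Snd-CREATE state is modelled
        if event == "path-succeeded":
            self._enter(State.STATE_INSTALLED)
            self.upper_layer.append("state installed")
        elif event == "error":
            self._fail("error message received")
        elif event == "timeout":
            self.n -= 1
            if self.n > 0:
                self._send_create()
            else:
                self._fail("no response after MAXRTX attempts")
        # any other message: drop and keep waiting
        return self.state


def run(recipients, events, maxrtx=MAXRTX):
    """Drive one initiator through a scripted event list; return the machine."""
    ni = NatfwInitiator(recipients, maxrtx)
    ni.initiator_event()
    for ev in events:
        ni.handle(ev)
    return ni


if __name__ == "__main__":
    ok = run(["10.1.2.3", "192.168.1.3"], ["some-other-msg", "timeout", "path-succeeded"])
    print("success:", [s.value for s in ok.trace], ok.upper_layer)
    bad = run(["10.1.2.3", "192.168.1.3"], ["timeout", "timeout", "timeout"])
    print("failure:", [s.value for s in bad.trace], bad.upper_layer, len(bad.sent), "CREATEs sent")
```

With two recipients, the failing run sends 3 × 2 = 6 CREATE messages before St-Instl-Flure is reached, which is the kind of bound a practitioner wants to know when sizing the load an NI can put on the NATs in front of it.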

  14. NSIS NATFW NSLP life cycle: NI
     [State diagram, NI side, continued. Stateinstalled: run the STRF** timer and wait for state-change triggers. Received delete msg → inform upper layers → Idle. Upper layer requested → Reason? ("Trigger test"): delete → ST-Delete (send delete msg) → Idle; modify → ST-Refresh/Modify. Timeout → ST-Refresh. Any other msgs → drop. St-Instl-Flure: inform upper layers, then Negotiate? yes → Snd-CREATE, no → Idle.]

  15. NSIS NATFW NSLP life cycle: NI
     [State diagram, NI side, continued. ST-Refresh: send Refresh* → Stateinstalled. Modify: n=MAXRTXMDFY, send Modify**, run timer and wait for response. Path-Succeeded*** → Stateinstalled; error msg → MD-St-Instl-Flure; timeout → n--, resend if n>0 else MD-St-Instl-Flure; any other message → drop. MD-St-Instl-Flure: inform upper layers, then "Keep existing state?" yes → Stateinstalled, no → ST-Delete.]

  16. NSIS NATFW NSLP life cycle: NR
     [State diagram, NR side. NR-Idle: on an initiator event check NRBNAT; 0 → PASV-Listen; 1 → n=MAXRTX-RSV, send reserve msg, Active-Listen (run timer and wait for response). Active-Listen: received RSV Ack → inform upper layers → PASV-Listen; error msg* → inform upper layers → PASV-Listen; timeout → n--, resend if n>0 else inform upper layers → PASV-Listen; any other message → drop.]

  17. NSIS NATFW NSLP life cycle: NR
     [State diagram, NR side. PASV-Listen: received msg → check msg: Create → NR-Rcv-Create; Modify → NR-Mod-ST; Delete → inform upper layers, "Send Delete confirm?*" → NR-Idle; error msg → inform upper layers → NR-Idle (marked "??" on the slide); any other message → drop → PASV-Listen.]

  18. NSIS NATFW NSLP life cycle: NR
     [State diagram, NR side. NR-Rcv-Create: Validate? no → send error msg → NR-Idle; yes → inform upper layers, n=MAXRTX-CRACK, send create-ack, run timer and wait for response. Received create-ack Ack → PASV-Listen; "Error related to create ack?" → inform upper layers → NR-Idle; timeout → n--, resend if n>0 else inform upper layers → NR-Idle; any other msgs → PASV-Listen (marked "?" on the slide).]

  19. NSIS NATFW NSLP life cycle: NR
     [State diagram, NR side, same structure as slide 18 for modification. NR-Mod-ST: Validate? no → send error msg → NR-Idle; yes → inform upper layers, n=MAXRTX-MODACK, send mod-ack, run timer and wait for response. Received mod-ack Ack → PASV-Listen; "Error related to Mod ack?" → inform upper layers → NR-Idle; timeout → n--, resend if n>0 else inform upper layers → NR-Idle; any other msgs → PASV-Listen (marked "?" on the slide).]

  20. NSIS NATFW NSLP life cycle: NF
     [State diagram, NF side. NF-Idle: received msg → msg type: Reserve-msg → NF-Rcv-RSV; Create-msg → NF-Rcv-Create; any other msg → drop → NF-Idle.]

  21. NSIS NATFW NSLP life cycle: NF
     [State diagram, NF side. NF-Rcv-Create: Validate-authz? no → send error upstream → NF-Idle; yes → "Available resources?" no → send error upstream → NF-Idle; yes → forward create, wait for confirmation (timer). Timeout → NF-Idle; received error → forward error* → NF-Idle; received other msg → drop; received create-ack: Authz → NF-State-Install → NF-ST-Installed; no authz → "Send error - no authz" / "Send error - last node no authz" → NF-Idle. Open question on the slide: "Should we send create with error flag downstream???"]

  22. NSIS NATFW NSLP life cycle: NF
     [State diagram, NF side, reserve-message handling (NF-Rcv-RSV and NF-NATBINDRSV, n=RCVMAX). Labels recoverable from the slide: "NAT?" and "Edge NAT" decisions, "Local bind update", "Rcv bind update", "Send bind-update**", "Wait for Create*", "Received Create" → forward → NF-Rcv-Create, "Wait for RSV-Ack", "Append RSV-ack", "Send RSV-Ack", "Rcv upstream error" → forward, "Local system failure" → send error, timeout with n-- while n>0, "Delete bind/Send error", "Delete bind/forward", drop of anything else; exits go to NF-Idle or back to NF-NATBINDRSV. The exact transitions cannot be recovered from the transcript.]

  23. NSIS NATFW NSLP life cycle: NF
     [State diagram, NF side. NF-ST-Install ("Waiting for Create ack?"): other msg → drop; local system error → send error → NF-Idle; timeout → NF-Idle; rcv error msg → forward → NF-Idle; create-msg ack → forward, or "Send create ack with last NF flag" when this is the last NF → NF-ST-Installed.]

  24. NSIS NATFW NSLP life cycle: NF
     [State diagram, NF side. NF-ST-Installed: received msg → msg check: any other msg → NF-ST-Installed; local system error → send error / delete state → NF-Idle; rcv delete → delete state / forward → NF-Idle; rcv error msg → delete state, forward → NF-Idle; rcv Refresh → forward* → NF-ST-Installed; rcv modify msg → NF-Rcv-Modify.]

  25. NSIS NATFW NSLP life cycle: NF
     [State diagram, NF side. NF-Rcv-Mod: Validate-authz? no → "Send error upstream / keep existing" → NF-ST-Installed; yes → "Available resources?" no → same; yes → forward mod → NF-ST-Installmod. While waiting: received other msg → drop; received Authz mod-ack → forward → NF-ST-Installedmod; ack with no authz → "Send error - no authz" → NF-Idle; received error → forward error* → NF-Idle. (The slide also carries the labels "Received create-ack" and "NF-State-Install", apparently left over from slide 21.)]

  26. NSIS NATFW NSLP life cycle: NF
     [State diagram, NF side. NF-ST-Installmod ("Waiting for mod ack?"): other msg → drop; local system error → send error → NF-ST-Installedmod; timeout → NF-ST-Installed; rcv error msg* → NF-ST-Installed; rcv fatal error msg** → delete state / forward → NF-Idle; mod-msg ack → change state, policy check, "Was I the last NF?" yes → "Send mod ack with last NF flag***", no → forward → NF-ST-Installed. Which of NF-ST-Installed and NF-ST-Installedmod each exit reaches is not fully recoverable from the transcript.]

  27. Things to fix
     • How to benefit more from the user apps triggering the NATFW NI/NR? Particularly for key management and messaging association parameter negotiation?
     • Provide means to prevent local NEs from responding instead of remote NEs that have the same locally scoped address
