
NFCC Packet Filter Control Protocol

NFCC Packet Filter Control Protocol. NFCC Control Protocol Characteristics. NFCC requires a control protocol for clients to dynamically update policy. Must fulfill NFCC functional requirements. Must be efficient (traverses air interface).

lowri

Presentation Transcript


  1. NFCC Packet Filter Control Protocol

  2. NFCC Control Protocol Characteristics
     • NFCC requires a control protocol for clients to dynamically update policy.
     • Must fulfill NFCC functional requirements.
     • Must be efficient (traverses air interface).
     • Must present an appropriate security model for NFCC use cases.
     • Should be light enough to easily implement on mobile nodes.

  3. NSIS NAT/FW NSLP
     • The NSIS NAT/FW NSLP was designed for path coupled configuration of NAT and packet filtering devices.
     • NSLP is a candidate for the NFCC control protocol.
     • NSLP has some potential risks in the context of NFCC.

  4. NSLP Risks
     • Does path coupled signaling work?
     • Asymmetric routing?
     • When nothing is transmitted (open a passive socket use case)?
     • Is a soft state model best?
     • Cost of state refreshing?
     • Vulnerabilities introduced by obsolete state?
     • No defined filtering model.
     • Implied model is filtering only on single source and destination addresses and ports.

  5. NSLP Risks (Continued)
     • No transactional semantics.
     • Atomic creation/deletion of sets of rules is important to avoid unintentional vulnerabilities.
     • Complex trust model.
     • All NSLP middleboxes must be able to decrypt and rewrite control messages.
     • Incomplete security model.
     • Firewall session authentication and authorization not yet defined.
     • No end to end security by design.

  6. NSLP Risks (Continued)
     • NSLP is currently incomplete.
     • Complete in time for NFCC?
     • Will it support all of NFCC requirements (don’t let the tail wag the dog)?
     • Will such a novel and complex protocol work?
     • NSLP currently looks to be relatively complex (and expensive) to implement.

  7. PFCP
     • PFCP (Packet Filter Control Protocol) is an alternative to NSLP.
     • Designed, ground up, for NFCC requirements.
     • Light-weight and efficient on the air interface.
     • Client-server rather than path coupled.
     • Hard state rather than soft state.
     • Simple trust model and complete security model.
     • Security from existing standards (TLS or IPsec).
     • Complete specification available.

  8. Why Client-Server?
     • Client-server works as well as path coupling.
     • Automated server discovery (DNS, DHCP).
     • Server knows network topology and updates filters as required.
     • Server can act as client to servers in adjacent networks.

  9. Client Server is Better
     • Client–server is better than path coupling.
     • Works with asymmetric routing.
     • Works with NFCC use cases such as passive sockets.
     • Packet filtering technology doesn’t need to be NFCC enabled.
     • Leverage existing security protocols.
     • Simpler to specify and implement.

  10. Conclusion
     • 3GPP2 needs to evaluate the technical risks associated with adopting the NAT/FW NSLP for NFCC.
     • PFCP is provided as a specific alternative control protocol for consideration.
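
Slide 5's point about transactional semantics, as an added example (not part of the original presentation and not taken from the PFCP specification): a hypothetical rule table with constructed rules, showing how a rule-set update applied piece by piece can fail midway and drop an existing deny rule, while an atomic update leaves the old set in force. The class, method names and rule fields are assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str
    dst_port: int

def validate(rule):
    if rule.action not in ("allow", "deny") or not 0 < rule.dst_port < 65536:
        raise ValueError(f"rejected rule: {rule}")

class FilterTable:
    """Hypothetical hard-state rule table; not PFCP's message format."""
    def __init__(self, rules):
        self.rules = set(rules)

    def apply_piecemeal(self, delete, add):
        # Every operation takes effect at once, so a failure midway leaves
        # a rule set the client never requested.
        for r in delete:
            self.rules.discard(r)
        for r in add:
            validate(r)
            self.rules.add(r)

    def apply_atomic(self, delete, add):
        # Build the new set on a copy; install it only if every step succeeds.
        staged = set(self.rules) - set(delete)
        for r in add:
            validate(r)
            staged.add(r)
        self.rules = staged

# Constructed sample: the client replaces its block list, but one new rule is malformed.
OLD = [Rule("deny", "tcp", 23), Rule("deny", "tcp", 445)]
NEW = [Rule("deny", "tcp", 23), Rule("deny", "tcp", 70000), Rule("deny", "tcp", 445)]

def run_update(method_name):
    table = FilterTable(OLD)
    try:
        getattr(table, method_name)(delete=OLD, add=NEW)
    except ValueError:
        pass  # the failure is reported; what matters is the table left behind
    return table.rules

if __name__ == "__main__":
    print("piecemeal:", sorted(r.dst_port for r in run_update("apply_piecemeal")))
    print("atomic:   ", sorted(r.dst_port for r in run_update("apply_atomic")))
```

After the failed piecemeal update the deny rule for port 445 is gone even though the client never asked to remove it; the atomic path keeps both original deny rules.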
