NAT traversal for GIST in 300 seconds http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-gimps-nattraversal-00.txt - PowerPoint PPT Presentation
Slides: 12
Provided by: hannestsch6
Learn more at: http://www.ietf.org
Transcript and Presenter's Notes
1
NAT traversal for GIST in 300 seconds
http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-gimps-nattraversal-00.txt
  • A. Pashalidis, H. Tschofenig

3
Types of NAT
  • Need to consider different types of NAT, i.e. NATs that
    • (1) modify only IP addresses (port-preserving)
    • (2) modify IP addresses and port numbers
    • (3) use a single public IP address
    • (4) dynamically allocate IP addresses to flows
    • (5) are NSIS-aware, and
      • do not implement the NSLP that is being signalled
      • do implement the NSLP that is being signalled
    • (6) are NSIS-unaware
  • Draft assumes type (2) and (4) NATs; types (1) and
    (3) are special cases. Type (6) NATs not (yet?)
    considered.
  • Cascades of NATs considered, but no parallel
    NATs.

4
Two approaches
  • Approach 1: a GIST-aware NAT translates GIST header
    fields (both D and C mode) in a way that is consistent
    with the translation it applies to the IP header of the
    data flow.
  • Approach 2: a GIST-aware NAT adds information to GIST
    discovery messages; GIST peers then use this
    information to map subsequent signalling to data flows.
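A small Python model of the two approaches, added here as an illustration and not taken from the draft or the slides: a port-translating NAT with a single public address applies the same binding to the data flow and to the MRI (approach 1), or leaves the MRI alone and appends the translated tuple (approach 2). The Flow/GistMsg classes, the nat_info field and the sample addresses are assumptions of this model, not GIST's real object formats.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Flow:
    """Data-flow tuple a NAT keys its binding on (addresses and ports only)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class GistMsg:
    """MRI names the data flow; nat_info is the approach-2 NAT-added info (assumed field)."""
    mri: Flow
    nat_info: tuple = ()

class GistAwareNat:
    """Single public address; allocates a fresh public port per internal (ip, port)."""
    def __init__(self, public_ip):
        self.public_ip, self.next_port, self.bindings = public_ip, 40000, {}
    def binding(self, ip, port):
        key = (ip, port)
        if key not in self.bindings:             # binding installed on first packet seen
            self.bindings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        return self.bindings[key]
    def translate_data(self, flow):
        """Ordinary NAT rewrite of the data flow's IP/transport header."""
        ip, port = self.binding(flow.src_ip, flow.src_port)
        return replace(flow, src_ip=ip, src_port=port)
    def forward_approach1(self, msg):
        """Approach 1: rewrite the MRI with the very same binding as the data flow."""
        return replace(msg, mri=self.translate_data(msg.mri))
    def forward_approach2(self, msg):
        """Approach 2: MRI untouched; append the translated tuple for downstream peers."""
        return replace(msg, nat_info=msg.nat_info + (self.translate_data(msg.mri),))

def peer_view(msg):
    """Flow a downstream GIST peer maps the signalling to (last NAT on the path wins)."""
    return msg.nat_info[-1] if msg.nat_info else msg.mri

def demo():
    nat = GistAwareNat("203.0.113.1")               # constructed sample addresses
    flow = Flow("192.168.1.10", 5000, "198.51.100.7", 9000)
    data_seen = nat.translate_data(flow)            # what the far side sees on the wire
    m1 = nat.forward_approach1(GistMsg(flow))
    m2 = nat.forward_approach2(GistMsg(flow))
    # Both approaches let the peer map signalling to the translated flow; only
    # approach 2 still carries the internal address in the original MRI.
    return (peer_view(m1) == data_seen, peer_view(m2) == data_seen, m2.mri.src_ip)
```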

5
Advantages
  • Signalling messages and data flow consistent
    throughout the network.
  • NATs remain transparent → NAT-awareness at non-NAT
    GIST nodes not required.
  • NATs do not generate mess that must be cleaned
    up elsewhere.
  • NATs do minimal extra work.
  • Works in the presence of IPsec/TLS.

7
Disadvantages
  • Does not work in the presence of IPsec/TLS.
  • NATs need to keep per-flow state (which they do
    anyway).
  • Non-NAT GIST nodes must be NAT-aware.
  • Internal network details are revealed to the
    Internet via the original MRI.
  • Depending on environment, one approach may be
    better than the other (?)

8
Which approach is taken?
  • Both, depending on whether or not TLS/IPsec is
    required
  • NATs transparently maintain consistency
    throughout
    • Non-NAT GIST nodes less complicated → easier
      deployment (?)
    • Cascades of NATs handled → easier testing (?)
  • GIST peers handle NAT-induced inconsistency
    • Necessary in order to provide IPsec/TLS in such
      installations. GIST peers already interact with
      IPsec/TLS, key management and OCSP; thus NAT
      handling is another such overhead.

9
Scope
  • Coordination of GIST and address translation in
    the NAT (NATs are routers too) ?
  • Coordination of NSLP functionality with NAT
    functionality (i.e. flow identification before or
    after translation) ?
  • Security considerations
  • Installation of bindings as a result of
    signalling.
  • NAT vs NSIS policies conflict avoidance ?

10
Open issues
  • When should a (bidirectional) NAT binding be
    installed?
    • When signalling exists in one direction?
    • When signalling exists in both directions?
  • Compatibility with GIST spec
  • GIST/NSLP-unaware NATs

11
Conclusion
  • NAT traversal at the GIST layer
    • involves addressing many (sub)cases
    • raises new security concerns
    • is likely to require a document of considerable
      length
  • Is the draft a reasonable basis for further
    discussion?
  • Feedback solicited!