NATFW NSLP Implementation

1
NAT/FW NSLP Implementation

• Presentation given by Hannes Tschofenig
• Implemented by Henning Peters

2
Current Status

• Working C NATFW NSLP prototype
• Based on Univ. Goettingen GIST implementation
• Essential features are covered, including proxy
  modes (DS behind NAT, DR behind NAT) and all
  basic behavior, (CREATE/REFRESH/TEARDOWN/RESPONSE,
  REA/RESPONSE)
• TODO
• Firewall Interaction
• Interaction with a AAA server
• Performance evaluation and improvements
  (including refinement of memory management)
• Development time 2 man-months (including work
  on GIST)

3
Big picture
4
Details

• GNU/Linux kernel 2.6.x as development platform
• NAT/FW API using Linux iptables/netfilter
• Splitted into three processes
• GIST server, NAT/FW server, NAT/FW client
• All GIST / NAT/FW client/server communication
  over UNIX sockets
• See performance overhead paper from X. Fu et. al
  on GIST http//www.tmg.informatik.uni-goettingen.
  de/publications
• Using code generation for object construction and
  FSM 1000 lines of code
• Virtual machines were used for testing

5
Conclusion

• Issues filed as part of the implementation
  experience.
• E.g., REA/UCREATE separation, Missing ports using
  REA, how to update MRI at NATs, terminology
• Some already resolved in the current draft
• https//kobe.netlab.nec.de/roundup/nsis-natfw-nslp
  /index
• Some amount of energy went into GIST code to make
  things more generic (e.g., FSM, objects, timers).
  
• ? Easier job for new NSLP implementation using
  this GIST implementation