Title: GIST NAT traversal and Legacy NAT traversal for GIST http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-gimps-nattraversal-03.txt AND http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-legacy-nattraversal-03.txt
1. GIST NAT traversal and Legacy NAT traversal for GIST
http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-gimps-nattraversal-03.txt
http://www.ietf.org/internet-drafts/draft-pashalidis-nsis-legacy-nattraversal-03.txt
- A. Pashalidis, H. Tschofenig
2. NAT Traversal
- Previous document split in two:
  - GIST NAT Traversal: the NAT is GIST-aware.
  - Legacy NAT traversal for GIST: the NAT does not know anything about NSIS.
- Online, but not submitted to IETF yet.
- Reason for splitting: material in one document does not affect material in the other.
3. GIST NAT Traversal
- Document (still) covers two approaches: transparent and non-transparent.
- Both approaches are compatible with the GIST main spec.
- However, only the non-transparent approach makes use of the GIST NAT Traversal Object.
4. Transparent Approach
Message flow (figure: GIST peer 1 -> NAT -> GIST peer 2):
1. GIST QUERY (peer 1 to NAT)
2. NAT translates the flow ID (MRI) according to the NAT binding and puts the NAT IP address in the NLI.IA field
3. GIST QUERY (translated) to peer 2
4. GIST RESPONSE (sent to NLI.IA)
5. NAT translates MRI and NLI.IA back to the original values
6. GIST RESPONSE (translated) to peer 1
- NAT translates IP header, transport layer header, and GIST header of signalling traffic (D-mode and C-mode) in a manner consistent with the data flow NAT binding.
- NAT does not install a separate NAT binding for signalling traffic (the translation above suffices).
- Approach hides internal addresses from the public Internet.
- Approach does not work if IPsec/TLS is used!
5. Non-transparent Approach
Message flow (figure: GIST peer 1 -> NAT -> GIST peer 2):
1. GIST QUERY (peer 1 to NAT)
2. NAT adds the NAT Traversal Object (NTO)
3. GIST QUERY (with NTO) to peer 2
4. GIST RESPONSE (with NTO) to NAT
5. NAT removes the NTO
6. GIST RESPONSE (without NTO) to peer 1
- Message 3 contains the translated and the original MRI, thus peer 2 can map subsequent signalling messages (with untranslated MRI) to the data flow.
- NAT installs a NAT binding for signalling traffic after the RESPONSE is received.
- NAT does not modify any GIST messages except QUERY and RESPONSE.
- Internal addresses are exposed on the public Internet.
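As an added illustration (not code from the drafts or these slides), the following Python model walks the QUERY/RESPONSE exchange of slides 4 and 5 through a simulated NAT in both modes and then sends a later integrity-protected C-mode message. It makes visible the two trade-offs the slides state: the transparent approach hides the internal address from peer 2 but has to rewrite the GIST header of every signalling message, so an integrity tag computed by peer 1 no longer verifies (the "does not work if IPsec/TLS is used" caveat); the non-transparent approach leaves later messages untouched, at the price of exposing the internal address inside the NTO and of an extra signalling binding on the NAT. The addresses, the `GistMessage` fields, the `Nat` and `Peer2` classes and the HMAC used as a stand-in for TLS/IPsec protection are all assumptions of this example, not definitions from the drafts.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

# Constructed addresses for this example (not taken from the drafts).
INTERNAL_IP = "10.0.0.5"        # GIST peer 1, behind the NAT
NAT_PUBLIC_IP = "198.51.100.1"  # public side of the NAT
PEER2_IP = "203.0.113.9"        # GIST peer 2, on the public Internet

MRI = Tuple[str, str]  # flow ID as (source address, destination address)


@dataclass
class GistMessage:
    kind: str                        # "QUERY", "RESPONSE" or "C-MODE"
    mri: MRI                         # Message Routing Information (flow ID)
    nli_ia: str                      # NLI interface address that replies are sent to
    nto: Optional[dict] = None       # NAT Traversal Object (non-transparent approach only)
    integrity: Optional[str] = None  # assumed stand-in for a TLS/IPsec integrity tag


def integrity_tag(msg: GistMessage, key: bytes) -> str:
    """HMAC over the fields a transparent NAT would rewrite (assumption: models TLS/IPsec)."""
    data = f"{msg.kind}|{msg.mri}|{msg.nli_ia}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Nat:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip
        self.data_bindings: Dict[str, str] = {}        # internal IP -> public IP (data flow)
        self.signalling_bindings: Dict[str, str] = {}  # only the non-transparent approach installs these

    def bind_data_flow(self, internal_ip: str) -> None:
        self.data_bindings[internal_ip] = self.public_ip

    def translate_mri(self, mri: MRI) -> MRI:
        return (self.data_bindings[mri[0]], mri[1])

    def untranslate_mri(self, mri: MRI) -> MRI:
        internal = next(i for i, p in self.data_bindings.items() if p == mri[0])
        return (internal, mri[1])

    def outbound(self, msg: GistMessage, transparent: bool) -> GistMessage:
        if transparent:
            # Transparent approach (slide 4): rewrite MRI and NLI.IA on every signalling message.
            return replace(msg, mri=self.translate_mri(msg.mri), nli_ia=self.public_ip)
        if msg.kind == "QUERY":
            # Non-transparent approach (slide 5): only the QUERY is touched, by adding an NTO.
            nto = {"original_mri": msg.mri, "translated_mri": self.translate_mri(msg.mri)}
            return replace(msg, nto=nto)
        return msg

    def inbound(self, msg: GistMessage, internal_ip: str, transparent: bool) -> GistMessage:
        if transparent:
            return replace(msg, mri=self.untranslate_mri(msg.mri), nli_ia=internal_ip)
        if msg.kind == "RESPONSE":
            self.signalling_bindings[internal_ip] = self.public_ip  # installed once the RESPONSE arrives
            return replace(msg, nto=None)
        return msg


class Peer2:
    """Public-side GIST peer: maps the MRI seen in signalling to the data-flow MRI."""

    def __init__(self):
        self.flow_by_mri: Dict[MRI, MRI] = {}

    def handle_query(self, query: GistMessage) -> GistMessage:
        if query.nto:
            # Later messages arrive with the untranslated MRI; remember which data flow they belong to.
            self.flow_by_mri[query.nto["original_mri"]] = query.nto["translated_mri"]
        else:
            self.flow_by_mri[query.mri] = query.mri
        return GistMessage("RESPONSE", query.mri, query.nli_ia, nto=query.nto)

    def data_flow_for(self, msg: GistMessage) -> MRI:
        return self.flow_by_mri[msg.mri]


def run_exchange(transparent: bool, key: bytes = b"constructed-session-key") -> dict:
    nat = Nat(NAT_PUBLIC_IP)
    nat.bind_data_flow(INTERNAL_IP)  # the data-flow binding exists before signalling starts
    peer2 = Peer2()
    # Steps 1-3: QUERY from peer 1 through the NAT to peer 2
    query = GistMessage("QUERY", (INTERNAL_IP, PEER2_IP), INTERNAL_IP)
    query_at_peer2 = nat.outbound(query, transparent)
    # Steps 4-6: RESPONSE from peer 2 back through the NAT to peer 1
    response_at_peer1 = nat.inbound(peer2.handle_query(query_at_peer2), INTERNAL_IP, transparent)
    # A later integrity-protected C-mode message carrying the MRI that peer 1 knows
    cmode = GistMessage("C-MODE", (INTERNAL_IP, PEER2_IP), INTERNAL_IP)
    cmode.integrity = integrity_tag(cmode, key)
    cmode_at_peer2 = nat.outbound(cmode, transparent)
    return {
        "mri_seen_by_peer2": query_at_peer2.mri,
        "internal_address_exposed": INTERNAL_IP in repr(query_at_peer2),
        "mri_back_at_peer1": response_at_peer1.mri,
        "signalling_bindings": dict(nat.signalling_bindings),
        "cmode_integrity_ok": hmac.compare_digest(cmode_at_peer2.integrity, integrity_tag(cmode_at_peer2, key)),
        "cmode_mapped_to_flow": peer2.data_flow_for(cmode_at_peer2),
    }


if __name__ == "__main__":
    for transparent in (True, False):
        print("transparent" if transparent else "non-transparent", run_exchange(transparent))
```

Running the model shows `cmode_integrity_ok` false only in the transparent mode, because the NAT had to change the MRI under the tag, while `internal_address_exposed` and a non-empty `signalling_bindings` appear only in the non-transparent mode.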
6. Legacy NAT Traversal for GIST
- Extension to GIST
- For now, no changes in message formats required.
- Just new behaviour at GIST nodes.
7. Legacy NAT traversal, NI-side
Message flow (figure: GIST peer 1 -> NAT -> GIST peer 2; afterwards a UDP tunnel carries both data and signalling):
1. GIST QUERY (peer 1 to NAT)
2. GIST QUERY (NAT to peer 2); peer 2: "NAT detected!"
3. GIST RESPONSE (peer 2 to NAT)
4. GIST RESPONSE (NAT to peer 1); peer 1: "NAT detected!", does the NAT work
- Peer 2 detects the NAT and proposes a UDP tunnel.
- Peer 1 detects the NAT and sets up the UDP tunnel.
- Both data traffic and signalling traffic are sent over the tunnel.
8. Legacy NAT traversal, NR-side
Work in progress