RE: [NSIS] New NATFW NSLP I-D: draft-ieft-nsis-nslp-natfw-02.txt
Hi Robert and all,
--On Saturday, 29 May 2004 23:01 +0100 "Hancock, Robert"
<robert.hancock at roke.co.uk> wrote:
| Hi all,
|
| a quick comment on the provision of N-tuples in GIMPS vs.
| their provision in an NSLP.
|
| This question actually came up (from several sources) during
| the framework development. The result of that discussion was
| to make a firm distinction between:
| 1) the information needed to route a signalling message, and
| the information that a NAT needs to be able to rewrite, and
| 2) additional information needed by an NSLP
|
| The hope/view is that (1) is fixed and fairly common to all
| scenarios, but (2) could vary wildly. (1) is in GIMPS but (2)
| is definitely not (and never should be). If more fine-grained
| information is needed, then (2) has to be defined by the NSLP.
| (Note that the NSLP should not define a complete classifier,
| but just the 'extra bits'.) I can see firewall signalling being
I agree that additional information beyond the flow information is
carried within NSLPs. The policy rule object is actually intended to
carry additional information only.
| a reasonable case of this: you often do see policies expressed
| in terms of TCP flags, but it's very unlikely that TCP flag
| setting would affect routing or be re-written by NATs (that
| is, such information would never be part of (1) and carried by
| GIMPS).
Yes, that's additional information independent of routing and NATs. In my
opinion, TCP flags to be set or not to be set are out of scope of the NATFW NSLP
definition and are more a subject of local policies. So a local NATFW NSLP
node can decide on its own whether firewall rules evaluate TCP flags or not.
The MIDCOM semantics, for instance, provide a hint for middleboxes with the
'direction of flow' parameter. This parameter says from where the flow will
come and how TCP flags should be observed at the firewall/NAT.
Martin
_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis