[NSIS] NATFW NSLP: Blocking unwanted traffic
Hi,
Allison and Franck brought up an idea regarding the NATFW NSLP and the
policy rules that can be installed at Firewalls.
Let me first go back to what the NATFW NSLP can do right now:
The NATFW NSLP document assumes that Firewalls are configured 'default to
deny', meaning that all data packets that are not explicitly allowed to
traverse are blocked. This assumption holds for NATs as well, as there is
no way of data packets traversing unless there is a NAT configuration for
them.
Now talking about Firewalls only: NATFW NSLP creates this type of firewall
rule at a Firewall (but is not limited to it):
ALLOW from IP(DS) to IP(DR) transport-protocol=TCP source-port=XX dest-port=YY
DS = data sender, DR = data receiver
The overall goal is to get data packets through Firewalls (and NATs too)
and therefore open pinholes.
The issue brought up: Should there be support for Firewalls that are
'default to accept' and therefore it should be possible to load firewall
rules that BLOCK certain data packets?
A firewall rule example for this case:
BLOCK from IP(DS) to IP(DR) transport-protocol=ANY
This blocking would be helpful for clients to block certain traffic at
Firewalls, for instance, mobile nodes could stop wasting their wireless
bandwidth with undesired incoming data packets.
There are some implications of supporting this:
- NSLP would have to carry further information about the action (allow,
block) in the policy rule object. (minor issue)
- the NSLP must find the appropriate firewall to install the firewall rules
(major issue):
There is already a procedure to find NATs at the receiver's side (reserve
mode) and this would have to be extended to find Firewalls. This is
not a problem in environments with only one Firewall. The NTLP would have
to route the message upstream to the first Firewall. But in environments
with several Firewalls in parallel (multihoming) and in sequence this
might get tricky. The NSLP/NTLP must know which of the Firewalls is the
one that would handle the incoming data packets.
I hope that I have captured the issue in the right way. Otherwise Allison
and Franck are requested to correct me.
Martin
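The two rule shapes from the mail above, parsed and evaluated against a firewall's default policy, as an added illustration that is not part of the original message or of the NATFW NSLP specification. It shows why the action field matters: a BLOCK rule only changes the outcome on a default-to-accept firewall, and an ALLOW rule only on a default-to-deny one. Addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Rule syntax as in the mail (addresses/ports below are constructed sample values):
#   ALLOW from 192.0.2.10 to 198.51.100.7 transport-protocol=TCP source-port=4000 dest-port=80
#   BLOCK from 192.0.2.10 to 198.51.100.7 transport-protocol=ANY
# A packet is modelled as the 5-tuple (src, dst, proto, sport, dport).
Packet = Tuple[str, str, str, int, int]

@dataclass(frozen=True)
class Rule:
    action: str            # "ALLOW" or "BLOCK": the action field of the policy rule object
    src: str               # IP(DS), data sender
    dst: str               # IP(DR), data receiver
    proto: str             # "TCP", "UDP" or "ANY"
    sport: Optional[int]   # None = any source port
    dport: Optional[int]   # None = any destination port

def parse_rule(text: str) -> Rule:
    """Parse one textual rule; raises ValueError on malformed input."""
    tok = text.split()
    if len(tok) < 5 or tok[1] != "from" or tok[3] != "to":
        raise ValueError(f"malformed rule: {text!r}")
    action = tok[0].upper()
    if action not in ("ALLOW", "BLOCK"):
        raise ValueError(f"unknown action: {tok[0]!r}")
    src, dst = str(ipaddress.ip_address(tok[2])), str(ipaddress.ip_address(tok[4]))
    opts = {"transport-protocol": "ANY", "source-port": "ANY", "dest-port": "ANY"}
    for kv in tok[5:]:
        key, sep, val = kv.partition("=")
        if not sep or key not in opts:
            raise ValueError(f"unexpected option: {kv!r}")
        opts[key] = val.upper()
    port = lambda k: None if opts[k] == "ANY" else int(opts[k])
    return Rule(action, src, dst, opts["transport-protocol"], port("source-port"), port("dest-port"))

def matches(rule: Rule, pkt: Packet) -> bool:
    src, dst, proto, sport, dport = pkt
    return (rule.src == src and rule.dst == dst
            and rule.proto in ("ANY", proto.upper())
            and rule.sport in (None, sport) and rule.dport in (None, dport))

def decide(rules: Sequence[Rule], pkt: Packet, default: str) -> str:
    """First matching rule wins, else the firewall's default policy applies:
    default="BLOCK" models a default-to-deny firewall, "ALLOW" a default-to-accept one."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default
```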
_______________________________________________
nsis mailing list
nsis at ietf.org
https://www1.ietf.org/mailman/listinfo/nsis