wdiff draft-pashalidis-nsis-gimps-nattraversal-01.txt draft-pashalidis-nsis-gimps-nattraversal-02.txt

NSIS A. Pashalidis
Internet-Draft H. Tschofenig
Expires: April 27, August 5, 2006 Siemens
October 24, 2005
February 2006

GIST NAT Traversal for GIST
draft-pashalidis-nsis-gimps-nattraversal-01.txt
draft-pashalidis-nsis-gimps-nattraversal-02.txt

Status of this Memo

By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

This Internet-Draft will expire on April 27, August 5, 2006.

Abstract

This document describes how different types a number of mechanisms for the implementation
of Network Address
Translator (NAT) interact with the General Internet Signalling Transport (GIST) protocol. protocol [1] on
different types of Network Address Translator (NAT). The purpose focus of this
these mechanisms is the interaction of GIST with the address
translation function of the NAT, and their purpose is for
signalling traffic to traverse the NATs in a way enable GIST
hosts that preserves its
semantics are located on either side of the NAT to correctly
interpret signalling messages with respect to the data flows it corresponds traffic they
refer to. The purpose of this document is to provide guidance to
people that implement GIST and NSLPs on both NAT and non-NAT nodes.

Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Problem Statement . . . . . . . . . . . . . . . . . . . . . . 6
4. Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . 11
5. Transparent NAT traversal for GIST . . . . . . . . . . . . . . 13
5.1. NI-side NSLP-unaware GaNATs . . . . . . . . . . . . . . . 13
5.2. NR-side NSLP-unaware GaNATs . . . . . . . . . . . . . . . 18 19
5.3. NSLP-aware GaNATs . . . . . . . . . . . . . . . . . . . . 21
5.4. Combination of NSLP-aware and NSLP-unaware GaNATs . . . . 25
6. Non-transparent NAT traversal for GIST . . . . . . . . . . . . . . . . 26 27
6.1. NI-side NSLP-unaware GaNATs . . . . . . . . . . . . . . . 26 27
6.2. NR-side NSLP-unaware GaNATs . . . . . . . . . . . . . . . 30 32
6.3. GIST peer processing . . . . . . . . . . . . . . . . . . . 34 38
7. GIST-unaware NATs . . . . . . . . . . . . . . . . . . . . . . 36
8. Security Considerations . . . . . . . . . . . . . . . . . . . 39
8.1. 41
7.1. Service Denial Attacks . . . . . . . . . . . . . . . . . . 39
8.2. 41
7.2. Network Intrusions . . . . . . . . . . . . . . . . . . . . 40
9. 42
8. IAB Considerations . . . . . . . . . . . . . . . . . . . . . . 42
10. 44
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 43
11. 45
10. Normative References . . . . . . . . . . . . . . . . . . . . . 43 45
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 44 46
Intellectual Property and Copyright Statements . . . . . . . . . . 45 47

1. Introduction

Network Address Translators (NATs) modify certain fields in the IP
and transport layer header of the packets that traverse them. In the
context of signalling as specified by the General Internet Signalling
Transport (GIST) protocol [1], this behaviour may lead to the
installation of state at network nodes that may be inconsistent and
meaningless with respect to the actual data traffic that traverses these
nodes.

This document describes how mechanisms that can be used in order for GIST
signalling messages to traverse NATs in a way that preserves the
consistency of state that is installed in the network with respect to
the data flows to which the signalling messages refer. As the
mechanisms that are described in this document exclusively operate at
the GIST layer, they are transparent to signalling applications. The
document is organised as follows. The next section introduces the
terminology that is used throughout this document. Section 3
provides a detailed discussion of the NAT traversal problem and
highlights certain design decisions that have to be taken when
addressing the problem. Section 4 lists the assumptions on which the
subsequently proposed mechanisms are based. The mechanisms are
described in Section 5
presents the proposed mechanisms for "transparent" NAT traversal, and
??? Section 6. Finally, Section 7 presents
some security issues that arise in conjunction with the proposed mechanisms where such protection is
required.
described in this document.

2. Terminology

The terminology, abbreviations and notational conventions that are
used throughout the document are as follows.

o DR: Data Responder, as defined in [1]

o DS: Data Sender, as defined in [1]

o GaNAT: GIST-aware NAT - a GaNAT MAY implement a number of NSLPs.

o GIST: General Internet Messaging Protocol for Signalling [1]

o NAT: Network Address Translator

o NI: NSIS Initiator, as defined in [1]

o NR: NSIS Responder, as defined in [1]

o NSIS: Next Steps in Signalling: The name of the IETF working group
that specified the family of signalling protocols of which this
specification
document is also a member. The term NSIS is also used to refer to
this family of signalling protocols as a whole.

o GIST-aware: Implements GIST and MAY also implement a number of
NSLPs.

o GIST-unaware: GIST-unaware, does not implement any NSLP. The term
is synonymous to NSIS-unaware.

o NSLP: NSIS Signalling Layer Protocol, as defined in [1]

o downstream: as defined in [1]

o upstream: as defined in [1]

o MRI: Message Routing Information, as defined in [1]

o NLI.IA: Interface Address field of the Network Layer Information
header field,
object, as defined in [1]

o <- : Assignment operator. The quantity to the right of the
operator is assigned to the variable to its left.

o A.B: Element B of structure A. Example: [IP
header].SourceIPAddress denotes the source IP address of an IP
header.

o [data item]: This notation indicates that "data item" is a single
identifier of a data structure. (Square brackets do not denote
optional arguments in this document.)

3. Problem Statement

According to [1], all GIST messages between two peers carry IP
addresses in order to define the data flow to which the signalling
refers. Moreover, certain GIST messages also carry the IP address of
the sending peer, in order to enable the receiving peer to address
subsequent traffic to the sender. Packets that cross an addressing
boundary, say from addressing space S1 to S2, have the IP addresses
in the IP header translated from space S1 to S2 by the NAT; if GIST
payloads are not translated in a consistent manner, the MRI in a GIST
packet that crosses the boundary, e.g. from address space S1 to S2,
refers to a flow that does not exist in S2. In fact, the flow may be
invalid in S2 because at the IP address that belongs to S1 may not be
routable or invalid in S2. Moreover, the IP address of the sending
peer may also be not routable or invalid in the addressing space of
the receiving peer. The purpose of this document is to describe a
way for GIST messages to be translated in a way that is consistent
with the translation that NATs apply to the IP headers of both
signalling and the data
traffic.

A NAT may either be GIST-unaware or GIST-aware. We denote refer to a GIST-
aware NAT as a GaNAT "GaNAT" in the sequel. A GaNAT MAY also support at
least one NSLP. Note that there exists an NSLP, namely the NATFW
NSLP [2], that specifically addresses NAT traversal for data flows.
Inevitably, the NATFW NSLP also provides the necessary mechanisms for
the related signalling to traverse the NATs involved. involved NATs. Consider a
GaNAT that supports both the NATFW NSLP, and the NAT traversal
extension to GIST
mechanism that is specified described in this document. document (which operates at the
GIST layer). Suppose now that a GIST QUERY message arrives at this
GaNAT that contains the NSLP identifier (NSLPID) of the NATFW NSLP.
A question that arises is whether the GaNAT should use the GIST GIST-layer
NAT traversal extension
defined mechanism (described in this document, document), or the NATFW
NSLP mechanism, in order to provide "NAT traversal" for both the
signalling message and the data flow to which it refers. The answer
to this question is that such a GaNAT MUST should implement a policy according
to which one method is used in preference to the other. Note, however, Note that, should
however, if the GaNAT
prefer the GIST prefers GIST-layer NAT traversal to NATFW NSLP, traversal, then it will may
happen, if no on-path GaNATs exist that prefer the NATFW NSLP, that the
downsteam NATFW peer will be unable to discover any
no downstream NATFW NSLP peers. peers are discovered. This may make the
entire NATFW session obsolete.

Clearly, if It is therefore anticipated that the
NATFW NSLP will be the preferred NAT traversal mechanism in most
circumstances.

However, in certain cicumstances it may be desirable for GIST
signalling messages to traverse a GaNAT does NAT, and not desirable or possible
to use the NATFW NSLP for this purpose. Examples of such
circumstances are the following.

o GaNATs that do not implement the NATFW NSLP, then NSLP are on the only
way for path taken
by GIST signalling messages. This situation may arise during
incremental deployment of the signalling and protocols that are
developed by the data flow to traverse NSIS working group.

o GaNATs that GaNAT, is
for implement the necessary mechanisms to operate NATFW NSLP are on the path taken by GIST layer. The same
holds when
signalling messages that refer to a given data flow. However, the
NSLP that is being signalled is an NSLP other than *not* the NATFW NSLP. Enabling NSLP and there
exists no NATFW signalling session for the data flow in question.

Describing NAT traversal for GIST signalling messages in presicely these the above
circumstances is the motivation subject matter of this specification. document.

In general, a given data flow between a data sender (DS) and a data
receiver (DR) may have to traverse a number of NATs, some of which
may be GIST-and-NATFW-aware, some may be GIST-aware, and some may be
GIST-unaware. Additionally, NSLP signalling for such a data flow may
be required to traverse through a subset of those NATs. Whether or
not the routing inftrastructure infrastructure and state of the network causes the
signalling for such a data flow to traverse the same NATs as the flow
depends, among other things, on which NSLP is being signalled. While
signalling of the QoS NSLP, for example, might not traverse any of
the NATs that are traversed by the data flow, the signalling of the
NATFW NSLP traverses at least those NATs that implement the NATFW
NSLP (otherwise the signalling path would no longer be coupled to the
data path, as this coupling is defined by the GIST QUERY/RESPONSE
discovery mechanism for the "path coupled" Message Routing Method).
It is desirable that the GIST-layer NAT traversal extension for GIST provides NAT
traversal for every possible combination of NATs, either on the data
or the signalling path, in a secure manner.

Due to the GIST QUERY/RESPONSE discovery mechanism (according to
which QUERY messages are simply forwarded if the current node does
not support the required NSLP), two GIST nodes typically identify
themselves as NSLP peers only if they both implement the same NSLP.
This means that, if
If one or more NATs that are unaware of this NSLP are between them,
then the two NSLP peers are not able to discover each other at all.
This is because, even in the unlikely event that the NAT bindings
that are necessary for the GIST traffic to traverse the in-between
NAT(s) exist, the NLI.IA field included in the RESPONSE message sent
by the downstream GIST peer is invalid (or the IP address is unreachable)
in the address space of the upstream GIST peer. In order to overcome this
limitation, either the two peers need to cope with the in-between
NAT(s), or, if the NAT(s) are GaNATs, they (the GaNATs) need to apply
additional processing in order to transparently create and maintain
consistency between the information in the header of GIST signalling
messages and the information in the IP header of the data traffic.
Additionally, if NSLP-aware NATs are on the data path, then these
NATs should process NSLP traffic in a way that the preserves consistency
after address translation. This processing deviates from the
processing of NSLP-
aware NSLP-aware non-NAT nodes. In the The following sections we specify mechanisms
that aim
describe how to overcome the limitation of two adjacent GIST NSLP peers
not being able to execute an the NSLP in the presence of in-between
NAT(s).

Note that a

A number of different situations has to be dealt with, variations are possible, depending on the level
of NSIS support by a NAT. the in-between NAT(s). The following combinations
of NATs that are located between two adjacent GIST NSLP peers are
considered.

o all NAT(s) are GIST-unaware

o all NAT(s) are (NSLP-unaware) NSLP-unaware GaNAT(s)

o all NAT(s) are NSLP-aware

o a combination of the above NAT types.

The approach taken in this document is to propose separate mechanisms
for the traversal of each of the above type of NAT. If NATs that
belong to multiple types exist on the path between two adjacent NSLP
peers, the proposed mechanisms should work in combination. Thus,
traversal of multiple NATs of different types should not require
further specification from a functional perspective. However,
security issues that arise due to the combination of NAT types may
have to be considered.

A GIST-unaware NAT cannot tell data and signalling traffic apart.
The installation of the NAT binding for the signalling traffic in
such a NAT occurs typically independently from the installation of
the NAT binding for the data traffic. Furthermore, as the NAT cannot
associate the signalling and the data traffic in any way, traffic, it cannot indicate
that an association exists between the two NAT bindings. Therefore,
in the presence of such a NAT, non-NAT GIST nodes that are located on
either side of the NAT have to cope with the NAT without assistance
from the NAT. This would typically require initially discovering the
NAT and subsequently establishing an association between between the
MRI in the signalling messages and the translated IP header in the
data traffic. Due to the variety of behaviours that a GIST-unaware
NAT may exhibit, establishing this association is a non-trivial task.
Therefore, traversal of such (i.e. GIST-unaware) NATs is considered
a special case and is further discussed in
Section 7. outside the scope of this version of this
document.

Traversal of GaNAT(s) is comperatively comparatively more straightforward. This is
because, based on the MRI in a given incoming GIST message, a GaNAT
can identify the data flow to which the message refers. It can then
check its NAT binding cache and determine the translation that is
(or, if no NAT binding for the flow exists yet, will be) applied to
the IP header of the data flow. The GaNAT can then include
sufficient information about this translation into the signalling
message, such that its receiver (i.e. the GIST peer that receives the
data traffic after network address translation has been applied) can
map the signalling message to the data flow.

There exist a variety of ways for a GaNAT to encode the
abovementioned above-
mentioned information into signalling messages. In this document the
following two ways are considered.

1. Non-transparent apprach: approach: The GaNAT includes an additional "NAT
Traversal" payload (see section A.3.8 of [1]) into the GIST
header of the GIST QUERY message. This "NAT Traversal" payload
is echoed by the GIST responder on the other side of the NAT.
Both peers use
The responder (which is assumed to be located on the "other side"
of the NAT) uses the information in this payload in order to map
subsequent signalling messages to the data flows they refer to.

2. Transparent approach: The GaNAT replaces GIST header fields in a
way that is consistent with the translation it applies to the
data traffic, as necessary. The GaNAT does this for GIST QUERY
and RESPONSE messages, for D-mode as well as for C-mode messages
throughout the duration of the signalling session.

The second approach being "transparent" means that a GaNAT that
follows this approach remains completely transparent to the GIST
peers that are located either side of it. Thus, this approach works
even if these GIST peers do not support the NAT traversal object for
GIST (as described in section 7.2 of [1]). Unfortunately though, the transparent
approach does not work if the GaNAT is NSLP-unaware and
if signalling traffic is to be
cryptographically protected between the two GIST peers that are
located either side of the GaNAT. GaNAT, and the GaNAT is NSLP-unaware. If,
however, the GaNAT is NSLP-aware, then cryptographic protection is
terminated at the GaNAT (i.e. the GaNAT is a GIST peer itself). In
this scenario, it is clearly preferable for the GaNAT to follow the
transparent approach, rather than to include a NAT Traversal object.
Thus, if a GaNAT acts as a GIST peer for a signalling session, it
MUST follow the transparent approach, as described in Section 5.3.
However, due to the fact that the transparent approach does not work
if signalling is to be cryptographically protected, a GaNAT MUST also
implement the non-transparent approach (for the case where an NSLP is
signalled that the GaNAT does not support), unless the GaNAT is going
to be used only in deployments where cryptographic protection of
signalling traffic is not a requirement.

Note that a GaNAT MAY implement both approaches. If such a GaNAT is
NSLP-unaware, it can then adopt the correct desired behaviour, based on
whether or not cryptographic protection is required for the
signalling traffic between two GIST peers. If such protection is
required, the GaNAT MUST adopt the mechanisms that follow the non-
transparent approach; if it is not, it MAY follow the mechanisms
implementing the transparent approach. The GaNAT can tell whether or
not cryptographic protection is required from the stack proposals
that are exchanged proposal in
the GIST QUERY and RESPONSE messages; inclusion of IPsec or TLS
proposals amounts to cryptographic protection being required.

Regardless of which approach is taken, after a GIST response passes
through an NSLP-unaware GaNAT, the GaNAT should expect a messaging
association to be set up between the two involved GIST peers. For

4. Assumptions

The discussion in this to happen, the GaNAT has to allow traffic to traverse it. From
a security perspective, the GaNAT should allow the minimum necessary
traffic types to traverse. Additionally, the amount of per
signalling session state that document is allocated at a GaNAT should be
minimised for reasons of efficiency based on the following
assumptions.

1. No IP addresses and resistance to service denial
attacks. For these reasons, it makes sense for port numbers are carried in the GaNAT to be able
to predict with certainty which payloads of
an NSLP. If this is not the GIST responder's stack
proposal will be used by case, then the initiator NSLP has to provide
additional mechanisms for the establishement traversal of a
messaging association. This can (Ga)NATs. These
mechanisms must be accomplished by having the GaNAT
modify compatible the stack configuration object mechanisms described in the GIST RESPONSE as it
passes though it such this
document. Note that the initiator is forced to use a
particular stack proposal and, if applicable, a particular transport
layer destination port.

The reason why it is preferable for the GaNAT to modify only the
stack configuration data object (as opposed to the stack proposal
object) NATFW NSLP is that the GIST responder expects its original stack
proposal an exception to be included this rule
in the GIST CONFIRM message. The initiator
would not be able to echo that object as it would does not have seen it
and, if signalling messages are cryptographically protected, then the
GaNAT cannot replace the stack proposal in the GIST CONFIRM message
with the one the responder expects, without causing cryptographic
checks need to fail at the responder. Thus, be compatible with the approach taken mechanisms
described in this
document document. This is for because the GaNAT to render invalid all but one stack
configuration data objects GIST-layer NAT
traversal mechanisms described in the GIST RESPONSE message. How this is
done depends on document and the format of this object. If, for example, it
contains transport layer port numbers, NATFW
NSLP are mutually exclusive (i.e. it is rendered invalid by
setting these numbers to zero.

A question arises due to the fact not permissible that the stack proposal carried by
a GIST QUERY may include multiple proposals of which some provide
cryptographic protection for signalling traffic and some do not.
Which behaviour should a GaNAT that supports
given (Ga)NAT applies both approaches assume
in this case? In order GIST-layer NAT traversal and NATFW
NSLP processing to provide maximise the probability messages that
cryptographic protection is going belong to used, the GaNAT MUST follow the
non-transparent approach in this case.

4. Assumptions

The discussion in this document is based on the following
assumptions.

1. No IP addresses and port numbers are carried in the payloads of
an NSLP. same
signalling session).

2. The path taken by the signalling traffic between those GIST peers
that have GaNATs in between is such that the responses to packets
that a GaNAT sends on a given interface arrive on the same
interface (if such responses are sent at all).

3. The path taken by signalling traffic remains fixed between the
two GIST peers, as far as the in-between GaNATs are concerned.
That is, we assume that signalling traffic traverses the same
GaNAT(s) until at least one of the following conditions is met.

* The NSIS state that is installed at the two GIST peers
expires.

* The NSIS state that is installed at the two GIST peers is
refreshed using a GIST QUERY.

* A new GIST QUERY/RESPONSE exchange takes place due to other
reasons, e.g. a detected route change.

Note that this assumption is not necessarily met by "normal" data
path coupled signalling. This is because, under "normal" data
path coupled signalling, the signalling traffic is "coupled" to
the data traffic at nodes that decide to act as GIST peers.
Thus, under "normal" path coupled signalling, it is not an error
condition (e.g. a reason to trigeer trigger a "route change"), for
example, if the set of on-path nodes, which do not act as GIST
peers, changes, as long as adjacent GIST peers remain the same.

4. The data flow traverses the same set of GaNATs as the signalling
traffic. By assumption 3, this set of GaNATs is fixed until the
next GIST QUERY/RESPONSE procedure is executed.

+-----+
+----+GaNAT|-----+
| | A | |
| +-----+ |
+------+ +------+ +--+---+ +------+
+--+ | GIST | | IP | | IP | | GIST | +--+
|DS+-+peer 1+--+router| |router+--+peer 2+-+DR|
+--+ +------+ +---+--+ +--+---+ +------+ +--+
| +-----+ |
| |GaNAT| |
+----+ B +-----+
+-----+

Figure 1: Network with more than one NAT at an addressing boundary

Figure 1 illustrates the importance of assumptions (3) and (4). With
regard to that figure, suppose that a (D-mode) signalling session has
been setup between the two adjacent GIST peers 1 and 2 and that both
signalling and data traffic follows the path GIST peer 1 -> IP router
-> GaNAT A -> IP router -> GIST peer 2. Suppose now that, after some
time, GIST peer 1 decides to set up a C-mode connection with peer 2.
Suppose moreover that the left IP router decides to forward the
C-mode signalling traffic on the link towards GaNAT B. Thus,
signalling traffic now follows the alternative path GIST peer 1 -> IP
router -> GaNAT B -> IP router -> GIST peer 2. Note that this change
in forwarding between the two adjacent GIST peers does not trigger a
"route change" at the GIST layer because (a) it does not necessarily
destroy the adjacency of peer 1 and 2 and (b) it does not necassarily necessarily
destroy the coupling of the path taken by signalling traffic to that
taken by data traffic (at GIST nodes). Nevertheless, assumptions (3)
and (4) mandate that this situation does not occur. However, even if
such a situation occurs, the mechanisms described in this document
may still work as state expires after a certain timeout period.

If assumption (1) does not hold, the NSLP has to provide additional
mechanisms for the traversal of (Ga)NATs. These mechanisms must be
compatible with the mechanisms employed by GIST.

Assumptions (2), (3) and (4) hold if, at an addressing boundary, only
one NAT exists. Due to security and management reasons, this is
likely to be the case in many settings.

5. Transparent NAT traversal for GIST

This section describes the operation of GaNATs that implement the
transparent approach listed in Section 3. Note that the An NSLP-aware GaNAT may MUST
follow this approach approach, as described in Section 5.3. An NSLP-unaware
GaNAT MAY follow this approach, as described in Section 5.1 and
Section 5.2, only if it is unaware of the NSLP that is being
signalled, and when no cryptographic protection of signalling data
is requested by the two NSLP peers.

Note that we have to deal with two types of GaNATs, NSLP-unaware GaNAT have to be dealt with,
namely those that are located at the NSIS initiator (NI-side), and
those that are located at the NSIS responder (NR-side). This
distinction arises due to the fact that NI-side and NR-side GaNATs
obtain the destination IP address for forwarded packets of the downstream GIST peer in
different ways.

5.1. NI-side NSLP-unaware GaNATs

This section describes the "transparent" operation of an NI-side,
NSLP-unaware GaNAT.

For every arriving IP packet P, an NSLP-unaware, NI-side GaNAT
executes the following algorithm.

1. If P has a RAO followed by the GIST header with an NSLP ID that
is not supported, it and if P is identified as a GIST QUERY. In this case QUERY, the
GaNAT performs the following.

1. We denote P as by GQ. It The GaNAT looks at the stack proposal ST in
GQ. If it indicates that includes a proposal with cryptographic protection is required, protection,
the mechanism that is applies applied is the one described in ???.
Section 6.1.

2. The GaNAT remembers GQ along with the interface on which it
arrived. We call this interface the "upstream link".

3. It searches its table of existing NAT bindings against
entries that match the GQ.MRI. A matching entry means that
the data flow, to which the signalling refers, already
exists.

+ If a matching entry is found, the GaNAT looks at which
link the packets of the data flow are forwarded; we call
this link the "downstream" link. Further, the GaNAT
checks how the headers of the data flow (IP addresses, addresses and
port numbers, etc) numbers) are translated according to this NAT
binding. We denote [IP header].SourceIPAddress used on
the downstream link as IPGaNATds, and the source port
number used to forward the IP address of translated
data traffic as SPNDTGaNATds.
The NAT may also use a different source port number when
forwarding signalling traffic. This port number is
denoted as SPNSTGaNATds.

2. packets by IPds, and their [Transport layer
header].SourcePort by SPDTds.

+ If no matching entry is found, the GaNAT determines, based
on its routing table, the link on which packets that match
GQ.MRI (excluding GQ.MRI.SourceIPAddress) would be
forwarded. We call this link the "downstream
link". "downstream" link.
Then, the GaNAT acquires an IP address and source port for
itself on the downstream link. (This link, denoted by IPds and SPDTds
respectively. This address and port could be dynamic or static.) This address
static, and will be used to forward both
signalling and (among other things) for the
installation of a NAT binding for the data traffic on the downstream link. If
it also performs port translation, in the
future.

4. The GaNAT also
acquires aquires a source port number for the data traffic on the
downstream link. This will be used with version of the NAT binding,
if such a binding
GIST QUERY that will be established for the data
traffic at a later stage, and is denoted as SPNDTGaNATds.
The signalling traffic packets may also be forwarded
using the a different source port number as over the incoming
packets. downstream link.
We denote the acquired IP address as IPGaNATds
and the source this port number for the signalling traffic as
SPNSTGaNATds. by SPSTds. (There is no requirement that
SPSTds must be different from GQ.[UDP Header].SourcePort.)

Issues: The reason why the GaNAT may also assign a different
source port number to the signalling traffic, is to enable
the GaNAT to demultiplex (i.e. forward to the correct
internal address) the signalling responses that arrive from downstream.
the downstream direction. Of course, a GaNAT does not need
to actually change the source port of signalling traffic; it
can always use SPNSTGaNATds SPSTds the same port as in the incoming
packet. Such a GaNAT may use the GIST session ID in order to
demultiplex (i.e. forward to the correct internal address)
the traffic that arrives from the downstream direction. It
is unclear which of the two approaches is preferable.

5. It creates a new GIST QUERY packet GQ', as follows.

1. GQ' <- GQ

2. GQ'.MRI.SourceIPAddress <- IPGaNATds IPds

3. GQ'.MRI.SourcePortNumber <- SPNDTGaNATds SPDTds

4. GQ'.[IP header].SourceIPAddress <- IPGaNATds IPds

5. GQ'.[UDP HEADER].SourcePort header].SourcePort <- SPNSTGaNATds SPSTds

6. GQ'.NLI.IA <- IPGaNATds IPds

7. GQ'.S <- true

6. It remembers GQ and GQ', the fact that they are associated,
and the associated upstream and downstream links. (Note: The
GaNAT does not have to remember the entire packets; for
simplicity of exposition, however, we assume it does. An
implementation SHOULD discard at this point all information
that is not used later.)

7. It forwards GQ' on the downstream link.

2. Otherwise, if P carries an [IP header].DestinationIPAddress that
belongs to the GaNAT, and if it is identified as a GIST response RESPONSE
in D-mode with an NSLP ID that is not supported, the GaNAT does
the following (P is denoted as by GR).

1. It searches for a matching GQ' in its buffer. A GR GQ' is said
to match a GQ' GR if they carry the same cookie value. If none
is found, GR is discarded. Otherwise, the GaNAT may also
perform further consistency checks on a matching GR/GQ' pair,
such as checking that they contain the same session IDs,
MRIs, NSLP IDs. If consistency checks succeed, fail, GR is discarded.
Otherwise, the GaNAT constructs a new GIST response RESPONSE GR', as
follows.

1. GR' <- GR

2. GR'.MRI <- GQ.MRI, where GQ is the packet associated with
GQ'(as
GQ' (as remembered previously), and GQ' is the packet
that matches the received GR.

3. GR'.[IP header].SourceIPAddress <- IPGaNATus, IPus, where
IPGaNATus = GQ.[IP header].DestinationIPAddress. IPus is an
IP address that is bound to the upstream link.

4. GR'.[IP header].DestinationIPAddress <- GQ.NLI.IA

5. GP'.S GR'.[UDP header].DestinationPort <- true. GQ.[UDP
header].SourcePort

6. It GR'.NLI.IA <- IPus

7. GR'.S <- true

8. The GaNAT inspects the stack proposals Stack-Configuration-Data object in
GR' and the corresponding GQ' in order to see if check whether
or not the upstream GIST NSLP peer has a
choice of more than can select one possible stack. If such of multiple
transport layer protocol/destination port number
combinations for the establishment of a choice
exists, messaging
association. If multiple choices exist, the GaNAT removes
invalidates as many stack transport layer protocol/port number
combination proposals from GR' as necessary, until only one stack the
upstream NSLP peer can only initiate the establishment of
a messaging association with the downstream NSLP peer
using a single transport layer protocol/destination port
number combination. This invalidation is done by setting
the D-flag in those MA-Protocol-Options fields that carry
the port number proposals that are to be chosen invalidated.
Note that, by setting the D-flag in a particular MA-
Protocol-Option field, the GaNAT may also invalidate the
associated transport layer protocol and security (e.g.
TLS) proposal. The actions of the GaNAT MUST NOT result
in the strongest, in terms of security, proposal to be
invalidated. In the end, the NAT will expect the
upstream NSLP peer to use a particular combination of
transport layer protocol and destination port (and
possibly other details that are associated with the valid
proposal) for the establishment of the messaging
association. We
denote call this stack as combination the "stack
proposal expected by the NAT" and denote it by ST. The
GaNAT remembers this ST and ST, its association with GQ, GQ',
GR, GR'. We say that, in
this case, GR', and the upstream and downstream links. By doing
so, the GaNAT "installs" is said to "install" the ST.

2. It forwards GR' on the upstream link.

3. If no NAT binding for the data traffic was found in step
1.3.2, the GaNAT now installs a NAT binding (for the
unidirectional data traffic) which says that "a packet K that
arrives on the upstream link and for which it holds that

+ K.[IP
header].DestinationIPAddress=GQ.MRI.DestinationIPAddress,

+ K.[IP header].Protocol=GQ.MRI.Protocol, and

+ K.[TCP/UDP header].SourcePort=GQ.MRI.SourcePort K.[Transport layer header].PortNumbers=GQ.MRI.PortNumbers

should be forwarded on the downstream link, with [IP
header].SourceIPAddress = IPGaNATds. IPds and [Transport layer
header].SourcePort=SPDTds".

Issues: there is a question of whether this NAT binding
should also enable data traffic in the opposite direction to
traverse the NAT; in order to be able to demultiplex upstream
traffic that carries data that belongs to different flows,
the GaNAT should keep the necessary per-flow state. From a
signalling point of view, however, upstream data traffic that
corresponds (on the application level) to the downstream flow
to which this GIST session refers, is a separate flow for
which, depending on the application, there may or there may
not exist a signalling session. If such a signalling session
exists, then the GaNAT acts as an NR-side GaNAT for this
session. Thus, during the processing of this signalling care
has to be taken not to establish a NAT binding for a flow for
which a NAT binding already exists. Finally, Moreover, security
issues may arise when traffic, for which no signalling
exists, is allowed to traverse a GaNAT.

Another issue is about refreshing the NAT binding. A NAT
binding that was established as a result of GIST signalling
should remain in place for as long as the associated GIST
state in the GaNAT remains valid. If GIST signalling refers
to a NAT binding that already exists, then the timeout of the
NAT binding should occur according to the NAT policy, in a
manner independent from GIST processing. (If signalling
persists after the deletion of a NAT binding, then the NAT
binding may be re-installed and then timed out together with
GIST state).

3. Otherwise, if P.[IP header].DestinationIPAddress belongs to the
GaNAT, and if P carries the transport protocol and destination
port numbers number indicated by some stack proposal ST that has previously been
installed by the GaNAT, and if P has arrived on either the
upstream or the downstream interface that is associated with ST,
then P is said to "match" ST. For such a packet, the GaNAT does
the following. If P is expected to contain a GIST header, then
the GaNAT check checks whether or not the bits where the GIST header is
expected, consitute constitute a valid GIST header. If they do not, P is
silently discarded. Otherwise, If all is in order, the GaNAT constructs an
outgoing packet P' as follows (the variables used below refer to
those stored
together in association with ST).

1. P' <- P

2. If P has arrived on the upstream link, then

1. P'.[IP header].SourceIPAddress <- IPGaNATds IPds

2. P'.[IP header].DestinationIPAddress <- GR.NLI.IA

3. P'.MRI <- GQ'.MRI

4. P'.NLI.IA <- IPGaNATus

4. IPds

5. The GaNAT forwards P' on the downstream link.

3. else (if P has arrived on the downstream link)

1. P'.[IP header].SourceIPAddress <- IPGaNATus IPus

2. P'.[IP header].DestinationIPAddress <- GQ.NLI.IA

3. P'.MRI <- GQ.MRI

4. P'.NLI.IA <- IPGaNATus

4. IPus

5. The GaNAT forwards P' on the upstream link.

Note that the GaNAT can determine the location in a packet
where a GIST header is expected. If, for example, the packet
is a UDP packet, then the GIST header should follow
immediately after the UDP header. If the packet is a TCP
packet, then the GaNAT can determine the location where the
GIST heaer header should start by counting the number of NSLP
payload bits that followed the end of the previous GIST
header. The start of the next GIST header is expected at the
position where the previous GIST message, including NSLP
payload, ends. The GaNAT can tell where this message ends
from the LENGTH field inside the previous GIST header. It
should be noted here that, in order to correctly count the
bits, the GaNAT may have to keep track of TCP sequence
numbers, and thereby be aware of the correct ordering of
packets. However, the GaNAT only has to keep buffers that
are as long as the LENGTH field inside the previous GIST
header (and possibly up to one MTU size more than that).

Also note that some TCP packets P may not be expected to
contain any GIST header (this happens when the NSLP payload
from a previous packet stretches over several packets). For
those packets, the GaNAT only applies the transformation in
the IP header. Finally, note that a GIST header may start a
packet but finish in another. If such a packet is received
by received,
the GaNAT, it GaNAT MUST buffer the entire that packet, until the packet is
received where the GIST header completes. It can then apply
the required processing and forward both packets.

4. Otherwise, if P matches a (data) NAT binding, the GaNAT applies
normal NAT processing and forwards the packet on the
corresponding link.

5. Otherwise, P is subjected to normal NAT processing. That is, P
is either silently discarded. discarded or it causes the installation of a
(data) NAT binding.

Brief discussion of the algorithm: The fact that the GaNAT replaces
the NSLP peer's peers' NLI.IA with its own IP address (in both directions),
causes the two GIST peers to send subsequent signalling messages to the
GaNAT, in the belief that they talk to the their adjacent NSLP peer. The
GaNAT transparently forwards the signalling traffic and appropriately
translates the fields in the GIST header, in a way that is consistent
with the translation it applies to the data traffic.

Note that, according to this mechanism, the size of an outgoing GIST
message
messages is always the same as the size of its corresponding incoming
GIST message. Finally messages. Also note that the MRI that the NR sees indicates as
destination address the IP address of the DR (as expected), but as
source address it sees indicates the is IPGaNATds IPds of the GaNAT that is
closest to the NR.

5.2. NR-side NSLP-unaware GaNATs

The case of NR-side GaNATs is more subtle, since, in this setting,
the DS does not learn the IP address of the DR (which is assumed to
be on the same side of the GaNATs as the NR) and the NI does not
learn the address of the NR. In this setting we assume that each NR-
side GaNAT that is in between two GIST peers, a priori knows a
routable IP address of the next downstream GaNAT. The last GaNAT of
this chain is assumed to know the IP address of the DR. In order to
clarify this assumption, see, for example, Figure 2. In this figure,
GaNAT A is assumed to know the IP address of GaNAT B, GaNAT B is
assumed to know the IP address of GaNAT C, and GaNAT C is assumed to
know the IP address of the DR. A given GaNAT that knows such an
address, in effect anticipates to receive a signalling message from
the upstream direction that refers to a data flow that terminates in
a downstream node. In other words, such a GaNAT may typically have
already a NAT binding in place for the data traffic. We call the IP
address of the next downstream GaNAT (or, if the GaNAT is the last in
the chain, the address of the DR) the "pending" IP address. In the
following description address and denote
it is denoted by IPNext. How The GaNAT may also have a destination port associated
with IPNext. If IPNext is derived from an existing data traffic NAT
binding, then this port is typically the destination port after
translation from that binding. This port, if known, is denoted
PortNext. How IPNext and PortNext are made known to each GaNAT (e.g.
how the NAT binding for the data traffic is installed in the GaNAT)
is outside the scope of this document.

+--+ +------+ +-----+ +-----+ +-----+ +------+ +--+ +--+
+NI+--+ GIST NSLP +---+GaNAT+---+GaNAT+---+GaNAT+---+ GIST NSLP +--+NR+--+DR|
+--+ |peer 1| | A | | B | | C | |peer 2| +--+ +--+
+------+ +-----+ +-----+ +-----+ +------+

Figure 2: Network with NR-side GaNATs (the public Internet is assumed
to be between NI and GIST NSLP peer 1)

For every arriving IP packet P, an NSLP-unaware, NR-side GaNAT
executes the following algorithm.

1. If P has a RAO followed by the GIST header with the NSLP ID
indicates an unsupported NSLP, and if it is identified as a GIST QUERY.
In this case
QUERY, the GaNAT does the following.

1. We denote P as by GQ. The GaNAT looks at the stack proposal ST in
GQ. If it indicates that cryptographic protection is
required, the algorithm that is executed is the one described
in section Section 6 below.

2. The GaNAT remembers GQ along with the link on which it
arrived. We call this link the "upstream" link.

3. The GaNAT determines whether or not this GIST QUERY is
anticipated, i.e. if a pending IPNext (and possibly PortNext)
exists that matches this GIST QUERY. A pending IPNext is
said to "match" a GIST QUERY, if [this condition is an open
issue!] If no pending IPNext is also matching, P is discarded (it
is a question whether or not an error message should be
sent). Otherwise, additional checks may be performed (e.g.
something like a DSInfo object may have to be checked against
the GQ). If these checks fail, P is discarded. Otherwise,
the GaNAT performs the following.

4. It searches its table of existing NAT bindings against
entries that match the GQ.MRI. A matching entry means that
the data flow, to which the signalling refers, already
exists.

+ If a matching entry is found, the GaNAT looks at which
link the packets of the data flow are forwarded; we call
this link the "downstream" link. Further, the GaNAT
checks how the IP and transport layer headers of the data
flow (IP addresses,
port numbers, etc) are translated according to this NAT binding. We denote [IP header].SourceIPAddress used on
the downstream link as IPGaNATds, and the source port
number as SPNDTGaNATds. Note
that the [IP header].DestinationIPAddress and [Transport
layer header].DestinationPort of this NAT binding should
be equal to IPNext. IPNext and PortNext respectively. If it is they are
not, this should be handled as an auditive error
condition. The GaNAT may also assign a
new source port number to signalling traffic, which is
denoted as SPNSTGaNATds.

+ If no matching entry is found, the GaNAT determines, based
on its routing table, the link on which packets that match
GQ.MRI (excluding GQ.MRI.SourceIPAddress and where
GQ.MRI.DestinationIPAddress is replaced with IPNext) would
be forwarded. We call this link the "downstream" link.
Then, the

5. The GaNAT acquires an IP address for itself on the downstream
link. (This address could be dynamic or static.) Depending
on its type, the GaNAT may also acquire a UDP source port numbers
number for the translation version of data
traffic. the GIST QUERY that will be
forwarded to the downstream direction. We denote the
acquired IP address as IPGaNATds and the source port numbers for data and signalling
traffic as SPNDTGaNATds and SPNSTGaNATds number by IPds SPSTds
respectively.

5. It creates The GaNAT then constructs a new GIST QUERY
packet GQ', as follows.

1. GQ' <- GQ

2. GQ'.MRI.SourceIPAddress <- IPGaNATds

3. GQ'.MRI.DestinationIPAddress <- IPNext.

3. GQ'.MRI.DestinationPort <- PortNext.

4. GQ'.MRI.SourcePort GQ'.NLI.IA <- SPNDTGaNATds. IPds.

5. GQ'.[IP header].SourceIPAddress <- IPGaNATds IPds.

6. GQ'.[UDP HEADER].SourcePort GQ'.[IP header].DestinationIPAddress <- SPNSTGaNATds IPNext.

7. GQ'.[IP header].Destination_IP_Address GQ'.[UDP header].SourcePort <- IPNext SPSTds.

8. GQ'.NLI.IA <- IPGaNATds.

9. GQ'.S <- true

6. It remembers GQ, GQ' GQ', the fact that they are associated, and
the associated upstream and downstream links (interfaces).

7. It forwards GQ' on the downstream link.

Steps 2,3, 4 and 5

The remaining steps of the algorithm are analogous to the
corresponding steps of the algorithm executed by NSLP-unaware, NI-
side GaNATs, which was described in Section 5.1.

5.3. NSLP-aware GaNATs

The difference of NSLP-aware GaNATs and NSLP-unaware GaNATs is that
the former perform NSLP processing in addition to the processing of
the NSLP-unaware GaNATs. Another way to see this is by observing
that NSLP-aware GaNATs should provide an "MRI translation service"
(MRITS) in addition to normal GIST and NSLP processing. The MRITS
operates at the GIST layer. The motivation behind the MRITS this is for GIST to hide
from the NSLP that signalling messages traverse an addressing
boundary. In other words, the purpose of the MRITS is to make the
NSLP believe that it is operating in a single IP addressing space.
When and how the MRITS is invoked for a particular packet depends on
(i) the direction of the
packet an incoming message (i.e. downstream or
upstream) and (ii) the location of the GaNAT (i.e. NI-side or NR-side). NR-
side). It should also be noted that certain NSLP layer tasks must be
carried out in consistency with the placement of the MRITS. This is
to prevent events triggered by the NSLP to cause installation of
inconsistent state. In order to clarify this, consider the scenario
of the QoS NSLP running in a GaNAT that operates according to the
mechanisms described in this section. Since the GaNAT only presents
a single addressing space to the NSLP (say, the internal addressing
space), the packet classifier of the GaNAT's QoS provisioning
subsystem should classify data packets based on internal addresses
only (i.e. it should first translate packets that carry external
addresses and then classify them). Whether the MRITS presents
internal-only or external-only addresses to the NSLP is not
significant, as long as NSLP layer operations are carried out
consistently. In the remainder of this section we present the case
where internal addresses are presented to the NSLP.

The MRITS is obviously invoked only on GIST packets that carry an
NSLP identifier that corresponds to an NSLP that the GaNAT actually
supports. Also, for
implements. For non-GIST packets, normal NAT behaviour applies.
Although the MRITS is part of GIST processing, in order to clarify
our discussion,
the exposition, we view it as a somewhat separate processing step
(i.e. like a subroutine). subroutine) that is executed in addition to GIST, as
this is specified in [1]. For NI-side, NSLP-aware GaNATs, it holds
that

o for a GIST/NSLP packet that is to be forwarded on the downstream
link of an NI-side GaNAT, the MRITS is invoked after the packet
has been processed by the NSLP and before it is given to GIST, and

o for a GIST/NSLP packet that is received on the downstream link,
the MRITS is invoked after GIST processing and before the packet
is given to the NSLP.

The converse holds for NR-side NSLP-aware GaNATs. In particular,

o for a GIST/NSLP packet that is to be forwarded on the upstream
link of an NI-side GaNAT, the MRITS is invoked after the packet
has been processed by the NSLP and before it is given to GIST, and

o for a GIST/NSLP packet that is received on the upstream link, the
MRITS is invoked after GIST processing and before NSLP processing.

Figure 3 illustrates this idea.

+----------------+ +----------------+
| +------+ | | +------+ |
| | NSLP | | | | NSLP | |
| +-+---++ | | +-+--+-+ |
| | | | | | | |
| | +-+---+ | | +----++ | |
| | |MRITS| | | |MRITS| | |
| | +---+-+ | | ++----+ | |
| | | | | | | |
| +-+-----+-+ | | ++------+-+ |
| | GIST | | | | GIST | |
u/s | +-+-----+-+ | d/s u/s | ++------+-+ | d/s
-----+----+ +-----+----- -----+---+ +-----+-----
link +----------------+ link link +----------------+ link
NI-side NR-side
NSLP-aware NSLP-aware
GaNAT GaNAT

Figure 3: Operation of the MRI Translation Service

The reason for this construction is to give the NSLP the impression
that it works only with flows that originate and terminate in the
internal address space. We now describe the operation of the MRITS
and GIST in NSLP-aware GaNATs. An NI-side NSLP-aware GaNAT operates
according to the following rules.

1. When the NSLP asks for a message to be sent towards the
downstream GIST peer, the MRITS does the following (IPGaNATds (IPds and
SPNDTGaNATds
SPDTds are obtained similarly to the case of an NSLP-
unaware NSLP-unaware
GaNAT).

1. MRI.SourceIPAddress <- IPGaNATds IPds

2. MRI.SourcePort <- SPNDTGaNATds SPDTds

2. Additionally, GIST performs the following on the resulting packet
before it is forwarded on the downstream link (SPNSTGaNATds (SPSTds is obtained
similarly to the case of an NSLP-unaware GaNAT).

1. [IP header].SourceIPAddress <- IPGaNATds IPds
2. [UDP/TCP header].SourcePort <- SPNSTGaNATds SPSTds

3. NLI.IA <- IPGaNATds IPds

4. S <- true

3. If a message is received on the downstream link, the MRITS does
the following before the NSLP is invoked.

1. MRI.SourceIPAddress <- IPflow

2. MRI.SourcePort <- SPNDTGaNATus, SPDTus, where IPflow is the IP address of
the DS (as seen by the GaNAT) and SPNDTGaNATus SPDTus is the destination
port number used in the original MRI.

4. If, after NSLP processing, a message is to be forwarded on the
upstream link, GIST performs the following processing (note that
no MRITS processing takes place in this case).

1. [IP header].SourceIPAddress <- IPGaNATus IPus

2. [IP header].DestinationIPAddress <- IPpeer

3. NLI.IA <- IPGaNATus IPus

4. S <- true, where IPGaNATus IPus is the GaNATs IP address for the
upstream link, IPpeer is the IPaddress IP address of the NI (or the
next GaNAT in the upstream direction), and IPflow is the IP
address of the DS (as seen by the GaNAT). The GaNAT is
assumed to determine the correct IPGaNATus IPus and IPpeer from
previous communications and in cooperation with GIST.
[Issue: how exactly should IPGaNATus, IPus, IPpeer and IPflow be
resolved; i.e. what exactly should the GaNAT remember?]

An NR-side NSLP-aware GaNAT operates according to the following
rules.

1. If the packet is received on the upstream link, the MRITS does
the following, before the NSLP is notified.

1. P.MRI.SourceIPAddress <- IPGaNATds IPds

2. P.MRI.DestinationIPAddress <- IPNext, where IPGaNATds IPds is the
GaNAT's IP address for the downstream link and IPNext is the
address of the DR. IPNext is obtained in a way similar to
the case of an NSLP-unaware GaNAT.

2. If, after NSLP processing, a message is to be forwarded on the
downstream link, GIST performs the following processing (note
that no MRITS processing takes place in this case).

1. [IP header].SourceIPAddress <- IPGaNATds IPds

2. [IP header].DestinationIPAddress <- IPNext

3. NLI.IA <- IPGaNATds IPds

4. S <- true, where IPGaNATds IPds is the GaNATs IP address for the
downstream link, IPNext is the IP address of the DR (or the
next GaNAT in the downstream direction). The GaNAT is
assumed to determine the correct IPNext in a way similar to
the case of an NSLP-unaware GaNAT.

3. When the NSLP asks for a message to be sent towards the upstream
GIST
peer, the MRITS does the following.

1. MRI.SourceIPAddress <- IPflow

2. MRI.Destination_IP_Address <- IPGaNATus IPus

4. Additionally, GIST performs the following on the resulting packet
before it is forwarded on the downstream link.

1. [IP header].SourceIPAddress <- IPGaNATus IPus

2. [IP header].DestinationIPAddress <- IPpeer

3. NLI.IA <- IPGaNATus IPus

4. S <- true, where IPGaNATus IPus is the GaNATs IP address for the
upstream link, IPpeer is the IP address of the NI (or the
next GaNAT in the upstream direction), and IPflow is the IP
address of the DS. The GaNAT is assumed to determine the
correct IPGaNATus IPus and IPpeer fields from previous communications
and in cooperation with GIST. [question: how exactly should IPGaNATus
IPus and IPpeer be resolved; i.e. what exactly should the
GaNAT remember]?

5.4. Combination of NSLP-aware and NSLP-unaware GaNATs

In the absence of an adversary, a combination of NSLP-aware and NSLP-
unaware GaNATs should work without further specification. However,
in the presence of an adversary, additional security issues may arise
from the combination. These issues may introduce opportunities for
attack that do not exist in setting where the on-path GaNATs are
either all NSLP-aware or all NSLP-unaware.

6. Non-transparent NAT traversal for GIST

This section discusses the "non-transparent" operation for GaNAT
traversal at the GIST layer, i.e. the first approach listed in
Section 3. For this approach, approach the behaviour of both the GaNAT and the
GIST peers is defined. As with the transparent approach, the case of
the in-between GaNAT(s) being located at the NI-side is different
from that of NR-side GaNATs. Note that the mechanisms in this
section apply only to NSLP-unware GaNATs.

The GaNAT informs the NSLP peers about its presence during the GIST
discovery process. This information enables the NSLP peers to map
the translated data flow to the signalling messages, and to
consistently translate the MRI, so that the NSLP only "sees" the
correct MRI. Cryptographic protection of signalling messages can be
supported with this approach because the GaNAT only modifies the GIST
QUERY and REPONSE RESPONSE messages, which are never cryptographically
protected in their entirety.

In this approach, the GaNAT embeds a new GIST "NAT Traversal Object" (NTO)
payload type into the GIST QUERY. This payload The NTO encodes the aforementioned information,
information and
we call this payload type the "NAT Traversal Object" (NTO). The NTO is an optional payload in the GIST header of a GIST QUERY, and
QUERY. It is added, and processed, by the GaNAT(s) through which the
QUERY traverses. The information in the NTO must enable enables the two NSLP
peers to locally translate the MRI in the same way as if it were
consistently and transparently translated by the in-between GaNAT(s).
Note that there may be more than one GaNAT between the two NSLP
peers. The format of the NTO follows the format of the object in the
GIST common header. In particular, the NTO is preceded by a TLV
common header, as defined in [1]. The A and B flags are both set to
0 in this header, indicating that support for the NTO is mandatory.
The type value is TBD. The NTO is defined as in section A.3.8 of
[1].

6.1. NI-side NSLP-unaware GaNATs

For every arriving IP packet P, an NSLP-unaware, NI-side GaNAT
executes an algorithm that is equivalent to the following.

1. If P has a RAO followed by the GIST header with an NSLP ID that
is not supported, and if it is identified as a GIST QUERY. In this case QUERY, the
GaNAT does the following.

1. We denote P as by GQ. The GaNAT looks at the stack proposal ST in
GQ. If it does not include a any proposal with cryptographic
protection, the GaNAT MAY choose to follow the approach
described in Section 5.1 above.

2. We call The GaNAT remembers GQ along with the link on which GQ arrived it
arrived. We call this link the "upstream" link.

3. The GaNAT searches its table of existing NAT bindings against
entries that match the GQ.MRI. A matching entry means that
the data flow, to which the signalling refers, already
exists.

4. We denote [IP header].SourceIPAddress
static, and will be used on (among other things) for the downstream
link as IPGaNATds, and
installation of a NAT binding for the data traffic in the
future.

4. The GaNAT aquires a source port number for the data
and signalling traffic as SPNDTGaNATds and SPNSTGaNATds
respectively. version of the
GIST QUERY that will be forwarded over the downstream link.
We denote this port by SPSTds. (There is no requirement that
SPSTds must be different from GQ.[UDP Header].SourcePort.)

5. It creates a new GIST QUERY packet GQ', as follows.

1. GQ' <- GQ

2. GQ'.MRI.SourceAddress GQ'.MRI.SourceIPAddress <- IPGaNATds. IPds

3. GQ'.MRI.SourcePort GQ'.MRI.SourcePortNumber <- SPNDTGaNATds. SPDTds

4. GQ'.NLI.IA.<- IPGaNATds. IPds.

5. GQ'.[IP header].SourceIPAddress <- IPGaNATds. IPds.

6. GQ'.[UDP header].SourcePort <- SPNSTGaNATds. SPSTds.

7. GQ'.S <- true.

8. It checks whether or not an NTO was included in GQ.

- If none was included, it creates a new NTO as follows
and adds it to GQ'. Note that the MRI field of the
NTO is taken from GQ.

o NTO.[NAT Count] <- 1.

o NTO.MRI <- GQ.MRI.

o NTO.[List of translated objects] <- [type of MRI],
[type of NLI], [type of SCD] NLI]

o NTO.opaque information for replaced by NAT 1 <- GQ.[IP
header].SourceAddress, [link identifier of
GQ.NLI.IA, GQ.[UDP header].SourcePort, LinkID,
where LinkID represents the upstream
link]. link.

- If one was included, it replaces certain fields and
appends new fields into the NTO, as follows, and adds
the resulting object to GQ'. Note that the MRI field
of the NTO is not modified.

o NTO.[NAT Count] <- i, where i is the current [NAT
count] value increased by one.

o NTO.[List of translated objects] <- [type of MRI],
[type of NLI], [type of STD] NLI]

o NTO.[opaque NTO.opaque information replaced by NAT i] i <-
GQ.[IP header].SourceAddress, [LinkID of
GQ.NLI.IA, GQ.[UDP header].SourcePort, LinkID,
where LinkID represents the upstream
link]. link.

9. It remembers GQ, GQ', the fact that they are associated,
and the associated upstream and downstream links.

10. It forwards GQ' on the downstream link. Note: The
encoding of the information that the GaNAT encodes into
the NTO.[opaque information replaced by NAT i] field is a
local implementation issue.

2. Otherwise, if P carries an [IP header].DestinationIPAddress that
belongs to the GaNAT, and if it is identified as a GIST RESPONSE
packet in datagram mode
with an NSLP ID that is not supported, the GaNAT does the
following (P is denoted as by GR).

1. If P does not contain an NTO, the GaNAT forwards discards it as usual without
further processing. Otherwise, it searches for a matching
GQ' in its buffer. A GQ' is said to be matching if it
carries the same cookie value. If none is found, GR is
discarded. Otherwise, the GaNAT selects should also make sure that
the
information encoded by it session ID in GR is the [opaque information replaced
by NAT] field of same as in GQ', that the embedded NTO, denoted by IPAddressToSend NSLP IDs
match, and LinkID. If multiple [opaque information replaced by NAT]
fields are present in that GR arrived on the NTO, downstream link. If these
consistency checks fail, GR should be discarded. Otherwise,
the GaNAT uses the last one in
the list. It then constructs a new GIST response RESPONSE GR', as follows
(note that no changes are made to the MRI).

1. GR' <- GR

2. GR'.[IP header].DestinationIPAddress <- IPAddressToSend.

3. GR'.NTO.[NAT Count] <- current value minus one.

4. Remove The GaNAT selects the information that it encoded in the last
[opaque information replaces replaced by NAT i] field from GR'.NTO of the
embedded NTO, denoted by IPAddressToSend,
PortAddressToSend and LinkID, where i is the current
value of [NAT Count] as indicated in the NTO.

3. GR'.[IP header].DestinationIPAddress <- IPAddressToSend.

4. GR'.[UDP header].DestinationPort=PortAddressToSend.

5. GR'.NTO.[NAT Count] <- reduce by one.

6. GR'.S <- true.

2. It forwards GR' on the upstream link, i.e. the link
identified by LinkID.

3. The GaNAT SHOULD now invalidate all but one stack
configuration objects inspects the Stack-Configuration-Data object in GR
and the stack proposal corresponding GQ' in GR'. order to check whether or not
the upstream NSLP peer can select one of multiple transport
layer protocol/destination port number combinations for the
establishment of a messaging association. If multiple
choices exist, the GaNAT invalidates as many transport layer
protocol/port number combination proposals from GR' as
necessary, until the upstream NSLP peer can only initiate the
establishment of a messaging association with the downstream
NSLP peer using a single transport layer protocol/destination
port number combination. This invalidation is done so that by
setting the quering node can only chose D-flag in those MA-Protocol-Options fields that one
proposal, and
carry the port number proposals that therefore only one NAT binding must are to be
installed for invalidated.
Note that, by setting the signalling traffic to traverse D-flag in a particular MA-Protocol-
Option field, the GaNAT. GaNAT may also invalidate the associated
transport layer and security protocol (e.g. TCP/TLS)
proposal. The actions of the GaNAT SHOULD keep valid MUST NOT result in the
strongest, in terms of security, stack proposal. proposal to be invalidated.
In the end, the NAT will expect the upstream NSLP peer to use
a particular combination of transport layer protocol and
destination port (and possibly other details that are
associated with the valid proposal) for the establishment of
the messaging association. We denote call this combination the
"stack proposal as PR. expected by the NAT" and denote it by ST.
The GaNAT remembers this ST, its association with GQ, GQ',
GR, GR', and the upstream and downstream links. By doing so,
the GaNAT is said to "install" ST.

3. It forwards GR' on the link identified by LinkID.

4. The GaNAT now installs a NAT binding for the signalling
traffic that is exchanged over a messaging association which
says that "a packet K that arrives on the upstream link and
for which it holds that

+ K.[IP header].SourceIPAddress=IPAddressToSend, header].DestinationIPAddress=GR.NLI.IA,,

+ K.[IP header].Protocol=PR.Protocol, header].Protocol=ST.Protocol, and

+ K.[TCP/UDP header].DestinationPort=PR.[Destination Port] K.[Transport layer
header].DestinationPort=ST.DestinationPort

should be forwarded on the downstream link (i.e. link, with [IP
header].SourceIPAddress = IPds and [UDP/TCP
header].DestinationPort=SIGPort, where SIGPort is a port that
the GaNAT allocates for use as a source port for signalling
traffic.

5. The GaNAT now installs a NAT binding for the UDP-encapsulated
signalling traffic which says that "a packet M that arrives
on the upstream link
on and for which GR arrived), it holds that

+ M.[IP header].DestinationIPAddress=GR.NLI.IA,

+ M.[IP header].Protocol=UDP, and

+ M.[UDP header].DestinationPort=GIST well-known port

should be forwarded on the downstream link, with [IP
header].SourceIPAddress =
IPGaNATds.

5. IPds. Note that this is a special
type of NAT binding, in that the source port in M may vary
from one incoming message to another. This is why each
packet M may be mapped by the GaNAT to a different source
port. Translation in the upstream direction must be applied
consistently, and timeouts must also be selected
appropriately. That is, the overall binding must be timed
out together with the GIST state that is associated with this
session. However, each incoming packet M that matches this
binding causes the installation of a "sub"-binding (in the
sense that a new port mapping may occur) that will typically
time out faster.

6. If no NAT binding for the data traffic was found in step
1.3.2, the GaNAT now installs a NAT binding (for the
unidirectional data traffic) which says that "a packet K L that
arrives on the upstream link and for which it holds that
+ K.[IP header].DestinationIPAddress=GQ'.NTO.MRI.Destination
IPAddress, L.[IP
header].DestinationIPAddress=GQ.MRI.DestinationIPAddress,

+ K.[IP header].Protocol=GQ'.NTO.MRI.Protocol, L.[IP header].Protocol=GQ.MRI.Protocol, and

+ K.[TCP/UDP header].PortNumbers=GQ'.NTO.MRI.PortNumbers L.[Transport layer header].PortNumbers=GQ.MRI.PortNumbers

should be forwarded on the downstream link (i.e. the link on
which GR arrived), link, with [IP
header].SourceIPAddress =
IPGaNATds IPds and [UDP/TCP header].SourcePort=SPDTGaNATds.
header].SourcePort=SPDTds.

Issues: there is a question of whether this NAT binding
should also enable data traffic in the opposite direction to
traverse the NAT; in order to be able to demultiplex upstream
traffic that carries data that belongs to different flows,
the GaNAT should keep the necessary per-flow state. From a
signalling point of view, however, upstream data traffic that
corresponds (on the application level) to the downstream flow
to which this GIST session refers, is a separate flow for
which, dependent on the application, there may or there may
not exist a signalling session. If such a signalling session
exists, then the GaNAT acts as an NR-side GaNAT for this
session. Thus, during the processing of this signalling, signalling care
has to be taken not to establish a NAT binding for a flow for
which a NAT binding already exists. Finally, security issues may
arise when traffic, for which no signalling exists, is
allowed to traverse a GaNAT.

3. Otherwise, if P matches an existing NAT binding, normal NAT
processing is applied.

4. Otherwise, P is subjected to normal NAT processing. That is, P
is either silently discarded. discarded or it causes the installation of a
(data) NAT binding.

6.2. NR-side NSLP-unaware GaNATs

As is the case with NR-side NSLP-unaware GaNATs that follow the
"transparent" approach, an NR-side NSLP-unaware GaNAT that follows
the "non-transparent" approach must know a "pending" IP address and,
depending on the scenario, also a and
optionally destination port number, as described in Section 5.2.
This IP address and destination port number are denoted as by IPNext and
PortNext respectively. How they are made known to the GaNAT is
outside the scope of this document. Note, however, that a typical
scenario would be that the GaNAT has an existing NAT binding for the data flow in place
from where this information can be derived.

For every arriving incoming IP packet P, an NSLP-unaware, NR-side GaNAT
executes the following algorithm.

1. If P carries an [IP header].DestinationIPAddress that belongs to
the GaNAT, if it has a RAO followed by a the GIST header with an
unsupported NSLPID, and if it is identified as a GIST QUERY, the
GaNAT does the following.

1. We denote P as by GQ. The GaNAT looks at the stack proposal ST in
GQ. If it indicates that no does not include any proposal with cryptographic protection is
required,
protection, the GaNAT MAY choose to follow the "transparent"
approach as described in Section 5.2 above.

2. If GQ.[IP header].[Destination Address] header].DestinationIPAddress, denoted by IPus in
the sequel, is not bound to the link on which GQ arrived, the
GaNAT silently discards the packet. Otherwise, it remembers
GQ along with the link on which it arrived. We call this
link the "upstream" link.

3. The GaNAT determines whether or not this GIST QUERY is
anticipated, i.e. if a pending IPNext and PortNext exists.
One way of determining whether or not a pending IPNext and
PortNext exists is checking whether or not a NAT binding for
the data traffic, as this is defined by the MRI in the GIST
QUERY, exists in the NAT binding cache. If one exists, then
IPNext and PortNext is the address and destination port
number to on which
the data this traffic is sent after translation. forwarded. If no pending
IPNext is found, then GQ is discarded (it is an open issue a question
whether or not an error message should be sent). Otherwise,
additional checks may be performed (e.g. a DSInfo object may
have to be checked against the GQ). If these checks fail, GQ
is discarded. Otherwise, the GaNAT performs the following.

4. We call the link on which GQ arrived the "upstream" link.
The GaNAT aquires an IP address for itself for the upstream
link (this could be a static or a dynamic IP address). This
address is denoted IPGaNATus. The GaNAT will use this
address as a source IP address in order to send subsequent
signalling messages to the upstream direction. If the GaNAT
is an edge NAT, IPGaNATus will typically coincide with the
destination IP address of the (original) MRI in the GIST
QUERY.

5. The GaNAT It searches its table of existing NAT bindings against
entries that match the GQ.MRI. A matching entry means that the
data flow, to which the signalling refers, already exists.

+ If a matching entry is found, the GaNAT determines the
link on looks at which
link the packets of the data flow are forwarded; we call
this link the "downstream" link. Further, the GaNAT
checks how the headers of the data flow (IP addresses,
port numbers) are translated according to this NAT
binding. Note that the [IP header].DestinationIPAddress of
and DestinationPort in this NAT binding should be equal to IPNext.
IPNext and PortNext respectively. If it is they are not, this
should be handled as an auditive error condition. (This
check is done as a consistency check.)

+ If no matching entry is found, the GaNAT determines, based
on its routing table, the link on which packets that match
GQ.MRI (where GQ.MRI.DestinationIPAddress is replaced with
IPNext) would be forwarded. We call this link the
"downstream" link.

5. It creates a new GIST QUERY packet GQ', as follows.

1. GQ' <- GQ

2. GQ'.MRI.DestinationAddress GQ'.MRI.DestinationIPAddress <- IPNext. IPnext

3. GQ'.MRI.DestinationPort GQ'.MRI.DestinationPortNumber <- PortNext. PortNext

4. GQ'.[IP header].DestinationIPAddress <- IPNext. IPnext

5. GQ'.[UDP header].DestinationPort <- GIST well-known port
(TBD)

6. It checks whether or not an NTO was included in GQ.

- If none was included, it creates a new NTO as follows
and adds it to GQ'. Note that the MRI field of the
NTO is taken from GQ.

o NTO.[NAT Count] <- 1.

o NTO.MRI <- GQ.MRI.

o NTO.[List of translated objects] <- [type of MRI],
[type of NLI], [type of SCD]

o NTO.opaque information for NAT 1 <- IPGaNATus,
[link identifier LinkID of
upstream link]. link.

- If one was included, it replaces certain fields and
appends new fields into the NTO, as follows, and adds
the resulting object to GQ'. Note that the MRI field
of the NTO is not modified.

o NTO.[NAT Count] <- i, where i is the current [NAT
count] value increased by one.

o NTO.[List of translated objects] <- [type of MRI],
[type of NLI], [type of SCD]

o NTO.[opaque NTO.opaque information replaced by NAT i] i <-
IPGaNATus, [LinkID LinkID
of upstream link].

6. link.

7. It remembers GQ, GQ', the fact that they are associated,
and the associated upstream and downstream links.

8. It forwards GQ' on the downstream link. Note: The
encoding of the information that the GaNAT encodes into
the NTO.[opaque information replaced by NAT i] field is a
local implementation issue.

2. Otherwise, if P is identified as a GIST RESPONSE packet in
datagram mode with an
NSLP ID that is not supported, the GaNAT does the following (P is
denoted as by GR).

1. If P does not contain an NTO, the GaNAT forwards It searches for a matching GQ' in its buffer. A GQ' is said
to be matching if it as usual
without further processing. carries the same cookie value. If none
is found, GR is discarded. Otherwise, the GaNAT selects should also
make sure that the
information encoded by it session ID in GR is the [opaque information replaced
by NAT] field of same as in GQ',
that the embedded NTO, denoted by IPGaNATus NSLP IDs match, and
LinkID. that GR arrived on the
downstream link. If multiple [opaque information replaced by NAT]
fields are present in these consistency checks fail, GR should
be discarded. Otherwise, the GaNAT constructs a new GIST
RESPONSE GR', as follows.

2. If P does not contain an NTO, the GaNAT uses the last one in discards it without
further processing. Otherwise, the list. The GaNAT then constructs a new
GIST response RESPONSE GR', as follows (note that no changes are made
to the MRI).

1. GR' <- GR GR.

2. GR'.[IP header].SourceIPAddress <- IPGaNATus.

3. GR'.MRI.NLI.IA <- IPGaNATus.

4. Remove The GaNAT selects the information that it encoded in the last
[opaque information replaced by NAT i] field from GR'.NTO. of the
embedded NTO, denoted by LinkID, where i is the current
value of [NAT Count] as indicated in the NTO.

3. GR'.NLI.IA <- IPus

4. GR'.NTO.[List of translated objects by NAT i] <- [type of
NLI], where i is the current value of [NAT Count] as
indicated in the NTO.

5. GR'.NTO.[NAT Count] <- reduce by one.

6. GR'.[IP header].SourceIPAddress <- IPus (this is the IP
address that is bound to the link identified by LinkID
and must be equal to GQ.[IP header].DestinationIPAddress,
where GQ is the GIST QUERY associated with GQ').

7. GR'.[UDP header].DestinationPort <- GQ.[UDP
header].SourcePort, where GQ is the GIST QUERY associated
with GQ'.

8. GR'.S <- true.

3. SIGPORT=ST.DestinationPort.

4. It forwards GR' on the upstream link, i.e. the link identified by LinkID.

4. LinkID (i.e. the
upstream link).

5. The GaNAT now installs a NAT binding for the signalling
traffic that is exchanged over a messaging association which
says that "a packet K that arrives on the upstream link and
for which it holds that

+ K.[IP header].DestinationIPAddress=IPGaNATus, header].DestinationIPAddress=IPus (which is equal to
GQ.MRI.DestinationIPAddress and GQ.[IP
header].DestinationIPAddress),

+ K.[IP header].Protocol=PR.Protocol, header].Protocol=ST.Protocol, and

+ K.[TCP/UDP K.[Transport layer header].DestinationPort=SIGPORT

should be forwarded on the downstream link (i.e. link, with [IP
header].DestinationIPAddress = GR.NLI.IA and [Transport layer
header].DestinationPort=ST.DestinationPort.

6. The GaNAT now installs a NAT binding for the UDP-encapsulated
signalling traffic which says that "a packet M that arrives
on the upstream link
on and for which GR arrived), it holds that

+ M.[IP header].DestinationIPAddress=IPus,

+ M.[IP header].Protocol=UDP, and

+ M.[UDP header].DestinationPort=GIST well-known port

should be forwarded on the downstream link, with [IP header].DestinationIPAddress
header].SourceIPAddress =
GR.MRI.NLI.IA GR.NLI.IA". Note that this is a
special type of NAT binding, in that the source port in M may
vary from one incoming message to another. This is why each
packet M may be mapped by the GaNAT to a different source
port. Translation in the upstream direction must be applied
consistently, and [UDP/TCP
header].DestinationPort=PR.[Destination Port].

5. timeouts must also be selected
appropriately. That is, the overall binding must be timed
out together with the GIST state that is associated with this
session. However, each incoming packet M that matches this
binding causes the installation of a "sub"-binding (in the
sense that a new port mapping may occur) that will typically
time out faster.

7. If no NAT binding for the data traffic was found in step
1.3.2, the GaNAT may now install installs a NAT binding (for the
unidirectional data traffic) which says that "a packet L that
arrives on the upstream link and for which it holds that

+ L.[IP header].DestinationIPAddress=GR'.NTO.MRI.Destination
IPAddress, header].DestinationIPAddress=IPus (which is equal to
GQ.MRI.DestinationIPAddress and GQ.[IP
header].DestinationIPAddress),

+ L.[IP header].Protocol=GR'.NTO.MRI.Protocol, header].Protocol=GQ.MRI.Protocol, and

+ L.[TCP/UDP
header].DestinationPortNumbers=GR'.NTO.MRI.DestinationPort L.[Transport layer header].PortNumbers=GQ.MRI.PortNumbers

should be forwarded on the downstream link, with [IP
header].DestinationIPAddress = IPNext and [UDP/TCP [Transport layer
header].DestinationPort=PortNext.

Note: If the GaNAT also allows data traffic to traverse in
the other direction (i.e. in the upstream direction), then
the IP packets of this data traffic MUST have
SourceIPAddress=IPus, SourcePort=GQ.MRI.DestinationPort,
DestinationPort=GQ.MRI.SourcePort, and must be forwarded on
the upstream link. (This applies anyway for GaNATs with only
two links and where each link is bound to a single IP
address. However, for other types of GaNAT care has to be
taken that this restriction is enforced.)

Issues: there is a question of whether this NAT binding
should also enable data traffic in the opposite direction to
traverse the NAT; in order to be able to multiplex demultiplex upstream
traffic that carries data that belongs to different flows,
the GaNAT should keep the necessary per-flow state. From a
signalling point of view, however, upstream data traffic that
corresponds (on the application level) to the downstream flow
to which this GIST session refers, is a separate flow for
which, dependent on the application, there may or there may
not exist a signalling session. If such a signalling session
exists, then the GaNAT acts as an NI-side NR-side GaNAT for this
session. Thus, during the processing of this signalling care
has to be taken not to establish a NAT binding for a flow for
which a NAT binding already exists. Finally, security issues
may
arise when traffic, for which no signalling exists, is
allowed to traverse a GaNAT.

3. Otherwise, if P matches an existing NAT binding, normal NAT
processing is applied.

4. Otherwise, P is subjected to normal NAT processing. That is, P
is either silently discarded. discarded or it causes the installation of a
(data) NAT binding.

The remaining steps of the algorithm are analogous to the algorithm
of NSLP-unaware, NR-side GaNATs, which was described in the previous
section.

6.3. GIST peer processing

In the presence of GaNATs on the signalling path between two NSLP
peers, and if the GaNATs follow the "non-transparent" approach (which
they have to follow in the context of cryptographically protected
signalling), the consistent translation of the GIST header fields
must be carried out by the NSLP peers. The GIST processing that
performs this task, is described next. Note that this processing is
in addition to the processing described in section 7.2 of [1].

7. GIST-unaware NATs

The following may serve as indications Also note that the
processing described in this section applies only to non-NAT nodes.

A GIST peer that receives a GIST QUERY that carries an NSLP ID for a
supported NSLP and an NTO, constructs a GIST RESPONSE according to
[1]. This response is sent to the existence public address of an GIST-
unaware NAT the last in-
between two GaNAT. This address appeared as NLI.NI in the GIST peers. These indications can only be
detected by QUERY
(and also as the receiver source address in the IP header).

If local policy allows the installation of a GIST message. The first occasion these
indications may be detected is with state without the
reception of a GIST QUERY,
typically by CONFIRM message, then the downstream peer. (Note that != denotes inequality).

o The MRI.SourceIPAddress does not belong to responder stores the addressing space of
NTO carried with the receiving peer.

o The MRI.DestinationIPAddress does not belong to QUERY together with the addressing
space of routing state
information about the receiving querying GIST peer.

o The IP address in In particular, the NLI.IA MRI
field does not belong to the
addressing space of the receiving peer.

o The D flag of a received GIST packet denotes downstream direction
and NTO must be saved in order for the S flag peer to be able to
map subsequently received signalling messages to this signalling
session.

Note that it is not set sufficient for the NSLP to exclusively rely on
the NTO.MRI for this purpose. In order to see this, consider two
private addressing domains, A and [IP header].SourceIPAddress !=
MRI.SourceIPAddress.

o The D flag of B, each with a received GIST packet denotes upstream direction GaNAT at its border,
and a node N in the S flag is not set and [IP header].SourceIPAddress !=
MRI.DestinationIPAddress.

o This is public internet. In domain A, node N1 has a GIST QUERY
communication session with N, and [IP header].DestinationIPAddress !=
MRI.DestinationIPAddress.

Note in domain B, node N2 also has a
communication session with N. Suppose that these are only indications. In the presence (private) IP addresses
of an
adversary, a GIST peer may be tricked into believing N1 and N2 are equal (e.g. 192.168.0.3), and that an GIST-
unaware NAT exists between itself they both
communicate with N using the same source and one of its neighbouring peers,
while in reality destination ports. If
they both have an NSIS signalling session for this may not be data traffic, the
NTO.MRI field in the case.

When a downstream GIST peer detects such QUERY of their respective signalling
sessions are identical. If these signalling sessions meet at an indication, it may notify NSLP
node that is located "after" the upstream peer about GaNATs, then this NSLP node sees the error. It may include additional
information
same MRI in signalling messages that enables are received over a messaging
association. In this case, the upstream peer node must use other information in
the signalling messages (e.g. session ID, source IP address) in order
to construct map subsequently received signalling messages to existing
sessions.

If local policy demands that no session-specific state is installed
before the reception of a GIST packet
in such a way that, after it traverses CONFIRM message, then the GIST-unaware NAT, responder
must encode the IP
addresses information in the MRI field NTO.MRI and the NLI.IA field are consistent with
those in the IP header (which match from the addressing space GIST QUERY
(and possibly other values such as NSLP ID and an identifier of the
receiving peer). However, this requires
link on which the specification of new
data structures and formats, processing rules, and requires GIST QUERY arrived) in the peers
to maintain additional state.

Unfortunately, responder cookie. Since
this approach cookie is likely to fail echoed in many circumstances.
In order to see this, consider the behaviour GIST CONFIRM message, the responder can
then delay the installation of an GIST-unaware NAT
when the relevant state until it receives an IP packet.
the GIST CONFIRM. The packet either
1. matches an existing NAT binding in which case its IP header construction of the responder cookie is
translated and
implementation-specific, in the packet sense that it is forwarded on another link, or

2. matches an existing policy rule which causes a new binding to does not raise
interoperability issues. Nevertheless, the cookie must be
established and then (1) happens, or

3. is discarded because neither (1) nor (2) applies.

With GIST-unaware NATs it is generated
in a matter of local policy (i.e. the rules way that exist meets the requirements listed in case (2) above) whether or section 8.5 of [1],
and in a way that does not traffic will be allowed
to traverse introduce additional attacks against the NAT. This obviously applies
system.

Two responder cookie construction mechanisms are described in the
sequel. These methods are in addition to both signalling those described in section
8.5 of [1], and
data traffic, as an GIST-unaware NAT is unable meet the requirements listed in that section.
Additionally, they enable the responder to distinguish authenticate the two
types contents
of traffic. It may be the case that GIST node A is unable cookie, i.e. to
contact GIST node B which is "behind" a NAT, even if communication ensure that the cookie was not tampered with
while in
from B to A may be possible because such communication would match a
policy rule; typically, transit. This feature is not provided by the cookie
construction mechanisms described in a scenarios [1].

Responder cookie generation mechanism 1: Responder cookie = (gennum
|| cookie-left || cookie-right), where A || denotes concatenation,
cookie-left is towards the NI computed as ENC (Q-Node NLI, MRI, NSLPID, reception
interface, [timestamp]), and
B is towards the NR, the NAT would have this behaviour.

Another approach to deal with GIST-unaware NATs cookie-right is similar to the NAT
traversal approach taken by IKEv2, i.e. by encapsulating GIST
messages into UDP datagrams, rather than directly into IP datagrams.
This technique requires the inclusion of additional fields into a
GIST QUERY, computed as follows. The sender adds (a hash of) its own IP
address MAC (cookie-
left). ENC denotes a semantically secure symmetric encryption
scheme, and MAC denotes an unforgeable message authentication code
scheme. The responder must use a key with ENC that has been selected
independently from the IP address of what it believes to one used with MAC. Whenever these keys are
refreshed, they MUST be refreshed together. Gennum is the DR into the
GIST payload. The receiver generation
number of this GIST messages compares these
addresses to the [IP header].SourceIPAddress ENC and the [IP
header].DestinationIPAddress respectively. If at least one of them MAC keys. The timestamp is unequal, the receiver deduces that a NAT an optional field.
Policy dictates whether or not it is between sender and
receiver. After the detection of a NAT, included in the remainder construction of
the
communication is encapsulated into UDP datagrams cookie. For example, responders that are addressed
to have a specified port.

Unfortunately, fast enough key
rollover may omit the IKEv2 NAT traversal mechanism cannot be used "as
is" timestamp. Example algorithms for NAT traversal ENC and MAC
are AES-128 in GIST. This is because of CBC mode [3], and HMAC-SHA1 [4].

Responder cookie generation mechanism 2: Responder cookie = (Gennum
|| AUTHENC (Q-Node NLI, MRI, NSLPID, reception interface,
[timestamp])) AUTHENC denotes a symmetric authenticated encryption
scheme. Gennum is the generation number of
reasons, including the following.

o key used with
AUTHENC. The NAT may use timestamp is an IP address optional element for the forwarding same reason as
above. Example AUTHENC algorithms include the one specified in
RFC3610.

The version of data traffic the MRI that is different from the IP address it uses NSLP peers pass to forward GIST
traffic. Since the NAT NSLP is GIST-unaware it cannot update the MRI
one in the GIST messages such that it matches the translation applies
to the data traffic. Moreover, neither header of the GIST sending, nor QUERY (not the
GIST receiving peer can perform one in the NTO, if one
is present). Whether or not this update; is a translated MRI depends on the
location of the sending peer
cannot predict with respect to the translation in-between GaNAT(s). Note
that the NAT will apply, and the
receiving peer does not have enough information to associate data
flows to signalling messages.

o It same MRI is unclear whether or not used by the IKEv2 NAT traversal mechanism
supports cascades of NATs.

o It seems to be inappropriate to use UDP encapsulation for certain
C-mode scenarios. For example, using UDP encapsulation for TCP
C-mode would result in GIST to appear responder in TCP over UDP over IP.

8. signalling messages
that are sent towards the downstream direction.

7. Security Considerations

The mechanisms proposed in this document give rise to a number of
threats that must be considered. In the following, a subset some of these
threats is mentioned.

8.1.

7.1. Service Denial Attacks

As described above, NSLP-unaware GaNATs create some state whenever
they receive a GIST QUERY message. This state is necessary in order
for the GaNAT to be able to map a GIST RESPONSE that arrives from the
downstream direction to the corresponding GIST QUERY and thereby to
perform the required translation.

The threat here is an attacker flooding the GaNAT with maliciously
constructed GIST QUERIES with the aim of exhausting the GaNAT's
memory. The attacker might use a variety of methods to construct
such GIST QUERIES, including the following.

1. Use as [IP header].SourceIPAddress the address of some other node
or an unallocated IP address. This method is also known as IP
spoofing.

2. Use an invalid NSLPID, in order to make sure that all on-path
GaNAT(s) will behave like NSLP-unaware GaNATs.

3. For each packet, use a different value for the cookie field.

4. For each packet, use a different value for the session ID field.

5. Combinations of the above.

How vulnerable a GaNAT is to the above service denial attack depends
on a variaty variety of factors, including the following.

o The amount of state allocated at the receipt of a GIST QUERY.
This amount may vary depending on whether or not the data flow to
which the signalling refers, already exists (i.e. whether or not
the GaNAT already maintains a NAT binding for it).

o The mechanism that the GaNAT uses to map RESPONSEs to QUERIEs.

o Whether or not the GaNAT acriques acquires dynamic IP addresses and ports
for the downstream link.

In order to decrease the exposure of a GaNAT to service denial
attacks, the following recommendations are made.

o The GaNAT should perform ingress filtering. This limits the
amount of locations from which an attacker can perform IP spoofing
without being detected.

o The GaNAT should allocate the minimum amount of state required at
the reception of a GIST QUERY.

o All state allocated by the GaNAT should timeout according to a
local policy. If the GaNAT detects heavy loads (which may
indicate a service denial attack in progress), the GaNAT should
timeout the state allocated as a result of a received GIST QUERY
quicker, proportionally to the experienced load.

o The installation of a NAT binding for the data traffic (if such a
binding does not exist prior to signalling) should be postponed
until the correct GIST REPONSE RESPONSE traverses the NAT.

The service denial threats mentioned in this section do not apply to
an NSLP-aware GaNAT, as such a GaNAT is required, in accordance with
its local policy, to verify the validity of the cookie(s) before
allocating any state, including the state required by the mechanisms
in this document.

8.2.

7.2. Network Intrusions

Although the primary goal of a NAT is to perform address translation
between two addressing spaces, NATs are sometimes also used to
provide a security service similar to the security service provided
by firewalls. That is, a NAT can be configured so that it does not
forward packets from the external into the internal network, unless
it determines that the packets belong to a communication session that
was originally initiated from an internal node and are, as such,
solicited.

If an NSLP-unaware GaNAT performs the above security-relevant
function in addition to address translation, then the presence of
GIST signalling and, in particular the mechanisms described in this
document, might allow an adversary to cause the installation of NAT
bindings in the GaNAT using these mechansisms. These NAT bindings
would then enable the adversary to inject unsolicited traffic into
the internal network, a capability that it may might not have in the
absence of the mechanisms described in this document.

The administrator of an NSLP-unaware GaNAT should therefore make
security-concious
security-conscious decisions regarding the operation of the GaNAT.
An NSLP-aware GaNAT, on the other hand, follows an NSLP policy which
indicates the required security mechanisms. This policy should
account for the fact that this NSLP-aware node performs also NAT and
the associated packet filtering.

8. IAB Considerations

None.

10.

9. Acknowledgements

The authors would like to thank Cedric Aoun, Christian Dickmann,
Robert Hancock, and Martin Stiemerling for their insightful comments.
Furthermore, we would like to mention that this document builds on
top of a previous document regarding migration scenarios.

11.

10. Normative References

[1] Schulzrinne, H. and R. Hancock, "GIST: General Internet
Signalling Transport", draft-ietf-nsis-ntlp-06 draft-ietf-nsis-ntlp-09 (work in
progress), May 2005. February 2006.

[2] Stiemerling, M., Tschofenig, H., and C. Aoun, "NAT/Firewall NSIS
Signaling Layer Protocol (NSLP)", draft-ietf-nsis-nslp-natfw-06 draft-ietf-nsis-nslp-natfw-09
(work in progress), May 2005. February 2006.

[3] "Advanced Encryption Standard (AES)", FIPS PUB 197,
November 2001.

[4] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997.

Authors' Addresses

Andreas Pashalidis
Siemens
Otto-Hahn-Ring 6
Munich, Bavaria 81739
Germany

Email: Andreas.Pashalidis@siemens.com

Hannes Tschofenig
Siemens
Otto-Hahn-Ring 6
Munich, Bavaria 81739
Germany

Email: Hannes.Tschofenig@siemens.com

Intellectual Property Statement

The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.

Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.

The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.

Disclaimer of Validity

This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright (C) The Internet Society (2005). (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.

Acknowledgment

Funding for the RFC Editor function is currently provided by the
Internet Society.