Diff: draft-pashalidis-nsis-gimps-nattraversal-03.txt -> draft-pashalidis-nsis-gimps-nattraversal-04.txt
(Text shown once below is unchanged between the two versions; where the versions differ, the -03 and -04 text are labelled.)

-03 header:

NSIS                                                       A. Pashalidis
Internet-Draft                                             H. Tschofenig
Expires: December 25, 2006                                       Siemens
                                                           June 23, 2006

                           GIST NAT Traversal
             draft-pashalidis-nsis-gimps-nattraversal-03.txt

-04 header:

NSIS                                                       A. Pashalidis
Internet-Draft                                                       NEC
Intended status: Informational                             H. Tschofenig
Expires: September 6, 2007                                       Siemens
                                                           March 5, 2007

                           GIST NAT Traversal
             draft-pashalidis-nsis-gimps-nattraversal-04.txt
Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   skipping to change at page 1, line 34 (-03) / line 35 (-04)

   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   -03: This Internet-Draft will expire on December 25, 2006.
   -04: This Internet-Draft will expire on September 6, 2007.

Copyright Notice

   -03: Copyright (C) The Internet Society (2006).
   -04: Copyright (C) The IETF Trust (2007).
Abstract

   This document describes a number of mechanisms for the implementation
   of the General Internet Signalling Transport (GIST) protocol [1] on
   different types of Network Address Translator (NAT).  The focus of
   these mechanisms is the interaction of GIST with the address
   translation function of the NAT, and their purpose is to enable GIST
   hosts that are located on either side of the NAT to correctly
   interpret signalling messages with respect to the data traffic they
   skipping to change at page 2, line 26 (-03) / line 37 (-04)

     5.4.  Combination of NSLP-aware and NSLP-unaware GaNATs . . . .  25
   6.  Non-transparent NAT traversal for GIST . . . . . . . . . . . .  27
     6.1.  NI-side NSLP-unaware GaNATs . . . . . . . . . . . . . . .  27
     6.2.  NR-side NSLP-unaware GaNATs . . . . . . . . . . . . . . .  32
     6.3.  GIST peer processing  . . . . . . . . . . . . . . . . . .  38
   7.  Security Considerations  . . . . . . . . . . . . . . . . . . .  41
     7.1.  Service Denial Attacks  . . . . . . . . . . . . . . . . .  41
     7.2.  Network Intrusions  . . . . . . . . . . . . . . . . . . .  42
   8.  IAB Considerations . . . . . . . . . . . . . . . . . . . . . .  44
   9.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  45
   10. Normative References . . . . . . . . . . . . . . . . . . . . .  45 (-03) / 46 (-04)
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .  46 (-03) / 47 (-04)
   Intellectual Property and Copyright Statements . . . . . . . . . .  47 (-03) / 48 (-04)
1.  Introduction

   Network Address Translators (NATs) modify certain fields in the IP
   and transport layer header of the packets that traverse them.  In the
   context of signalling as specified by the General Internet Signalling
   Transport (GIST) protocol [1], this behaviour may lead to the
   installation of state at network nodes that may be inconsistent and
   meaningless with respect to the data traffic that traverses these
   nodes.

   skipping to change at page 4, line 10

   subsequently proposed mechanisms are based.  The mechanisms are
   described in Section 5 and Section 6.  Finally, Section 7 presents
   some security issues that arise in conjunction with the mechanisms
   described in this document.

2.  Terminology

   The terminology, abbreviations and notational conventions that are
   used throughout the document are as follows.
   -03: o  DR: Data Responder, as defined in [1]
   -04: o  DR: Data Receiver, same as Flow Receiver as defined in [1]

   -03: o  DS: Data Sender, as defined in [1]
   -04: o  DS: Data Sender, same as Flow Sender as defined in [1]

   o  GaNAT: GIST-aware NAT - a GaNAT MAY implement a number of NSLPs.

   o  GIST: General Internet Messaging Protocol for Signalling [1]

   o  NAT: Network Address Translator

   -03: o  NI: NSIS Initiator, as defined in [1]
   -04: o  NI: NSIS Initiator; this is the GIST node (as defined in [1])
           that initiates a signalling session for a given NSLP.  The NI
           may or may not be identical to the DS or the DR.

   -03: o  NR: NSIS Responder, as defined in [1]
   -04: o  NR: NSIS Responder; this is the GIST node (as defined in [1])
           that acts as the last in a sequence of nodes that participate
           in a given signalling session.  The NR may or may not be
           identical to the DR or the DS.

   o  NSIS: Next Steps in Signalling: The name of the IETF working group
      that specified the family of signalling protocols of which this
      document is also a member.  The term NSIS is also used to refer to
      this family of signalling protocols as a whole.

   o  GIST-aware: Implements GIST and MAY also implement a number of
      NSLPs.

   o  GIST-unaware: GIST-unaware, does not implement any NSLP.  The term

   skipping to change at page 4, line 46 (-03) / line 51 (-04)

   o  downstream: as defined in [1]

   o  upstream: as defined in [1]

   o  MRI: Message Routing Information, as defined in [1]

   o  NLI.IA: Interface Address field of the Network Layer Information
      object, as defined in [1]

   -04 only: o  NSLP: Network Signalling Layer Protocol

   o  <- : Assignment operator.  The quantity to the right of the
      operator is assigned to the variable to its left.

   o  A.B: Element B of structure A.  Example: [IP
      header].SourceIPAddress denotes the source IP address of an IP
      header.

   o  [data item]: This notation indicates that "data item" is a single
      identifier of a data structure.  (Square brackets do not denote
      optional arguments in this document.)
   skipping to change at page 12, line 19

                          |    +-----+     |
        +------+  +------+          +--+---+  +------+
   +--+ | GIST |  |  IP  |          |  IP  |  | GIST | +--+
   |DS+-+peer 1+--+router|          |router+--+peer 2+-+DR|
   +--+ +------+  +---+--+          +--+---+  +------+ +--+
                          |    +-----+     |
                          |    |GaNAT|     |
                          +----+  B  +-----+
                               +-----+

   Figure 1: Network with more than one NAT at an addressing boundary

   Figure 1 illustrates the importance of assumptions (3) and (4).  With
   regard to that figure, suppose that a (D-mode) signalling session has
   been set up between the two adjacent GIST peers 1 and 2 and that both
   signalling and data traffic follow the path GIST peer 1 -> IP router
   -> GaNAT A -> IP router -> GIST peer 2.  Suppose now that, after some
   time, GIST peer 1 decides to set up a C-mode connection with peer 2.
   Suppose moreover that the left IP router decides to forward the
   C-mode signalling traffic on the link towards GaNAT B.  Thus,
   signalling traffic now follows the alternative path GIST peer 1 -> IP
   skipping to change at page 20, line 11

   PortNext.  How IPNext and PortNext are made known to each GaNAT (e.g.
   how the NAT binding for the data traffic is installed in the GaNAT)
   is outside the scope of this document.

   +--+  +------+   +-----+   +-----+   +-----+   +------+  +--+  +--+
   +NI+--+ NSLP +---+GaNAT+---+GaNAT+---+GaNAT+---+ NSLP +--+NR+--+DR|
   +--+  |peer 1|   |  A  |   |  B  |   |  C  |   |peer 2|  +--+  +--+
         +------+   +-----+   +-----+   +-----+   +------+

   Figure 2: Network with NR-side GaNATs (the public Internet is assumed
   to be between NI and NSLP peer 1)

   For every arriving IP packet P, an NSLP-unaware, NR-side GaNAT
   executes the following algorithm.

   1.  If P has a RAO followed by a GIST header whose NSLP ID indicates
       an unsupported NSLP, and if it is identified as a GIST QUERY,
       the GaNAT does the following.

       1.  We denote P by GQ.  The GaNAT looks at the stack proposal in
           GQ.  If it indicates that cryptographic protection is
   skipping to change at page 23, line 28

        |                |                |                |
        |  +-+-----+-+   |                |  ++------+-+   |
        |  |  GIST   |   |                |  |  GIST   |   |
   u/s  |  +-+-----+-+   | d/s       u/s  |  ++------+-+   | d/s
   -----+----+     +-----+-----      -----+---+      +-----+-----
   link +----------------+ link      link +----------------+ link
             NI-side                           NR-side
            NSLP-aware                        NSLP-aware
              GaNAT                             GaNAT

   Figure 3: Operation of the MRI Translation Service

   The reason for this construction is to give the NSLP the impression
   that it works only with flows that originate and terminate in the
   internal address space.  We now describe the operation of the MRITS
   and GIST in NSLP-aware GaNATs.  An NI-side NSLP-aware GaNAT operates
   according to the following rules.

   1.  When the NSLP asks for a message to be sent towards the
       downstream GIST peer, the MRITS does the following (IPds and
       SPDTds are obtained similarly to the case of an NSLP-unaware
   skipping to change at page 46, line 8 (-03) / page 47, line 8 (-04)

   [3]  "Advanced Encryption Standard (AES)", FIPS PUB 197,
        November 2001.

   [4]  Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
        for Message Authentication", RFC 2104, February 1997.
Authors' Addresses

   -03:

   Andreas Pashalidis
   Siemens
   Otto-Hahn-Ring 6
   Munich, Bavaria  81739
   Germany

   Email: Andreas.Pashalidis@siemens.com

   -04:

   Andreas Pashalidis
   NEC
   Kurfuersten-Anlage 36
   Heidelberg  69115
   Germany

   Email: Andreas.Pashalidis@netlab.nec.de

   (both versions)

   Hannes Tschofenig
   Siemens
   Otto-Hahn-Ring 6
   Munich, Bavaria  81739
   Germany

   Email: Hannes.Tschofenig@siemens.com
-03: Intellectual Property Statement
-04: Full Copyright Statement

   -04 only:

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
   THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
   THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

-04 only: Intellectual Property

   (both versions)

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   skipping to change at page 47, line 29 (-03) / page 48, line 45 (-04)

   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at
   ietf-ipr@ietf.org.

   -03 only:

Disclaimer of Validity

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Copyright Statement

   Copyright (C) The Internet Society (2006).  This document is subject
   to the rights, licenses and restrictions contained in BCP 78, and
   except as set forth therein, the authors retain all their rights.

   (both versions)

Acknowledgment

   -03: Funding for the RFC Editor function is currently provided by the
        Internet Society.
   -04: Funding for the RFC Editor function is provided by the IETF
        Administrative Support Activity (IASA).