< draft-werner-nsis-natfw-nslp-statemachine-02.txt   draft-werner-nsis-natfw-nslp-statemachine-03.txt >
NSIS C. Werner NSIS C. Werner
Internet-Draft X. Fu, Ed. Internet-Draft X. Fu
Expires: September 7, 2006 Univ. Goettingen Expires: December 27, 2006 Univ. Goettingen
H. Tschofenig H. Tschofenig
Siemens Siemens
C. Aoun C. Aoun
ENST ENST
N. Steinleitner N. Steinleitner, Ed.
Univ. Goettingen Univ. Goettingen
March 6, 2006 June 25, 2006
NAT/FW NSLP State Machine NAT/FW NSLP State Machine
draft-werner-nsis-natfw-nslp-statemachine-02.txt draft-werner-nsis-natfw-nslp-statemachine-03.txt
Status of this Memo Status of this Memo
By submitting this Internet-Draft, each author represents that any By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79. aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
skipping to change at page 1, line 40 skipping to change at page 1, line 40
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on September 7, 2006. This Internet-Draft will expire on December 27, 2006.
Copyright Notice Copyright Notice
Copyright (C) The Internet Society (2006). Copyright (C) The Internet Society (2006).
Abstract Abstract
This document describes the state machines for the NSIS Signaling This document describes the state machines for the NSIS Signaling
Layer Protocol for Network Address Translation/Firewall signaling Layer Protocol for Network Address Translation/Firewall signaling
(NAT/FW NSLP). A set of state machines for NAT/FW NSLP entities at (NAT/FW NSLP). A set of state machines for NAT/FW NSLP entities at
skipping to change at page 2, line 18 skipping to change at page 2, line 18
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Notational conventions used in state diagrams . . . . . . . . 3 3. Notational conventions used in state diagrams . . . . . . . . 3
4. State Machine Symbols . . . . . . . . . . . . . . . . . . . . 6 4. State Machine Symbols . . . . . . . . . . . . . . . . . . . . 6
5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 7 5. Common Rules . . . . . . . . . . . . . . . . . . . . . . . . . 7
5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 7 5.1. Common Procedures . . . . . . . . . . . . . . . . . . . . 7
5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 9 5.2. Common Variables . . . . . . . . . . . . . . . . . . . . . 9
5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 9 5.3. Constants . . . . . . . . . . . . . . . . . . . . . . . . 9
6. State machine for the NAT/FW NI . . . . . . . . . . . . . . . 9 6. State machine for the NAT/FW NI/NR+ . . . . . . . . . . . . . 9
7. State machines for the NAT/FW NF . . . . . . . . . . . . . . . 11 7. State machine for the NAT/FW NF . . . . . . . . . . . . . . . 11
8. State machine for the NAT/FW NR . . . . . . . . . . . . . . . 15 8. State machine for the NAT/FW NR/NI+ . . . . . . . . . . . . . 15
9. Security Considerations . . . . . . . . . . . . . . . . . . . 18 9. Security Considerations . . . . . . . . . . . . . . . . . . . 18
10. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 18 10. Open Issues . . . . . . . . . . . . . . . . . . . . . . . . . 18
11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 18 11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 18
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18
13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 19 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 18
13.1. Normative References . . . . . . . . . . . . . . . . . . . 19 13.1. Normative References . . . . . . . . . . . . . . . . . . . 18
13.2. Informative References . . . . . . . . . . . . . . . . . . 19 13.2. Informative References . . . . . . . . . . . . . . . . . . 18
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 20
Intellectual Property and Copyright Statements . . . . . . . . . . 21 Intellectual Property and Copyright Statements . . . . . . . . . . 21
1. Introduction 1. Introduction
This document describes the state machines for NAT/FW NSLP [1], This document describes the state machines for NAT/FW NSLP [1],
trying to show how NAT/FW NSLP can be implemented to support its trying to show how NAT/FW NSLP can be implemented to support its
deployment. The state machines described in this document are deployment. The state machines described in this document are
illustrative of how the NAT/FW NSLP protocol defined in [1] may be illustrative of how the NAT/FW NSLP protocol defined in [1] may be
implemented for the first NAT/FW NSLP node in the signaling path, implemented for the first NAT/FW NSLP node in the signaling path,
skipping to change at page 6, line 13 skipping to change at page 6, line 13
more exit conditions with the same level of precedence become TRUE more exit conditions with the same level of precedence become TRUE
simultaneously, the choice as to which exit condition causes the simultaneously, the choice as to which exit condition causes the
state transition to take place is arbitrary. state transition to take place is arbitrary.
In addition to the above notation, there are a couple of In addition to the above notation, there are a couple of
clarifications specific to this document. First, all boolean clarifications specific to this document. First, all boolean
variables are initialized to FALSE before the state machine execution variables are initialized to FALSE before the state machine execution
begins. Second, the following notational shorthand is specific to begins. Second, the following notational shorthand is specific to
this document: this document:
<variable> = <expression1> | <expression2> | ... <variable> = <expression1> | <expression2> | ...
Execution of a statement of this form will result in <variable> Execution of a statement of this form will result in <variable>
having a value of exactly one of the expressions. The logic for having a value of exactly one of the expressions. The logic for
which of those expressions gets executed is outside of the state which of those expressions gets executed is outside of the state
machine and could be environmental, configurable, or based on machine and could be environmental, configurable, or based on
another state machine such as that of the method. another state machine such as that of the method.
4. State Machine Symbols 4. State Machine Symbols
( ) Used to force the precedence of operators in Boolean expressions ( ) Used to force the precedence of operators in Boolean expressions
and to delimit the argument(s) of actions within state boxes. and to delimit the argument(s) of actions within state boxes.
skipping to change at page 7, line 21 skipping to change at page 7, line 21
++ Increment the preceding integer operator by 1. ++ Increment the preceding integer operator by 1.
5. Common Rules 5. Common Rules
Throughout the document we use terms defined in the [1], such as NI, Throughout the document we use terms defined in the [1], such as NI,
NF, NR, CREATE, REA or RESPONSE. NF, NR, CREATE, REA or RESPONSE.
5.1. Common Procedures 5.1. Common Procedures
tx_CREATE(): Transmit a CREATE message tx_CREATE(): Transmit a CREATE message
tx_CREATE(LIFETIME>0): Transmit CREATE message with lifetime object
greater than 0 for session creation.
tx_CREATE(LIFETIME=0): Transmit CREATE message with lifetime object tx_CREATE(LIFETIME=0): Transmit CREATE message with lifetime object
explicitly set to 0 for session deletion explicitly set to 0 for session deletion.
tx_RESPONSE(code,type): Transmit RESPONSE message with specified code tx_RESPONSE(code,type): Transmit RESPONSE message with specified code
(SUCCESS or ERROR) and result type (related to a specific request (SUCCESS or ERROR) and result type (related to a specific request
type message: CREATE or REA). A code or result type may be type message: CREATE or REA). A code or result type may be
omitted, typically when forwarding received RESPONSE messages. omitted, typically when forwarding received RESPONSE messages.
tx_REA(): Transmit a REA message tx_REA(): Transmit a REA message
rx_RESPONSE(code, type): Evaluates to TRUE if a RESPONSE message has rx_RESPONSE(code, type): Evaluates to TRUE if a RESPONSE message has
been received with the specified code (SUCCESS or ERROR) and been received with the specified code (SUCCESS or ERROR) and
result type (related to a specific request type message: CREATE or result type (related to a specific request type message: CREATE or
REA). If the code or type is omitted, any received RESPONSE REA). If the code or type is omitted, any received RESPONSE
message which is only matching the given code or type will message which is only matching the given code or type will
evaluate this procedure to TRUE. evaluate this procedure to TRUE.
rx_CREATE(): Evaluates to TRUE if a CREATE message has been received. rx_CREATE(): Evaluates to TRUE if a CREATE message has been received.
rx_CREATE(Lifetime > 0): Evaluates to TRUE if a CREATE message with
lifetime object greater than 0 has been received.
rx_CREATE(Lifetime == 0): Evaluates to TRUE if a CREATE message with
lifetime object explicitly set to 0 has been received.
rx_REA(): Evaluates to TRUE if a REA message has been received. rx_REA(): Evaluates to TRUE if a REA message has been received.
rx_REA(Lifetime > 0): Evaluates to TRUE if a REA message with
lifetime object greater than 0 has been received.
rx_REA(Lifetime == 0): Evaluates to TRUE if a REA message with
lifetime object explicitly set to 0 has been received.
CHECK_AA(): Checks Authorization and Authentication of the received CHECK_AA(): Checks Authorization and Authentication of the received
message. Evaluates to TRUE if the check is successful, otherwise message. Evaluates to TRUE if the check is successful, otherwise
it evaluates to FALSE. This check is performed on all received it evaluates to FALSE. This check is performed on all received
messages hence it will only be shown within the state machine when messages hence it will only be shown within the state machine when
the check has failed. This CHECK_AA also MAY include a local the check has failed. This CHECK_AA also MAY include a local
policy check for the received message. policy check for the received message.
CreateSession(): Installs all session related states, variables, CreateSession(): Installs all session related states, variables,
bindings, policies. bindings, policies.
DeleteSession(): Removes all session related states, variables, DeleteSession(): Removes all session related states, variables,
bindings, policies. bindings, policies.
CreatePinhole(): Installs a pinhole for the new session. CreatePinhole(): Installs a pinhole for the new session.
DeletePinhole(): Removes a previously installed pinhole. DeletePinhole(): Removes a previously installed pinhole.
CreateReservations(): Creates a matching based on the MRI and open CreateReservations(): Creates a matching based on the MRI and open
pinholes for the signaling traffic. pinholes for the signaling traffic.
DeleteReservations(): Deletes previously installed matchings and DeleteReservations(): Deletes previously installed matchings and
pinholes for the signaling traffic. pinholes for the signaling traffic.
CreateBinding(): Creates a public/private network translation binding CreateBinding(): Creates a public/private network translation binding
on a NAT device for the requesting entity. on a NAT device for the requesting entity.
DeleteBinding(): Deletes a previously created a public/private DeleteBinding(): Deletes a previously created a public/private
network translation binding on a NAT device for the requesting network translation binding on a NAT device for the requesting
entity. entity.
StartTimer(identifier): This procedure starts a timer with a certain StartTimer(identifier): This procedure starts a timer with a certain
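Review bot: the receive procedures added here spell the argument "Lifetime" (rx_CREATE(Lifetime > 0), rx_REA(Lifetime == 0)) while the transmit procedure kept from -02 spells it "LIFETIME" (tx_CREATE(LIFETIME=0)), and the tables later use both forms (tx_CREATE(Lifetime=0) and rx_REA(Lifetime == 0) in the NF tables, rx_CREATE(LIFETIME > 0) and tx_CREATE(LIFETIME=0) in the NR SESSION table). Since Section 4 treats these as state machine symbols, pick one spelling in 5.1 and use it in every table. With tx_CREATE(LIFETIME>0) removed, the tables rely on the bare tx_CREATE() when forwarding a CREATE that carries a positive lifetime; one clause in the tx_CREATE() entry saying that the lifetime of the received message is carried over would make that explicit.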
skipping to change at page 8, line 27 skipping to change at page 8, line 33
subsequent StartTimer(identifier), StopTimer(identifier), subsequent StartTimer(identifier), StopTimer(identifier),
(identifier)_TIMEOUT refer to the same timer labeled x. This (identifier)_TIMEOUT refer to the same timer labeled x. This
timer is required to time the lifetime of state, which means that timer is required to time the lifetime of state, which means that
when it times out, it indicates the current machine state should when it times out, it indicates the current machine state should
be left or its validation has expired. This procedure starts the be left or its validation has expired. This procedure starts the
timer 'identifier'. If a timer with the same 'identifier' has timer 'identifier'. If a timer with the same 'identifier' has
already been started and not yet stopped, the timer is now stopped already been started and not yet stopped, the timer is now stopped
and restarted. After the timer has timed out, the procedure and restarted. After the timer has timed out, the procedure
(identifier)_TIMEOUT evaluates to TRUE. The timer does not (identifier)_TIMEOUT evaluates to TRUE. The timer does not
restart automatically, but must be started again with a restart automatically, but must be started again with a
StartTimer(identifier). Notice that this function can call as StartTimer(identifier). Used identifier are STATE, REFRESH,
statetimer or as refreshtimer which represents the CREATE, REA or RESPONSE.
"Start.REFRESH_TIMER(identifier)" procedure in version 01.
StopTimer(identifier): This procedure stops the timer labeled StopTimer(identifier): This procedure stops the timer labeled
'identifier'. If it has already been stopped, this procedure has 'identifier'. If it has already been stopped, this procedure has
no effect. If the timer has already timed out, this procedure no effect. If the timer has already timed out, this procedure
removes the timeout-state from the timer 'identifier', so removes the timeout-state from the timer 'identifier', so
subsequent calls to (identifier)_TIMEOUT evaluate to FALSE. A subsequent calls to (identifier)_TIMEOUT evaluate to FALSE. A
timeout cannot occur until the timer 'identifier' has been timeout cannot occur until the timer 'identifier' has been
(re-)started. (re-)started.
(identifier)_TIMEOUT: This procedure evaluates to TRUE if the (identifier)_TIMEOUT: This procedure evaluates to TRUE if the
(identifier)-timer has timed out and indicates a state lifetime (identifier)-timer has timed out and indicates a state lifetime
expiration. This procedure cannot evaluate to TRUE if the timer expiration. This procedure cannot evaluate to TRUE if the timer
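Review bot: grammar in the new closing sentence of StartTimer(identifier): "Used identifier are STATE, REFRESH, CREATE, REA or RESPONSE." should read "The identifiers used are STATE, REFRESH, CREATE, REA and RESPONSE." Of these, REFRESH is not started, stopped or tested by any transition table shown in this diff (the NF tables use CREATE, REA and RESPONSE; the NR tables STATE and RESPONSE); if no table in the unchanged text uses it either, it is a leftover of the -02 "refreshtimer" wording and should be dropped from the list.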
skipping to change at page 9, line 38 skipping to change at page 9, line 44
5.3. Constants 5.3. Constants
counterLimit(CREATE): Contains the maximum number of retransmission counterLimit(CREATE): Contains the maximum number of retransmission
attempts of a CREATE message after it is aborted and the attempts of a CREATE message after it is aborted and the
application is being notified. application is being notified.
counterLimit(REA): Contains the maximum number of retransmission counterLimit(REA): Contains the maximum number of retransmission
attempts of a REA message after it is aborted and the application attempts of a REA message after it is aborted and the application
is being notified. is being notified.
6. State machine for the NAT/FW NI 6. State machine for the NAT/FW NI/NR+
This section presents the state machine for the NSIS initator which This section presents the state machine for the NSIS initator which
is capable of NAT/FW NSLP signaling. is capable of NAT/FW NSLP signaling.
----------- -----------
State: INITIALIZE State: INITIALIZE
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
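Review bot: the Section 6 heading (and its TOC entry) now reads "NAT/FW NI/NR+", and Section 8 "NAT/FW NR/NI+", but the sentence under the heading still says the machine is for "the NSIS initator" only (typo for "initiator") and nothing in this diff explains the "+" suffix. Add a sentence under each heading saying what NR+ and NI+ denote and why one machine serves both roles, or define the notation in Section 2. In 5.3, "maximum number of retransmission attempts of a CREATE message after it is aborted" reads as if the limit applies after the abort; "after which the attempt is aborted and the application notified" is what is meant, for both counterLimit entries.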
skipping to change at page 11, line 36 skipping to change at page 11, line 38
| | | |
tg_TEARDOWN_PROXY |tx_CREATE(LIFETIME=0); | IDLE tg_TEARDOWN_PROXY |tx_CREATE(LIFETIME=0); | IDLE
| | | |
RESPONSE_TIMEOUT && |ReportAsyncEvent(); | IDLE RESPONSE_TIMEOUT && |ReportAsyncEvent(); | IDLE
(counter(CREATE) == | | (counter(CREATE) == | |
counterLimit(CREATE)) | | counterLimit(CREATE)) | |
| | | |
rx_RESPONSE(ERROR,CREATE) |ReportAsyncEvent(); | IDLE rx_RESPONSE(ERROR,CREATE) |ReportAsyncEvent(); | IDLE
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
7. State machines for the NAT/FW NF 7. State machine for the NAT/FW NF
This section describes the state machines for intermediate nodes This section describes the state machine for intermediate nodes
within the signaling path capable of processing NAT/FW NSLP messages. within the signaling path capable of processing NAT/FW NSLP messages.
These nodes typically implement firewall and/or network address These nodes typically implement firewall and/or network address
translation (NAT) functionality. translation (NAT) functionality.
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
UCT |Initialize variables | IDLE UCT |Initialize variables | IDLE
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
----------- -----------
State: IDLE State: IDLE
Entry: DeleteSession(); Entry: DeleteSession();
Exit : CreateSession(); Exit : CreateSession();
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
(rx_REA) && (IS_PUBLICSIDE) |tx_RESPONSE(ERROR, REA); | IDLE (rx_REA) && (IS_PUBLICSIDE) |tx_RESPONSE(ERROR, REA); | IDLE
| | | |
(rx_CREATE) && |tx_CREATE(); | CREATE_ (rx_CREATE(Lifetime > 0)) |tx_CREATE(); | CREATE_
(CREATE(Lifetime) > 0) | | WAITRESP | | WAITRESP
| | | |
((rx_REA) && (!IS_EDGE) |tx_REA(); | NONEDGE_ ((rx_REA) && (!IS_EDGE) |tx_REA(); | NONEDGE_
&& (!IS_PUBLICSIDE)) | | REA && (!IS_PUBLICSIDE)) | | REA
| | | |
((rx_REA) && (IS_EDGE) |tx_RESPONSE(SUCCESS,REA); | EDGE_REA ((rx_REA) && (IS_EDGE) |tx_RESPONSE(SUCCESS,REA); | EDGE_REA
&& (!IS_PUBLICSIDE)) |tx_CREATE; | && (!IS_PUBLICSIDE)) |tx_CREATE; |
|if(proxy_object) then | |if(proxy_object) then |
| (tg_CREATE_PROXY);| | (tg_CREATE_PROXY);|
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
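Review bot: the two IDLE rows that enter NONEDGE_REA and EDGE_REA still match a bare (rx_REA), so a REA with lifetime 0 arriving in IDLE would start the REA timer and call CreateReservations() on entry even though there is nothing to tear down; now that 5.1 defines rx_REA(Lifetime > 0), these rows should use it, matching the changed CREATE row "(rx_CREATE(Lifetime > 0))". Style in the EDGE_REA row: "tx_CREATE;" lacks the parentheses used everywhere else, and the proxy trigger is guarded by "proxy_object" while the EDGE_REA rows below test "proxy_mode" for what appears to be the same flag; use tx_CREATE() and a single variable name.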
skipping to change at page 12, line 40 skipping to change at page 12, line 42
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
rx_RESPONSE(ERROR,CREATE) |tx_RESPONSE(ERROR,CREATE); | IDLE rx_RESPONSE(ERROR,CREATE) |tx_RESPONSE(ERROR,CREATE); | IDLE
|ReportAsyncEvent(); | |ReportAsyncEvent(); |
| | | |
STATE_TIMEOUT |tx_RESPONSE(ERROR,CREATE); | IDLE STATE_TIMEOUT |tx_RESPONSE(ERROR,CREATE); | IDLE
|ReportAsyncEvent(); | |ReportAsyncEvent(); |
| | | |
(rx_CREATE) && |tx_CREATE(Lifetime=0); | IDLE (rx_CREATE(Lifetime == 0)) |tx_CREATE(Lifetime=0); | IDLE
(CREATE(Lifetime) == 0) | |
| | | |
rx_RESPONSE(SUCCESS,CREATE) |tx_RESPONSE(SUCCESS,CREATE); | SESSION rx_RESPONSE(SUCCESS,CREATE) |tx_RESPONSE(SUCCESS,CREATE); | SESSION
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
----------- -----------
State: NONEDGE_REA State: NONEDGE_REA
Entry: StartTimer(REA); Entry: StartTimer(REA);
CreateReservations(); CreateReservations();
Exit : StopTimer(REA); Exit : StopTimer(REA);
DeleteReservations(); DeleteReservations();
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
(rx_REA) && |StopTimer(REA); | NONEDGE_ (rx_REA(Lifetime > 0)) |StopTimer(REA); | NONEDGE_
(REA(Lifetime) > 0) |StartTimer(REA); | REA |StartTimer(REA); | REA
|tx_REA(); | |tx_REA(); |
| | | |
rx_RESPONSE(SUCCESS, REA) |tx_RESPONSE(SUCCESS,REA); | NONEDGE_
| | REA
| |
rx_RESPONSE(ERROR, REA) |tx_RESPONSE(ERROR,REA); | IDLE rx_RESPONSE(ERROR, REA) |tx_RESPONSE(ERROR,REA); | IDLE
|ReportAsyncEvent(); | |ReportAsyncEvent(); |
| | | |
(rx_REA) && |tx_REA(Lifetime=0); | IDLE (rx_REA(Lifetime == 0)) |tx_REA(Lifetime=0); | IDLE
(REA(Lifetime) == 0) |ReportAsyncEvent(); | |ReportAsyncEvent(); |
| | | |
REA_TIMEOUT |ReportAsyncEvent(); | IDLE REA_TIMEOUT |ReportAsyncEvent(); | IDLE
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
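Review bot: dropping the NONEDGE_REA row "rx_RESPONSE(SUCCESS, REA) | tx_RESPONSE(SUCCESS,REA) | NONEDGE_REA" leaves a non-edge NF with no transition for a successful REA response, yet the edge NF answers a REA with tx_RESPONSE(SUCCESS,REA) (IDLE state in Section 7) and the NR waits in REA_WAITRESP for exactly that message; unless the RESPONSE is relayed outside the state machine, the row should be restored (the error case rx_RESPONSE(ERROR, REA) is still forwarded in this state). Minor: in the refresh row "StopTimer(REA); StartTimer(REA);" the StopTimer is redundant, because StartTimer in 5.1 already stops and restarts a running timer; the same applies to the EDGE_REA refresh row and the NR SESSION refresh row.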
----------- -----------
State: EDGE_REA State: EDGE_REA
Entry: StartTimer(REA); Entry: StartTimer(REA);
CreateReservations(); CreateReservations();
Exit : StopTimer(REA); Exit : StopTimer(REA);
DeleteReservations(); DeleteReservations();
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
(rx_REA) && |StopTimer(REA); | NONEDGE_ (rx_REA(Lifetime > 0)) |StopTimer(REA); | EDGE_REA
(REA(Lifetime) > 0) |StartTimer(REA); | REA |StartTimer(REA); |
|tx_REA(); | |tx_RESPONSE(SUCCESS, REA); |
| | | |
rx_RESPONSE(ERROR, REA) |tx_RESPONSE(ERROR,REA); | IDLE (rx_REA(Lifetime == 0)) |tx_REA(Lifetime=0); | IDLE
|ReportAsyncEvent(); | |ReportAsyncEvent(); |
|if(proxy_mode) then | |if(proxy_mode) then |
| (tg_TEARDOWN_PROXY);| | (tg_TEARDOWN_PROXY);|
| | | |
(rx_REA) && |tx_REA(Lifetime=0); | IDLE
(REA(Lifetime) == 0) |ReportAsyncEvent(); |
|if(proxy_mode) then |
| (tg_TEARDOWN_PROXY);|
| |
REA_TIMEOUT |ReportAsyncEvent(); | IDLE REA_TIMEOUT |ReportAsyncEvent(); | IDLE
|if(proxy_mode) then | |if(proxy_mode) then |
| (tg_TEARDOWN_PROXY);| | (tg_TEARDOWN_PROXY);|
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
----------- -----------
State: SESSION State: SESSION
Entry: StartTimer(CREATE) Entry: StartTimer(CREATE)
CreatePinhole(); CreatePinhole();
CreateBinding(); CreateBinding();
Exit : StopTimer(RESPONSE); Exit : StopTimer(RESPONSE);
StopTimer(CREATE); StopTimer(CREATE);
DeletePinhole(); DeletePinhole();
DeleteBinding(); DeleteBinding();
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
RESPONSE_TIMEOUT |StopTimer(RESPONSE); | SESSION RESPONSE_TIMEOUT |StopTimer(RESPONSE); | SESSION
|tx_RESPONSE(ERROR,CREATE); | |tx_RESPONSE(ERROR,CREATE); |
| | | |
(rx_CREATE) && |StopTimer(CREATE); | SESSION (rx_REA(Lifetime > 0)) |StopTimer(CREATE); | SESSION
(CREATE(Lifetime) > 0) |StartTimer(RESPONSE); | |StartTimer(RESPONSE); |
|tx_CREATE(); | |tx_CREATE(); |
| | | |
rx_RESPONSE(SUCCESS,CREATE) |StopTimer(RESPONSE); | SESSION rx_RESPONSE(SUCCESS,CREATE) |StopTimer(RESPONSE); | SESSION
|StartTimer(CREATE); | |StartTimer(CREATE); |
|tx_RESPONSE(SUCCESS,CREATE); | |tx_RESPONSE(SUCCESS,CREATE); |
| | | |
CREATE_TIMEOUT |ReportAsyncEvent(); | IDLE CREATE_TIMEOUT |ReportAsyncEvent(); | IDLE
| | | |
(rx_CREATE) && |tx_CREATE(Lifetime=0); | IDLE (rx_REA(Lifetime == 0)) |tx_CREATE(Lifetime=0); | IDLE
(CREATE(Lifetime) == 0) | |
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
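Review bot: the two changed rows of the NF SESSION state look like a search-and-replace slip: the conditions are now rx_REA(Lifetime > 0) and rx_REA(Lifetime == 0), but the actions still forward CREATE messages (tx_CREATE(), tx_CREATE(Lifetime=0)), the state is entered from CREATE_WAITRESP on rx_RESPONSE(SUCCESS,CREATE), and its lifetime is the CREATE timer. The -02 conditions, written in the new notation as rx_CREATE(Lifetime > 0) and rx_CREATE(Lifetime == 0), are what the surrounding rows imply. The EDGE_REA change (a refresh now stays in EDGE_REA and answers with tx_RESPONSE(SUCCESS, REA) instead of moving to NONEDGE_REA with tx_REA()) fixes a real inconsistency in -02; the teardown row there, however, still forwards tx_REA(Lifetime=0) although the edge NF answered the original REA itself rather than forwarding it (IDLE row), so tx_RESPONSE(SUCCESS,REA) seems the matching action.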
8. State machine for the NAT/FW NR 8. State machine for the NAT/FW NR/NI+
This section presents the state machines for the NSIS responder which This section presents the state machines for the NSIS responder which
is capable of NSLP NAT/FW signaling. is capable of NSLP NAT/FW signaling.
----------- -----------
State: INITIALIZE State: INITIALIZE
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
skipping to change at page 16, line 17 skipping to change at page 16, line 17
Exit : CreateSession(); Exit : CreateSession();
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
(rx_CREATE) && !(CHECK_AA())|tx_RESPONSE(ERROR,CREATE); | IDLE (rx_CREATE) && !(CHECK_AA())|tx_RESPONSE(ERROR,CREATE); | IDLE
| | | |
tg_REA |tx_REA(); | REA_ tg_REA |tx_REA(); | REA_
| | WAITRESP | | WAITRESP
| | | |
(rx_CREATE) && |tx_RESPONSE(SUCCESS,CREATE); | SESSION (rx_REA(Lifetime > 0)) |tx_RESPONSE(SUCCESS,CREATE); | SESSION
(CREATE(Lifetime) > 0) | |
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
----------- -----------
State: REA_WAITRESP State: REA_WAITRESP
Entry: ResetCounter(REA); Entry: ResetCounter(REA);
StartTimer(RESPONSE); StartTimer(RESPONSE);
Exit : StopTimer(RESPONSE); Exit : StopTimer(RESPONSE);
----------- -----------
Condition Action State Condition Action State
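Review bot: the changed NR IDLE row "(rx_REA(Lifetime > 0)) | tx_RESPONSE(SUCCESS,CREATE) | SESSION" mixes message types: the response it sends is for a CREATE, the row above it already matches rx_CREATE (the failed CHECK_AA case), and the NR SESSION state is refreshed by rx_CREATE(LIFETIME > 0). The condition should be rx_CREATE(Lifetime > 0), as it was in -02.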
skipping to change at page 18, line 4 skipping to change at page 17, line 33
|StartTimer(RESPONSE); | |StartTimer(RESPONSE); |
| | | |
RESPONSE_TIMEOUT && |ReportAsyncEvent(); | IDLE RESPONSE_TIMEOUT && |ReportAsyncEvent(); | IDLE
(counter(REA) == | | (counter(REA) == | |
counterLimit(REA)) | | counterLimit(REA)) | |
| | | |
rx_RESPONSE(ERROR,REA) |ReportAsyncEvent(); | IDLE rx_RESPONSE(ERROR,REA) |ReportAsyncEvent(); | IDLE
| | | |
tg_TEARDOWN |tx_REA(Lifetime=0); | IDLE tg_TEARDOWN |tx_REA(Lifetime=0); | IDLE
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
----------- -----------
State: SESSION State: SESSION
Entry: StartTimer(STATE); Entry: StartTimer(STATE);
Exit : StopTimer(STATE); Exit : StopTimer(STATE);
----------- -----------
Condition Action State Condition Action State
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
(rx_CREATE) && |tx_RESPONSE(SUCCESS,CREATE); | SESSION (rx_CREATE(LIFETIME > 0)) |tx_RESPONSE(SUCCESS,CREATE); | SESSION
(CREATE(LIFETIME) > 0) |StopTimer(STATE); | |StopTimer(STATE); |
|StartTimer(STATE); | |StartTimer(STATE); |
| | | |
tg_TEARDOWN |tx_CREATE(LIFETIME=0); | IDLE (rx_CREATE(LIFETIME == 0)) |ReportAsyncEvent(); | IDLE
| |
(rx_CREATE) && |ReportAsyncEvent(); | IDLE
(CREATE(LIFETIME) == 0) | |
| | | |
STATE_TIMEOUT |ReportAsyncEvent(); | IDLE STATE_TIMEOUT |ReportAsyncEvent(); | IDLE
----------------------------+-----------------------------+---------- ----------------------------+-----------------------------+----------
9. Security Considerations 9. Security Considerations
This document does not raise new security considerations. Any This document does not raise new security considerations. Any
security concerns with the NAT/FW NSLP are likely reflected in security concerns with the NAT/FW NSLP are likely reflected in
security related NSIS work already (such as [1] or [6]). security related NSIS work already (such as [1] or [6]).
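Review bot: removing "tg_TEARDOWN | tx_CREATE(LIFETIME=0) | IDLE" from the NR SESSION state leaves the responder with no locally triggered teardown; the session now ends only on STATE_TIMEOUT or on the peer's CREATE(LIFETIME == 0). If that is deliberate (the responder does not originate CREATE, and the NR/NI+ tears down via tx_REA(Lifetime=0) while in REA_WAITRESP), say so in the Section 8 text; otherwise a tg_TEARDOWN row with the appropriate message is needed. This table also spells the argument LIFETIME where the NF tables and the 5.1 definitions use Lifetime.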
skipping to change at page 19, line 15 skipping to change at page 18, line 38
12. Acknowledgments 12. Acknowledgments
The authors would like to thank Martin Stiemerling for his valuable The authors would like to thank Martin Stiemerling for his valuable
comments and discussions. comments and discussions.
13. References 13. References
13.1. Normative References 13.1. Normative References
[1] Stiemerling, M., "NAT/Firewall NSIS Signaling Layer Protocol [1] Stiemerling, M., "NAT/Firewall NSIS Signaling Layer Protocol
(NSLP)", draft-ietf-nsis-nslp-natfw-09 (work in progress), (NSLP)", draft-ietf-nsis-nslp-natfw-11 (work in progress),
February 2006. April 2006.
[2] Bradner, S., "Key words for use in RFCs to Indicate Requirement [2] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", March 1997. Levels", March 1997.
13.2. Informative References 13.2. Informative References
[3] Fajardo, V., "State Machines for Protocol for Carrying [3] Fajardo, V., "State Machines for Protocol for Carrying
Authentication for Network Access (PANA)", Authentication for Network Access (PANA)",
draft-ietf-pana-statemachine-03 (work in progress), draft-ietf-pana-statemachine-04 (work in progress), May 2006.
October 2005.
[4] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State [4] Vollbrecht, J., Eronen, P., Petroni, N., and Y. Ohba, "State
Machines for Extensible Authentication Protocol (EAP) Peer and Machines for Extensible Authentication Protocol (EAP) Peer and
Authenticator", draft-ietf-eap-statemachine-06 (work in Authenticator", draft-ietf-eap-statemachine-06 (work in
progress), December 2004. progress), December 2004.
[5] Institute of Electrical and Electronics Engineers, "DRAFT [5] Institute of Electrical and Electronics Engineers, "DRAFT
Standard for Local and Metropolitan Area Networks: Port-Based Standard for Local and Metropolitan Area Networks: Port-Based
Network Access Control (Revision)", IEEE 802-1X-REV/D9, Network Access Control (Revision)", IEEE 802-1X-REV/D9,
January 2004. January 2004.
skipping to change at page 20, line 16 skipping to change at page 20, line 16
Constantin Werner Constantin Werner
University of Goettingen University of Goettingen
Telematics Group Telematics Group
Lotzestr. 16-18 Lotzestr. 16-18
Goettingen 37083 Goettingen 37083
Germany Germany
Email: werner@cs.uni-goettingen.de Email: werner@cs.uni-goettingen.de
Xiaoming Fu (editor) Xiaoming Fu
University of Goettingen University of Goettingen
Telematics Group Telematics Group
Lotzestr. 16-18 Lotzestr. 16-18
Goettingen 37083 Goettingen 37083
Germany Germany
Email: fu@cs.uni-goettingen.de Email: fu@cs.uni-goettingen.de
Hannes Tschofenig Hannes Tschofenig
Siemens Siemens
skipping to change at page 20, line 40 skipping to change at page 20, line 40
Email: Hannes.Tschofenig@siemens.com Email: Hannes.Tschofenig@siemens.com
Cedric Aoun Cedric Aoun
Ecole Nationale Superieure des Telecommunications Ecole Nationale Superieure des Telecommunications
Paris Paris
France France
Email: cedric@caoun.net Email: cedric@caoun.net
Niklas Steinleitner Niklas Steinleitner (editor)
University of Goettingen University of Goettingen
Telematics Group Telematics Group
Lotzestr. 16-18 Lotzestr. 16-18
Goettingen 37083 Goettingen 37083
Germany Germany
Email: steinleitner@cs.uni-goettingen.de Email: steinleitner@cs.uni-goettingen.de
Intellectual Property Statement Intellectual Property Statement
 End of changes. 38 change blocks. 
58 lines changed or deleted 60 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/