NAT/FW NSLP Implementation
Presentation given by Hannes Tschofenig
Implemented by Henning Peters

Current Status
• Working C++ NATFW NSLP prototype
• Based on Univ. Goettingen GIST implementation
• Most essential features are covered, including proxy modes (DS behind NAT, DR behind NAT) and all basic behavior (CREATE/REFRESH/TEARDOWN/RESPONSE, REA/RESPONSE)
• TODO:
  • Firewall interaction
  • Interaction with an AAA server
  • Performance evaluation and improvements (including refinement of memory management)
• Development time: ~ 2 man-months (including work on GIST)

Details
• GNU/Linux kernel 2.6.x as development platform
• NAT/FW API using Linux iptables/netfilter
• Split into three processes: GIST server, NAT/FW server, NAT/FW client
• All GIST / NAT/FW client/server communication over UNIX sockets
• See performance overhead paper from X. Fu et al. on GIST: http://www.tmg.informatik.uni-goettingen.de/publications
• Using code generation for object construction and FSM: ~1000 lines of code
• Virtual machines were used for testing

Conclusion
• Issues filed as part of the implementation experience.
  • E.g., REA/UCREATE separation, missing ports using REA, how to update MRI at NATs, terminology
  • Some already resolved in the current draft
  • https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/index
• Some amount of energy went into GIST code to make things more generic (e.g., FSM, objects, timers). Easier job for new NSLP implementation using this GIST implementation