
NATFW NSLP Status draft-ietf-nsis-nslp-natfw-10.txt

This draft provides the finalized version of the NATFW NSLP status, including minor changes to fulfill 3GPP2 requirements. It addresses issues raised by 3GPP2 and introduces new concepts for session states and policy rules.

sapplebaum

Presentation Transcript


  1. NATFW NSLP Status draft-ietf-nsis-nslp-natfw-10.txt • M. Stiemerling, H. Tschofenig, C. Aoun, and E. Davies • stiemerling@netlab.nec.de • NSIS Working Group, 65th IETF meeting

  2. Status • draft-ietf-nsis-nslp-natfw-09 • Minor changes to deal with 3GPP2 request • draft-ietf-nsis-nslp-natfw-10 • Draft got stuck in submission but NOW out • “Finalized” version • Added Elwyn Davies as author • Fulfilling 3GPP2 requirements • Diff to -09 available here • http://www.stiemerling.org/ietf/nsis/draft-ietf-nsis-nslp-natfw-10-diff-to-09.html • NATFW issue tracker https://kobe.netlab.nec.de/roundup/nsis-natfw-nslp/

  3. 3GPP2 and NSIS • "Requirements for Firewall Configuration Protocol" (draft-bajko-nsis-FW-reqs-04.txt) • 3GPP2 is calling this protocol NFCCP (Network Firewall Configuration & Control Protocol) • Presentation of the NATFW NSLP at the Jan 17th meeting by John • TSG-X, PSN, WG 3.1 • Slides are here http://www.stiemerling.org/ietf/nsis/3gpp2/3gpp2_nsis_natfw_overview_final.ppt • 3GPP2 WG is in favour of the path-coupled NSIS approach • NSIS NATFW NSLP will be the NFCCP!

  4. Issues Raised by 3GPP2 • port range parameter field • Added in -09, see Section 4.2.3 • ICMP support • Added in -10, see Section 4.2.10 • Query method for firewall capabilities • No technical discussion on this yet • Mobile IPv6 support • Separate document, not in the NSLP document • One shot signaling message • to teardown a whole set of policy rules belonging to a specific IP address • Added in -10, see next slide and Section 3.8.4

  5. Notification Storms • [Figure: NSLP session and NOTIFY message; nodes NI, NF1, NF2, NF3, NR] • Added semantics to mitigate NOTIFY storms • Using NTLP’s explicit routing • NATFW NOTIFY message • SID set to 0 • MRI wildcarded • Sent upstream • Upstream node must regard corresponding sessions as void • Same mechanism used for one shot termination message

  6. Conceptual States of Session • New section “NATFW NSLP Signaling Sessions” • Conceptual states for a session • Pending: The signaling session is created and the node waits for a RESPONSE message. • Established: A positive RESPONSE message has been received. • Dead: The node has received an error RESPONSE message and the signaling session can be deleted. • Transit: The node has received a NOTIFY, and can delete the signaling session if needed.

  7. More Changes • Fixed terminology for policy rules • Remembered, Reserved, Installed • Added response codes and NATFW_INFO object • Updated security section • Unified REA and REA-F • A single REA • Path-coupled if only firewalls • Loose-end if NAT’ed • Reworked proxy section • Removed NATFW_PROXY object and added a proxy flag to NSLP header • Applicability statement for REA and firewalls • Added examples on policy rule to NAT/firewall resources

  8. Way Forward • Major issues closed • 7 issues pending • 2 are non-serious bugs • RAO value allocation • Missing padding in one object • 5 are wishes • IANA considerations issues • Authors see document ready for WGLC

  9. Thank you! Questions?
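
The session states on slide 6 and the SID 0 NOTIFY on slide 5 can be modelled as a small per-node session table. This is an added example, not code from the draft or its authors. The class and method names are hypothetical, and three behaviours are assumptions: "corresponding sessions" is taken to mean sessions routed via the peer that sent the NOTIFY, SID 0 is never used for a real session, and messages for unknown sessions or from non-peers are ignored.

```python
from enum import Enum

class State(Enum):          # the four conceptual states from slide 6
    PENDING = "Pending"
    ESTABLISHED = "Established"
    DEAD = "Dead"
    TRANSIT = "Transit"

WILDCARD_SID = 0            # slide 5: the storm-mitigation NOTIFY carries SID 0

class SessionTable:
    """Signaling sessions held by one node, keyed by session ID (SID)."""
    def __init__(self):
        self.sessions = {}  # sid -> [State, downstream peer name]

    def create(self, sid, peer):
        if sid == WILDCARD_SID:   # assumption: SID 0 never names a real session
            raise ValueError("SID 0 is reserved for the wildcard NOTIFY")
        self.sessions[sid] = [State.PENDING, peer]

    def on_response(self, sid, success):
        entry = self.sessions.get(sid)
        if entry is None or entry[0] in (State.DEAD, State.TRANSIT):
            return None           # assumption: no state is created or revived
        entry[0] = State.ESTABLISHED if success else State.DEAD
        return entry[0]

    def on_notify(self, sid, sender):
        """Return the SIDs affected by a NOTIFY received from `sender`."""
        if sid == WILDCARD_SID:
            # Assumption: "corresponding" means sessions routed via the sender.
            hit = sorted(s for s, e in self.sessions.items() if e[1] == sender)
            for s in hit:
                del self.sessions[s]          # regarded as void
            return hit
        entry = self.sessions.get(sid)
        if entry is None or entry[1] != sender:
            return []             # assumption: NOTIFY from a non-peer is ignored
        entry[0] = State.TRANSIT
        return [sid]

    def reap(self):
        """Delete sessions in the states slide 6 marks as deletable."""
        gone = sorted(s for s, e in self.sessions.items()
                      if e[0] in (State.DEAD, State.TRANSIT))
        for s in gone:
            del self.sessions[s]
        return gone
```

Scoping the wildcard NOTIFY to the sending peer matters for the security review: without that check, a single message with SID 0 from any source would void every session on the node.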
