Framework for interfacing with NAT
<draft-ietf-nat-interface-framework-02.txt>
Pyda Srisuresh - Jasmine Networks
03/20/01

Objective

• Identify the functions of a middlebox device.
• Identify NAT service specific resources.
• Illustrate the resource interface mechanism for NAT service through an API.
• Provide a framework for the development of a protocol by which NAT MIDCOM agents can interface with NAT.

Middlebox Devices

• Network Address Translator devices (NAT)
• Firewalls
• Security Gateways
• Server-load Balancers
• QOS enforcement devices
• Intrusion Detection Devices
• etc.

Data flow across NATs

[Figure: an End-to-End Session between a Client and a Server. Private network traffic crosses the Private Network Boundary at the NAT and continues as Internet traffic; a NAT-Midcom Agent is attached to the NAT.]

Proxy traffic across NAT Device

[Figure: a Proxy-client Application, a Proxy server behind a NAT Router, and a Target server. The User's view of the Session runs end to end; the Server's view of the Session starts at the Proxy Exchange.]

NAT device also terminating a tunnel

[Figure: an End-to-End Session between a Client and a Server across the Internet. The Router/NAT sits at the Trusted Network Boundary and terminates a Tunnel to the other Trusted Network Boundary; a NAT-Midcom Agent is attached to the NAT.]

NAT Elements

• NAT Descriptor
  • ID, Nat-Type, Address map and Type specific parameters.
• BIND Descriptor
  • ID, Bind-Type, specific addresses (ports) bound, Lease time, Controlling Midcom-agent ID etc.
• SESSion Descriptor
  • ID, Session Direction, Original and Translated session tuples, Application Tag, Controlling BIND-ID, Termination heuristic, Controlling agent ID etc.

NAT-Midcom Agents

• In-Path Application Level Gateways (ALGs)
• In-Path Application proxies
• Out-of-path Application Level Gateway
• Backup-NAT devices
• RSIP clients.
• End-Hosts


Nat-Midcom Agent Descriptor

• Agent ID

• Agent Type

• Agent Call-back Requirements

• Agent Call-back functions

• Agent Accessibility Information

Interface to Nat-Midcom agents

• Session-oriented, Service-neutral interface
  • Functions applicable to any type of stateful IP service on an intermediate device - NAT, firewall, Server-load balancers, Security Gateways etc.
  • Resource interface based on session identities.
  • Asynchronous Call-back from device to ext. agents.
• NAT specific interface
  • Functions manipulating NAT specific resources.
  • Address BINDs
  • NAT specific session parameters.

Midcom interface

• Query the functions of a middlebox
  • service_enquire_Identity(service_type, &service_info)
• Register a Midcom agent with NAT
  • service_register_agent(service_id, &agent_info)
• Session oriented settings and queries
  • service_set_sess(), service_free_sess(), service_enquire_sess_range() etc.
• Asynchronous call-back to MIDCOM agents
  • agent_callback_event(event_type, &event_info)
  • agent_callback_periodic(info_type, length, &info)
  • agent_callback_packet(sess_id, pkt_direction, packet)

NAT specific Midcom interface

• NAT service Identity
  • NAT service type (Basic NAT, NAPT, RSIP etc.)
  • Address Maps, RSIP tunnel-type supported etc.
• NAT specific session parameters
  • Translated session tuples, BIND ID, Pkt-mod funcs
• NAT BIND settings and Queries
  • nat_set_bind(), nat_free_bind(), nat_enquire_address_bind()
• Asynchronous Callback Interface
  • Packet redirection to Midcom agents
  • BIND notification, NAT statistics notification

Nat-Midcom agent Registration process

[Message sequence between the Nat-Midcom Agent (FTP) and the NAT:]

Agent -> NAT: service_enquire_Identity()
NAT -> Agent: OK. Return NAT Descriptor that includes nat-id.
Agent -> NAT: service_register_agent(nat_id, &ftp_alg_descriptor)
NAT -> Agent: OK. Return an agent-ID.

Nat-Midcom agent at run-time

[Message sequence between the NAT and the Nat-Midcom Agent (FTP):]

NAT -> Agent: ftp_alg_pkt_notify(nat_id, agent_id, sess_id, pkt_direction, pkt)
Agent -> NAT: service_enquire_sess_info(nat_id, agent_id, &sess_info)
Agent -> NAT: nat_enquire_address_bind(nat_id, agent_id, &bind_info)
Agent -> NAT: nat_set_bind(nat_id, agent_id, &bind_info)
Agent -> NAT: service_set_sess(nat_id, agent_id, &sess_info)

Session termination notification

[Message sequence between the Nat-Midcom Agent (FTP) and the NAT:]

NAT -> Agent: ftp_alg_notify(nat-id, agent-id, SESSION-TERMINATED, sess-id)
Agent -> NAT: service_free_sess_bundle(nat_id, agent-id, sess-id)
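The registration and run-time exchanges above, as an added in-memory model in C that is not the draft's code: it implements service_enquire_Identity, service_register_agent, nat_set_bind and nat_free_bind over constructed descriptor tables and shows the ownership check a NAT should make so that only the controlling agent of a BIND can release it. Struct fields, return codes, nat_id 7, agent ids starting at 100, the external port pool and the nat_bind_count helper are assumptions for illustration.

```c
#include <stdint.h>
#define MAX_AGENTS 4
#define MAX_BINDS  8
typedef struct { int nat_id; int nat_type; uint32_t ext_addr; } nat_descriptor;
typedef struct { int agent_id; int agent_type; } agent_descriptor;
typedef struct { int bind_id; uint32_t priv_addr; uint16_t priv_port;
                 uint32_t ext_addr; uint16_t ext_port; int lease_s; int owner; } bind_info;

/* Constructed NAT state: nat_id 7, type code 2 standing in for NAPT, external 198.51.100.1. */
static nat_descriptor   g_nat = { 7, 2, 0xC6336401u };
static agent_descriptor g_agents[MAX_AGENTS]; static int g_nagents;
static bind_info        g_binds[MAX_BINDS];  static int g_nbinds;
static uint16_t g_next_port = 40000; static int g_next_bind = 1; /* constructed pools */

/* Registration step 1: the agent learns the NAT descriptor, including nat_id. */
int service_enquire_Identity(int service_type, nat_descriptor *out) { (void)service_type; *out = g_nat; return 0; }

/* Registration step 2: register against that nat_id; returns the agent id, or -1. */
int service_register_agent(int nat_id, agent_descriptor *a) {
    if (nat_id != g_nat.nat_id || g_nagents >= MAX_AGENTS) return -1;
    a->agent_id = 100 + g_nagents; g_agents[g_nagents++] = *a; return a->agent_id;
}

/* An agent is accepted only if it registered with this NAT's nat_id. */
static int agent_known(int nat_id, int agent_id) {
    for (int i = 0; nat_id == g_nat.nat_id && i < g_nagents; i++)
        if (g_agents[i].agent_id == agent_id) return 1;
    return 0;
}

/* Run-time: the FTP ALG requests a BIND for the data connection it parsed from the
 * control channel. The NAT fills in the external side and records the controlling
 * agent (the "Controlling Midcom-agent ID" of the BIND descriptor slide). */
int nat_set_bind(int nat_id, int agent_id, bind_info *b) {
    if (!agent_known(nat_id, agent_id) || g_nbinds >= MAX_BINDS) return -1;
    b->bind_id = g_next_bind++; b->owner = agent_id;
    b->ext_addr = g_nat.ext_addr; b->ext_port = g_next_port++;
    g_binds[g_nbinds++] = *b; return b->bind_id;
}

/* Only the controlling agent may release its BIND; any other caller is refused. */
int nat_free_bind(int nat_id, int agent_id, int bind_id) {
    for (int i = 0; i < g_nbinds; i++) {
        if (g_binds[i].bind_id != bind_id) continue;
        if (g_binds[i].owner != agent_id || !agent_known(nat_id, agent_id)) return -1;
        g_binds[i] = g_binds[--g_nbinds]; return 0;   /* compact the table */
    }
    return -1;
}

int nat_bind_count(void) { return g_nbinds; }
```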