A NAT and Firewall signaling framework for the Internet

Aoun, Cédric (2005). A NAT and Firewall signaling framework for the Internet. PhD thesis, Informatique et Réseaux, ENST - INFRES Informatique et Réseaux, ENST.

Full text available as:

- These-cedricaoun-dec2005-cameraready.pdf (3179 KB)
Licence: Copyright

Abstract

This thesis analyses the impact of Network Address Translators (NATs) and Firewalls on the Internet's applications and proposes a novel approach to solving the NAT and Firewall issues these applications face. Several applications are disrupted by NATs and Firewalls, primarily Voice over IP (VoIP) and Video over IP, which are becoming essential to today's economy and social life. Following a detailed analysis and comparison of the various potential solutions to the applications' issues with NATs and Firewalls, a signaling protocol solution appears to be required. A thorough analysis of the species of signaling protocols indicates that a new breed of signaling protocols must be used, the "Path-Directed" signaling protocols. That signaling protocol family is characterized by its topology-agnostic property: signaling messages are sent to a specific destination, while network intermediaries intercept and react to the intercepted signaling messages.
The concepts used in this thesis were developed in parallel with the IETF NSIS WG standardization activities, where the author co-authored the NAT and Firewall signaling protocol proposal. However, the author took a global approach to solving the problem by leveraging the Internet's applications' properties to detect network failures and simplify the overall signaling protocol framework. The work goes beyond the description of a protocol framework and discusses deployment considerations as well as integration models within existing NAT and Firewall implementations such as the OpenBSD PF (Packet Filter).

Item Type: PhD Thesis (PhD)
Thesis Supervisor: Serhrouchni, Ahmed
Date: December 2005
Board of examiners: Najm, Elie and Paul, Olivier and Boutaba, Raouf and Agoulmine, Nazim and Cherkaoui, Omar
Ecole Doctorale: ED 130 INFORMATIQUE, TELECOMMUNICATIONS ET ELECTRONIQUE (EDITE)
Discipline: Informatique et Réseaux
Collection (Fonds): ENST
Institution: ENST
Department: ENST - INFRES Informatique et Réseaux
Subjects: 2. Information and Communication Sciences and Technologies
Uncontrolled Keywords: NAT, Firewall, Signaling, Architecture, Framework, Topology agnostic


Table of contents

1 Introduction
1.1 Thesis goals
1.2 How to read this dissertation
1.3 Thesis publications and contributions
2 Overview of NAT and Firewall issues with the Internet's applications
2.1 Introduction
2.1.1 Terminology
2.2 NATs and Firewalls Overview
2.2.1 An Introduction to Firewalls
2.2.2 An Introduction to Network Address Translation
2.3 NAT and Firewall network deployment examples
2.3.1 Typical corporate network deployments
2.3.2 Global network deployments
2.4 Impact of NATs and Firewalls on Internet Protocols
2.4.1 Generic categorization of Firewall impacts
2.4.2 Generic categorization of NAT impacts
2.5 NAT and Firewall Traversal Solutions
2.5.1 Concealment Solutions analysis
2.5.2 Proxy Solutions analysis
2.5.3 ALG Solutions analysis
2.5.4 Signaling Solutions analysis
2.6 Summary
3 Architectural Framework for NAT and Firewall signaling in the Internet
3.1 Terminology
3.2 NAT and Firewall signaling deployment considerations
3.2.1 Middlebox deployment characterization
3.2.2 Deployment staging and migration issues
3.3 Signaling protocol options
3.3.1 Path-Directed signaling protocols' modes of operation
3.3.2 Path-Directed protocols: interception mechanism
3.3.3 Path-Directed protocols: divergence from the data path
3.3.4 Path-Directed protocols: issues with NATs
3.3.5 Integration within existing security infrastructures
3.3.6 Stale state handling on Middleboxes
3.3.7 Protocol Extensibility
3.4 Path-change detection
3.5 A common layer for path-directed signaling protocols
3.5.1 State refresh options for the NAT and Firewall PDSP protocol
3.5.2 Functional split between the CPDSL and the PDSAPs
3.6 Path-Directed NAT and Firewall Signaling security threats
3.7 Summary
4 The Common Path-Directed Signaling Layer (CPDSL)
4.1 Terminology
4.2 PDSAP Interactions with the PDMTP
4.3 PDMTP Overview
4.3.1 Message Routing Information Properties
4.3.2 Router Alert Option Setting
4.3.3 PDMTP Message Encapsulation Summary
4.3.4 MRS table cleanup
4.4 PDMTP Signaling Initiator and PDMTP Signaling Responder Interactions Within the Same PDMTP Node
4.5 Messaging Association Usage and Life Cycle
4.5.1 Messaging Association Maintenance and Lifetime
4.6 NAT Traversal Implications on the PDMTP
4.6.1 PDMTP Interactions with Downstream/Upstream PDMTP Aware NAT
4.6.2 PDMTP Interactions with Downstream/Upstream PDNFS/PDMTP Unaware NAT
4.6.3 PDMTP Only Aware NATs vs PDNFS Aware NATs
4.6.4 IKEv1/v2 Considerations for PDSP Nodes behind NATs
4.7 Firewall Traversal Implications on the PDMTP
4.7.1 Message Traversal of PDMTP Aware Firewalls
4.7.2 PDMTP Unaware Firewall Traversal
4.8 Summary of PDMTP NAT and Firewall related considerations
4.9 Special Message Routing Treatments
4.9.1 Proxy Mode or the Last Downstream PDSP Hop Scenario
4.9.2 Path-Decoupled Mode Of Operation
4.10 Threats Analysis
4.11 Protocol Semantics
4.11.1 PDISC Semantics
4.11.2 PDISC-RESP Semantics
4.11.3 MRS-EST Semantics
4.11.4 ERROR Semantics
4.11.5 PDATA Semantics
4.11.6 HELLO Semantics
4.12 Summary
5 Path-Directed NAT and Firewall Signaling (PDNFS)
5.1 Terminology
5.2 The Path-Directed NAT and Firewall Signaling protocol requirements
5.3 One vs two separate protocols for NAT and Firewall signaling
5.3.1 NAT signaling protocol semantics
5.3.2 Firewall signaling protocol semantics
5.3.3 NAT and Firewall Implementation Variants Considerations
5.3.4 Analysis of a Solution using Two Different Protocols
5.3.5 Analysis of the Combined Approach where One Protocol is Used for Both Firewall and NAT Signaling
5.3.6 Comparison Results
5.4 Requirements for Handling a PDNFS Aware Application Host Behind One or More PDNFS Aware NATs
5.4.1 Appropriate Security Model
5.5 Requirements For Handling PDNFS Aware Application Hosts Behind One or More PDNFS Aware Firewalls
5.6 Requirements for Handling PDNFS Aware Application Hosts Behind a Mix of One or More PDNFS Aware Firewalls and NATs
5.7 Backward Compatibility Considerations
5.7.1 Compatibility with STUN Deployments
5.7.2 Compatibility with Targeted Middlebox Signaling Solutions
5.8 Avoiding Non-Deterministic Behaviors
5.9 Detailed Protocol Operations
5.9.1 NAT Bind Creation and Mapped Address(es) Determination
5.9.2 State Indexing and Correlation Between PDI and PDO Initiated Messages
5.9.3 Enabling Outbound Data Flow Packet Forwarding: Operations and Semantics
5.9.4 Protocol Operations in Unilateral Usage Scenarios
5.9.5 Asynchronous Notification Semantics and Usage
5.10 PDNFS Instance and Middlebox Resource Refreshing Rules
5.11 Operating the PDNFS Protocol in the Path-Decoupled Mode Of Operation
5.12 Threats Analysis
5.13 Authentication and Authorization Mechanisms for the PDNFS Protocol
5.13.1 Authentication and Authorization of PDIs and PDOs
5.13.2 Authentication and Authorization of PDNFS SFs
5.14 Protocol Messages Detailed Semantics
5.14.1 Mapped Address Determination (MAD) Message Semantics
5.14.2 Allow Packet Forwarding (APF) Message Semantics
5.14.3 PDNFS Response (PDRESP) Message Semantics
5.14.4 NOTIFY Message Semantics
5.15 Summary
6 Engineering considerations for PDNFS deployments in the Internet
6.1 Deployment Planning and Infrastructure Impact Assessment
6.1.1 Performance Potential Issues and Proxying
6.1.2 Solving Asymmetric Routing Issues
6.1.3 A Proposal for a Path-Directed Trigger Signaling Protocol
6.1.4 Network Security Infrastructure Impacts
6.2 Applicability of PDNFS to IPv6 Networks
6.3 Summary
7 PDNFS Implementation Examples
7.1 Overview of UNIX Access Control Mechanisms
7.2 Integration of PDNFS with OpenBSD's PF
7.2.1 Software Architecture Proposal
7.3 Integration of PDNFS with an Application Client
7.3.1 Software Architecture Proposal
7.4 Co-Hosted Implementation of PDNFS with the BSD PF and an Application Client
7.5 Summary
8 Summary and Future work
8.1 Summary of our Path-Directed NAT and Firewall signaling Proposal
8.2 NAT and Firewall Traversal Challenges for Internet Applications' Developers and Network Architects
8.3 Summary of our main contributions
8.4 Future work

ID Code: 1634
Deposited By: Cédric Aoun
Deposited On: 24 March 2006


© ParisTech 2007 - Produced by RILK.com - Graphic design by Winch Communication