Framework for interfacing with NAT - PowerPoint PPT Presentation

Slides: 16
Provided by: ietf
Learn more at: https://www.ietf.org
Transcript and Presenter's Notes

1
Framework for interfacing with NAT
  • <draft-ietf-nat-interface-framework-02.txt>
  • Pyda Srisuresh

2
Objective
  • Identify service-neutral resources within an
    intermediate device of interest to ext. agents
  • Identify NAT service specific resources.
  • Illustrate resource interface mechanism for NAT
    service through an API.
  • Provide a framework for the development of one
    or more protocols by which external agents can
    interface with NAT.

3
Intermediate Devices
  • Network Address Translator devices (NAT)
  • Proxy Servers
  • Security Gateways, Tunnel terminators
  • Firewalls
  • Server-load Balancers
  • QOS enforcement devices
  • Etc...

4
Data flow across NATs
[Figure: labels Ext. Agent, NAT, Client, Server, End-to-End Session]

5
Proxy traffic across NAT Device
[Figure: labels Proxy server, NAT Router, User's view of Session, Proxy-client Application, Target server]

6
Router-to-Router Tunnel data flow
[Figure: labels Ext. Agent, Internet, Router, Router, Tunnel, Trusted Network Boundary, End-to-End Session, Server, Client]

7
NAT Elements
  • NAT Descriptor
      • ID, Nat-Type, Address map and Type specific
        parameters.
  • BIND Descriptor
      • ID, Bind-Type, specific addresses (ports) bound,
        Lease time, Controlling Agent ID etc.
  • SESSion Descriptor
      • ID, Session Direction, Original and Translated
        session tuples, Application Tag, Controlling
        BIND-ID, Termination heuristic, Controlling agent
        ID etc.

8
External Agents
  • Application Level Gateways (ALGs)
  • Intermediate Application proxies
  • RSIP (i.e., RSA-IP and RSAP-IP) clients.
  • Backup-NAT devices
  • Management utilities enforcing NAT policies

9
External Agent Descriptor
  • Agent ID
  • Agent Type
  • Agent Call-back Requirements
  • Agent Call-back functions
  • Agent Accessibility Information

10
Interface to external agents
  • Service-neutral interface to external agents
      • Functions applicable to any type of stateful IP
        service on an intermediate device - NAT,
        firewall, Server-load balancers, Security
        Gateways etc.
      • Resource interface based on session identities.
      • Versatile interface to allow addressing a
        specific instance of a service on a device that
        supports multiple instances of a variety of
        services.
      • Asynchronous Call-back from device to ext.
        agents.
  • NAT-service specific interface
      • Functions manipulating NAT specific resources,
        i.e., BINDs and NAT specific session parameters.

11
Service-neutral interface
  • Query available services on device
      • service_enquire_Identity(service_type,
        service_info)
  • Register agent with select services on device
      • service_register_agent(service_id, agent_info)
  • Session based manipulation and enquiries
      • service_set_sess(), service_free_sess(),
        service_enquire_sess_range() etc.
  • Asynchronous call-back to ext. agents
      • agent_callback_event(event_type, event_info)
      • agent_callback_periodic(info_type, length,
        info)
      • agent_callback_packet(sess_id, pkt_direction,
        packet)

12
NAT-Service specific interface
  • NAT service Identity
      • NAT service type (Basic NAT, NAPT, RSIP etc.)
      • Address Maps, RSIP tunnel-type supported etc.
  • NAT specific session parameters
      • Translated session tuples, BIND ID, Pkt mod funcs
  • NAT BIND manipulations and enquiries
      • nat_set_bind(), nat_free_bind(),
        nat_enquire_address_bind()
  • Asynchronous Callback Interface
      • Packet redirection to external agents
      • BIND notification, NAT specific statistics
        notification
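
An added example, not code from the presentation or the draft, modelling how agent registration, a leased BIND with a controlling agent ID, and the asynchronous BIND notification from slides 7, 11 and 12 fit together. Only the names service_register_agent, nat_set_bind, nat_free_bind and agent_callback_event come from the slides; their argument lists and return values, nat_expire_binds, the constants, and the rule that only the controlling agent may free a BIND are assumptions.

```c
/* Hypothetical model; fields follow the slides' BIND Descriptor (ID, port, lease, agent ID). */
typedef void (*agent_cb)(int event_type, int event_info);
enum { NAT_SERVICE_ID = 1, EV_BIND_EXPIRED = 1, MAX_AGENTS = 4, MAX_BINDS = 8 };
struct bind { int id, agent_id, in_use; unsigned port; long expires; };
static agent_cb agents[MAX_AGENTS];      /* slot index + 1 is the agent ID */
static struct bind binds[MAX_BINDS];
static int last_event, last_bind;        /* what the sample agent last saw */
/* Sample agent call-back: records the notification it receives. */
void agent_callback_event(int event_type, int event_info) {
    last_event = event_type; last_bind = event_info;
}
/* Register an agent call-back with the NAT service; returns agent ID or -1. */
int service_register_agent(int service_id, agent_cb cb) {
    if (service_id != NAT_SERVICE_ID || !cb) return -1;
    for (int i = 0; i < MAX_AGENTS; i++)
        if (!agents[i]) { agents[i] = cb; return i + 1; }
    return -1;
}
/* Create a BIND leased to a registered agent; returns BIND ID or -1. */
int nat_set_bind(int agent_id, unsigned port, long now, long lease) {
    if (agent_id < 1 || agent_id > MAX_AGENTS || !agents[agent_id - 1] || lease <= 0) return -1;
    for (int i = 0; i < MAX_BINDS; i++)
        if (!binds[i].in_use) {
            binds[i] = (struct bind){ i + 1, agent_id, 1, port, now + lease };
            return i + 1;
        }
    return -1;
}
/* Free a BIND; assumed policy: only its controlling agent may do so. */
int nat_free_bind(int agent_id, int bind_id) {
    struct bind *b = (bind_id >= 1 && bind_id <= MAX_BINDS) ? &binds[bind_id - 1] : 0;
    if (!b || !b->in_use || b->agent_id != agent_id) return -1;
    b->in_use = 0;
    return 0;
}
/* Expire lapsed leases, notifying each controlling agent; returns count. */
int nat_expire_binds(long now) {
    int n = 0;
    for (int i = 0; i < MAX_BINDS; i++)
        if (binds[i].in_use && binds[i].expires <= now) {
            binds[i].in_use = 0; n++;
            agents[binds[i].agent_id - 1](EV_BIND_EXPIRED, binds[i].id);
        }
    return n;
}
int main(void) {   /* register, bind port 2021 with a 60 s lease, expire it */
    nat_set_bind(service_register_agent(NAT_SERVICE_ID, agent_callback_event), 2021, 0, 60);
    return nat_expire_binds(60) == 1 ? 0 : 1;
}
```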

13
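FTP-ALG Registration process
[Figure: message exchange between FTP-ALG and NAT. Surviving label: "OK. Return NAT Descriptor that includes nat-id."]

14
ALG interaction when FTP is active
[Figure: message exchange between FTP-ALG and NAT]

15
FTP session termination notification
[Figure: message exchange between FTP-ALG and NAT]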