Firewalls and Networks Address Translators (NATs) are essential components of
today's IP network infrastructure. The continuously increasing number of
attacks from the public Internet makes firewalls indispensable for the operation
of private networks. The limited address space of IPv4 leads (and the
requirement for hiding private network structures and renumbering them in a
flexible way) leads to a rapid growth of deployed NATs. However, both, firewalls
and NATs, are also obstacles for IP traffic. They limit global reachability
among hosts in the Internet and in particular they block peer-to-peer
communication. Blocked services include IP telephony, video conferencing, and
peer-to-peer games. The talk gives an introduction to firewall and NAT
functions, application scenarios and impact on the overall architecture.
Different architectures are briefly discussed based on a classification scheme.
Then the talk focuses on operational aspects, starting with configuration issues,
covering maintenance problems and concluding with challenges of the integration
into service control and management. Finally, the talk discusses several
approaches addressing these challenges. In particular, competing solutions for
dynamic control of firewalls and NATs for peer-to-peer services are presented and
compared, including existing and upcoming standards.
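As an added illustration (not part of the talk or the speaker's work), the following hypothetical model of a port-translating NAT shows why an unsolicited inbound packet to a private host is dropped, and how a binding installed by an explicit control request of the kind MIDCOM or NSIS describe restores reachability; all addresses, ports and class names are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class Napt:
    """Port-translating NAT with a single public address (hypothetical model)."""
    public_ip: str
    next_port: int = 40000
    out_map: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> pub_port
    in_map: dict = field(default_factory=dict)   # pub_port -> (priv_ip, priv_port)

    def _bind(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return self.out_map[key]

    def outbound(self, pkt):
        """Private -> public: the traffic itself creates the binding; source is rewritten."""
        pub_port = self._bind(pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Public -> private: forwarded only if a binding exists, otherwise dropped (None)."""
        key = self.in_map.get(pkt.dst_port)
        if pkt.dst_ip != self.public_ip or key is None:
            return None  # unsolicited packet: this is what breaks peer-to-peer calls
        priv_ip, priv_port = key
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def open_pinhole(self, private_ip, private_port):
        """Binding installed by a control request, not by traffic (the MIDCOM/NSIS idea)."""
        return self._bind(private_ip, private_port)

def demo():
    nat = Napt("198.51.100.1")  # constructed addresses from the RFC 5737 documentation ranges
    out = nat.outbound(Packet("10.0.0.5", 5060, "203.0.113.7", 5060))             # creates binding
    reply = nat.inbound(Packet("203.0.113.7", 5060, nat.public_ip, out.src_port))  # forwarded
    unsolicited = nat.inbound(Packet("203.0.113.9", 7000, nat.public_ip, 6000))    # dropped
    port = nat.open_pinhole("10.0.0.5", 6000)
    after = nat.inbound(Packet("203.0.113.9", 7000, nat.public_ip, port))          # forwarded
    return reply, unsolicited, after
```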
About the speaker:
Martin Stiemerling is a research staff member at NEC Europe Ltd. in Heidelberg,
Germany, where he developed firewall and NAT control solutions. He is active in
several areas of the IETF and IRTF. Currently, he is editor of the upcoming
IETF MIDCOM standard for firewall and NAT control by application servers and
editor of the upcoming IETF NSIS standard for firewall and NAT control from
terminals. Furthermore, he is co-author of RFC 3816, RFC 3989, RFC 4540, and "Middlebox
Traversal Issues of Host Identity Protocol (HIP) Communication". Currently, he
is working in the EU IST Ambient Network Project (http://www.ambient-networks.org/)
and focusing on peer-to-peer networks.
Reading list:
- P. Srisuresh, K. Egevang, "Traditional IP Network Address Translator
(Traditional NAT)", RFC 3022,
http://www.ietf.org/rfc/rfc3022.txt
- T. Hain, "Architectural Implications of NAT", RFC 2993,
http://www.ietf.org/rfc/rfc2993.txt
- M. Stiemerling, J. Quittek, L. Eggert, "Middlebox Traversal of HIP
Communication", Workshop on HIP and Related Architectures, Washington, DC, USA,
November 6, 2004,
http://hiprg.piuha.net/workshop/stiemering_hip_middlebox.pdf