Securing a Path-Coupled NAT/Firewall Signaling Protocol

  • Conference paper
IP Operations and Management (IPOM 2007)

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 4786)

Abstract

Dynamic configuration of IP Network Address Translators (NATs) and firewalls through application-aware instances has been used within the Internet for quite some time. While current approaches, such as integrated application-level gateways, are suitable for specific deployments only, path-coupled signaling for NAT and firewall configuration seems to be a promising approach in a wide range of scenarios. Path-coupled signaling ensures that signaling messages and data flows travel the same route through the network and traverse the same NATs and firewalls. The path-coupled NAT/firewall signaling protocol is based on the IETF's NSIS protocol suite. The NSIS-based NAT/firewall protocol specification is close to maturity but still needs a suitable and scalable security solution. This paper presents a framework to secure the NSIS-based path-coupled NAT/firewall signaling protocol across different administrative domains, based on zero-common knowledge security.


Editor information

Deep Medhi, José Marcos Nogueira, Tom Pfeifer, S. Felix Wu

Copyright information

© 2007 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Felis, S., Stiemerling, M. (2007). Securing a Path-Coupled NAT/Firewall Signaling Protocol. In: Medhi, D., Nogueira, J.M., Pfeifer, T., Wu, S.F. (eds) IP Operations and Management. IPOM 2007. Lecture Notes in Computer Science, vol 4786. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-75853-2_6

  • DOI: https://doi.org/10.1007/978-3-540-75853-2_6

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-75852-5

  • Online ISBN: 978-3-540-75853-2

  • eBook Packages: Computer Science, Computer Science (R0)
