Scribd Logo
Upload

Welcome to Scribd!

  • Behave 1

    Uploaded by

    Aarushi Bhatnagar
    30 views11 pages
    NAT and firewall

    Original Title

    behave-1

    Copyright

    © © All Rights Reserved

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    NAT and firewall

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    30 views11 pages

    Behave 1

    Uploaded by

    Aarushi Bhatnagar
    NAT and firewall

    Copyright:

    © All Rights Reserved
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 11

    NAT/FirewallBehavioral

    Requirements
    draftaudetnatbehave00

    FranoisAudetaudet@nortelnetworks.com
    CullenJenningsfluffy@cisco.com

    Background
    Authorsrealizedthattheybothwere
    draftingverysimilarrequirementsfor
    NAT/FWvendorstofacilitatepeertopeer
    media(VoIP,etc.)
    NAT/FWvendorswouldlikeguidanceon
    implementationNAT/FWthatdonotbreak
    applicationssuchasVoiceOverIP&
    gaming

    Goalsofdocument
    DefineterminologyforNAT/FWbehavior
    Currentterminologyisconfusingatbest

    DefineRequirementsforNAT/FWbehavior
    Simplerequirementssuitableforconsumer
    gradeNAT/FWs

    NAT/FWBehavior
    UDPNATbehavior

    AddressandPortbinding
    PortAssignment
    BindRefreshdirection
    BindRefreshscope

    UDPFirewallbehavior
    Filteringofunsolicitedpackets
    FilterRefresh

    OtherBehaviors

    Hairpinningbehavior
    Deterministicproperties
    ICMPbehavior
    Fragmentationbehavior
    TCPbehavior
    MulticastandIGMPbehavior

    Requirements
    REQ1:ANATMUSThavean"External
    NATBindingisendpointindependent"
    behavior(NB=I).
    REQ2:ItisRECOMMENDEDthataNAT
    havea"Noportpreservation"behavior.
    REQ2a:ANATMAYusea"Portpreservation"
    behavior.
    REQ2b:ANATMUSTNOThavea"Port
    overloaded"behavior.

    Requirements(cont.)
    REQ3:AdynamicNATUDPbindingtimerMUSTNOT
    expireinlessthan2minutes.
    REQ3a:ThevalueoftheNATUDPbindingtimerMAYbe
    configurable.
    REQ3b:Adefaultvalueof5minutesfortheNATUDPbinding
    timerof5minutesisRECOMMENDED.

    REQ4:TheNATUDPtimeoutbindingMUSThavea
    NATrefreshdirectionbehaviorof"Outbound"(i.e.based
    onoutboundtrafficonly).
    REQ4a:TheNATUDPtimeoutbindingMUSThaveaNAT
    refreshmethodbehaviorof"Perbinding"(i.e.refreshallsessions
    activeonaparticularbind).

    Requirements(cont.)
    REQ5:ItisRECOMMENDEDthatafirewallhavean
    "Externalfilteringisendpointaddressdependent"
    behavior.(EF=AD)
    REQ5a:AfirewallMAYhavean"Externalfilteringis
    endpointindependent"behavior.(EF=I)
    REQ5b:AfirewallMAYhavean"Externalfilteringis
    endpointaddressandportdependent"behavior.(EF=APD)

    REQ6:ThefirewallUDPfiltertimeoutbehavior
    MUSTbethesameastheNATUDPbindingtimeout.

    Requirements(cont.)
    REQ7:ANAT/FWMUSTsupportHairpinning"
    behavior.
    REQ7a:ANAT/FWHairpinningNATbehaviorMUSTbe
    "ExternalsourceIPaddressandport".

    REQ8:ANATMUSThavethecapabilitytoturnoff
    individuallyallALGsitsupports,exceptforDNSand
    IPsec.
    REQ8a:AnyNATALGforSIPMUSTbeturnedoffby
    default.

    REQ9:ANAT/firewallMUSThavedeterministic
    behavior.

    Requirements(cont.)
    REQ10:TheTCPbindingtimeoutforNATsandthe
    filterruletimeoutforfirewallsMUSTbegreaterthan
    7800seconds.
    REQ11:ANAT/firewallSHOULDsupportforwarding
    fragmentedpackets(SF).
    REQ12:ANAT/FWMUSTsupportICMPDestination
    Unreachable(SU).
    REQ12a:TheICMPtimeoutSHOULDbegreaterthan2
    seconds.

    REQ13:ANAT/FWSHOULDsupportforwarding
    multicastpackets(SM).

    Discussion
    Othersbehaviors?

    You might also like