Vijay Srinivasan "Integrating NAT and Stateful Firewalls with RFC 2547-based PEs"

Abstract:

Service Providers have traditionally offered outsourcing services to manage customer premise equipment (CPE). Customers of these services maintain physical control of their edge, but leave the Service Provider to manage the complexity of provisioning and monitoring services such as VPN, NAT and Stateful Firewall.

RFC 2547 enables a new generation of service offerings where Service Providers fully manage customers' VPN backbones. The Service Providers own and have full control of the PE routers that maintain customers' VPN routes. More and more customers are now asking for other traditional CPE-based services such as NAT and firewall to be similarly owned by the Service Provider. While such solutions are technically available to the Service Provider from incumbent vendors, the deployment cost is too high since these vendors require separate devices for even the traditional NAT and firewall services. This has led to a new generation of PE devices that integrate the VPN, NAT and Firewall functions. This generation of devices is further designed from the ground up to offer advanced IP services including QoS and Security.

This study evaluates the integration of traditional NAT and Firewall services with PE routers, with special emphasis on issues in network design and device architecture.