Implementation and Performance Study of a New NAT/Firewall Signaling Protocol

Abstract

The NAT/Firewall NSIS Signaling Layer Protocol (NAT/Firewall NSLP) is a path-coupled signaling protocol for explicit Network Address Translator and firewall configuration within an extensible IP signaling framework currently being developed by the IETF Next Steps in Signaling (NSIS) working group. This new protocol allows end hosts to signal along a path to configure NATs and firewalls according to the data flow needs. In this paper we present a first open source implementation and performance evaluation of NAT/Firewall NSLP. The performance study shows that our implementation scales well and is able to support firewall signaling for up to tens of thousands of flows in parallel even in a low-end PC testbed environment. The overall performance bottleneck is found to lie in the utilized firewall implementation, not depending on the NAT/Firewall NSLP implementation.