No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

NE20E-S2 V800R010C10SPC500 Feature Description - NAT and IPv6 Transition 01

This is NE20E-S2 V800R010C10SPC500 Feature Description - NAT and IPv6 Transition
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
NAT Security

NAT Security

The NAT device implements security through, the limit on the number of sessions that can be established, session table aging, and so on.

Session Limiting

NAT is a stateful address translation technique, and session tables are core NAT resources. If deny of service (DoS) attacks, such as SYN-Flood attacks, are initiated, all NAT session table resources may be used up, which causes a failure to establish session tables for common users and therefore access failures. With this function, a NAT device counts the number of TCP, UDP, and ICMP sessions established using a single IP address.

  • If the number of sessions initiated using a source IP address or destined for a destination IP address reaches a specified threshold, the IP address cannot be used to initiate new connections.
  • After the total number of TCP, UDP, and ICMP sessions used by the IP address falls below the configured threshold, the IP address can be used again to initiate TCP, UDP, and ICMP connections.

Session Table Aging

The aging time for application-specific NAT session entries in a NAT table can be set on a NAT device. After the aging time elapses, the NAT device automatically ages the entries and releases session resources. The NAT device can be configured to forcibly age all session tables or a specific type of session tables.

User-specific Flow Construction Speed Limiting

A NAT device uses a multi-core structure and allows the flow construction and forwarding processes to share CPU resources. The NAT device dynamically learns the sizes of flows and limits the speed and resources used to construct flows.

If the number of user sessions reaches a specified upper limit, constructing flows deteriorates the performance of other services. To minimize the impact, the speed at which the NAT device constructs flows can be set. Alternatively, the committed access rate (CAR) function can be configured to limit the speeds at which the NAT device constructs flows for all users to help properly transmit user services.

NAT Blacklist

The NAT blacklist function protects against attacks initiated using the network-side first packets on a specific set of an IP address, port number, and protocol type or on all IP addresses. If no internal server is deployed or public network traffic has no matching entry in the session table on a NAT device, traffic reaching a specified rate threshold is considered attack traffic. The IP address, destination UDP port number, and destination TCP port number of the attack traffic is added to a NAT blacklist on the NAT device. The NAT device discards network-side traffic that matches the blacklist entry of the specified IP address, port numbers, and protocol types. If public network traffic that matches only the IP address in the blacklist, statistics about the traffic are collected, and traffic is not discarded.

In addition, NAT blacklist entries can be automatically cleared. If the reverse attack traffic rate is less than 16 kpps within 10 minutes, the blacklist entry ages automatically or is aged manually.

Translation
Download
Updated: 2019-01-02

Document ID: EDOC1100055472

Views: 2325

Downloads: 3

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Share
Previous Next