[VOIPSEC] Interactive Connectivity Establishment (ICE)

Randell Jesup rjesup at wgate.com
Sat Nov 12 09:59:25 CST 2005


"Geoff Devine" <gdevine at cedarpointcom.com> writes:
>ICE uses TURN in cases where STUN doesn't solve the problem.  TURN makes
>it easy to defeat firewall policy since you can no longer block traffic
>at the firewall based on source IP address.  For example, if employees
>in a company have access to a TURN server out in the internet, there's
>no way to block web surfing to porn based on the IP address of the
>offending web servers.  As a result, corporate firewalls typically don't
>allow TURN.

        Except that TURN servers for VOIP typically would be relaying UDP
packets, not TCP.  Also, if they have access to browse to anywhere except
"blocked" sites, they can browse to J-Random-Anonymizer.com and proxy their
traffic anyways.  Or set up a proxy at their home broadband connection.
Or SSH to their home and use SSH to tunnel HTTP traffic.  Or....

        So no real added vulnerability here.

>The specific case where STUN falls over is Double NAT: A device behind a
>NAT/Firewall talking to a device behind another NAT/Firewall.  STUN
>works well enough if only one of the endpoints is behind a NAT router
>and if the STUN service is embedded in the SIP proxy and media gateway
>so it works properly with symmetric NAT.

        Normally, I think of "double-nat" meaning a UA behind a NAT
that's behind another NAT.  This causes major problems for UPnP, but not
for STUN.

        STUN works well for non-symmetric NATs in general, even with both
ends behind NATs.  No need for the STUN server to be in the SIP proxy,
so long as it's out on an open IP.

>My biggest issue with ICE isn't security; it's the potential for
>significant delays in establishing talk path.  You potentially have to
>re-signal your SDP (SIP re-INVITE) several times as the endpoints try
>different ICE methods to traverse NAT.

        Yes, that's a concern of mine as well.   I wonder what the likely
expected call-setup delay for different ICE cases is.

>Any solution to this problem is imperfect until we all migrate to IPv6
>where NAT is no longer necessary.

        ROTFL ;-)  Not to say I wouldn't love to see it happen.

-- 
Randell Jesup, Worldgate (developers of the Ojo videophone), ex-Amiga OS team
rjesup at wgate.com
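As an added illustration of the STUN discussion above (not code from the thread or from either poster), here is a toy Python model of NAT mapping and filtering behaviour showing why server-reflexive addresses give a direct media path when both ends sit behind non-symmetric NATs, but not once one side is a symmetric NAT, which is where ICE falls back to a TURN relay. All addresses, ports and NAT behaviours are constructed assumptions, and both NATs are modelled with address-and-port-dependent filtering.

```python
# Added example (not from the thread): a toy model of NAT mapping/filtering
# showing why STUN-discovered ("server-reflexive") addresses let two peers
# behind non-symmetric NATs talk directly, while a symmetric NAT breaks it
# and a relay (TURN) is needed.  Addresses are constructed; both NATs are
# modelled with address-and-port-dependent filtering (RFC 4787 terms).
from dataclasses import dataclass, field

STUN_SERVER = ("198.51.100.10", 3478)  # constructed public STUN address


@dataclass
class Nat:
    public_ip: str
    symmetric: bool  # True: a fresh mapping for every (internal, remote) pair
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)
    allowed: set = field(default_factory=set)  # (mapped, remote) pairs let in

    def outbound(self, internal, remote):
        """Public (ip, port) used for internal->remote, opening a filter entry."""
        key = (internal, remote) if self.symmetric else internal
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, self.next_port)
            self.next_port += 1
        mapped = self.mappings[key]
        self.allowed.add((mapped, remote))
        return mapped

    def inbound_ok(self, mapped, remote):
        """Does a packet from `remote` to `mapped` pass the NAT's filter?"""
        return (mapped, remote) in self.allowed


def can_connect_directly(nat_a, nat_b):
    """Simulate STUN discovery + direct media between peers A and B."""
    a_int, b_int = ("10.0.0.5", 5000), ("192.168.1.7", 5000)  # constructed
    # 1. STUN Binding: each side learns the address its NAT shows to the world
    a_refl = nat_a.outbound(a_int, STUN_SERVER)
    b_refl = nat_b.outbound(b_int, STUN_SERVER)
    # 2. Reflexive addresses are exchanged in SDP; each side sends media to
    #    the peer's reflexive address, which also opens its own filter entry
    a_src = nat_a.outbound(a_int, b_refl)
    b_src = nat_b.outbound(b_int, a_refl)
    # 3. A's packet reaches B only if B's NAT kept the same mapping for the
    #    new remote (non-symmetric) and B's filter admits A's actual source
    a_to_b = b_src == b_refl and nat_b.inbound_ok(b_refl, a_src)
    b_to_a = a_src == a_refl and nat_a.inbound_ok(a_refl, b_src)
    return a_to_b and b_to_a


if __name__ == "__main__":
    cone, sym = Nat("203.0.113.1", False), Nat("203.0.113.2", True)
    print("cone<->cone direct:", can_connect_directly(cone, Nat("203.0.113.3", False)))
    print("sym<->cone direct:", can_connect_directly(sym, Nat("203.0.113.4", False)))
```

When `can_connect_directly` returns False, ICE would have to fall back to a relayed (TURN) candidate for that pair.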