[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive Connectivity Establishment (ICE))

Simon Horne s.horne at packetizer.com
Mon Nov 14 17:03:38 CST 2005


At 05:52 AM 15/11/2005, Bipin_Mistry at 3com.com wrote:
>So I agree with you Phillip.  There should be a standard way of telling
>the Firewall which ports it needs to open and close and not rely on
>session border controllers.

There is: it is called UPnP IGD, or Universal Plug 'n Play (Internet Gateway 
Device); refer to www.upnp.org. Most home/small office routers now support it.

I recently wrote an implementation of it (using an Intel UPnP stack, not 
Microsoft's) and released it open source.  It can easily be done in H.323 & 
SIP and, from a programmer's point of view, works in a similar way to STUN. 
The implementation is considered experimental.

The biggest problem is that it potentially adds a security risk to the 
network: other malicious programs running on the LAN can open ports up as 
they wish, and there is no security to filter which programs can use it. For 
this reason a lot of people are very hesitant to turn it on in their routers.

Another method is to manually set port forwards in the router. (In H.323, 
RTP does not need to be symmetric)

The ideal solution is to do it natively. Diana Cionoiu mentioned an idea 
last week which has been around the Open Source community for quite some 
time, and several projects, both SIP and H.323, implement a variant of it. It 
provides native outbound calling from behind a NAT box to supported devices.

A couple of server projects (like SER and GNUGK (H.323)) also support 
inbound calling by allowing the NATed UA/EP to open a keep-alive TCP signal 
port to the external server; when a call is received, the server 
notifies the UA/EP. The UA/EP then sends out a packet from the RTP media 
ports to the server to open the pinhole and to notify the server of the port 
to stream media to. The media is then streamed to the pinhole port.  This 
idea has also been adopted by the ITU in the new H.460.18/19 standards. We 
are busy adding support for it as well.

Simon

>"Hallam-Baker, Phillip" <pbaker at verisign.com>
>Sent by: Voipsec-bounces at voipsa.org
>11/14/2005 02:51 PM
>
>To
>"Robert Moskowitz" <rgm at icsalabs.com>, <dan_york at Mitel.com>, "Geoff
>Devine" <gdevine at cedarpointcom.com>
>cc
>Voipsec at voipsa.org
>Subject
>Re: [VOIPSEC] IPv6 and the demise (or not) of NAT (was Re: Interactive
>Connectivity Establishment (ICE))
>
>While I agree with your conclusion, I don't think you can carry the
>argument using 'don't go there'.
>
>NAT is nothing more than a return to the original concept of an
>internetwork, a network of networks. The fact that there is ip traffic on
>both sides does not change the need for gates and gatekeepers.
>
>There are still people who don't get security, they are still wrapped up
>in theological discussions on end to end. Like many theologians through
>the ages the texts they cite are usually silent on the case they claim or
>actually say the opposite. End to end is no exception, the original paper
>is not a security argument.
>
>The point is that if people want voip to work well through nat it would be
>best to write the missing spec that allows a device to tell the firewall
>what it wants to do, how it will do it and ask the nat/firewall nicely to
>be let through.
>
>Let's get out of the business of ad hoc workarounds.
>
>
>
>-----Original Message-----
>From:   Robert Moskowitz [mailto:rgm at icsalabs.com]
>Sent:   Mon Nov 14 11:24:59 2005
>To:     dan_york at Mitel.com; Geoff Devine
>Cc:     Voipsec at voipsa.org
>Subject:        Re: [VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:
>Interactive Connectivity Establishment (ICE))
>
>At 02:26 AM 11/14/2005, dan_york at Mitel.com wrote:
> >Geoff,  (or the (many?) others who have opinions on this subject)
> >
> > > Any solution to this problem is imperfect until we all migrate to IPv6
> > > where NAT is no longer necessary.
>
>Throughout the IPng discussions, I had always held that NAT would not
>go away.  Neither for corporate use nor for home use.
>
>And this is not just because I am one of the authors of RFC 1918!
>
>The arguments are many; I don't see any value in going into it here.
>
>Just don't build your IPv6 business plan on no more NATs....
>
>
>For time is the longest distance between two places.
>
>Tennessee Williams
>
>
>
>_______________________________________________
>Voipsec mailing list
>Voipsec at voipsa.org
>http://voipsa.org/mailman/listinfo/voipsec_voipsa.org
>

Simon Horne
Director
Packetizer Labs
www.packetizer.com/labs
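The inbound-call flow Simon describes (keep-alive signalling connection, server notifies the endpoint, endpoint sends the first media packet outward to open the pinhole, server streams to the port it learned) can be made concrete with a small model of a NAT table. The following is an added example written for this page, not code from Simon, GNUGK, SER or the H.460.18/19 specifications; all addresses are constructed, and the "address-restricted" switch is an assumption used to show the filtering difference between a NAT that lets any outside host reach an open pinhole and one that only admits hosts the inside endpoint has already sent to.

```python
"""Toy model of NAT pinhole behaviour for an inbound VoIP call.

Mappings exist only because the inside host sent something outbound; an
outside server can deliver media only after the UA has sent a packet from
its RTP port. All addresses below are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Nat:
    public_ip: str
    # Assumption for illustration: when True, an outside host may use a
    # pinhole only if the inside host has previously sent traffic to it.
    address_restricted: bool = False
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)  # (int_ip, int_port) -> ext_port
    reverse: dict = field(default_factory=dict)   # ext_port -> (int_ip, int_port)
    peers: dict = field(default_factory=dict)     # ext_port -> {outside IPs contacted}

    def outbound(self, src, dst):
        """Translate an outbound packet, creating a pinhole on first use."""
        if src not in self.mappings:
            ext = self.next_port
            self.next_port += 1
            self.mappings[src] = ext
            self.reverse[ext] = src
            self.peers[ext] = set()
        ext = self.mappings[src]
        self.peers[ext].add(dst[0])
        return (self.public_ip, ext), dst

    def inbound(self, src, dst):
        """Return (src, inside_dst) if a usable pinhole exists, else None (dropped)."""
        ip, port = dst
        if ip != self.public_ip or port not in self.reverse:
            return None
        if self.address_restricted and src[0] not in self.peers[port]:
            return None
        return src, self.reverse[port]


# Constructed sample addresses (documentation ranges, not real hosts).
SERVER_SIGNAL = ("198.51.100.10", 1720)   # external server, signalling
SERVER_MEDIA = ("198.51.100.10", 30000)   # external server, media relay
UA_SIGNAL = ("10.0.0.5", 1720)            # NATed endpoint, signalling socket
UA_RTP = ("10.0.0.5", 5004)               # NATed endpoint, RTP socket
NAT_IP = "203.0.113.7"


def run_inbound_call(address_restricted=False):
    """Walk through the keep-alive / pinhole flow and record what gets through."""
    nat = Nat(NAT_IP, address_restricted=address_restricted)
    log = {}
    # 1. UA opens its keep-alive signalling connection; this creates a pinhole.
    sig_ext, _ = nat.outbound(UA_SIGNAL, SERVER_SIGNAL)
    # 2. Server tries to stream media before any media pinhole exists: dropped.
    log["media_before_pinhole"] = nat.inbound(SERVER_MEDIA, (NAT_IP, 40001))
    # 3. A call arrives; the server notifies the UA over the signalling pinhole.
    log["notify_delivered"] = nat.inbound(SERVER_SIGNAL, sig_ext)
    # 4. UA sends a packet from its RTP port to the server's media port;
    #    the server records the public address it saw as the stream target.
    media_ext, _ = nat.outbound(UA_RTP, SERVER_MEDIA)
    log["server_learned"] = media_ext
    # 5. Server streams media to the learned pinhole: delivered to the UA.
    log["media_after_pinhole"] = nat.inbound(SERVER_MEDIA, media_ext)
    # 6. An unrelated outside host sends to the same pinhole.
    log["third_party"] = nat.inbound(("192.0.2.99", 7000), media_ext)
    return log


if __name__ == "__main__":
    for restricted in (False, True):
        print(f"address_restricted={restricted}")
        for step, result in run_inbound_call(restricted).items():
            print(f"  {step}: {result}")
```

The model makes two points from the message explicit: the server cannot push media to a NATed endpoint until that endpoint has sent something out of its RTP port, and once the pinhole is open, whether arbitrary outside hosts can inject traffic into it depends on the NAT's filtering behaviour, which is the same concern raised about UPnP pinholes being opened without any control over who uses them.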