[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))
s.horne at packetizer.com
Tue Nov 15 04:41:17 GMT 2005
At 08:37 AM 15/11/2005, you wrote:
>There is a moral here.
>Try to enforce security by refusing to provide needed functionality in a
>safe fashion only leads to someone else providing it insecurely.
As I see it there are 6 alternatives with symmetric NATs
1 . Use static IP's and manually set the port forwards. (ok in H.323 but
problematic is SIP due to symmetric RTP restriction)
2. Use UPnP to automate the opening and closing of ports (with obvious
3. Natively, by developing a standard where a proxy can assist in the
traversal. (versions already implemented in some open source servers)
4. Put a SBC or proxy on the NAT box. (which is impractical with home routers)
5. Don't bother and put the UA on the router (currently available)
6. Give up and lets all use SKYPE..
I prefer No. 3 and that is what we are currently working on..If we do
nothing and wait for IPv6 then I think 6 will rapidly become the default.
More information about the Voipsec