[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))

Mikael Johansson mikael at ingate.com
Tue Nov 15 10:32:33 GMT 2005


An alternative 4b does exist:
Put a proxy on the enterprise firewall that supports "Remote SIP
Connectivity". This will allow for both near and far end NAT traversal,
and this without changing or upgrading the NAT boxes of the home, hotel
etc.; clients do not need any updates either.

Remote SIP connectivity is implemented and is available today on our SIP
aware firewalls and SIParators. It basically involves:
1. Identifying that remote clients are behind NAT.
2. Maintaining client connection by "pin-holing" the far end NAT.
3. Staying in the message path and enabling session establishment by
updating SIP and SDP data.

/Mikael

Mikael Johansson
 
Director Development
Ingate Systems AB
SIP/SMTP: mikael at ingate.com
http://www.ingate.com/

> -----Original Message-----
> From: Voipsec-bounces at voipsa.org [mailto:Voipsec-bounces at voipsa.org] On
> Behalf Of Simon Horne
> Sent: Tuesday, November 15, 2005 5:41 AM
> To: Hallam-Baker, Phillip
> Cc: Voipsec at voipsa.org
> Subject: Re: [VOIPSEC] IPv6 and the demise (or not) of NAT (was
> Re:Interactive Connectivity Establishment (ICE))
> 
> At 08:37 AM 15/11/2005, you wrote:
> >There is a moral here.
> >
> >Trying to enforce security by refusing to provide needed functionality in a
> >safe fashion only leads to someone else providing it insecurely.
> 
> As I see it there are 6 alternatives with symmetric NATs
> 
> 1. Use static IPs and manually set the port forwards. (ok in H.323 but
> problematic in SIP due to symmetric RTP restriction)
> 2. Use UPnP to automate the opening and closing of ports (with obvious
> security risks)
> 3. Natively, by developing a standard where a proxy can assist in the
> traversal. (versions already implemented in some open source servers)
> 4. Put a SBC or proxy on the NAT box. (which is impractical with home
> routers)
> 5. Don't bother and put the UA on the router (currently available)
> 6. Give up and let's all use SKYPE..
> 
> I prefer No. 3 and that is what we are currently working on. If we do
> nothing and wait for IPv6 then I think 6 will rapidly become the default.
> 
> Simon
> 
> Simon Horne
> Director
> Packetizer Labs
> www.packetizer.com/labs
> 
> 


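A generic sketch of steps 1 and 3 from the message above (detecting a client behind NAT, then updating SIP and SDP data), added here as an illustration; it is not Ingate's implementation and not code from the thread. The function names, the relay address and the abbreviated sample INVITE are constructed assumptions, and only IPv4 literals are handled.

```python
import re

def via_sent_by(msg):
    """Return (host, port) the client wrote in its topmost Via header."""
    m = re.search(r"^Via:\s*SIP/2\.0/\w+\s+([^\s;:]+)(?::(\d+))?", msg, re.M | re.I)
    if m is None:
        raise ValueError("no Via header")
    return m.group(1), int(m.group(2) or 5060)

def behind_nat(msg, src):
    """Step 1: assume NAT when the Via address differs from the packet source."""
    return via_sent_by(msg) != src

def mark_received(msg, src):
    """Note the observed source on the top Via (received/rport parameters)."""
    tag = ";received=%s;rport=%d" % src
    return re.sub(r"^(Via:[^\r\n]*)", lambda m: m.group(1) + tag, msg,
                  count=1, flags=re.M | re.I)

def rewrite_sdp(msg, relay_ip, relay_port):
    """Step 3: point media at the proxy's relay and recompute Content-Length."""
    head, body = msg.split("\r\n\r\n", 1)
    body = re.sub(r"^(c=IN IP4 )\S+", lambda m: m.group(1) + relay_ip, body, flags=re.M)
    body = re.sub(r"^(m=audio )\d+", lambda m: m.group(1) + str(relay_port), body, flags=re.M)
    head = re.sub(r"^(Content-Length:\s*)\d+",
                  lambda m: m.group(1) + str(len(body.encode())), head, flags=re.M | re.I)
    return head + "\r\n\r\n" + body

def handle(msg, src, relay):
    """Apply steps 1 and 3 to one inbound request; unchanged if no NAT is seen."""
    if not behind_nat(msg, src):
        return msg
    return rewrite_sdp(mark_received(msg, src), *relay)

# Constructed, abbreviated sample (documentation addresses, not from the thread).
SDP = ("v=0\r\no=alice 1 1 IN IP4 192.168.1.20\r\ns=-\r\n"
       "c=IN IP4 192.168.1.20\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK74bf9\r\n"
          "Content-Type: application/sdp\r\n"
          "Content-Length: %d\r\n\r\n%s" % (len(SDP), SDP))

if __name__ == "__main__":
    print(handle(INVITE, ("203.0.113.7", 31002), ("198.51.100.10", 40000)))
```

Step 2 (keeping the far-end NAT binding open) needs a live socket and timer, so it is left out of this sketch.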
