Introduction to the technical requirements for H.323 firewall traversal

Source: Internet
Author: User


I. Problem Description

The presence of Network Address Translation and firewall (NAT/FW) devices blocks several multimedia communication protocols, H.323 among them. A NAT device translates only the IP address and port in the packet header, so the addresses in the IP header no longer agree with the address/port information carried in the packet's payload. The receiver therefore cannot respond correctly to the message, and the media channels between the two parties cannot be established properly.

In H.323 multimedia communication, transport-layer ports are allocated dynamically and negotiated through H.245 messages. A firewall in the path cannot know these port numbers in advance, so it blocks the media that has to flow through it. In addition, a firewall blocks messages arriving from the Internet unless the intranet side has first sent a message outbound, which again causes the multimedia communication to fail.
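The two failure modes just described can be reproduced with a small model. The following is an added example, not code from the original article: it builds a header-only NAT and a stateful firewall in Python, sends an H.323-style signalling packet whose payload advertises a private media address, and shows (a) that the payload address no longer matches the translated header, (b) that media sent to the advertised private address or to a port with no prior outbound flow is dropped, and (c) that inbound media is admitted only once the terminal has itself sent a packet outbound. All class names, IP addresses and ports are constructed for illustration and are not taken from H.fwreq.

```python
"""Toy model of the NAT/FW problems described for H.323 (added illustration,
not part of the original article; every name, address and port is made up).

1. A traditional NAT rewrites the IP/transport header but not the transport
   address an H.225/H.245 message carries in its payload.
2. A stateful firewall cannot know the H.245-negotiated media port ahead of
   time and only admits inbound packets that mirror earlier outbound traffic.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip, port)


@dataclass
class Packet:
    src: Addr                            # source address from the packet header
    dst: Addr                            # destination address from the header
    payload_addr: Optional[Addr] = None  # address carried inside the H.323 payload


class TraditionalNat:
    """Header-only NAT: one public port per private (ip, port)."""

    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings: Dict[Addr, int] = {}  # private addr -> public port

    def outbound(self, pkt: Packet) -> Packet:
        if pkt.src not in self.bindings:
            self.bindings[pkt.src] = self.next_port
            self.next_port += 1
        public_src = (self.public_ip, self.bindings[pkt.src])
        # The payload is copied untouched: this is the root of the mismatch.
        return Packet(public_src, pkt.dst, pkt.payload_addr)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        for private, public_port in self.bindings.items():
            if pkt.dst == (self.public_ip, public_port):
                return Packet(pkt.src, private, pkt.payload_addr)
        return None  # no binding for this destination: dropped


class StatefulFirewall:
    """Admits an inbound packet only if it mirrors a flow seen outbound."""

    def __init__(self) -> None:
        self.pinholes: Set[Tuple[Addr, Addr]] = set()  # (inside, outside)

    def outbound(self, pkt: Packet) -> Packet:
        self.pinholes.add((pkt.src, pkt.dst))
        return pkt

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        return pkt if (pkt.dst, pkt.src) in self.pinholes else None


def payload_consistent(pkt: Packet) -> bool:
    """Receiver-side check: does the advertised payload address share the IP
    of the header source?  False means a NAT rewrote the header only."""
    return pkt.payload_addr is None or pkt.payload_addr[0] == pkt.src[0]


def deliver_inbound(nat: TraditionalNat, fw: StatefulFirewall,
                    pkt: Packet) -> Optional[Packet]:
    """Inbound path of a combined NAT/FW box: translate, then check state."""
    translated = nat.inbound(pkt)
    return fw.inbound(translated) if translated else None


def run_scenario() -> dict:
    """A terminal behind NAT/FW signals to a public gatekeeper or peer."""
    nat, fw = TraditionalNat("203.0.113.1"), StatefulFirewall()
    term_sig = ("10.0.0.5", 1720)       # private H.225 signalling address
    term_rtp = ("10.0.0.5", 5004)       # private RTP port chosen dynamically
    peer_sig = ("198.51.100.10", 1720)  # public gatekeeper / peer
    peer_rtp = ("198.51.100.10", 6000)

    # 1. Signalling leaves the private network; the payload still says 10.0.0.5.
    on_wire = nat.outbound(fw.outbound(Packet(term_sig, peer_sig, term_rtp)))
    mismatch = not payload_consistent(on_wire)

    # 2a. The peer trusts the payload and sends media to the private address.
    to_advertised = deliver_inbound(nat, fw, Packet(peer_rtp, on_wire.payload_addr))

    # 2b. Even to the NAT's public signalling port, media from a new source is
    #     refused: no pinhole exists because that flow never went outbound.
    unsolicited = deliver_inbound(nat, fw, Packet(peer_rtp, on_wire.src))

    # 3. Once the terminal sends RTP outbound first, a binding and a pinhole
    #    exist, and the peer's media reaches the private RTP port.
    nat.outbound(fw.outbound(Packet(term_rtp, peer_rtp)))
    public_rtp = (nat.public_ip, nat.bindings[term_rtp])
    after_outbound = deliver_inbound(nat, fw, Packet(peer_rtp, public_rtp))

    return {"header_payload_mismatch": mismatch,
            "media_to_advertised_addr": to_advertised,
            "unsolicited_inbound": unsolicited,
            "inbound_after_outbound": after_outbound,
            "public_media_port": public_rtp[1]}


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model deliberately keeps the NAT and firewall as separate objects so the two effects can be observed independently: the mismatch comes purely from the NAT, while the dropped unsolicited media comes purely from the firewall's state table, which is exactly why the article treats the two as one combined NAT/FW problem.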

II. Traversal Scenarios

Depending on who owns the GK (gatekeeper), H.323 multimedia systems can be divided into carrier systems and enterprise network systems.

1. Carrier H.323 Multimedia System

In a carrier's H.323 multimedia system, terminals (clients) are usually placed in a single-level or multi-level private network to save IPv4 addresses, while the GK, GW, MCU and other network-side devices (servers) are deployed in the public network with unique addresses. Between the client and the server there are not only NAT devices but also firewalls, as shown in Figure 1.

In some cases, to protect devices such as the GK, GW and MCU, the carrier may also deploy the server devices in a private network behind a NAT device with firewall functionality, as shown in Figure 2.

For carrier network configurations, the H.fwreq specification describes seven possible application scenarios, in which terminals located in the public network, in a single-level private network or in a multi-level private network communicate with each other across different private networks. In all of these scenarios, any terminal may be either the calling or the called party.

2. Enterprise Network H.323 Multimedia System

In the H.323 multimedia system of an enterprise network, the GK is usually provided by the owner of the enterprise network. The enterprise network may consist of several single-level or multi-level private networks connected to the public network, as shown in Figure 3. In this network, both the enterprise GK (E-GK) and the terminals are located inside the enterprise network.

In this scenario, an H.323 terminal located in the enterprise network may roam to another network, for example to the public network; a call initiated by such a terminal then requires the enterprise GK (E-GK) to work together with the carrier GK (S-GK) to complete the call setup. A NAT/FW traversal scheme for this scenario must be able to solve the H.323 traversal problem under these conditions.

For enterprise networks that provide their own GK, H.fwreq describes 11 possible application scenarios. They cover one or more E-GKs located in a single-level or multi-level private network of the enterprise network, or at different levels of a multi-level private network; terminals located at some level of a single-level or multi-level private network of the enterprise network, or in the public network, in all combinations of these levels; and the scenarios in which two terminals roam to the public network.

In addition, some enterprise networks have no GK of their own and instead lease a GK in the carrier network as their own virtual GK (V-GK), as shown in Figure 4. The traversal problem under these conditions must also be covered by the H.323 NAT/FW traversal solution.

III. Technical Requirements for H.323 Multimedia NAT/FW Traversal

H.fwreq sets out the following requirements for the NAT/FW traversal solution of H.323 multimedia systems:

(1) The traversal scheme should cover all the scenarios above and support multi-level NAT/FW traversal. Every terminal in the network must be able to act as either the calling or the called party. The scheme must work both when the GK is located in a private network and when it is located in the public network. Every traversal mechanism should state its scope of application, that is, the networking conditions under which it can achieve NAT traversal.

(2) The traversal scheme must describe its impact on existing H.323 terminals and GKs, that is, whether network entities need to be upgraded, and which ones.

(3) The traversal scheme should, as far as possible, work with NAT devices of all the various operating modes. Its impact on existing traditional NAT devices should also be explained, that is, whether the existing NAT devices need to be upgraded.

(4) The traversal scheme must be able to carry both media streams and signaling streams across the NAT/FW. A scheme that uses protocol extension mechanisms should be built on the existing ITU-T H.323 family of protocols. If two terminals are located behind the same NAT, the media stream between them may be established either through the NAT device or directly between the communicating parties; if the terminals are located in different address domains, their media stream must pass through the relevant NAT devices.

(5) The traversal scheme should consider its impact on NAT performance as well as its impact on the performance of the H.323 multimedia system.

(6) The traversal scheme must not reduce the network security of the existing H.323 multimedia system; where possible, it should also provide additional security measures.

(7) The traversal scheme must not affect the operation of the H.323 multimedia system's network management system, and should as far as possible not affect the operation of the existing billing system.

(8) The traversal scheme should minimize its impact on network reliability.

(9) The traversal scheme should consider how to coexist with traversal schemes already deployed in the current network, and must not hinder service providers in developing and deploying new services.

(10) The traversal scheme must not affect the roaming and normal calls of mobile H.323 terminals.

Source: http://www.chinavideo.com.cn/readfile.asp?Fileid=46
