Nat penetration method of voip in vrovoip settings

NAT/ALG Mode

Normal NAT implements address translation by modifying the UDP or TCP packet header address information. However, for VOIP applications, address information must also be included in the TCP/UDP net load, ALG Mode means that the VOIP Terminal in the private network fills in the private network address in the Net Load. The address information is changed to the external address on the NAT when it passes through the NAT.

In this case, the ALG function is required to reside on NAT/Firewall devices, and the devices must be smart in application recognition. Supports IP voice and video protocols (H323, SIP, MGCP/H248) Identification and NAT/Firewall control, at the same time, each new application will need to be upgraded to NAT/Firewall.

There are still some trade-offs in terms of security requirements. Because ALG cannot identify the encrypted message content, it is necessary to ensure that the message is transmitted in plaintext, this poses a major security risk when packets are transmitted over the Internet. NAT/ALG is the easiest way to support voip nat penetration. However, because a large number of NAT/FW devices have been deployed on the network, in practice, it is difficult to use this method.

MIDCOM Method

Unlike NAT/ALG, the basic framework of MIDCOM is to use a trusted third-party (MIDCOM Agent) to control Middlebox (NAT/FW). The identification of VOIP protocols is not completed by Middlebox, it is implemented by the external MIDCOM Agent, so the protocol used by VOIP is transparent to Middlebox.

Because the application protocol function is moved from Middlebox to the external MIDCOM Agent, based on the structure of the MIDCOM, the basic features of the Middlebox do not need to be changed, by upgrading the MIDCOM Agent, you can support more new services, which is a great advantage of the NAT/ALG method.

In actual VOIP applications, the Middlebox function can reside in NAT/Firewall, and IP voice and video protocols (H323, SIP, MGCP/H248) are implemented through Softswitch devices (I .e., MIDCOM Agent) the identification and control of NAT/Firewall to complete the VOIP Application traversing NAT/Firewall. in terms of security, the MIDCOM method supports control message encryption and media stream encryption, so the security is relatively high.

To identify the SIP/H323/MGCP/H248 protocol on a Softswitch device, you only need to add the midco m protocol to the softswitch and NAT/FW devices, in addition, new application business identification will be supported by Softswitch in the future. This solution is a promising solution, however, it is required that the existing NAT/FW configurations need to be upgraded to support the MIDCOM Protocol. In this regard, it is also very difficult for a large number of deployed NAT/FW devices, the NAT and ALG methods have the same problems.

STUN Mode

Another way to solve the problem of NAT penetration is that the VOIP Terminal in the private network obtains the external address on the egress NAT through a certain mechanism, then, fill in the address information entered in the net load to the external address on the egress NAT, instead of the private IP address of the terminal in the private network, in this way, the content in the Net Load does not need to be modified when it passes through NAT. You only need to convert the IP address of the packet header according to the normal NAT process, the IP address information in the net load is consistent with the header address information. The STUN Protocol solves the problem of switching layer addresses based on this idea.

The full name of STUN is Simple Traversal of UDP Through Network Address Translators, which is a Simple NAT Traversal method of UDP. The application (stun client) sends a request STUN message to the stun server outside NAT through UDP. The stun server receives the request message, generates the response message, and carries the source port of the request message in the Response Message, that is, the external port corresponding to the stun client on the NAT.

Then the response message is sent to the stun client through NAT. The stun client learns the external address on the NAT through the content in the response body, and fills it in the UDP load of the Call Protocol in the future, inform the peer that the local RTP Receiving address and port number are external addresses and port numbers of NAT. Because the STUN Protocol has already created a NAT ing table for a media stream in advance on the NAT, the media stream can smoothly traverse the NAT.

The biggest advantage of the STUN Protocol is that you do not need to make any changes to the existing NAT/FW device. In practice, a large number of NAT/FW instances exist, and these NAT/FW instances do not support VoIP applications. If you use MIDCOM or NAT/ALG to solve this problem, it is not easy to replace the existing NAT/FW.

The use of the STUN method does not require the modification of NAT/FW, which is the biggest advantage. At the same time, the STUN method can be used in multiple NAT connection network environments, however, the midco m method cannot effectively control multi-level NAT.

The limitations of STUN are that the VOIP Terminal must support the stun client function, and STUN is not suitable for TCP connection traversal. Therefore, H323. In addition, STUN does not support firewall traversal, does not support Symmetric NAT (Egress NAT is usually used in enterprise networks with high security requirements) traversal.

TURN Mode

Similar to STUN, the turning method solves NAT problems. It is also used by VOIP terminals in the private network to obtain the service address on the public network in advance through a certain mechanism (the address obtained by STUN is the external address on the egress NAT, in TURN mode, the address is the public address on the TURN Server), and then fill in the address information required in the packet net load.

The TURN method is fully called Traversal Using Relay NAT, that is, the Relay method is used to traverse NAT. the TURN application model allocates the address and port of the TURN Server as the external accept address and port of the VOIP Terminal in the private network. That is, the packets sent by the terminal in the private network must be forwarded by the TURN Server for Relay, in addition to the advantages of the STUN method, this method also solves the defects that STUN applications cannot penetrate symmetric NAT (Symme tric NAT) and similar Firewall devices. Meanwhile, the TURN method supports TCP-based applications, for example, H323 protocol. In addition, the TURN Server controls the allocation of addresses and ports, and can allocate RTP/RTCP address pairs (the RTCP port number is the RTP Port Number plus 1) as the receiving address of the private network end user, this avoids the arbitrary allocation of the RTP/RTCP address and port number of the egress NAT in STUN mode, so that the client cannot receive the RTCP packet sent from the peer (when the peer sends the RTCP packet, the destination port number is sent by the RTP Port Number plus 1 by default ).

The limitation of TURN is that the VOIP Terminal must support the TURN Client, which is the same as that of STUN for network terminals. In addition, all packets must be forwarded by the TURN Server, which increases the packet delay and the possibility of packet loss.