VoIP through NAT and firewall methods

Source: Internet
Author: User
Keywords Firewalls VOIP traversing
First, Nat/alg way ordinary NAT is to modify the UDP or TCP message header address information to achieve address conversion, but for VoIP applications, in the UDP net load also need to take address information, ALG means that in the private network of VoIP terminals in the net load to fill in the private network address, This address information is modified to an external address on Nat via Nat. The recognition of voice and video protocols (H323, SIP, mgcp/h248) and the control of Nat/firewall, and each additional new application will require Nat/firewall upgrades. In the security requirements also need to make some compromises, because ALG can not identify the encrypted message content, so must ensure that the message is transmitted in clear text, which makes the message in the public network transmission has a great security risks. Nat/alg is one of the easiest ways to support VoIP NAT penetration, but because of the fact that the network is already deploying a large number of NAT/FW devices that do not support this feature, it is difficult to use this approach in practical applications. Second, midcom Way and Nat/alg is different, the basic framework of midcom is to use a trusted third party (midcom Agent) to Middlebox (NAT/FW) control, VOIP protocol recognition is not done by Middlebox, Rather, it is done by an external midcom agent, so the protocol used by VoIP is transparent to middlebox. Since the function of the recognition application protocol is moved from Middlebox to the external midcom agent, according to the midcom structure, With no need to change the basic characteristics of middlebox, through the upgrade of the midcom agent can support more new business, which is a relatively nat/alg way of a great advantage. In the practical application of VoIP, the Middlebox function can reside in Nat/firewall, through the SoftSwitch device (that is, midcom Agent) to recognize the IP voice and video protocol (H323, SIP, mgcp/h248) and control the Nat/firewall To complete VoIP applications through Nat/firewall. In the security, the midcom mode can support the encryption of the control message, it can support the encryption of the media stream, so the security is relatively high. If the recognition of sip/h323/mgcp/h248 protocol is realized on SoftSwitch device, only the midcom protocol can be added to SoftSwitch and NAT/FW device, and the new application service recognition will be supported by SoftSwitch, this scheme is a promising solution. However, it is also difficult for the existing NAT/FW equipment to be upgraded to support the Midcom protocol, which is very hard for the NAT/FW equipment that has been heavily installed.The AT/ALG approach has the same problem. Third, STUN way to solve the problem of penetrating Nat another idea is that the VoIP terminal in private network obtains the external address of the export NAT in advance through some mechanism, then fills in the address information which fills in the net load to fill out the external address of the export NAT directly, not the private IP address of the terminal in the private network, In this way, the contents of net load need not be modified after NAT, only the IP address of the message head can be converted by the ordinary NAT process, the IP address information and the message header address information in the net load are consistent. Stun protocol is based on this idea to solve the application layer address conversion problem. Stun's full name is the simple traversal of the UDP Through receptacle address translators, which is simply a way for UDP to traverse NAT. The application (that is, STUN CLIENT) sends a request STUN message via UDP to STUN server outside of NAT, STUN server receives the request message, generates a response message, and the source port in the response message that carries the request message, that is, the STUN Client's corresponding external port on the NAT. The response message is then sent via NAT to STUN Client,stun CLIENT learns the external address on its NAT by responding to the contents of the message body and fills it in the UDP payload of the subsequent call protocol, informing the end-to-end that the RTP receive address and port number for the address and port number on the external NAT. Since the NAT map entries for media streams have been established in advance of the NAT via the stun protocol, the greatest advantage of streaming smoothly across the Nat.stun protocol is that no existing NAT/FW devices can be changed. Since there are already a large number of NAT/FW in practical applications, and these NAT/FW do not support VoIP applications, it is not easy to replace the existing NAT/FW if the problem is addressed in a midcom or nat/alg manner. However, it is the best advantage to adopt stun mode without alteration of NAT/FW, while stun mode can be used in the network environment of multiple NAT series, but the midcom way can not realize the effective control of multilevel Nat. Stun's limitations are the need for VoIP terminals to support stun client functionality, while stun is not suitable for TCP connections to traverse, and therefore does not support H323. In addition, the stun method does not support traversing the firewall, and does not support symmetric NAT (symmetric NAT) type (in a security-demanding enterprise network, export NAT is usually this type) traversing. Four, turn way turn way to solve the NAT problem is similar to the stun, is also a private network of VoIP terminals through a mechanism in advance of the public Network Service address (stun way to get the address for export NATDepartment address, the turn way to obtain the address is the public network address on turn server, and then the address information required in the message is filled out directly to the public network address. [Page] Turn is called traversal using Relay NAT, that is, Relay through the Nat.turn application model by assigning the address and port of turn server as the external receiving address and port of VoIP terminals in private networks, That is, the message sent by the private network terminals through the turn server for relay forwarding, in addition to the advantages of stun methods, but also solve the stun application can not penetrate the symmetric NAT (symmetric NAT) and similar firewall device defects, At the same time turn supports applications based on TCP, such as the H323 protocol. In addition, turn server controls the allocation of addresses and ports, can assign RTCP address pairs (RTCP port number for the RTP port number plus 1) as the recipient of private network end user address, to avoid the stun mode of export NAT to RTCP address port number of arbitrary allocation, So that the client can not receive the RTCP message to the end (RTCP message to the end, the destination port number by default to the RTP port number plus 1 sent). Turn's limitations lie in the need for VoIP terminals to support turn Client, which, like stun, requires a network terminal. In addition, all messages must be forwarded through the turn server, increasing the likelihood of packet delay and packet loss. "Responsible editor: Zhao TEL: (010) 68476636-8001" to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title of the party (0 votes) passed by (0 votes) text: VoIP through the NAT and firewall method return to the Network security home page

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.