Standards First!™
Liberating IP Voice and Video From Firewalls & NATs
Graham Seabrook, Ridgeway
gseabrook@ridgeway-sys.com
What’s the Problem?
• Firewalls & Security:
  • VVoIP, whether SIP or H.323, uses dynamic ports: each call negotiates a fresh RTP/RTCP port pair per media stream, so no static firewall rule can cover it
  • VVoIP signalling declares where to send media to (IP address / port number), NOT where it comes from, so a stateful firewall cannot predict the return flow
• NATs:
  • VVoIP embeds IP addresses in the payload (SDP c= and m= lines, H.245 channel addresses), which a NAT rewriting only IP/UDP headers never touches
  • VVoIP is bi-directional: each side must be able to send media to the other
  • VVoIP declares where to send media to (IP address / port number), NOT where it comes from, so the private address it advertises is unreachable from outside the NAT
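The two NAT bullets above in working form, as an added example that is not part of the original slides or of Ridgeway's product: a small SDP parser pulls the advertised media address and dynamic ports out of a constructed SIP offer, flags that the address is an RFC 1918 one a remote peer can never reach, and then performs the rewrite a protocol ALG / media relay has to do on the way out. The SDP body, the relay address 203.0.113.10 and the relay port numbers are all constructed for the example.

```python
"""Added example (not from the slides): why addresses embedded in VVoIP payload break NATs."""
import ipaddress
from dataclasses import dataclass

# Constructed SDP offer, as a SIP user agent behind a NAT would send it. The c= line
# carries the UA's private address and each m= line a dynamically chosen RTP port.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.168.1.23
s=-
c=IN IP4 192.168.1.23
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/AVP 31
a=rtpmap:31 H261/90000
"""

# RFC 1918 ranges: the addresses a NAT hides. (Carrier-grade NAT, 100.64.0.0/10, is not shown.)
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class MediaStream:
    kind: str    # audio / video
    port: int    # dynamic RTP port the peer is told to send to (RTCP is port + 1)
    addr: str    # address from the governing c= line


def parse_sdp(sdp: str) -> list[MediaStream]:
    """Collect (kind, port, addr) per m= line; a media-level c= overrides the session-level one."""
    session_addr = ""
    streams: list[MediaStream] = []
    in_media = False
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            addr = line.split()[2]
            if in_media:
                streams[-1].addr = addr
            else:
                session_addr = addr
        elif line.startswith("m="):
            kind, port, *_ = line[2:].split()
            streams.append(MediaStream(kind, int(port), session_addr))
            in_media = True
    return streams


def unreachable_streams(streams: list[MediaStream]) -> list[MediaStream]:
    """Streams whose advertised address is private: a peer outside the NAT cannot send to them,
    and the NAT will not fix this because the address sits in the payload, not the IP header."""
    return [s for s in streams if any(ipaddress.ip_address(s.addr) in n for n in PRIVATE_NETS)]


def alg_rewrite(sdp: str, relay_ip: str, port_map: dict[int, int]) -> str:
    """What a protocol ALG / media relay does on the way out: replace each c= address with the
    relay's public address and each m= port with the relay port allocated for that stream.
    Media then arrives at the relay, which forwards it to the private address it learned."""
    out = []
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            line = f"c=IN IP4 {relay_ip}"
        elif line.startswith("m="):
            kind, port, rest = line[2:].split(maxsplit=2)
            line = f"m={kind} {port_map[int(port)]} {rest}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    offer = parse_sdp(SAMPLE_SDP)
    print([(s.kind, s.port, s.addr) for s in offer])
    print("unreachable before ALG:", [s.kind for s in unreachable_streams(offer)])
    fixed = alg_rewrite(SAMPLE_SDP, "203.0.113.10", {49170: 20000, 51372: 20002})
    print("unreachable after ALG:", [s.kind for s in unreachable_streams(parse_sdp(fixed))])
```

Note the port map: the relay must allocate and track a relay port per stream (and the RTCP port beside it) for the lifetime of the call, which is exactly the per-call state the slides say a plain firewall or NAT cannot keep.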
A Stalled Market
• VVoIP does not traverse existing firewalls and NATs unaided
• Midcom and IPv6 may offer solutions but are some way off
• Midcom and ALGs are localized upgrade solutions that cannot guarantee end-to-end connectivity
• Midcom and ALGs need symmetric RTP (media sent from the same port it is received on) for proper functioning
• There is an immediate need for solutions that can traverse existing firewalls & NATs
Firewall / NAT Traversal Requirements
• Enable VVoIP through existing firewalls and NATs
• Protocol-agnostic solution
  • Work with SIP, Megaco, H.323, MGCP etc.
• Must be secure (in the firewall sense)
• Must keep control with the administrator
• Must be able to work with all flavours of NAT
  • 1 to 1, NAPT, Symmetric, Cone etc.
• Must work with existing clients/proxies
• Must be compatible with real-time media transport requirements
• Should not inhibit long-term solutions (Midcom/IPv6)
• Should not break end-to-end security
FW & NAT Traversal: FW Solution
[Diagram: Endpoint and Registrar on the client side, behind FW / NAT, reaching the server side over well-known ports X, Y, Z]
• FW solution = define well-known ports X, Y, Z and program the firewall(s) with outbound rules only:
  • Client (any IP, any port) → Server IP, port X: TCP
  • Client (any IP, any port) → Server IP, ports Y, Z: UDP
• Multiplex/de-multiplex all signalling and media traffic via the well-known ports, so the administrator never opens per-call dynamic ports
FW & NAT Traversal: NAPT Solution
[Diagram: same topology, client side behind FW / NAT, server side reachable on well-known ports X, Y, Z]
• NAT solution = always initiate connections client-to-server
  • Tunnel signalling over a permanent connection to well-known port X
  • On demand, send ‘probes’ for UDP connections to well-known ports Y, Z; the NAT’s outbound mapping created by the probe then admits the return media
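The FW solution and the NAPT solution above share one mechanism: every flow is started from the client side towards a well-known server port, and the server learns the return path from what it actually sees rather than from what the signalling declared. The model below is an added example, constructed for this page and not Ridgeway's code; the server address 198.51.100.7, the port number used for Y and the NAT public address are hypothetical. It also covers the edge case a probe scheme must handle: a symmetric NAT admits return media only from the exact server IP:port the probe went to, so the server must answer from the well-known port itself, while a cone NAT would accept media from any server port.

```python
"""Added example (not from the slides): client-initiated probes opening a NAT pinhole."""
from dataclasses import dataclass, field
from typing import Optional

Addr = tuple[str, int]                    # (ip, port)

SERVER_IP = "198.51.100.7"                # hypothetical traversal-server address
PORT_Y = 2776                             # hypothetical well-known media port 'Y'


@dataclass
class NAPT:
    """A NAPT box. symmetric=True: a mapping is bound to one remote ip:port and only that
    remote may send back through it. symmetric=False: full-cone, any remote may use the
    mapped public port once it exists."""
    public_ip: str
    symmetric: bool = True
    next_port: int = 40000
    by_key: dict = field(default_factory=dict)      # mapping key -> public port
    by_port: dict = field(default_factory=dict)     # public port -> mapping key

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Client-to-server packet: create (or reuse) the mapping, return the public source."""
        key = (src, dst) if self.symmetric else (src, None)
        if key not in self.by_key:
            self.by_key[key] = self.next_port
            self.by_port[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.by_key[key])

    def inbound(self, src: Addr, dst_port: int) -> Optional[Addr]:
        """Server-to-client packet: return the private destination, or None if dropped."""
        key = self.by_port.get(dst_port)
        if key is None:
            return None                                  # no pinhole: unsolicited inbound UDP
        private, bound_remote = key
        if bound_remote is not None and bound_remote != src:
            return None                                  # symmetric NAT: wrong remote ip:port
        return private


class TraversalServer:
    """Server end of the tunnel: records each stream's public mapping from the probe's
    observed source address, never from the address the client put in its signalling."""
    def __init__(self) -> None:
        self.pinholes: dict[str, Addr] = {}

    def on_probe(self, stream_id: str, observed_src: Addr) -> None:
        self.pinholes[stream_id] = observed_src

    def media_destination(self, stream_id: str, declared: Addr) -> Addr:
        # Fall back to the declared (private) address only if no probe was ever seen.
        return self.pinholes.get(stream_id, declared)


def run_call(nat: NAPT, client: Addr, send_probe: bool, server_port: int = PORT_Y) -> Optional[Addr]:
    """One media stream: optional probe from client to port Y, then one media packet sent by
    the server from server_port. Returns where the NAT delivers it, or None if dropped."""
    server = TraversalServer()
    if send_probe:
        public_src = nat.outbound(client, (SERVER_IP, PORT_Y))
        server.on_probe("stream-1", public_src)
    dst = server.media_destination("stream-1", declared=client)
    return nat.inbound((SERVER_IP, server_port), dst[1])


if __name__ == "__main__":
    client = ("192.168.1.23", 49170)                   # private address the client advertised
    print(run_call(NAPT("203.0.113.10"), client, send_probe=False))                   # dropped
    print(run_call(NAPT("203.0.113.10"), client, send_probe=True))                    # delivered
    print(run_call(NAPT("203.0.113.10"), client, send_probe=True, server_port=50000)) # dropped
    print(run_call(NAPT("203.0.113.10", symmetric=False), client, True, 50000))       # delivered
```

The third case is the one that matters operationally: if the server relays media from a dynamic port instead of from Y, a symmetric NAT silently drops it even though the probe succeeded. Keeping all media on the well-known ports is what makes the scheme independent of NAT flavour, and a real deployment must also re-send probes before the NAT's UDP mapping times out.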
FW & NAT Traversal 1: Server Master
[Diagram: Tunnel (Client) and Tunnel (Server) link the client side and server side through FW / NAT over ports X, Y, Z; components: Signaling Relay, Protocol ALG, Media Relay on each side, Proxy Interface Agent (PIA), Proxy Server S; transparent to endpoints]
• Client side is protocol agnostic
FW & NAT Traversal 2: Client Master
[Diagram: same tunnel layout over ports X, Y, Z; components: Signaling Relay, Protocol ALG, Media Relay on each side, Proxy Extension Agent (PEA), Proxy Server C; transparent to endpoints]
• Server side is protocol agnostic
Deployment: Service Provider
[Diagram: three customer types reach the Service Provider Network across the Internet, each behind NAT / FW: 1. DSL / residential gateway, 2. cable modem, 3. SME on DSL / T1. The SP network is divided into an Access Zone, an Application Zone and an Infrastructure Zone, separated by FW / NAT, holding the PS or PEA, Application Server(s), SIP Registrar / Proxy Server / SoftSwitch, Media GW to the PSTN, and Billing & Management Servers]
Client variants: 1. Co-resident in UA 2. Co-located with gateway 3. Standalone
Deployment: Enterprise
[Diagram: Head Office (PS or PIA behind NAT / FW, with a DMZ) reached across the Internet by 1. Home Worker / Road Warrior and 3. Remote Office (PEA or PSS), each behind NAT / FW]
Firewall/NAT Traversal: Pros and Cons
Pros:
• Transparent to endpoints
• SP or Enterprise solution
• No upgrade to firewalls or NATs
• No change to protocols required
• Application transparent / protocol agnostic / future proof
• Scales down and up
• Multiple SP connectivity
• Framework for media policies
• May assist in IPv6 rollout
Cons:
• Additional media hops, but:
  • can be a wire-speed method
  • can be extended to handle Cone NATs transparently to the application/UA
Standardization?
• Standardization will:
  • assist client manufacturers to produce plug-&-play UAs / IP PBXs
  • assist QoS for prioritizing traffic
  • enable the industry to move forward - NOW
• IPFAN forum created by Intel, Ridgeway and Radvision to provide an informal focal point / resource centre
• Ad hoc session at IETF
  • over 60 people attended
  • waiting for the IETF ADs to decide
Conclusion
• Real-time voice and video to the desktop is stalled due to the FW/NAT ‘obstacle course’
• There are many deployments where the upgrade path is not appropriate or is undesirable
• Traversal techniques are valid, do not compromise security (only client-initiated connections to well-known ports are needed, and control stays with the firewall administrator) and are deployable now
• Many applications need transparent traversal
• The industry urgently needs to standardize the traversal approach
• Your support is needed!
Thank You
www.ridgewaysystems.com