Tuesday, January 18, 2011

NAT traversal

NAT traversal refers to a common problem in TCP/IP networks: establishing connections between hosts that sit in private TCP/IP networks behind NAT devices.

1 Overview

Those who run into this problem are usually developers of client-side interactive network applications, especially in the fields of peer-to-peer networking and VoIP. IPsec VPN clients generally use NAT-T so that ESP packets can pass through NAT.

Although there are many NAT traversal techniques, none of them is perfect, because NAT behaviour is not standardized. Most of these techniques require a public server with a well-known IP address that is reachable from anywhere in the world. Some methods need this server only while a connection is being established, while others relay all data through it, which introduces bandwidth costs.

2 Methods

1) NAT/ALG approach

An ordinary NAT performs address translation by rewriting the address information in the UDP or TCP packet header, but VoIP applications also carry address information inside the TCP/UDP payload. In the ALG approach, the VoIP terminal in the private network fills its private address into the payload, and the NAT rewrites that address information to the NAT's external address as the packet passes through.

The NAT/Firewall has to recognise and control each voice and video protocol (H323, SIP and MGCP/H248), and every newly added application requires an update of the NAT/Firewall. Some compromise is also needed on the security side: because an ALG cannot recognise encrypted message content, messages must be transmitted in cleartext, which leaves them exposed while they travel across the public network.

NAT/ALG is the simplest way to support VoIP traversal of NAT, but because many NAT/FW devices that do not support this feature have already been deployed, it is difficult to use this approach in practice.

2) MIDCOM approach

Unlike NAT/ALG, the basic MIDCOM framework uses a trusted third party (the MIDCOM Agent) to control the Middlebox (NAT/FW). Recognition of the VoIP protocol is not done by the Middlebox but by the external MIDCOM Agent, so the VoIP protocol is transparent to the Middlebox.

Because the function of recognising application protocols is moved from the Middlebox to the external MIDCOM Agent, the MIDCOM architecture allows new services to be supported by upgrading the MIDCOM Agent, without changing the basic characteristics of the Middlebox. This is a major advantage over the NAT/ALG approach.

In practice, the VoIP Middlebox function can reside in the NAT/Firewall, while the softswitch (acting as the MIDCOM Agent) recognises the voice and video protocols (H323, SIP and MGCP/H248) and controls the NAT/Firewall so that VoIP applications can traverse it. On the security side, MIDCOM can support encryption of control messages as well as encryption of the media stream, so its security is quite high.

If the softswitch implements recognition of the SIP/H323/MGCP/H248 protocols, it is only necessary to add the MIDCOM protocol to the softswitch and to the NAT/FW devices, and recognition of new application services later on is handled by the softswitch. This makes it a promising solution, but it requires existing NAT/FW devices to be upgraded to support the MIDCOM protocol, which is very difficult for NAT/FW equipment that is already deployed at scale; in this respect it shares the problem of the NAT/ALG approach.

3) STUN approach

Another way of solving NAT traversal is for the VoIP terminal in the private network to obtain the external address of the egress NAT in advance through some mechanism, and then to fill that external address directly into the payload instead of the terminal's private IP address. The payload then needs no modification when it passes through the NAT: the NAT translates the IP address in the packet header as usual, and the address information in the payload is consistent with that in the header. The STUN protocol is based on this idea and solves the application-layer address translation problem.

STUN stands for Simple Traversal of UDP Through NATs, that is, a simple way for UDP to traverse NAT. The application (the STUN client) sends a STUN request message over UDP to a STUN server outside the NAT. On receiving the request, the STUN server generates a response message that carries the source address and port of the request as the server observed them, which is the external port that the NAT assigned to the STUN client. The response is sent back to the STUN client through the NAT; from the body of the response the STUN client learns its external address on the NAT and fills that address into the UDP payload of its subsequent call signalling, telling the peer that this end's RTP receiving address and port are the NAT's external address and port. Because the STUN exchange has already created the NAT mapping entry for the media stream, the media stream can pass through the NAT.
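The request/response exchange described above, as an added example that is not part of the original post: it builds a STUN Binding Request, lets a server answer with the source address it observed (assumed here to be the NAT's external mapping), and parses the reflexive address out of the response. The wire format assumed is the RFC 5389 framing with XOR-MAPPED-ADDRESS, IPv4 only; the NAT address used is a constructed sample.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed cookie from RFC 5389 (assumed framing)
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id=None):
    """Client side: a Binding Request is just the 20-byte header, no attributes."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id), txn_id


def build_binding_response(request, src_ip, src_port):
    """Server side: report the UDP source (ip, port) the server saw on recvfrom(),
    i.e. the NAT's external mapping, XOR-encoded as RFC 5389 requires."""
    msg_type, _length, cookie, txn_id = struct.unpack("!HHI12s", request[:20])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN binding request")
    xport = src_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(src_ip))[0] ^ MAGIC_COOKIE
    attr_value = struct.pack("!BBHI", 0, 0x01, xport, xaddr)   # family 0x01 = IPv4
    attr = struct.pack("!HH", XOR_MAPPED_ADDRESS, len(attr_value)) + attr_value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_reflexive_address(response, expected_txn_id):
    """Client side: recover (ip, port) from XOR-MAPPED-ADDRESS. This is the address
    the client advertises in its call signalling instead of its private one."""
    msg_type, length, cookie, txn_id = struct.unpack("!HHI12s", response[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or txn_id != expected_txn_id:
        raise ValueError("unexpected STUN response")
    body, pos = response[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS:
            _, _family, xport, xaddr = struct.unpack("!BBHI", value)
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
        pos += 4 + ((alen + 3) & ~3)      # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def discover_external_address(nat_external_ip="203.0.113.7", nat_external_port=40021):
    """Constructed end-to-end run: the server sees the packet arrive from the NAT's
    external address, so that is exactly what the client learns."""
    request, txn_id = build_binding_request()
    response = build_binding_response(request, nat_external_ip, nat_external_port)
    return parse_reflexive_address(response, txn_id)
```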

The biggest advantage of STUN is that it requires no change to existing NAT/FW devices. A large number of NAT/FW devices are already in use, and they do not support VoIP applications; solving the problem with MIDCOM or NAT/ALG would require replacing them, which is not easy. STUN needs no change to the NAT/FW, which is its greatest advantage, and it can also be used in networks with several NATs in series, whereas MIDCOM cannot effectively control multiple levels of NAT.

The limitations of STUN are that the VoIP terminal must support the STUN client function, and that STUN is not suited to traversal of TCP connections, so it does not support H323. In addition, STUN does not support traversal of firewalls or of symmetric NAT (in enterprise networks with higher security requirements, the egress NAT is usually of this type).

4) TURN approach

TURN solves the NAT problem along similar lines to STUN: the VoIP terminal in the private network again obtains a public service address in advance through some mechanism (with STUN the address obtained is the external address on the egress NAT; with TURN it is the public address of the TURN server), and then fills that public address directly into the address fields of the message payload.

TURN stands for Traversal Using Relay NAT, that is, traversing NAT by way of a relay. In the TURN model, an address and port on the TURN server are allocated as the external receiving address and port of the VoIP terminal in the private network, so all messages sent by the private terminal are relayed through the TURN server. Besides the advantages of STUN, this removes STUN's inability to traverse symmetric NAT and similar firewall devices, and TURN supports TCP-based applications such as the H323 protocol. In addition, because the TURN server controls address and port allocation, it can allocate an RTP/RTCP address pair (the RTCP port being the RTP port plus 1) as the receiving address of the private-network user. This avoids a problem of the STUN approach, where the egress NAT allocates RTP/RTCP ports arbitrarily, so the client cannot receive the RTCP messages sent by the peer (when the peer sends RTCP, the destination port defaults to the RTP port plus 1).

The limitation of TURN is that the VoIP terminal must support the TURN client, the same requirement that STUN places on terminals. In addition, all messages must be forwarded by the TURN server, which increases packet delay and the likelihood of packet loss.
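The symmetric-NAT limitation of STUN and the way a TURN relay gets around it, as an added toy model that is not part of the original post: a constructed NAT with either endpoint-independent ("cone") or per-destination ("symmetric") mappings, a STUN-style discovery followed by a peer sending to the discovered address, and a TURN-style path where the peer sends to the relay instead. Server and client addresses are constructed samples.

```python
class Nat:
    """Toy NAT (constructed model). symmetric=False: one external port per private
    socket, usable by any sender. symmetric=True: a separate port per destination,
    and only that destination may send back through it."""

    def __init__(self, external_ip, symmetric):
        self.external_ip = external_ip
        self.symmetric = symmetric
        self.mappings = {}          # key -> external port
        self.next_port = 40000

    def outbound(self, private_addr, dest):
        """Translate an outbound packet; returns the external (ip, port) it left with."""
        key = (private_addr, dest) if self.symmetric else private_addr
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return (self.external_ip, self.mappings[key])

    def inbound(self, external_port, src):
        """Deliver an inbound packet arriving from src; returns the private addr or None."""
        for key, port in self.mappings.items():
            if port != external_port:
                continue
            if self.symmetric:
                private_addr, dest = key
                if dest == src:                 # only the original peer can reply
                    return private_addr
            else:
                return key                      # any source may use the mapping
        return None


STUN_SERVER = ("198.51.100.1", 3478)   # constructed public addresses
TURN_SERVER = ("198.51.100.2", 3478)
PEER = ("192.0.2.9", 10000)
CLIENT = ("10.0.0.5", 5004)            # private VoIP terminal


def stun_then_peer(nat):
    """STUN path: the server reports the mapping the request arrived from; the client
    advertises it, and the peer sends media straight to it."""
    reflexive = nat.outbound(CLIENT, STUN_SERVER)
    return nat.inbound(reflexive[1], PEER) == CLIENT


def turn_then_peer(nat):
    """TURN path: the client talks to the relay first; the peer sends to the relay's
    public address, and the relay forwards through the mapping the client created."""
    mapped = nat.outbound(CLIENT, TURN_SERVER)
    return nat.inbound(mapped[1], TURN_SERVER) == CLIENT
```

The STUN path delivers only behind the cone NAT, while the relayed path delivers behind both, which is the trade-off the text describes: reachability in exchange for an extra hop.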

5) ICE approach

ICE is currently the most commonly used method of NAT traversal [1]. ICE (Interactive Connectivity Establishment) is a comprehensive NAT traversal technique. Interactive Connectivity Establishment is a framework developed by the IETF MMUSIC working group that can integrate various NAT traversal techniques, such as STUN [2], TURN (Traversal Using Relay NAT) and RSIP (Realm Specific IP). This framework lets SIP clients use the various NAT traversal methods to get through remote firewalls.
