[LINK] There goes the neighbourhood...

Kim Holburn kim at holburn.net
Wed May 11 20:25:12 AEST 2011


On 2011/May/11, at 7:52 PM, Karl Auer wrote:
>> The main reason NAT is a problem for VOIP/SIP/H323 is that they put IP
>> addresses in the data.  If they relied on IP headers like every
>> sensible protocol designer it would never have been an issue.
> 
> Are you sure? I don't know that those protocols put IP addresses in the
> packet data. The problem has nothing to do with that, the problem is NAT
> itself. How do I connect to you, if you are behind NAT? There are only
> two ways - port forwarding or an external rendezvous server. STUN is the
> latter, and Skype does it just the same way. But instead of a few
> locations that have to be well-known, they piggyback STUN-like services
> onto their unfortunate supernodes.
> 
> I doubt that "VOIP/SIP/H323" put IP addresses in the payloads, but I
> could be wrong.
> 
>>  You wouldn't need STUN servers or anything else.  Just the packets.
> 
> To get through NAT you would indeed require more than "just the
> packets". NAT stops one user connecting to another user. They require
> the services of an intermediary OR they need to know each other well
> enough to set up port forwarding.

Yeah, I realised that after I wrote it.

> 
>>  The other fault is that they splatter udp connections with lots of
>> ports.  Not necessary.
> 
> I'll have to go read up on it, but I'm not sure that's the case. Can you
> provide a pointer to evidence of this profligate port usage? Not a
> challenge, just interested! I've used Ekiga from behind a pretty tight
> firewall[1], and have had no difficulty, and no need to open up a
> zillion ports.
> 
> Regards, K.
> 
> [1] Basically this: allow inbound established and related; allow inbound
> ssh; allow inbound useful icmp; allow outbound; deny all.

This site has data for Polycom, Tandberg and Sony, but all mixed together.
http://vcoutonalim.org/2007/01/16/ports-used-in-videoconferencing/
Polycoms come configured (or used to) to use a large range of ports - maybe 1024-65535 - but you could restrict TCP to 3230–3233 and UDP to 3230–3235; they use various other ports for other things. If you want data transfer like whiteboards, PowerPoint or T.120, they use even more ports.

Here's another site with some other brands:
http://www.1pcn.com/customer_service/support/firewall/port_forwarding.htm

It might be OK with known router hardware setups but trying to do port forwarding at home with a home-brand router can be tricky.

Here is a discussion of the IP-address-in-data issue:

http://www.1pcn.com/customer_service/support/firewall/port_forwarding.htm

> The important aspect to remember of the relationship between the H.323 application and the network router is that the application is unaware that traffic is running through a NAT facility. Another problem exists because NATs typically set up their port mappings by examining the application's packet header. While this works well for most applications, the H.323 standard requires IP address and port information to be stored in the data portion (payload) of the IP packet.



-- 
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408  M: +61 404072753
mailto:kim at holburn.net  aim://kimholburn
skype://kholburn - PGP Public Key on request 
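An added illustration of the "addresses in the payload" point discussed in this thread (example code, not from the post or from any of the vendors mentioned). SIP is used rather than H.323 because its SDP body is plain text; the INVITE below is a constructed sample, and the private-range list and the "header-only NAT" model are assumptions made for the demonstration.

```python
"""
Constructed SIP INVITE from a phone behind NAT: the SDP 'c=' line, the 'm='
port and the Contact header all carry the private address. A NAT that only
rewrites the IP header leaves these untouched, so the far end sends media
and signalling somewhere unreachable unless an ALG, STUN or port forwarding
fixes them up. nat_mismatches() is the kind of check a gateway or firewall
log review can apply to spot that condition.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed private ranges (RFC 1918) for the demonstration.
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
           ip_network("192.168.0.0/16")]

# Constructed sample message; 192.168.1.20 is the phone's inside address.
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def payload_addresses(msg):
    """Every (address, port, where) a receiver would use from the payload."""
    found = []
    m = re.search(r"^Contact:.*?sip:[^@]*@([\d.]+):(\d+)", msg, re.M)
    if m:
        found.append((m.group(1), int(m.group(2)), "Contact"))
    c = re.search(r"^c=IN IP4 ([\d.]+)", msg, re.M)
    a = re.search(r"^m=audio (\d+)", msg, re.M)
    if c and a:
        found.append((c.group(1), int(a.group(1)), "SDP media"))
    return found

def nat_mismatches(msg, outer_src_ip):
    """outer_src_ip is the source the IP header shows after header-only NAT.
    Return payload addresses that are private or differ from that header."""
    return [(ip, port, where) for ip, port, where in payload_addresses(msg)
            if ip != outer_src_ip or any(ip_address(ip) in n for n in PRIVATE)]

if __name__ == "__main__":
    for ip, port, where in nat_mismatches(INVITE, "203.0.113.7"):
        print(f"{where}: payload says {ip}:{port}, header says 203.0.113.7")
```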