Firewalls, Network Address Translators(NATs), and H.323
Joon Maeng, joon_maeng@vtel.com
Chief Scientist, VTEL Corp.
October 11, 2000

Network Layers

OSI layer and the protocols shown on the slide:
  Application (7), Presentation (6), Session (5): H.323, SIP, FTP, HTTP, SNMP, RTP
  Transport (4): TCP (IP protocol ID 6), UDP (IP protocol ID 17)
  Network (3): IP (Ethernet type code 0800H), ARP (Ethernet type code 0806H)
  Data Link (2): Ethernet software
  Physical (1): Ethernet hardware (MAC addresses)

Well-known ports: FTP 21 (TCP), HTTP 80 (TCP), H.323 call signalling 1720 (TCP), SIP 5060 (TCP or UDP), SNMP 161 (UDP), RTP dynamic port (UDP)

Encapsulation of a media stream on the wire:
  Ethernet Header | IP Header | UDP Header | RTP Header | A/V

Shared IP Network Landscape (e.g., Internet, shared IP backbone)
- Individuals with a single host (no firewall): mostly dial-up modem
- Individuals with multiple hosts: mostly DSL and cable, behind a NAT
- Corporate networks and universities: behind a firewall and a NAT

Network Address Translator (NAT)*
- Address translation between a private network (corporate network, home network) and the Internet or a public IP network
- A large private network can use a small set of public addresses
- Some security benefit: private addresses are not visible to the public network (this is address hiding, not access control; a NAT by itself is not a firewall)
- Private IP addresses (RFC 1918):
  10.0.0.0 - 10.255.255.255 (10/8 prefix)
  172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
  192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
* ftp://ftp.isi.edu/in-notes/rfc2663.txt

NAT (Cont'd)
Types of NATs
- Traditional NAT (unidirectional NAT, outbound NAT): sessions originate in the private address realm and go out to the public address realm
  Basic NAT example (host 10.33.96.5 behind a NAT with public address 198.76.29.7, talking to server 198.76.28.4):
    Host -> NAT:     s = 10.33.96.5,  d = 198.76.28.4
    NAT -> Server:   s = 198.76.29.7, d = 198.76.28.4
    Server -> NAT:   s = 198.76.28.4, d = 198.76.29.7
    NAT -> Host:     s = 198.76.28.4, d = 10.33.96.5
- Network address and port translator (NAPT): many private hosts share one public address and are told apart by the translated source port
    Host A -> NAPT:  s = 10.33.96.5:1257,  d = 198.76.28.4:80
    NAPT -> Server:  s = 198.76.29.7:6345, d = 198.76.28.4:80
    Host B -> NAPT:  s = 10.33.96.10:237,  d = 198.76.28.4:80
    NAPT -> Server:  s = 198.76.29.7:8896, d = 198.76.28.4:80

NAT (Cont'd)
- Bi-directional NAT (two-way NAT): sessions can be initiated from either realm
- Twice NAT: translates both the source and the destination address
- Multi-homed NAT
- A NAT is a logical function, usually embedded in a border router (or in the same device as the firewall)
- NATs are stateful devices: they maintain a table of established, active sessions
- Session termination
  TCP: detection of FIN in the packet, or timeout
  UDP: timeout only
- Default NAT timeouts (configurable):
  udp-timeout 300 seconds (5 minutes)
  dns-timeout 60 seconds (1 minute)
  tcp-timeout 86400 seconds (24 hours)
  finrst-timeout 60 seconds (1 minute)
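The NAPT table and the timeouts on the two slides above, as a toy simulator. This is an added example, not code from the original presentation or from VTEL. The addresses and ports follow the slide's figure (inside hosts 10.33.96.5 and 10.33.96.10, public address 198.76.29.7, server 198.76.28.4); the sequential public-port allocator, the `NAPT` class and the RTP flow on port 5004 are constructed for illustration, so Host B lands on 6346 here rather than the slide's 8896.

```python
"""Toy NAPT (network address and port translator) state table.

Added example, not from the original slides. Addresses, ports and flows are
constructed to match the slide's figure; timeouts are the slide's defaults.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PUBLIC_IP = "198.76.29.7"

# Default binding lifetimes in seconds, as quoted on the slide.
UDP_TIMEOUT = 300
DNS_TIMEOUT = 60
TCP_TIMEOUT = 86400
FINRST_TIMEOUT = 60

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class Binding:
    proto: str            # "tcp" or "udp"
    inside: Endpoint      # private ip:port
    outside: Endpoint     # public ip:port allocated on the NAPT
    remote: Endpoint      # peer on the public network
    last_seen: float
    closing: bool = False  # FIN/RST seen on a TCP session


class NAPT:
    def __init__(self, first_port: int = 6345) -> None:
        self.next_port = first_port
        self.out_table: Dict[Tuple[str, Endpoint, Endpoint], Binding] = {}  # (proto, inside, remote)
        self.in_table: Dict[Tuple[str, Endpoint, Endpoint], Binding] = {}   # (proto, outside, remote)

    def _timeout(self, b: Binding) -> int:
        if b.proto == "tcp":
            return FINRST_TIMEOUT if b.closing else TCP_TIMEOUT
        return DNS_TIMEOUT if b.remote[1] == 53 else UDP_TIMEOUT

    def expire(self, now: float) -> None:
        """Drop bindings whose idle time exceeds their timeout (UDP: the only way out)."""
        for key, b in list(self.out_table.items()):
            if now - b.last_seen > self._timeout(b):
                del self.out_table[key]
                del self.in_table[(b.proto, b.outside, b.remote)]

    def outbound(self, proto: str, src: Endpoint, dst: Endpoint, now: float,
                 fin: bool = False) -> Tuple[Endpoint, Endpoint]:
        """Translate an inside->outside packet, creating a binding on first use."""
        self.expire(now)
        b = self.out_table.get((proto, src, dst))
        if b is None:
            b = Binding(proto, src, (PUBLIC_IP, self.next_port), dst, now)
            self.next_port += 1  # constructed allocator: one new public port per session
            self.out_table[(proto, src, dst)] = b
            self.in_table[(proto, b.outside, dst)] = b
        b.last_seen = now
        b.closing = b.closing or fin
        return b.outside, dst

    def inbound(self, proto: str, src: Endpoint, dst: Endpoint, now: float,
                fin: bool = False) -> Optional[Tuple[Endpoint, Endpoint]]:
        """Translate an outside->inside packet; None means no binding, so it is dropped."""
        self.expire(now)
        b = self.in_table.get((proto, dst, src))
        if b is None:
            return None  # unsolicited inbound traffic: traditional NAT has no mapping for it
        b.last_seen = now
        b.closing = b.closing or fin
        return src, b.inside


def demo():
    nat = NAPT()
    # Host A opens a TCP connection to the web server (slide's NAPT figure).
    out_a = nat.outbound("tcp", ("10.33.96.5", 1257), ("198.76.28.4", 80), now=0)
    # The server's reply is mapped back to Host A's private address and port.
    back_a = nat.inbound("tcp", ("198.76.28.4", 80), out_a[0], now=1)
    # Host B shares the same public address but gets a different public port.
    out_b = nat.outbound("tcp", ("10.33.96.10", 237), ("198.76.28.4", 80), now=2)
    # A UDP media flow that idles past udp-timeout loses its binding.
    rtp = nat.outbound("udp", ("10.33.96.5", 5004), ("198.76.28.4", 5004), now=10)
    late = nat.inbound("udp", ("198.76.28.4", 5004), rtp[0], now=10 + UDP_TIMEOUT + 1)
    return out_a, back_a, out_b, late


if __name__ == "__main__":
    print(demo())
```

The last two lines of `demo` are the point the H.323 discussion later turns on: a media stream that pauses for longer than the UDP idle timeout comes back to a NAPT that has forgotten it, and the inbound packets are dropped.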

Firewalls
- A system designed to prevent unauthorized access to or from a network domain; it sits between a private network (corporate network, home network) and the Internet or a public IP network
- Can be implemented in hardware, in software, or in a combination of both
- Firewalls are also used within private networks, between internal segments

Packet Filter Firewalls
- Operate purely at the IP and TCP/UDP layers
- Allow or disallow packets on the basis of source and/or destination IP address
- Allow or disallow packets according to protocol and port number
- Common policies:
  No UDP packets in or out; TCP packets are allowed out
  TCP packets are allowed in only for specific servers (e.g., an HTTP server on port 80) and for connections already opened from inside

Application Level Firewalls
- Act as a proxy for applications, performing all data exchanges with the remote system on their behalf
- SOCKS (version 5, RFC 1928) requires a special proxy-aware client
- H.323 proxy firewalls, SIP proxy firewalls, etc.
- Considered the most secure type of firewall, because the proxy understands the application protocol it relays
- A new proxy must be written for each protocol you want to pass through the firewall
- Proxy services introduce performance delays

Circuit Level Firewalls
- Validate that a packet is either a connection request or a data packet belonging to an established connection between two peer transport layers (TCP)
- Unlike application level firewalls, they create a circuit between a client and a server without requiring either application to know anything about the service
- Generally faster than application level firewalls
- Cannot perform strict security checks on a higher-level protocol

H.323 Call Establishment
Two H.323 zones (Zone A with gatekeeper GK-A, Zone B with gatekeeper GK-B) connected across a public network through routers; Alice is in Zone A, Bob in Zone B.
Call scenario (from Alice to Bob):
1. Alice asks GK-A to call Bob.
2. GK-A finds the IP address of GK-B from DNS.
3. GK-A asks GK-B for Bob's IP address.
4. GK-A sends a "setup" message to Bob.
5. Bob sends "connect" to GK-A.
6. GK-A relays "connect" to Alice.
7. Alice exchanges H.245 (and then media) with Bob.

Problem 1: Private IP Addresses
Same topology, but each zone now uses private IP addresses behind a firewall and NAT; only the public network and the DNS server have public addresses.
Call scenario (from Alice to Bob):
1. Alice asks GK-A to call Bob.
2. GK-A finds the IP address of GK-B from DNS, but DNS returns GK-B's private address, which is not reachable from Zone A.
3. GK-A asks GK-B for Bob's IP address, which is also a private address.
4. GK-A sends "setup" to Bob.
5. Bob sends "connect" to GK-A.
6. GK-A relays "connect" to Alice.
7. Alice tries to exchange H.245 (and media) with Bob, and the firewalls get in the way.

Issues in Deploying H.323* (also SIP**)
Problem 2: Dynamic ports for media traffic
- H.323 (and SIP) uses TCP or UDP for call establishment and UDP for media transmission
- Dynamically assigned ports are used for the media streams bundled into a session
- Most firewalls will not let UDP through, especially inbound
- It is not realistic to open the whole dynamic port range
- H.323 application level firewalls, which learn the media ports from the signalling, are needed
*http://search.ietf.org/internet-drafts/draft-shore-h323-firewalls-00.txt
**Session Initiation Protocol. http://www.ietf.org/rfc/rfc2543.txt
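The packet-filter policy from the "Packet Filter Firewalls" slide, applied to the packets of an H.323 call, to show why the media fails and what an H.323-aware firewall changes. This is an added example, not code from the original presentation or from VTEL. The addresses, the ephemeral and RTP ports (1257, 49170, 49180), the published web server and the `PacketFilter` class are constructed; the gatekeepers are left out so Alice signals Bob directly on TCP 1720, the H.323 call-signalling port the slides list.

```python
"""Toy stateful packet filter implementing the policy on the "Packet Filter
Firewalls" slide, run over the packets of an H.323 call.

Added example, not from the original slides. Addresses, ports and packets
are constructed; the gatekeepers are omitted so Alice signals Bob directly.
"""
from dataclasses import dataclass
from typing import List, Set, Tuple

Endpoint = Tuple[str, int]
Flow = Tuple[Endpoint, Endpoint]              # (inside endpoint, outside endpoint)

INSIDE_PREFIX = "10.33.96."                   # constructed RFC 1918 prefix
WEB_SERVER: Endpoint = ("10.33.96.80", 80)    # constructed: the one published TCP server


@dataclass(frozen=True)
class Packet:
    proto: str         # "tcp" or "udp"
    src: Endpoint
    dst: Endpoint
    syn: bool = False  # TCP connection request (SYN without ACK)


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


class PacketFilter:
    def __init__(self) -> None:
        self.established: Set[Flow] = set()  # TCP flows opened from inside
        self.pinholes: Set[Flow] = set()     # UDP flows an H.323 ALG asked us to permit

    def open_pinhole(self, inside: Endpoint, outside: Endpoint) -> None:
        """What an H.323-aware firewall does after reading the media addresses
        and ports out of the H.245 exchange (here it is simply told them)."""
        self.pinholes.add((inside, outside))

    def decide(self, p: Packet) -> str:
        outbound = is_inside(p.src[0]) and not is_inside(p.dst[0])
        inbound = is_inside(p.dst[0]) and not is_inside(p.src[0])
        if p.proto == "udp":
            # Policy: no UDP in or out, unless an ALG opened a pinhole for this flow.
            flow = (p.src, p.dst) if outbound else (p.dst, p.src)
            return "accept" if (outbound or inbound) and flow in self.pinholes else "drop"
        if p.proto == "tcp":
            if outbound:
                self.established.add((p.src, p.dst))  # remember inside-initiated flows
                return "accept"                       # policy: TCP allowed out
            if inbound and p.dst == WEB_SERVER:
                return "accept"                       # policy: published server
            if inbound and not p.syn and (p.dst, p.src) in self.established:
                return "accept"                       # reply to a connection opened inside
        return "drop"


def h323_call(with_alg: bool) -> List[str]:
    """Decisions for the four packets of a minimal call from Alice (inside) to Bob."""
    fw = PacketFilter()
    alice = ("10.33.96.5", 1257)        # Alice's ephemeral port for H.225 signalling
    bob = ("198.76.28.4", 1720)         # Bob's H.225 call-signalling port
    alice_rtp = ("10.33.96.5", 49170)   # dynamic RTP port Alice announced in H.245
    bob_rtp = ("198.76.28.4", 49180)    # dynamic RTP port Bob announced in H.245
    if with_alg:
        fw.open_pinhole(alice_rtp, bob_rtp)  # the ALG learned these from the signalling
    packets = [
        Packet("tcp", alice, bob, syn=True),  # Setup
        Packet("tcp", bob, alice),            # Connect
        Packet("udp", alice_rtp, bob_rtp),    # Alice's media
        Packet("udp", bob_rtp, alice_rtp),    # Bob's media
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print("plain packet filter:", h323_call(with_alg=False))
    print("with H.323 ALG:     ", h323_call(with_alg=True))
```

Without the ALG the call signals fine and then goes silent: Setup and Connect pass as an inside-initiated TCP connection, both RTP packets hit the "no UDP" rule. The pinhole is deliberately keyed on both endpoints, so the ALG opens one flow rather than a port range.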

Issues (Cont'd)
Problem 3: IP addresses and port numbers inside IP payloads
- H.225 and H.245 may embed IP addresses in their payloads (not in the IP header)
- For instance, the "calling party" information element in the H.225 signalling stream contains the private address of the calling party
- In SIP, the Contact, Record-Route, Via, Call-ID, To and From header fields may carry IP addresses and port numbers
- A NAT cannot translate addresses and ports inside payloads unless it has an Application Level Gateway (ALG) for that protocol
- H.323 is harder to handle than SIP because it uses ASN.1 (binary) encoding, whereas SIP is text based

Issues (Cont'd)
Problem 4: Security and Authentication
- IPsec does not traverse NATs: AH's integrity check covers the IP header, so address rewriting fails it, and ESP hides the transport header the NAT needs to translate (as of this talk; UDP encapsulation of ESP for NAT traversal was standardized later, in RFC 3948)
- IPsec through a firewall works, but the firewall cannot inspect the encrypted payload nor determine which ports to open
- Bottom line: end-to-end encryption at the IP layer will not work through a firewall that has to see the signalling
- Any change made by a NAT with an ALG invalidates an end-to-end signature or integrity check over the payload
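Problems 3 and 4 in one piece of code: a SIP ALG rewriting the private addresses embedded in a message, and the end-to-end integrity check that the rewrite then fails. This is an added example, not code from the original presentation or from VTEL. The INVITE, the private and public addresses, the NAPT mapping, the single audio line and the HMAC key are constructed; SIP is used because its text encoding keeps the example short, which is the slide's own point about why ASN.1-encoded H.225/H.245 is harder.

```python
"""A SIP ALG rewriting private addresses embedded in a message (Problem 3)
and the integrity check that rewriting breaks (Problem 4).

Added example, not from the original slides. The INVITE, addresses, NAPT
mapping and HMAC key are constructed; one IPv4 media line is assumed.
"""
import hashlib
import hmac
import re
from typing import Dict, Tuple

Endpoint = Tuple[str, int]

# Constructed NAPT bindings: private ip:port -> public ip:port
MAPPING: Dict[Endpoint, Endpoint] = {
    ("10.33.96.5", 5060): ("198.76.29.7", 6345),   # SIP signalling
    ("10.33.96.5", 49170): ("198.76.29.7", 6346),  # RTP, advertised in SDP
}

# Constructed INVITE from Alice, behind the NAPT, to Bob on the public network.
INVITE = "\r\n".join([
    "INVITE sip:bob@198.76.28.4 SIP/2.0",
    "Via: SIP/2.0/UDP 10.33.96.5:5060",
    "From: <sip:alice@10.33.96.5:5060>",
    "To: <sip:bob@198.76.28.4>",
    "Call-ID: 4a7b3c@10.33.96.5",
    "Contact: <sip:alice@10.33.96.5:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 10.33.96.5",
    "c=IN IP4 10.33.96.5",
    "m=audio 49170 RTP/AVP 0",
    "",
])

# Fields whose addresses must be reachable from outside. Call-ID and o= also
# hold the private address but are opaque identifiers; rewriting them would
# break dialog matching, so the ALG leaves them alone.
REWRITE_HEADERS = ("Via", "Contact", "From", "Record-Route")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")


def rewrite_header(line: str) -> str:
    if line.split(":", 1)[0] not in REWRITE_HEADERS:
        return line

    def swap(m: "re.Match[str]") -> str:
        ip, port = m.group(1), int(m.group(2) or 5060)  # 5060: SIP default port
        pub = MAPPING.get((ip, port))
        return f"{pub[0]}:{pub[1]}" if pub else m.group(0)  # unknown endpoint: keep

    return ENDPOINT_RE.sub(swap, line)


def rewrite_sdp(body: str) -> str:
    """The media address lives on c= and the port on m=; pair them for the lookup."""
    lines = body.split("\r\n")
    c_ip = next((l.split()[-1] for l in lines if l.startswith("c=IN IP4 ")), None)
    m_port = next((int(l.split()[1]) for l in lines if l.startswith("m=")), None)
    if c_ip is None or m_port is None or (c_ip, m_port) not in MAPPING:
        return body
    pub_ip, pub_port = MAPPING[(c_ip, m_port)]
    out = []
    for l in lines:
        if l.startswith("c=IN IP4 "):
            l = f"c=IN IP4 {pub_ip}"
        elif l.startswith("m="):
            l = re.sub(r"^(m=\S+ )\d+", rf"\g<1>{pub_port}", l)
        out.append(l)
    return "\r\n".join(out)


def alg_rewrite(msg: str) -> str:
    """What a NAT with a SIP ALG does to the message in transit."""
    head, sep, body = msg.partition("\r\n\r\n")
    headers = "\r\n".join(rewrite_header(h) for h in head.split("\r\n"))
    return headers + sep + rewrite_sdp(body)


KEY = b"constructed-shared-key"  # stand-in for whatever end-to-end key the peers share


def sign(msg: str) -> str:
    """Stand-in for an end-to-end integrity check over the whole message."""
    return hmac.new(KEY, msg.encode(), hashlib.sha256).hexdigest()


def verify(msg: str, tag: str) -> bool:
    return hmac.compare_digest(sign(msg), tag)


def demo() -> Tuple[str, bool, bool]:
    tag = sign(INVITE)            # Alice signs before the message leaves her host
    public = alg_rewrite(INVITE)  # the NAT's ALG rewrites it in transit
    return public, verify(INVITE, tag), verify(public, tag)
```

The rewritten message carries 198.76.29.7:6345 in Via and Contact and 198.76.29.7 / 6346 in the SDP, so Bob can reach Alice; the same rewrite is exactly what makes Bob's verification of Alice's tag fail, which is Problem 4 in miniature. A real ALG also has to rewrite the RTCP port (m= port plus one) and keep its bindings alive for as long as the call lasts.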

Issues (Cont'd)
Problem 5: Lifetime issues
- The NAT's address bindings for a call have a lifetime tied to the TCP signalling connection; the NAT tears down the media streams as soon as that TCP connection is closed (and a UDP media binding on its own lives only until the UDP idle timeout, 5 minutes by default)
Problem 6: Multicast does not run through NAT
- Multicast protocols are defined for routers
- Devices behind a NAPT will not receive multicast, since the attached network appears to the outside as a single end station

Realm Specific IP (RSIP)*
- Motivation: restore end-to-end transparency in the Internet
- Grants a host in one addressing realm a presence in another realm by letting it use resources (addresses and ports) from that second realm; in effect, a host in the private network borrows a public address for a fixed duration
- Being defined at the IETF; it has potential, but it is too early to tell
*http://ietf.org/internet-drafts/draft-ietf-nat-rsip-framework-05.txt

Other Attempts
- Firewall control protocol*: an interaction between firewalls and media servers was proposed at the IETF meeting in Adelaide; no consensus was reached
- H.323 application level firewalls and VPNs
* http://search.ietf.org/internet-drafts/draft-tiphon-foglamps-00.txt, http://search.ietf.org/internet-drafts/draft-lear-foglamps-02.txt

Conclusions
- NATs and firewalls are here to stay between public and private networks; they are a problem for H.323 as well as for most media applications in IP networks
- To get H.323 through firewalls, one may have to use application level firewalls or VPNs, depending on the network topology and the type of WAN
- To handle private addresses, one may have to use H.323 proxies