Draft Question 5/16 - Control of NAT and Firewall Traversal for Multimedia Systems
(New Question approved 30 January 2004 - TSB Circular 217)
Motivation
By its very definition, the Internet is an interconnected collection of public,
enterprise, and private IP networks. Increasingly, even large private networks share many of
these same characteristics with the Internet. These individual networks are often interconnected
through firewalls or other types of remote access devices which, in addition to filtering traffic
according to pre-administered or dynamic rules, often perform some type of network address and/or
port translation (NAT). The reasons for such services include both necessity (IP address reuse)
and security:
- preventing unauthorized outside access to internal services;
- hiding internal network addresses from the public Internet;
- hiding internal network topologies;
- providing public access to (selected) internal addresses;
- compensating for scarcities of IPv4 addresses;
- providing conversion between public and private IP addresses;
- providing conversion between IPv4 and IPv6 addresses.
These types of firewall and NAT operation have proven problematic for multimedia protocols that
require the dynamic assignment and exchange of transport addresses (IP address and port) for media
and signalling, since the addresses carried inside the signalling are not the ones visible on the
far side of the translator. Previous efforts to develop solutions to this collection of problems
have resulted in inefficient solutions (e.g., application level gateways), limited solutions
(e.g., UDP tunnelling of IPsec), or limited progress (e.g., the IETF midcom work). Nevertheless, the
need for robust solutions that will make the deployment of multimedia communication easy for
service providers, enterprises, and home users has not abated, especially in light of increased
security requirements and the increasing deployment of multimedia applications. A practical
solution that is easy for all users to deploy will contribute to the success of the Next
Generation Network.
As a practical matter, it is expected that much use will be made of existing work.
Study Items
- Service requirements for firewalls, including access policy enforcement, inter-network policy enforcement, configuration, operation, and security;
- Architecture of communications devices and network(s), and configuration of telephony elements, multimedia applications, and firewalls;
- Appropriate control protocol(s) that ensure security;
- Support of signalling and media transport protocols.
Tasks
Tasks include, but are not limited to:
- Define Requirements (3Q 2004).
- Develop Architecture Specification (1Q 2005):
  - Control Elements;
  - Firewalls;
  - Access policy;
  - Inter-network policy;
  - Gatekeepers, Gateways, SIP Proxies, SIP Registrars, and Endpoints;
  - Network Topologies;
  - Robustness.
- Define Protocols (1Q 2006):
  - Controller/Firewall Authentication;
  - Firewall and NAT Control;
  - Robustness.
An up-to-date status summary of work under this Question is contained in the SG 16 Work Program
(http://1f8a81b9b0707b63-19211.webchannel-proxy.scarabresearch.com/itudoc/itu-t/com16/workprog/01-04/index.html).
Relationships
Recommendations:
- H.225.0, H.245, H.248, H.235, H.323, H.501.
Questions:
Study Groups:
Other Bodies: