[VOIPSEC] IPv6 and the demise (or not) of NAT (was Re:Interactive Connectivity Establishment (ICE))

Simon Horne s.horne at packetizer.com
Mon Nov 14 22:41:17 CST 2005


At 08:37 AM 15/11/2005, you wrote:
>There is a moral here.
>
>Trying to enforce security by refusing to provide needed functionality in a 
>safe fashion only leads to someone else providing it insecurely.

As I see it there are 6 alternatives with symmetric NATs:

1.  Use static IPs and manually set the port forwards. (ok in H.323 but 
problematic in SIP due to symmetric RTP restriction)
2.  Use UPnP to automate the opening and closing of ports (with obvious 
security risks)
3.  Natively, by developing a standard where a proxy can assist in the 
traversal. (versions already implemented in some open source servers)
4.  Put an SBC or proxy on the NAT box. (which is impractical with home routers)
5.  Don't bother and put the UA on the router (currently available)
6.  Give up and let's all use SKYPE..

I prefer No. 3 and that is what we are currently working on. If we do 
nothing and wait for IPv6 then I think 6 will rapidly become the default.

Simon

Simon Horne
Director
Packetizer Labs
www.packetizer.com/labs




