Hack technology: approaches to VoIP traversal of NAT and firewalls - vulnerability warning - Heiba Security Net (myhack58)

ID MYHACK58:6220069511
Type myhack58
Reporter Anonymous
Modified 2006-06-02T00:00:00


First, the NAT/ALG approach

An ordinary NAT performs address translation by rewriting the address information in the IP and TCP/UDP packet headers. VoIP applications, however, also carry address information inside the TCP/UDP payload. In the ALG (Application Layer Gateway) approach, the VoIP terminal on the private network writes its private address into the payload, and as the packet passes through the NAT that payload address is rewritten to the NAT's external address as well.

This of course requires the ALG function to reside in the NAT/firewall device, which means the device itself must be intelligent enough to recognize the applications: it has to identify the IP voice and video protocols (H.323, SIP, MGCP/H.248) and control the NAT/firewall accordingly, and every time a new application is added the NAT/firewall must be upgraded.

Security also has to be compromised: because the ALG cannot recognize encrypted message content, the packets must be transmitted in plain text, which leaves them exposed to considerable risk while crossing the public network.

NAT/ALG is one of the simplest ways to support VoIP NAT traversal, but real networks already contain a large number of deployed NAT/FW devices that do not support this feature, so in practice the approach is hard to use.
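To make the difference between a plain NAT and a NAT with an ALG concrete, here is an added example (not code from the original article): a model of the two rewrites applied to a SIP INVITE whose SDP body carries the phone's private address. The packet layout, the `binding` table, the sample SDP and the address values are all constructed for the example; the only real-world structure is the SDP `c=`/`o=`/`m=` line syntax. The last function shows why the ALG needs plaintext: an opaque (encrypted) body cannot be inspected, so the private address in it would never be rewritten.

```python
import re

# Constructed sample: the SDP body of a SIP INVITE from a phone behind NAT.
# The phone only knows its private address, so that is what it writes into the body.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 4000 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def plain_nat(packet, binding):
    """What an ordinary NAT does: rewrite only the header source address.
    binding maps a private (ip, port) to the NAT's external (ip, port).
    The payload is passed through untouched."""
    out = dict(packet)
    out["src"] = binding[packet["src"]]
    return out


def alg_rewrite_sdp(sdp, private_ip, public_ip, port_map):
    """The extra work an ALG does: rewrite the private address the terminal
    embedded in the payload. port_map maps private media ports to the external
    ports the NAT reserved for them. Raises if the body is not plaintext SDP,
    which is exactly why an ALG cannot handle encrypted signalling."""
    if not sdp.startswith("v=0\r\n"):
        raise ValueError("payload is not inspectable SDP (encrypted or unknown)")
    rewritten = []
    for line in sdp.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(f"IP4 {private_ip}", f"IP4 {public_ip}")
        m = re.match(r"m=(\w+) (\d+) (.*)$", line)
        if m:
            media, port, rest = m.group(1), int(m.group(2)), m.group(3)
            if port not in port_map:
                raise KeyError(f"no NAT mapping for private media port {port}")
            line = f"m={media} {port_map[port]} {rest}"
        rewritten.append(line)
    return "\r\n".join(rewritten)


def nat_with_alg(packet, binding):
    """NAT plus ALG: header rewrite as before, then payload rewrite using the
    same bindings, so header and payload agree on the external address.
    (Assumes the ALG already reserved the media-port binding, as a real one must.)"""
    out = plain_nat(packet, binding)
    priv_ip, _ = packet["src"]
    pub_ip = out["src"][0]
    port_map = {p: binding[(ip, p)][1] for (ip, p) in binding if ip == priv_ip}
    out["payload"] = alg_rewrite_sdp(packet["payload"], priv_ip, pub_ip, port_map)
    return out


def payload_mentions(packet, ip):
    """True if the private address still leaks into the payload after translation."""
    return ip in packet["payload"]
```

Running `plain_nat` on the sample leaves `10.0.0.5` in the body, so the far end would try to send RTP to an unroutable address; `nat_with_alg` rewrites both `c=` and the `m=audio` port to the external values. Feeding an opaque body to `nat_with_alg` raises, which is the plaintext requirement the text describes.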

Second, the MIDCOM approach

Unlike NAT/ALG, the basic MIDCOM framework uses a trusted third party, the MIDCOM Agent, to control the Middlebox (the NAT/FW). Recognition of the VoIP protocols is not done by the Middlebox but by the external MIDCOM Agent, so the VoIP protocols are transparent to the Middlebox.

Because application-protocol recognition moves from the Middlebox to the external MIDCOM Agent, new services can be supported by upgrading the MIDCOM Agent alone, in line with the MIDCOM configuration and without changing the basic characteristics of the Middlebox. This is a considerable advantage over the NAT/ALG approach.

In practical VoIP deployments the Middlebox function may reside in the NAT/firewall, while the softswitch equipment acts as the MIDCOM Agent: it recognizes the IP voice and video protocols (H.323, SIP, MGCP/H.248) and controls the NAT/firewall so that VoIP applications can pass through it. In terms of security, the MIDCOM approach can support encryption of the control packets and of the media stream, so its security is relatively high.

If the softswitch already implements recognition of SIP/H.323/MGCP/H.248, then only the MIDCOM protocol needs to be added to the softswitch and the NAT/FW device, and any new application service is supported as soon as the softswitch supports it. This makes MIDCOM one of the more promising solutions, but it requires the existing NAT/FW devices to be upgraded to support the MIDCOM protocol. Given the large number of NAT/FW devices already deployed, that is also very difficult, the same problem the NAT/ALG approach has.

Third, the STUN approach

Another idea for solving the NAT traversal problem is for the VoIP terminal on the private network to learn its external address on the egress NAT in advance, through some mechanism, and then to write that external address, rather than its private IP address, into the address fields of the payload. The payload then needs no modification when it passes the NAT: the NAT translates the IP address in the packet header just as it does for any ordinary packet, and the address information in the payload is consistent with the address information in the header. The STUN protocol solves the application-layer address translation problem on the basis of this idea.

STUN stands for Simple Traversal of UDP Through Network Address Translators, i.e. a simple way for UDP to traverse NAT. The application's STUN client sends a STUN request message over UDP to a STUN server outside the NAT. On receiving the request, the STUN server generates a response that carries the source address and port of the request as it arrived, i.e. the STUN client's corresponding external address and port on the NAT. The response travels back through the NAT to the STUN client, which learns its NAT external address from the response body and fills it into the UDP payload of the subsequent call signalling, informing the peer that its RTP receiving address and port are the NAT's external address and port. Because the STUN exchange pre-establishes the NAT mapping entry for the media stream, the media stream passes through the NAT smoothly. The biggest advantage of STUN is that it requires no changes at all to existing NAT/FW devices. In practice a great many NAT/FW devices are already deployed that do not support VoIP applications; solving the problem with MIDCOM or NAT/ALG would mean replacing them, which is not easy, whereas STUN needs no changes to the NAT/FW. STUN also works in network environments with several NATs in series, whereas MIDCOM cannot effectively control multi-level NAT.

The limitations of STUN are that the VoIP terminals must support the STUN client function, and that STUN does not support traversal of TCP connections and therefore does not support H.323. In addition, STUN does not support firewall traversal and does not support symmetric NAT (in enterprise networks with high security requirements, the egress NAT is usually of the symmetric type).
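The request/response exchange described above, as an added example that is not part of the original article: both the client side and the server side of a STUN Binding transaction, using the original RFC 3489 message framing (2-byte type, 2-byte length, 16-byte transaction ID, and a MAPPED-ADDRESS attribute of type 0x0001 holding family, port and IPv4 address). No network is used; the NAT's effect is simulated by handing the server the source address it would observe, which is a constructed value. The point the code makes is the one the text makes: the server reports only what it saw on the wire, and the client trusts the answer only if the transaction ID matches its own request.

```python
import os
import socket
import struct

BINDING_REQUEST = 0x0001      # RFC 3489 Binding Request
BINDING_RESPONSE = 0x0101     # RFC 3489 Binding Response
ATTR_MAPPED_ADDRESS = 0x0001  # attribute carrying the address the server observed
FAMILY_IPV4 = 0x01


def build_binding_request(txid=None):
    """Client side: header with a random 16-byte transaction ID and no attributes."""
    txid = txid or os.urandom(16)
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid


def parse_header(msg):
    """Split a STUN message into (type, length, transaction id, attribute bytes)."""
    if len(msg) < 20:
        raise ValueError("message shorter than a STUN header")
    mtype, length = struct.unpack("!HH", msg[:4])
    return mtype, length, msg[4:20], msg[20:20 + length]


def server_handle(request, observed_src):
    """Server side. Nothing inside the request is trusted for the answer: the mapped
    address is simply the (ip, port) the UDP datagram arrived from, which for a
    client behind NAT is the NAT's external address. observed_src is constructed here
    to stand in for what recvfrom() would report on a real socket."""
    mtype, _, txid, _ = parse_header(request)
    if mtype != BINDING_REQUEST:
        raise ValueError("unexpected message type")
    ip, port = observed_src
    value = struct.pack("!xBH4s", FAMILY_IPV4, port, socket.inet_aton(ip))
    attr = struct.pack("!HH", ATTR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + txid + attr


def client_parse_response(response, expected_txid):
    """Client side: accept only a Binding Response for our own transaction, then
    walk the attributes (each padded to a 32-bit boundary) for MAPPED-ADDRESS."""
    mtype, _, txid, body = parse_header(response)
    if mtype != BINDING_RESPONSE or txid != expected_txid:
        raise ValueError("response does not match our request")
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        if atype == ATTR_MAPPED_ADDRESS:
            family, port, addr = struct.unpack("!xBH4s", val)
            if family != FAMILY_IPV4:
                raise ValueError("only IPv4 handled in this example")
            return socket.inet_ntoa(addr), port
        off += 4 + alen + (-alen % 4)
    raise ValueError("MAPPED-ADDRESS missing from response")


def discover_external_address(nat_external):
    """Run the whole exchange in-process. nat_external is the constructed address
    the NAT substitutes for the client's private source; the returned value is what
    the client would then write into its SDP as the RTP receiving address."""
    req = build_binding_request()
    txid = req[4:20]
    resp = server_handle(req, nat_external)
    return client_parse_response(resp, txid)
```

Note what this exchange cannot tell the client: the mapping it learns is the one the NAT created toward the STUN server. A symmetric NAT creates a different mapping for each destination, so the address learned here is not the one the media peer would have to use, which is the limitation the text lists.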

Fourth, the TURN approach

TURN's idea for solving the NAT problem is similar to STUN's: the VoIP terminal on the private network obtains a public address in advance through some mechanism and then writes that public IP address directly into the address fields of the packet payload. The difference is that with STUN the address obtained is the external address of the egress NAT, whereas with TURN it is a public address on the TURN server.

TURN stands for Traversal Using Relay NAT, i.e. traversing the NAT by way of a relay. In the TURN application model an address and port on the TURN server are assigned to the private-network VoIP terminal as its external receiving address and port, so all packets sent by the private-network terminal are relayed through the TURN server. Besides having the advantages of the STUN approach, this also overcomes STUN's inability to traverse symmetric NAT and similar firewall devices, and TURN supports TCP-based applications such as the H.323 protocol. In addition, because the TURN server controls the allocation of addresses and ports, it can allocate the RTP/RTCP addresses so that the RTCP port number is the RTP port number plus 1 when assigning a receiving address to the private-network user. This avoids a problem of the STUN approach, where the RTP/RTCP port numbers on the egress NAT are assigned arbitrarily, so that the client cannot receive the RTCP packets sent by the peer: by default the peer sends its RTCP packets to the RTP port number plus 1.

The limitations of TURN are that the VoIP terminal must support a TURN client, the same requirement on the terminal as with STUN, and that all packets must be forwarded through the TURN server, which increases packet delay and the likelihood of packet loss.
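To show why relaying succeeds where the STUN-learned address fails, and how the relay keeps RTP and RTCP on adjacent ports, here is an added example (not code from the original article) covering the symmetric-NAT limitation from the STUN section and the TURN relay model from this section. `SymmetricNat`, `TurnRelay`, the port numbers and all addresses are constructed models for the example, not a real NAT or a real TURN implementation; the relay's control port 3478 is the conventional STUN/TURN port and is an assumption here.

```python
import itertools


class SymmetricNat:
    """Constructed model of a symmetric NAT: a fresh external port for every
    (private source, public destination) pair, and inbound traffic is accepted
    only from the destination that created the binding."""

    def __init__(self, external_ip, first_port=40000):
        self.external_ip = external_ip
        self._ports = itertools.count(first_port)
        self.bindings = {}  # (priv_addr, dst_addr) -> external port

    def outbound(self, priv_addr, dst_addr):
        """Client sends to dst_addr: create or reuse the binding, return external addr."""
        key = (priv_addr, dst_addr)
        if key not in self.bindings:
            self.bindings[key] = next(self._ports)
        return (self.external_ip, self.bindings[key])

    def inbound(self, src_addr, ext_port):
        """Packet from src_addr to our ext_port: return the private address it is
        delivered to, or None if the symmetric NAT filters it."""
        for (priv, dst), port in self.bindings.items():
            if port == ext_port and dst == src_addr:
                return priv
        return None


class TurnRelay:
    """Constructed model of the relay: allocates an RTP/RTCP port pair on its own
    public address for each client and forwards peer traffic back through the
    binding the client itself opened toward the relay."""

    CONTROL_PORT = 3478  # assumed conventional port the client talks to

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self._next = first_port + (first_port % 2)  # RTP ports start even
        self.allocations = {}  # relay port -> client address as seen by the relay

    def control_addr(self):
        return (self.public_ip, self.CONTROL_PORT)

    def allocate(self, client_ext_addr):
        """Reserve RTP and RTCP = RTP + 1, which a NAT's arbitrary STUN mapping
        cannot promise; return both relay addresses."""
        rtp, rtcp = self._next, self._next + 1
        self._next += 2
        self.allocations[rtp] = client_ext_addr
        self.allocations[rtcp] = client_ext_addr
        return (self.public_ip, rtp), (self.public_ip, rtcp)

    def forward_to_client(self, relay_port):
        """Peer datagram arriving on a relay port: the relay sends it on, from its
        control address, to the client's NAT external address (None = not allocated)."""
        return self.allocations.get(relay_port)


def stun_learned_address_reaches_client(nat, client_priv, stun_server, peer):
    """STUN case: the client learns its binding toward the STUN server and hands
    that to the peer. Behind a symmetric NAT the peer's packets are filtered."""
    learned = nat.outbound(client_priv, stun_server)
    return nat.inbound(peer, learned[1]) is not None


def relayed_address_reaches_client(nat, client_priv, relay, peer):
    """TURN case: the client opens a binding toward the relay, the relay allocates a
    public pair, the peer sends to the relay, and the relay forwards through the
    binding the client created, so the symmetric NAT accepts it."""
    client_ext = nat.outbound(client_priv, relay.control_addr())
    (_, rtp_port), _ = relay.allocate(client_ext)
    target = relay.forward_to_client(rtp_port)  # the peer addressed the relay, not the NAT
    return target is not None and nat.inbound(relay.control_addr(), target[1]) == client_priv
```

The two predicate functions are the whole argument of this section in executable form: the same client, the same symmetric NAT and the same peer, with the STUN-learned address filtered and the relayed path delivered. The cost is also visible in the model: every media packet takes the extra hop through the relay, which is the delay and loss penalty the text notes.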