Transcript PPT Version

H.323 NAT Traversal
Problem particular to H.323 (RAS -> Q.931 -> H.245):
RAS messages from the private network to the public network can pass through the NAT.
Q.931 and H.245 use TCP. If Q.931 is initiated from the public network (for
example from the GK), a TCP connection cannot be initiated from outside to a
terminal inside the private network.
[Figure: TCP three-way handshake (SYN, SYN+ACK, ACK) between A and B. TCP uses a
three-way handshake, so the connection has a direction: a TCP SYN packet sent by a
TE in the public network cannot pass the NAT device to reach a TE in the private
network.]
Principle of UDP Enhanced Tunnel
[Figure: TE with xTC in the private network, NAT at the border, xTS in the public
network; a tunnel runs between xTC and xTS, and the server sits behind xTS.]
xTC - traversal Tunnel Client
xTS - traversal Tunnel Server
Signaling and media streams share the same tunnel between xTC and xTS.
UDP enhanced Tunnel Mechanism
Original packet:
  IP | TCP/UDP | Data
UTH encapsulated packet:
  IP | UTH (standard UDP header | Orig-protocol | other-fields) | TCP/UDP | Data
The UDP enhanced Tunnel Header (UTH) is comprised of three parts:
a UDP header (standard RFC 768 header);
a protocol field (holds the protocol field of the original IP header);
other-fields (reserved for extension).
Different from RFC3948
RFC3948 packet:
  IP | UDP | ESP header | TCP/UDP | Data
UTH encapsulated packet:
  IP | UTH (standard UDP header | Orig-protocol | other-fields) | TCP/UDP | Data
RFC3948 is specific to IPsec ESP packets.
UTH can be used for more general aims.
xTC behavior
Encapsulate:
Insert a UDP enhanced tunnel header.
Modify the IP header: the related fields of the new IP header are edited to
match the resulting IP packet. The destination should be an IP address of the
xTS.
Because the IP header is modified, xTC records a map entry so that it can
correctly process the packets sent back from xTS.
The resulting packet is forwarded to xTS.
xTC behavior
Decapsulate:
The UTH header is removed from the packet.
The IP header is modified: the related fields in the new IP header are
edited to match the resulting IP packet. In this step the map entry recorded
earlier is used to aid the process.
The resulting packet is forwarded to the real destination.
xTS behavior
Decapsulate:
The UTH header is removed from the packet.
Do the ALG processing if needed.
The IP header is modified: the related fields in the new IP header are
edited to match the resulting IP packet.
The resulting packet is forwarded to the real destination.
xTS behavior
Encapsulate:
A properly formatted UDP enhanced tunnel header (UTH header) is inserted.
Do the ALG processing if needed.
Modify the IP header: the related fields in the new IP header are edited to
match the resulting IP packet. To accomplish this, the map entry recorded in
the previous procedure should be used.
The resulting packet is forwarded to xTC.
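The xTC encapsulate and decapsulate steps above, as an added example that is not from the original presentation. It assumes a UTH layout the slides do not specify (the 8-byte UDP header, a 1-byte Orig-protocol field and 3 reserved other-fields bytes), a fixed tunnel port, and a map entry keyed on the original protocol, the terminal address and its transport port; all packets are constructed.

```python
import socket
import struct

# Assumed UTH layout (the slides give no field widths): the 8-byte RFC 768
# UDP header, one byte holding the original IP protocol number, and three
# reserved "other-fields" bytes, 12 bytes in all. UDP checksum is left 0.
UTH_FMT = "!HHHHB3s"
UTH_LEN = struct.calcsize(UTH_FMT)
IPPROTO_UDP = 17

def ip_checksum(hdr):
    """RFC 791 one's-complement checksum over an IPv4 header (0 if valid)."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    """Return (src, dst, protocol, transport segment) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])

class TunnelClient:
    """xTC: rewrites the IP header, inserts/removes the UTH, keeps map entries."""
    def __init__(self, xts_ip, tunnel_port):
        self.xts_ip, self.port, self.flows = xts_ip, tunnel_port, {}

    def encapsulate(self, pkt):
        te_ip, real_dst, proto, seg = parse_ipv4(pkt)
        local_port = struct.unpack("!H", seg[:2])[0]  # TCP/UDP source port
        self.flows[(proto, te_ip, local_port)] = real_dst  # map entry for return path
        uth = struct.pack(UTH_FMT, self.port, self.port, UTH_LEN + len(seg), 0,
                          proto, b"\0" * 3)
        return build_ipv4(te_ip, self.xts_ip, IPPROTO_UDP, uth + seg)

    def decapsulate(self, pkt):
        src, te_ip, proto, payload = parse_ipv4(pkt)
        if src != self.xts_ip or proto != IPPROTO_UDP:
            raise ValueError("not a tunnel packet from xTS")
        orig_proto = struct.unpack(UTH_FMT, payload[:UTH_LEN])[4]
        seg = payload[UTH_LEN:]
        local_port = struct.unpack("!H", seg[2:4])[0]  # TCP/UDP destination port
        real_src = self.flows[(orig_proto, te_ip, local_port)]  # restore real peer
        return build_ipv4(real_src, te_ip, orig_proto, seg)
```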
How to use - Tunnel and Proxy (1)
Tunnel client integrated with Proxy:
- A dedicated proxy is deployed in the private network;
- The tunnel is established between the internal proxy and the external proxy;
- Terminals do not require modifications;
- No public IP address is consumed by the proxy.
[Figure: TE1, TE2 ... TEn and a Proxy with xTC in the private network, NAT at the
border, xTS Proxy and server in the public network; one tunnel between the Proxy
xTC and the xTS Proxy.]
How to use - Tunnel and Proxy (2)
Tunnel client integrated within the terminal:
- No additional device is needed;
- Tunnels are established between the terminals and the proxy;
- Terminals require modifications;
- No public IP address is consumed by the terminals.
[Figure: several TEs, each with its own xTC, in the private network, NAT at the
border, xTS Proxy and server in the public network; a tunnel from each TE xTC to
the xTS Proxy.]