ITU's Solution for Firewall and NAT Traversal

Wangchao other · Author unknown  2006-01-09

Original text at: http://www.itu.int/ITU-T/studygroups/com16/sg16-q5.html

Question 5/16 - Control of NAT and Firewall Traversal for H.300-Series Multimedia Systems

(New Question)

Motivation

By its very definition, the Internet comprises an interconnected collection of public, enterprise, and private IP networks. Increasingly, even large private networks share many of these same characteristics with the Internet. H.323 systems rely on IP networks and are often interconnected through firewalls or other types of remote access devices, which, in addition to filtering traffic according to pre-administered or dynamic rules, often perform some type of network address and/or port translation (NAT).

These types of firewall and NAT operations have proven problematic for H.323 multimedia protocols that require the dynamic assignment and exchange of transport addresses for media and signalling. Previous efforts to develop solutions to this collection of problems have resulted in inefficient solutions (e.g., application level gateways), limited solutions (e.g., UDP tunnelling of IPSec), or limited progress (e.g., midcom). Nevertheless, the need for robust solutions that will make the deployment of H.323 multimedia communication easy for service providers, enterprises, and home users has not abated, especially in light of increased security requirements and the increasing deployment of H.323 multimedia applications.

This Question will not attempt to solve the more general problem of firewall and NAT traversal for all applications – it is limited to a specific solution based on the specific characteristics of the H.300 series multimedia protocols.

Study Items

Service requirements for passage of H.323 signalling and media through firewalls, including access policy enforcement, inter-network policy enforcement, configurations, operations, and security;

Architecture of communications devices and network(s) to support H.323 multimedia services, multimedia applications, and firewalls;

Appropriate control protocol(s) that ensure security;

Support of H.323 multimedia signalling and media transport protocols.

Firewall solutions will require close coordination with those Questions dealing with extensions to the address-transporting protocols – Q.2/16 and Q.3/16 – and must be consistent with interoperating with SIP as well.

H.323 security issue solutions will require mechanisms to be described in H.235 under the responsibility of Q.G/16.

Tasks

Tasks include, but are not limited to:

- Define Requirements (3Q 2004).

- Develop Architecture Specification (1Q 2005):
  - Control Elements;
  - Firewalls;
  - Access policy;
  - Inter-network policy;
  - Gatekeepers, Gateways, SIP Proxies, SIP Registrars, and Endpoints;
  - Network Topologies;
  - Robustness.

- Define Protocols (1Q 2006):
  - Controller/Firewall Authentication;
  - Firewall and NAT Control;
  - Robustness.

An up-to-date status of work under this Question is contained in the SG 16 Work Programme.

Relationships

Recommendations:

H.225.0, H.245, H.248, H.235, H.323, H.501.

Questions:

24(F), 25(G), 29(K), 1, 2, 3, 4/16.

Study Groups:

ITU SGs 11, 13.

Other Bodies:

IETF;

ETSI TISPAN.
