ITU-T Study Group 16 (Study Period 2005-2008)
Question 5/16 - Control of NAT and Firewall Traversal for H.300-Series Multimedia Systems
(New Question)
- Motivation
By its very definition, the Internet comprises an interconnected collection of public,
enterprise, and private IP networks. Increasingly, even large private networks share many
of these same characteristics with the Internet. H.323 systems rely on IP networks and are
often interconnected through firewalls or other types of remote access devices, which, in
addition to filtering traffic according to pre-administered or dynamic rules, often perform
some type of network address and/or port translation (NAT).
These types of firewall and NAT operations have proven problematic for H.323 multimedia protocols
that require the dynamic assignment and exchange of transport addresses for media and signalling.
Previous efforts to develop solutions to this collection of problems have resulted in inefficient
solutions (e.g., application level gateways), limited solutions (e.g., UDP tunnelling of IPSec), or
limited progress (e.g., midcom). Nevertheless, the need for robust solutions that will make the
deployment of H.323 multimedia communication easy for service providers, enterprises, and home users
has not abated, especially in light of increased security requirements and the increasing deployment
of H.323 multimedia applications.
This Question will not attempt to solve the more general problem of firewall and NAT traversal for all
applications – it is limited to a specific solution based on the specific characteristics of the H.300
series multimedia protocols.
- Study Items
- Service requirements for passage of H.323 signalling and media through firewalls, including access policy enforcement, inter-network policy enforcement, configurations, operations, and security;
- Architecture of communications devices and network(s) to support H.323 multimedia services, multimedia applications, and firewalls;
- Appropriate control protocol(s) that ensure security;
- Support of H.323 multimedia signalling and media transport protocols.
Firewall solutions will require close coordination with those Questions dealing with extensions to the address-transporting
protocols – Q.2/16 and Q.3/16 – and must also be consistent with interoperation with SIP.
H.323 security issue solutions will require mechanisms to be described in H.235 under the responsibility of Q.G/16.
- Tasks
Tasks include, but are not limited to:
- Define Requirements (3Q 2004).
- Develop Architecture Specification (1Q 2005):
  - Control Elements;
  - Firewalls;
  - Access policy;
  - Inter-network policy;
  - Gatekeepers, Gateways, SIP Proxies, SIP Registrars, and Endpoints;
  - Network Topologies;
  - Robustness.
- Define Protocols (1Q 2006):
  - Controller/Firewall Authentication;
  - Firewall and NAT Control;
  - Robustness.
An up-to-date status of work under this Question is contained in the
SG 16 Work Programme.
- Relationships
Recommendations:
- H.225.0, H.245, H.248, H.235, H.323, H.501.
Questions:
- 24(F), 25(G), 29(K), 1, 2, 3, 4/16.
Study Groups:
Other Bodies: