
I'm going through the whitepaper by RADVISION on NAT/firewall traversal for H.323 endpoints. It is suggested there to use ITU-T H.460.18, 17 and 19.

460.17 is a very clear way for NAT traversal, but I'm not so clear about 460.18. Both present a clear solution for firewalls, but how is 460.18 a solution for NAT traversal?

Regards,

Vineet Menon

2 Answers


The problem with H.460.17 is that virtually no H.323 equipment supports it.

H.460.18 works nicely, even across vendors. It lets the endpoint behind the firewall poke a hole and then uses that hole for both directions of communication. It's rather simple when you read through the standards document. But beware that it is patented by Tandberg, so you have to get a (free) license before you can implement it.

You can look at the GNU Gatekeeper to see the details of how H.460.18 gets through the firewall.

Gene Vincent
  • I didn't want to compare 17 or 18. I just wanted to know how 18 solves the NAT problem, while prima facie it appears that it can only solve the firewall problem. – Vineet Menon Aug 11 '11 at 14:13
  • @Vineet: It also solves the NAT issue, using the same method. It lets the party behind the NAT open the pinhole and then the server sees which IP/port the UDP packets come from, or can use the established TCP connection directly. – Gene Vincent Aug 12 '11 at 09:34
  • Then does it mean that while dialling the number, you actually dial using the hidden internal IP?? – Vineet Menon Aug 12 '11 at 09:41
  • @Vineet: The endpoint dialing out isn't concerned with the internal IP and it probably has no way of knowing it. The call routing is done by the H.460.18 server (usually a gatekeeper) based on the name or number the user dialed. – Gene Vincent Aug 12 '11 at 14:05

H.460.18 works by opening pinholes when moving from one protocol/network connection to the next. H.323 works in the following classic way to connect a call:

  • RAS is used over UDP to register to the gatekeeper
  • Q.931 is used over TCP (usually) to initiate a call
  • H.245 is used to negotiate media capabilities and open media channels
  • RTP/RTCP is used to send actual media

Now, to be able to open up Q.931 and H.245, you need the endpoint to be listening on a TCP address for incoming connections. If the endpoint is behind a NAT, that will be impossible to achieve.

So H.460.18 adds special messages to get these TCP connections opened from the inside out (i.e. in reverse).

On RAS, when a new TCP connection needs to be opened for Q.931, a RAS SCI (ServiceControlIndication) message will be sent to the endpoint so that the endpoint will open up the TCP connection for Q.931 instead of just waiting to get an incoming connection.

On Q.931, when a new H.245 connection needs to be opened, it is already initiated today over Q.931; but now it will always be done from the endpoint behind the NAT to a public address.

To sum it up:

  • H.460.17 uses a single connection outbound from the endpoint to the gatekeeper and then just tunnels everything on top of it.
  • H.460.18 just opens up a new pinhole from one protocol to the next by having the endpoint behind a NAT do the connecting instead of doing the listening.
Tsahi Levent-Levi
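Both answers above make the same point: an endpoint behind a NAT cannot be reached by an unsolicited inbound TCP connection, but a connection it opens outward creates a mapping (the "pinhole") that the gatekeeper can then use in both directions. The following toy model is an added example, written for this page; it is not code from the question, the answers, or the GNU Gatekeeper project. It simulates a minimal NAT, a classic H.323 registration where the endpoint advertises its private call-signalling address, and the H.460.18 variant where the gatekeeper sends a RAS ServiceControlIndication back through the RAS pinhole and the endpoint connects outward for Q.931. All IP addresses, the NAT's port allocation, the ephemeral source port 50001, and the class and method names are constructed for the illustration; only the well-known ports 1719 (RAS) and 1720 (call signalling) are real.

```python
"""Toy model of why H.460.18's "connect outward instead of listen" traverses NAT.

Added example, not code from the question, the answers or any gatekeeper
project. All addresses, ports other than 1719/1720, and the NAT's port
allocation are constructed for illustration.
"""
from dataclasses import dataclass, field

GK_IP = "203.0.113.10"              # constructed public gatekeeper address
RAS_PORT, Q931_PORT = 1719, 1720    # well-known H.225 RAS (UDP) and call-signalling (TCP) ports


@dataclass
class Nat:
    """Minimal NAT: outbound traffic creates a mapping, inbound traffic is
    forwarded only through an existing mapping (the "pinhole")."""
    public_ip: str
    next_port: int = 40000
    mappings: dict = field(default_factory=dict)   # (priv_ip, priv_port, proto) -> public port

    def outbound(self, src, proto):
        """Endpoint sends outward: allocate (or reuse) a pinhole, return the public tuple."""
        key = (src[0], src[1], proto)
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        return (self.public_ip, self.mappings[key])

    def inbound(self, dst, proto):
        """Packet from the Internet: return the private tuple it maps to, or None if dropped."""
        if dst[0] != self.public_ip:
            return None                  # a private address is not routable from outside
        for (ip, port, p), pub in self.mappings.items():
            if p == proto and pub == dst[1]:
                return (ip, port)
        return None                      # no pinhole: unsolicited inbound is dropped


@dataclass
class Endpoint:
    alias: str
    private_ip: str
    nat: Nat
    supports_h460_18: bool = False


@dataclass
class Registration:
    signalled_q931: tuple   # call-signalling address the endpoint advertised in its RRQ
    observed_ras: tuple     # public source address the gatekeeper actually saw the RRQ from
    h460_18: bool


class Gatekeeper:
    def __init__(self):
        self.registrations = {}
        self.trace = []

    def register(self, ep):
        # The RRQ leaves through the NAT; the gatekeeper keeps both the advertised
        # (private) address and the observed public one. Only the latter is reachable.
        observed = ep.nat.outbound((ep.private_ip, RAS_PORT), "udp")
        self.registrations[ep.alias] = Registration(
            (ep.private_ip, Q931_PORT), observed, ep.supports_h460_18)
        self.trace.append(f"RRQ {ep.alias}: signalled {ep.private_ip}:{Q931_PORT}, observed {observed}")

    def setup_call(self, callee):
        """Try to establish the Q.931 TCP connection to callee. Returns True on success."""
        reg, nat = self.registrations[callee.alias], callee.nat
        if not reg.h460_18:
            # Classic H.323: the caller/gatekeeper opens TCP to the advertised listener.
            hit = nat.inbound(reg.signalled_q931, "tcp")
            self.trace.append(f"classic SETUP to {reg.signalled_q931}: {'delivered' if hit else 'dropped'}")
            return hit is not None
        # H.460.18: a RAS ServiceControlIndication goes back through the UDP
        # pinhole that the RRQ created, asking the endpoint to connect outward.
        if nat.inbound(reg.observed_ras, "udp") is None:
            self.trace.append("SCI dropped: RAS pinhole expired")
            return False
        # The endpoint opens TCP to the gatekeeper's call-signalling port; that
        # outbound flow creates a TCP pinhole the gatekeeper can use in both directions.
        public_src = nat.outbound((callee.private_ip, 50001), "tcp")   # 50001: constructed ephemeral port
        both_ways = nat.inbound(public_src, "tcp") is not None
        self.trace.append(f"SCI via {reg.observed_ras}; Q.931 from {public_src} -> {GK_IP}:{Q931_PORT}, reverse ok={both_ways}")
        return both_ways


def demo():
    """Register one classic and one H.460.18 endpoint behind the same NAT and call both."""
    nat = Nat("198.51.100.7")                      # constructed public NAT address
    classic = Endpoint("alice", "10.0.0.5", nat)
    h46018 = Endpoint("bob", "10.0.0.6", nat, supports_h460_18=True)
    gk = Gatekeeper()
    gk.register(classic)
    gk.register(h46018)
    return {"classic": gk.setup_call(classic), "h460_18": gk.setup_call(h46018), "trace": gk.trace}


if __name__ == "__main__":
    for line in demo()["trace"]:
        print(line)
```

Running `demo()` shows the classic SETUP dropped (the advertised 10.0.0.x address is not routable, and even the NAT's public address has no TCP mapping for port 1720) while the H.460.18 call succeeds because the SCI rides the existing RAS pinhole and the endpoint's outbound Q.931 connection leaves a TCP mapping that works for traffic from the gatekeeper as well. The same outward-first rule is what lets the gatekeeper learn the public IP/port of the endpoint's media, as the comment about UDP source addresses describes.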