With the rapid development of the Internet, online multimedia communication applications such as Web conferencing and VoIP have spread quickly. As these technologies are deployed at scale, they come into conflict with some existing network entities, namely the ones that restrict which packets may pass through: firewalls and network address translators.
1. H.323 overview
Web conferencing and Internet telephony software in common use today is built on the H.323 protocol suite developed by the International Telecommunication Union (ITU-T), which includes H.225, H.245, Q.931 and others. The IETF has also developed SIP (Session Initiation Protocol), which uses text-based commands similar to HTTP; the protocol is comparatively simple and is the likely future direction for Internet telephony and instant messaging. H.323 appeared earlier, however, and a number of commercial applications build on it: Microsoft's NetMeeting uses the more mature H.323, and Chinese telecom operators also use the H.323 protocol to implement IP telephony. H.323 and SIP will therefore coexist for a long time.
The H.323 standard defines a set of protocols for flexible, real-time, interactive multimedia communication over packet-based networks. It lets personal computers transmit audio, video and data over packet-switched networks (the Internet and intranets) and circuit-switched networks.
An H.323 network consists of terminals, gateways, gatekeepers and multipoint control units (MCUs).
The gatekeeper monitors all H.323 calls within its zone on the LAN and provides two main services: call admission and address resolution. Every H.323 client in the zone must obtain the gatekeeper's assistance to start a call, and the gatekeeper can also decide whether the currently available bandwidth permits the client to place the call.
The gateway provides interoperation between heterogeneous networks; for example, between a packet-switched network and the telephone network a gateway must perform protocol and data conversion.
The MCU (Multipoint Control Unit) provides multi-party multimedia conferencing. It coordinates the media and communication capabilities of all participants and provides audio mixing and video selection for the endpoints (functions the endpoints cannot perform themselves).
The following example illustrates the communication process of a point-to-point H.323 call. Alice and Bob are the two endpoints of the H.323 session; Alice is outside the firewall and Bob is inside it.
First, Alice establishes a connection to Bob's well-known H.323 port 1720. Bob and Alice then exchange Q.931 packets over this connection; during this exchange Bob sends Alice a dynamically chosen port to be used for establishing the H.245 connection (the H.245 Address in the CONNECT packet in the figure).
The caller then connects to the temporary port negotiated in the Q.931 stream to establish the H.245 connection. H.245 negotiates all call parameters, such as the encoding and decoding algorithms to use. Once these parameters have been negotiated, the H.245 session starts the OpenLogicalChannel procedure, which, for a particular media stream (audio or video, for example), carries the sender's address and port for RTP and RTCP transmission (the RTP and RTCP Address in OpenLogicalChannel and OpenLogicalChannelAck in the figure). The media streams can then be transferred between the two endpoints until the session ends.
2. Difficulties of passing H.323 through firewalls
1. Use of many dynamic ports
A firewall can restrict the type and flow of packets entering the network (the restriction may be based on simple rules such as source IP address, destination IP address or port number). For the H.323 protocol, ports 1718 or 1719 (the RAS port used for messages sent to the gatekeeper) and 1720 (the port used for call signalling messages) must be opened. This setting alone does not solve the problem of passing H.323 applications through the firewall, because the media streams are carried by RTP, and the source and destination ports required for that transfer are determined dynamically: they may be any port above 1024. Letting the H.323 data stream through the firewall would therefore require firewall rules that open every port above 1024, which is obviously very unsafe.
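To make the port problem concrete, the following added example (not code from the original article) replays the inbound flows of the call described above against two firewall policies: a stateless rule set that opens only the fixed H.323 ports, and a signalling-aware firewall that opens pinholes only for the ports it has seen announced in the Q.931 CONNECT and H.245 OpenLogicalChannel exchange, which is what an H.323 application-level gateway does. All addresses, port numbers and the `Flow`, `SignallingAwareFirewall`, `check_static` and `check_signalling_aware` names are constructed for the example.

```python
"""Port pattern of an H.323 call versus two firewall policies.

Added example, not code from the original article. The flow sequence is built
from the call description in the text: Q.931 on TCP 1720, then H.245 on a
dynamically chosen TCP port announced in the Q.931 CONNECT, then RTP/RTCP on
dynamically chosen UDP ports announced in OpenLogicalChannel/Ack. All IP
addresses and port numbers are constructed sample values.
"""
from dataclasses import dataclass

ALICE = "203.0.113.10"                  # caller, outside Bob's firewall (constructed)
BOB = "198.51.100.20"                   # callee, behind the firewall (constructed)
H323_STATIC_PORTS = {1718, 1719, 1720}  # RAS and call-signalling ports named in the text


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    stage: str


def h323_call_flows(h245_port: int, rtp_port: int) -> list:
    """Inbound flows that reach Bob's firewall during one call, in order."""
    return [
        Flow("tcp", ALICE, 50000, BOB, 1720, "Q.931"),
        Flow("tcp", ALICE, 50001, BOB, h245_port, "H.245"),
        Flow("udp", ALICE, 40000, BOB, rtp_port, "RTP"),
        Flow("udp", ALICE, 40001, BOB, rtp_port + 1, "RTCP"),
    ]


def static_allows(flow: Flow) -> bool:
    """Stateless rule: only the fixed H.323 ports are open inbound to Bob."""
    return flow.dst == BOB and flow.dport in H323_STATIC_PORTS


class SignallingAwareFirewall:
    """Opens pinholes only for ports it has seen announced in signalling it
    already let through (the behaviour of an H.323 application-level gateway)."""

    def __init__(self):
        self.pinholes = {("tcp", 1720)}

    def learn(self, proto: str, port: int) -> None:
        self.pinholes.add((proto, port))

    def allows(self, flow: Flow) -> bool:
        return flow.dst == BOB and (flow.proto, flow.dport) in self.pinholes


def check_static(h245_port: int = 12345, rtp_port: int = 30002) -> dict:
    """Stage -> allowed? under the static policy."""
    return {f.stage: static_allows(f) for f in h323_call_flows(h245_port, rtp_port)}


def check_signalling_aware(h245_port: int = 12345, rtp_port: int = 30002) -> dict:
    """Stage -> allowed? when pinholes are learned from the inspected signalling."""
    fw = SignallingAwareFirewall()
    verdicts = {}
    for f in h323_call_flows(h245_port, rtp_port):
        verdicts[f.stage] = fw.allows(f)
        if not verdicts[f.stage]:
            continue                    # a dropped flow carries no signalling to learn from
        if f.stage == "Q.931":          # CONNECT carried the H.245 address
            fw.learn("tcp", h245_port)
        elif f.stage == "H.245":        # OpenLogicalChannel(Ack) carried RTP/RTCP addresses
            fw.learn("udp", rtp_port)
            fw.learn("udp", rtp_port + 1)
    return verdicts


if __name__ == "__main__":
    print("static policy:          ", check_static())
    print("signalling-aware policy:", check_signalling_aware())
```

Under the static policy only the Q.931 flow gets through, so the call never reaches the media stage; the signalling-aware firewall admits all four flows while keeping every other port above 1024 closed. Note that the second design only works because the firewall can read the addresses inside the signalling, which is exactly what NAT and ASN.1 encoding, discussed below, make harder.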
2. Firewalls and network address translation
In addition, with the rapid expansion of the Internet, the IPv4 address space is seriously close to exhaustion. Network Address Translation (NAT) can address this problem. Network address translation is divided into traditional network address translation and network address port translation.
Traditional network address translation converts addresses as they pass through the firewall, allowing an organisation to use private addresses within a certain range for internal communication while drawing on a small pool of public IP addresses for communication with the outside.
The other form is network address and port translation, which converts internal addresses to one or more external addresses and then uses the port number to distinguish the connections.
The NAT gateway is placed on the boundary between two networks. Its function is to map the IP addresses visible outside the network to the addresses used inside it, so that every protected network can reuse IP addresses from a specific range (192.168.x.x) that are not used on the public network. A packet arriving from outside with public-network address information first reaches the NAT, which modifies the packet according to its configured rules (the rules match on the tuple of source address, source port, destination address, destination port and protocol) and then forwards it to the receiving host inside the network. Packets flowing out of the internal network must pass through the same conversion.
From a security standpoint NAT provides a means of hiding the topology of the internal network from the outside, but it causes enormous trouble for H.323 applications. Protocol messages usually embed IP addresses and port numbers in specific fields of the packet rather than in the IP header, so if only NAT is applied, the IP addresses and port numbers inside the protocol no longer point to the right place and normal communication becomes impossible.
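The following added example (not code from the original article) shows the failure described above with a small NAPT table: after header-only translation the packet leaves with the gateway's public address, but the media address announced in the payload still names the private host, so the remote endpoint cannot reach it. The `translate_with_alg` method shows the fix an application-level gateway applies: it maps the embedded private address and port through the same table. The payload is a constructed text stand-in for an H.245 OpenLogicalChannelAck (real messages are ASN.1-encoded), and the `Napt`, `Packet` and `leaked_private_addresses` names and all addresses are assumptions made for the example.

```python
"""Why plain NAPT breaks a protocol that carries IP:port inside its payload.

Added example, not code from the original article. A small NAPT table rewrites
the IP/port header of outbound packets; the payload is a constructed text
stand-in for the transport address an H.245 OpenLogicalChannelAck would carry
(real messages are ASN.1-encoded, not text). Addresses are sample values:
RFC 1918 inside, TEST-NET outside.
"""
import re
from dataclasses import dataclass

PUBLIC_IP = "203.0.113.1"                      # NAT's outside address (constructed)
ADDR_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: str


def is_private(ip: str) -> bool:
    """RFC 1918 check (10/8, 172.16/12, 192.168/16), enough for this example."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a == 10 or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


class Napt:
    """Network address port translation: all inside hosts share one public IP."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}                        # (private_ip, private_port) -> public_port

    def map(self, ip: str, port: int) -> int:
        key = (ip, port)
        if key not in self.table:              # allocate a fresh outside port
            self.table[key] = self.next_port
            self.next_port += 1
        return self.table[key]

    def translate_header(self, pkt: Packet) -> Packet:
        """What NAT alone does: rewrite only the IP/port header."""
        return Packet(self.public_ip, self.map(pkt.src, pkt.sport),
                      pkt.dst, pkt.dport, pkt.payload)

    def translate_with_alg(self, pkt: Packet) -> Packet:
        """NAT plus an application-level gateway that also fixes embedded addresses."""
        out = self.translate_header(pkt)

        def fix(m):
            ip, port = m.group(1), int(m.group(2))
            if not is_private(ip):             # leave public addresses untouched
                return m.group(0)
            return f"{self.public_ip}:{self.map(ip, port)}"

        out.payload = ADDR_RE.sub(fix, pkt.payload)
        return out


def leaked_private_addresses(pkt: Packet) -> list:
    """Private IP:port pairs still visible in the payload after translation."""
    return [(ip, int(p)) for ip, p in ADDR_RE.findall(pkt.payload) if is_private(ip)]


def demo() -> tuple:
    """Returns (header-only result, ALG result) for Bob's media-address announcement."""
    bob = Packet("192.168.1.20", 1720, "203.0.113.10", 50000,
                 "OpenLogicalChannelAck mediaChannel=192.168.1.20:30002 "
                 "mediaControlChannel=192.168.1.20:30003")
    nat = Napt(PUBLIC_IP)
    return nat.translate_header(bob), nat.translate_with_alg(bob)


if __name__ == "__main__":
    header_only, with_alg = demo()
    print("header only :", header_only)
    print("leaked      :", leaked_private_addresses(header_only))
    print("with ALG    :", with_alg)
```

Because the ALG allocates the RTP and RTCP mappings when it rewrites the payload, the NAT table already contains entries for 30002 and 30003 by the time Alice's media packets arrive, so inbound media can be forwarded to Bob; header-only NAT has no such entries and the media is lost.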
3. ASN.1 encoding
Most of the control information in H.323 is encoded with ASN.1, a very complex encoding. The same version of the same application, for the same purpose, may use different options in different connections, so the same member may sit at a different offset in the data stream. To extract useful information, ASN.1-encoded packets must be decoded carefully.
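The offset problem is illustrated by the following added example (not code from the original article). It builds two BER encodings of a toy "transport address" structure, one with an OPTIONAL hostname and one without, and compares a parser that walks the tag-length-value structure with one that reads the port from a fixed byte offset. H.225 and H.245 actually use ASN.1 PER, which has no per-field tags, so the real decoding is harder still; the lesson is the same. The toy schema, the sample messages and the `encode_tlv`, `read_tlv`, `transport_address` and `naive_port` names are assumptions made for the example.

```python
"""Locate a field in an ASN.1 BER structure by walking it, not by byte offset.

Added example, not code from the original article. H.225 and H.245 messages are
actually encoded with ASN.1 PER, which has no per-field tags; this BER version
shows the simpler form of the same problem: an OPTIONAL element that is present
in one message and absent in another shifts every later field, so a parser that
reads fixed offsets returns garbage. The toy "transport address" schema and both
sample messages are constructed for this example.
"""

TAG_SEQUENCE = 0x30        # constructed SEQUENCE
TAG_IA5STRING = 0x16       # hostname, OPTIONAL in the toy schema
TAG_OCTET_STRING = 0x04    # IPv4 address, 4 octets
TAG_INTEGER = 0x02         # port (kept below 32768 so the sign bit stays clear)


def encode_tlv(tag: int, value: bytes) -> bytes:
    """BER definite-length TLV (short form below 128 bytes, long form above)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos, bounds-checked. Returns (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-octet tags not handled in this example")
    if length & 0x80:                  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:end], end


def elements(constructed: bytes):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(constructed):
        tag, value, pos = read_tlv(constructed, pos)
        yield tag, value


def transport_address(msg: bytes) -> tuple:
    """Decode (ip, port) from the toy SEQUENCE, regardless of the optional field."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("expected SEQUENCE")
    ip = port = None
    for tag, value in elements(body):
        if tag == TAG_OCTET_STRING and len(value) == 4:
            ip = ".".join(str(b) for b in value)
        elif tag == TAG_INTEGER:
            port = int.from_bytes(value, "big", signed=True)
    if ip is None or port is None:
        raise ValueError("address or port missing")
    return ip, port


def naive_port(msg: bytes) -> int:
    """The fixed-offset shortcut: assumes the port's two value bytes always sit at 10..11."""
    return int.from_bytes(msg[10:12], "big")


def build_message(ip: str, port: int, hostname: str = None) -> bytes:
    parts = b""
    if hostname is not None:           # OPTIONAL element present
        parts += encode_tlv(TAG_IA5STRING, hostname.encode("ascii"))
    parts += encode_tlv(TAG_OCTET_STRING, bytes(int(x) for x in ip.split(".")))
    parts += encode_tlv(TAG_INTEGER, port.to_bytes(2, "big"))
    return encode_tlv(TAG_SEQUENCE, parts)


MSG_PLAIN = build_message("192.168.1.20", 1720)             # constructed sample
MSG_WITH_HOST = build_message("192.168.1.20", 1720, "bob")  # same fields, optional present

if __name__ == "__main__":
    for msg in (MSG_PLAIN, MSG_WITH_HOST):
        print(msg.hex(), "walked:", transport_address(msg), "fixed offset:", naive_port(msg))
```

Both messages carry the same address and port, and the structure-walking parser returns 1720 for both; the fixed-offset parser is right only for the message without the hostname and otherwise returns two bytes of the IP address. A firewall or ALG that has to pull addresses out of H.323 signalling must therefore carry a real decoder, with the bounds checks shown in `read_tlv`, rather than pattern-matching on offsets.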