Yes. Going back to my original point about IPsec, if you use AH then you shouldn't need to do port-based filtering. If you don't use port-based filtering and you don't need NAT, then you don't need proxies, right?
And I don't think anything in MEGACO (yet) uses dynamic ports anyway, right?
At 05:08 PM 3/31/99 -0800, Gary A. Thom wrote:
This problem is independent of the type of encoding being used (PER or text). The problem that you describe is related more to the use of dynamic ports, which prevents simple packet filtering.
An H.323 proxy must parse the call signalling and H.245 messages to find the dynamic IP address/port pair assignments. The H.323 proxy will be required whether the encoding is ASN.1 or text or anything else.
Gary
From: Melinda Shore shore@ITHACA-VIENNASYS.COM
Subject: Re: H.320 gateways a MEGACO / ITU
Date: Wed, 31 Mar 1999 16:45:05 -0500
To: ITU-SG16@MAILBAG.INTEL.COM
There's a problem in that it makes the signaling channel sufficiently complicated to parse that you end up having to put a proxy, or something that looks an awful lot like a proxy, on the firewall in order to pick up dynamically-allocated address/port tuples. This has somewhat negative architectural implications in that in a multi-firewall environment (which is, alas, the norm when traversing multiple administrative domains) you end up with tandemed signaling loops.
The short answer is that IP is supposed to be end-to-end and that firewalls create a big disconnect between the IP network and the IP telephony application-layer network.
Melinda
Name : Gary A. Thom
Company: Delta Information Systems, Inc.
Address: 300 Welsh Rd., Bldg 3 Horsham, PA 19044 USA
Phone : +1-215-657-5270
Fax : +1-215-657-5273
E-mail : gthom@delta-info.com
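The point argued in this thread, that dynamically assigned ports defeat simple packet filtering unless something on the firewall reads the signalling, shown as an added example that is not part of the original messages. The `OPEN`/`CLOSE` text lines, the class and function names, and the addresses are constructed for illustration and stand in for the address/port assignments that real call signalling carries in its own encoding.

```python
from dataclasses import dataclass, field

SIGNALLING_PORT = 1720  # well-known H.323 call-signalling port (TCP)

@dataclass(frozen=True)
class Packet:
    proto: str
    dst: str
    dport: int
    payload: str = ""

@dataclass
class SignallingAwareFilter:
    inspect: bool = True                          # False = static port filter only
    pinholes: dict = field(default_factory=dict)  # (proto, dst, dport) -> call id

    def _learn(self, payload):
        # Constructed signalling: "OPEN <call> <addr>:<port>" / "CLOSE <call>"
        for line in payload.splitlines():
            parts = line.split()
            if len(parts) == 3 and parts[0] == "OPEN":
                addr, _, port = parts[2].rpartition(":")
                # Only accept a well-formed, unprivileged port as a pinhole.
                if addr and port.isdigit() and 1024 <= int(port) <= 65535:
                    self.pinholes[("udp", addr, int(port))] = parts[1]
            elif len(parts) == 2 and parts[0] == "CLOSE":
                # Call released: remove every pinhole opened for it.
                self.pinholes = {k: c for k, c in self.pinholes.items()
                                 if c != parts[1]}

    def allow(self, pkt):
        # The one static rule: the signalling channel itself is permitted.
        if pkt.proto == "tcp" and pkt.dport == SIGNALLING_PORT:
            if self.inspect:
                self._learn(pkt.payload)
            return True
        # Everything else passes only through a pinhole learned from signalling.
        return (pkt.proto, pkt.dst, pkt.dport) in self.pinholes

def run(inspect):
    """Replay a constructed call through the filter; return per-packet verdicts."""
    fw = SignallingAwareFilter(inspect=inspect)
    trace = [
        Packet("tcp", "192.0.2.10", SIGNALLING_PORT, "OPEN call-1 192.0.2.10:49170"),
        Packet("udp", "192.0.2.10", 49170),   # media on the announced port
        Packet("udp", "192.0.2.10", 49172),   # port never announced
        Packet("tcp", "192.0.2.10", SIGNALLING_PORT, "CLOSE call-1"),
        Packet("udp", "192.0.2.10", 49170),   # media after the call was released
    ]
    return [fw.allow(p) for p in trace]
```

With `inspect=False` the media packet on the announced port is dropped, which is the failure of simple packet filtering described above; with `inspect=True` it passes only while the call is open.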