H.320 gateways a MEGACO / ITU

[Matt Holdrege]

Yes. Going back to my original point about IPsec, if you use AH then you
shouldn't need to do port-based filtering. If you don't use port-based
filtering and you don't need NAT, then you don't need proxies, right?

And I don't think anything in MEGACO (yet) uses dynamic ports anyway, right?


At 05:08 PM 3/31/99 -0800, Gary A. Thom wrote:
>This problem is independent of the type of encoding being used (PER or
text). The problem that
>you describe is related more to the use of dynamic ports which prevents
simple packet filtering.
>An h.323 proxy must parse the call signalling and H.245 messages to find
the dynamic ip
>address/port pair assignments. The h.323 proxy will be required whether
the encoding is asn.1 or
>text or anything else.
>
>Gary
>
>------------------------
>  From: Melinda Shore <shore at ITHACA-VIENNASYS.COM>
>  Subject: Re: H.320 gateways a MEGACO / ITU
>  Date: Wed, 31 Mar 1999 16:45:05 -0500
>  To: ITU-SG16 at MAILBAG.INTEL.COM
>
>
>> There's a problem in that it makes the signaling channel sufficiently
>> complicated to parse that you end up having to put a proxy, or something
>> that looks an awful lot like a proxy, on the firewall in order to
>> pick up dynamically-allocated address/port tuples.  This has somewhat
>> negative architectural implications in that in a multi-firewall
>> environment (which is, alas, the norm when traversing multiple
>> administrative domains) you end up with tandemed signaling loops.
>>
>> The short answer is that IP is supposed to be end-to-end
>> and that firewalls create a big disconnect between the IP network
>> and the IP telephony application-layer network.
>>
>> Melinda
>>
>
>------------------------------------------------------
>Name   : Gary A. Thom
>Company: Delta Information Systems, Inc.
>Address: 300 Welsh Rd., Bldg 3
>         Horsham, PA 19044 USA
>Phone  : +1-215-657-5270         Fax : +1-215-657-5273
>E-mail : gthom at delta-info.com
>------------------------------------------------------
>