understanding-SIP.pdf

Network Address Translation

243

have behavior to ensure that old mappings are expired and all resources freed up into the pool.

TCP mappings can be created and removed based on TCP signaling. For example, the exchange of SYN messages tells the NAT to create a new mapping for the connection. The exchange of FIN messages tells the NAT the connection is no longer needed, so it can be safely closed and the mapping state discarded. UDP, however, has no such signaling, so the NAT must infer the creation and destruction of a UDP session. Usually, this is done using an inactivity timer. If no packet is received before this timer expires, the connection is considered terminated and the mapping removed. The recommended value is 5 minutes [6], although in practice some NATs use values as short as 30 seconds. Theoretically, a packet from either the inside or the outside host can refresh the mapping, although it is usually a good security policy to allow only packets generated internally to refresh the mapping. Otherwise, an outside host could keep the mapping alive by sending refresh packets even after the inside host wants the connection closed.

10.5.8 Filtering Modes

By their basic function, NATs provide filtering. If a mapping between an external address and an internal address is not present, packets cannot be sent to that internal host. When a mapping is active, the NAT has options on what additional filtering it can provide. Essentially, these filtering rules control who is permitted to use the mapping. One filtering mode is known as endpoint independent filtering. In this mode, any external endpoint is permitted to send packets to the internal host once the mapping is created. Another mode is called address dependent filtering. This mode allows only external hosts that have received a packet from the internal host to send a packet using the binding. A single packet sent to the external host “opens the latch” and will allow any number of packets to flow in the opposite direction. This filtering mode provides some firewall-like security. Another mode is called address and port dependent filtering. This mode only allows an external endpoint to send packets from the same external IP address and port to which the internal host has sent a packet. Endpoint independent filtering is best for SIP and RTP, while address dependent and address and port dependent filtering make SIP and RTP traversal difficult. This information is summarized in Table 10.2.

Table 10.2 NAT Filtering Mode Summary

Endpoint independent filtering

Address dependent filtering

Address and port dependent filtering
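The following is an added example, not code from the book, that models the two behaviours described in this section: the UDP inactivity timer with its refresh policy, and the three filtering modes of Table 10.2. The NAT model, its class and method names, the 5-minute default, and the addresses (documentation ranges 10.0.0.5, 198.51.100.1, 203.0.113.7, 192.0.2.9) are all constructed for illustration.

```python
"""Toy model of a NAT's UDP mapping table (constructed example, not the book's code).

It shows (1) how the inactivity timer expires a mapping and why only inside-
originated packets should refresh it, and (2) which outside senders each of the
three filtering modes lets through once the inside host "opens the latch".
"""
from dataclasses import dataclass, field
from enum import Enum


class Filtering(Enum):
    ENDPOINT_INDEPENDENT = "endpoint independent"
    ADDRESS_DEPENDENT = "address dependent"
    ADDRESS_AND_PORT_DEPENDENT = "address and port dependent"


@dataclass
class Mapping:
    internal: tuple                           # (private ip, port) of the inside host
    external: tuple                           # (public ip, port) allocated on the NAT
    last_refresh: float                       # time of the last packet allowed to refresh
    peers: set = field(default_factory=set)   # outside endpoints the inside host sent to


class UdpNat:
    """Hypothetical NAT: mapping table + inactivity timer + filtering policy."""

    def __init__(self, public_ip, filtering, idle_timeout=300.0,
                 outside_refreshes=False, first_port=40000):
        self.public_ip = public_ip
        self.filtering = filtering
        self.idle_timeout = idle_timeout            # text's recommended value: 5 minutes
        self.outside_refreshes = outside_refreshes  # True = the weak policy the text warns about
        self.next_port = first_port
        self.by_internal = {}   # internal endpoint -> Mapping
        self.by_external = {}   # external endpoint -> Mapping

    def _expire(self, now):
        """Remove every mapping whose inactivity timer has run out."""
        for internal, m in list(self.by_internal.items()):
            if now - m.last_refresh >= self.idle_timeout:
                del self.by_internal[internal]
                del self.by_external[m.external]

    def outbound(self, internal, peer, now):
        """Inside host sends to an outside peer; returns the external endpoint used."""
        self._expire(now)
        m = self.by_internal.get(internal)
        if m is None:                         # first packet creates the mapping
            m = Mapping(internal, (self.public_ip, self.next_port), now)
            self.next_port += 1
            self.by_internal[internal] = m
            self.by_external[m.external] = m
        m.last_refresh = now                  # inside-originated traffic always refreshes
        m.peers.add(peer)                     # "opens the latch" for this peer
        return m.external

    def inbound(self, src, dst, now):
        """Outside `src` sends to NAT endpoint `dst`; returns the inside endpoint or None if filtered."""
        self._expire(now)
        m = self.by_external.get(dst)
        if m is None:
            return None                       # no mapping: dropped by default
        if self.filtering is Filtering.ADDRESS_DEPENDENT:
            if src[0] not in {p[0] for p in m.peers}:   # same IP, any port
                return None
        elif self.filtering is Filtering.ADDRESS_AND_PORT_DEPENDENT:
            if src not in m.peers:                      # exact IP and port
                return None
        if self.outside_refreshes:            # only if the weak policy is enabled
            m.last_refresh = now
        return m.internal


# Constructed sample endpoints (documentation address ranges).
INSIDE = ("10.0.0.5", 5060)
PEER = ("203.0.113.7", 5060)
STRANGER = ("192.0.2.9", 9999)


def filtering_demo():
    """Per mode: which inbound senders reach the inside host after one outbound packet."""
    results = {}
    for mode in Filtering:
        nat = UdpNat("198.51.100.1", mode)
        ext = nat.outbound(INSIDE, PEER, now=0.0)
        results[mode.value] = {
            "peer same port": nat.inbound(PEER, ext, 1.0) is not None,
            "peer other port": nat.inbound((PEER[0], 12345), ext, 1.0) is not None,
            "stranger": nat.inbound(STRANGER, ext, 1.0) is not None,
        }
    return results


def timer_demo(outside_refreshes):
    """True if the mapping survives to t=301s when only the outside peer kept sending (at t=200s)."""
    nat = UdpNat("198.51.100.1", Filtering.ENDPOINT_INDEPENDENT,
                 outside_refreshes=outside_refreshes)
    ext = nat.outbound(INSIDE, PEER, now=0.0)
    assert nat.inbound(PEER, ext, 200.0) == INSIDE   # within the 5-minute timer either way
    return nat.inbound(PEER, ext, 301.0) == INSIDE


if __name__ == "__main__":
    for mode, allowed in filtering_demo().items():
        print(f"{mode:28s} {allowed}")
    print("outside may refresh -> mapping alive at 301s:", timer_demo(True))
    print("inside only refresh -> mapping alive at 301s:", timer_demo(False))
```

Running the script prints one row per filtering mode; with the recommended inside-only refresh policy the mapping is gone at 301 s even though the peer was still sending, which is exactly the behaviour the text argues for.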