Introduction to H.460.18: H.323 Signalling Traversal of NAT and Firewalls

 

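Introduction

H.460.18, whose full title is "H.323 signalling traversal of NAT and firewalls", is the ITU-T standard for getting signalling through NAT and firewalls in H.323 systems. The closely related protocol is H.248.19, which is the standard method for media traversal of NAT and firewalls. It has the following two characteristics:

1) It is based on a client-server model; it is not a peer-to-peer NAT and firewall traversal method (such as the IETF's ICE).

2) It performs no NAT type detection (it cannot achieve peer-to-peer RTP stream transport and has limited scalability).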

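Basic principle

The flow for an internal-network endpoint calling an external-network endpoint is the same as a normal H.323 call. When an external endpoint calls an internal endpoint, the call is addressed to the TS's external IP address. The TS uses a RAS message to ask the internal endpoint to establish an H.225.0 channel to the TS.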
 

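H.225.0 call flow when an external endpoint calls an internal endpoint

1) To set up the call from the TS to the internal endpoint EPA, the TS sends an H.225.0 SCI RAS message to EPA; the SCI carries a genericData field containing an IncomingCallIndication;
2) EPA receives the SCI message and replies to the TS with an SCR response message;
3) EPA opens a TCP connection to the address given in the callSignallingAddress field of the IncomingCallIndication, then sends an H.225.0 FACILITY message carrying a callIdentifier field (set from the callIdentifier field of the IncomingCallIndication received earlier);
4) The TS receives the FACILITY message (note that it must not forward this message) and uses the callIdentifier in the FACILITY message to associate the call with the TCP connection;
5) On the newly established H.225.0 TCP connection, the TS sends an H.225.0 SETUP message; from there on the procedure is the same as a normal call flow.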
 

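H.245 connection establishment

1) Once EPA has received a message from the TS that contains an H245Address field, it establishes the H.245 channel to the TS at that address. If EPA needs to establish the H.245 channel but has not yet received an H245Address field, EPA itself sends the TS a FACILITY message whose reason field is set to startH245. The TS receives the FACILITY message and replies with a FACILITY message carrying the H245Address field.
2) After EPA has established the H.245 channel with the TS, the first message EPA sends on the channel is a genericIndication message containing the callIdentifier and the answerCall flag;
3) The TS receives the genericIndication message (note that it must not forward this message) and uses the callIdentifier and the answerCall flag to determine uniquely which call this TCP connection belongs to.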
 

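Keep-alive mechanism

To keep open the "holes" punched in the NAT, a keep-alive mechanism is needed on each channel. On the RAS channel, keep-alive relies on lightweight RRQ RAS messages and the corresponding RCF responses. On the H.225.0 and H.245 channels, keep-alive relies on sending empty TPKT packets.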
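
The empty TPKT keep-alive described above, as an added example that is not part of the original post: a receiver-side framer that splits the TCP stream into TPKT packets, counts empty ones as keep-alives instead of handing them to the H.225.0/H.245 decoder, and rejects malformed lengths. It assumes the RFC 1006 TPKT header (version 3, one reserved byte, a 16-bit length that includes the 4-byte header); `TpktFramer`, `TpktError` and `wrap` are hypothetical names, and the sample bytes are constructed.

```python
import struct

# Assumption: RFC 1006 TPKT header = version(3), reserved(0), 16-bit big-endian
# length that counts the 4 header bytes as well as the payload.
TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
EMPTY_TPKT = struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN)  # 03 00 00 04


class TpktError(ValueError):
    """Raised when the byte stream is not valid TPKT framing."""


def wrap(payload):
    """Prefix a signalling payload with its TPKT header."""
    return struct.pack("!BBH", TPKT_VERSION, 0, TPKT_HEADER_LEN + len(payload)) + payload


class TpktFramer:
    """Incrementally splits one TCP connection's bytes into TPKT payloads."""

    def __init__(self):
        self._buf = bytearray()
        self.keepalives = 0  # number of empty TPKTs seen on this connection

    def feed(self, data):
        """Add received bytes; return the complete, non-empty payloads."""
        self._buf += data
        payloads = []
        while len(self._buf) >= TPKT_HEADER_LEN:
            version, _reserved, length = struct.unpack_from("!BBH", self._buf)
            if version != TPKT_VERSION:
                raise TpktError(f"unexpected TPKT version {version}")
            if length < TPKT_HEADER_LEN:
                # A length below 4 can never advance the buffer: reject it
                # rather than loop forever or mis-frame what follows.
                raise TpktError(f"TPKT length {length} shorter than header")
            if len(self._buf) < length:
                break  # packet split across TCP segments; wait for the rest
            payload = bytes(self._buf[TPKT_HEADER_LEN:length])
            del self._buf[:length]
            if payload:
                payloads.append(payload)
            else:
                self.keepalives += 1  # keep-alive only refreshes the NAT binding
        return payloads
```

A caller can use `keepalives` together with a timer to notice a channel whose NAT binding is no longer being refreshed.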

FAQ(from TANDBERG)

What's the problem with getting H.323 through a firewall?
Firewalls typically block inbound connections. They can be configured to allow connections on a predetermined port to a given IP address. Unfortunately H.323 uses dynamically chosen ports for its call control and media. Some devices will choose these dynamic ports from a limited range, but this varies between manufacturers. This makes it difficult to statically configure firewall rules to allow inbound connections.
The typical symptoms of this problem are one way audio and video.

What's the problem with getting H.323 through a NAT?
A NAT device (Network Address Translation) hides the private IP addresses behind it, replacing them with a public IP address. Packets arriving at the NAT device are directed to the appropriate private IP address. H.323 messages often contain address information buried within them. A NAT device which does not understand H.323 will forward the message body on unaltered, passing unusable address information to the receiving endpoint.


Does H.460.18/19 tunnel through the firewall?
No. Tunneling involves packaging one protocol up within another to hide it - for example passing H.323 off as HTTP. H.460.18/19 is an extension to the H.323 standard that adds additional information to the existing H.323 messages.

References:

ITU-T Recommendation H.460.18 (2005), Traversal of H.323 signalling across network
address translators and firewalls.
