[asterisk-users] RE: OT (a little): IPV6 Ramifications Article

Tzafrir Cohen tzafrir.cohen at xorcom.com
Thu Apr 19 04:36:38 MST 2007


On Thu, Apr 19, 2007 at 10:24:18AM +0100, Tim Panton wrote:
> Putting my Westhawk Ltd protocol consultancy hat on.....
> 
> Due to old age and good luck, westhawk has a full class C (256 ipv4
> addresses) so all our machines have routable addresses, putting us in a
> similar position to the way the rest of you would be when/if v6 takes off.

I may add that even though I am from Asia and not from the US, I had the
luck of being in networks that were on public IP ranges in 1996-1997 and
later in 1999-2000.

> 
> This is quite relevant to this list because people are working to add
> ipv6 support to asterisk, and as such the community needs to be
> up-to-speed on the benefits/drawbacks.
> 
> On 19 Apr 2007, at 05:39, Tzafrir Cohen wrote:
> 
> >Hi
> >
> >To be slightly less off-topic:
> >>
> >>
> >
> >If you have no shortage of IP addresses in the US, then why is it that
> >when you want to set up a home IP address you have to use a NAT router
> >(of some sort: be that a device or a software on a computer)? This means
> >that peer-to-peer protocols don't Just Work [tm].
> >
> >We all know that SIP is generally broken in the presence of NAT and
> >how multiple partial workarounds have been found.
> >
> >Any VoIP call between two NAT-ed clients will require a proxy outside
> >the NAT. Hence more delay and more complicated setup.
> 
> That's the theory, but if you remove the NAT router, you have to put
> an equally extensive firewall in place - probably stricter because
> all the devices in your network are now routable. SIP/RTP's bad design
> makes it very hard to firewall well without running a full proxy in the
> router. (Ok, at least you don't need STUN if you have ipv6).
> 
> So you still have to mess with the (more complex because v6 is  
> tricky) firewall to let the right RTP/SIP packets in.

You replace the NAT router with a firewall. One positive result of NAT
is that session tracking became a mandatory requirement of firewalls.

Linux now has SIP session tracking support as of kernel 2.6.18 (before
that you had to apply an external patch), and thus RHEL5, Debian Etch
and just about any other modern distro should now support it or soon
will. 

In the worst case you kindly ask the sysadmin to unblock the firewall
for 30 seconds and see if then you can establish a call.

-- 
               Tzafrir Cohen       
icq#16849755                    jabber:tzafrir at jabber.org
+972-50-7952406           mailto:tzafrir.cohen at xorcom.com       
http://www.xorcom.com  iax:guest at local.xorcom.com/tzafrir
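
What the SIP session tracking mentioned above has to do, as an added example that is not part of the original post and is not the Linux kernel's code: read the SDP body carried in the signalling and derive which RTP/RTCP flows the firewall should expect, so only those are let in. The INVITE is constructed, `parse_connection` and `expected_media_flows` are hypothetical names, and RTCP is assumed to use the RTP port plus one.

```python
import ipaddress

# Constructed sample: a SIP INVITE whose SDP body announces IPv6 media endpoints.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:bob@example.org SIP/2.0",
    "Via: SIP/2.0/UDP [2001:db8::10]:5060;branch=z9hG4bK-constructed",
    "Call-ID: constructed-1@example.org",
    "CSeq: 1 INVITE",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP6 2001:db8::10",
    "s=-",
    "c=IN IP6 2001:db8::10",           # session-level connection address
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 8",
    "m=video 51372 RTP/AVP 31",
    "c=IN IP6 2001:db8::20",           # media-level override for the video stream
    "m=application 0 udptl t38",       # port 0: stream is disabled
    "",
])


def parse_connection(value):
    """Parse the value of an SDP c= line and return a normalised IP address."""
    nettype, addrtype, addr = value.split()
    if nettype != "IN" or addrtype not in ("IP4", "IP6"):
        raise ValueError("unsupported c= line: " + value)
    return str(ipaddress.ip_address(addr.split("/")[0]))  # drop any /ttl suffix


def expected_media_flows(sip_message):
    """Return (media, address, rtp_port, rtcp_port) for each active SDP stream."""
    body = sip_message.partition("\r\n\r\n")[2]
    session_addr, flows = None, []
    for line in body.splitlines():
        if line.startswith("c="):
            addr = parse_connection(line[2:])
            if flows:
                flows[-1]["addr"] = addr   # c= after an m= applies to that stream
            else:
                session_addr = addr        # c= before any m= is the default
        elif line.startswith("m="):
            media, port = line[2:].split()[:2]
            flows.append({"media": media, "port": int(port.split("/")[0]),
                          "addr": session_addr})
    # Skip disabled streams (port 0) and streams with no usable address.
    return [(f["media"], f["addr"], f["port"], f["port"] + 1)
            for f in flows if f["port"] != 0 and f["addr"]]
```

Each returned tuple is one narrow, per-call opening, which is the alternative to leaving a wide UDP range permanently reachable on routable hosts.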

