Hi Damir/All,

Thank you very much Damir for your detailed explanation. Can you please explain, when security mechanisms like IPSec and TLS are used in this architecture, what NAT can do? Does it understand the data which is encrypted by IPSec/TLS mechanisms? What capabilities should the NAT have in this architecture when IPSec/TLS are used?

Thanks and regards,
- sunil vatnal

-----Original Message-----
From: Bilajbegovic Damir [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 26, 2004 6:05 PM
To: [EMAIL PROTECTED]
Subject: RE: RE: [Sip-implementors] ALG in SIP networks with TLS and/or IP Sec security

Since there is communication between SIP proxy and UE in the private network I am not sure how it will work at all. The problem that I was dealing with is similar.

UE -----------------------/DSL line with NAPT/-----------------------SIP-Proxy
      private addresses                              public addresses

First implementation was to have a SIP-ALG that will control the NAPT. OK, now the communication can work quite well, but on the other hand there was a need for security. We were using HTTP digest, but it is the same for all security concepts. The communication between UE and Proxy will be broken since the SIP-ALG is not going to be able to read the session parameters (or, in the HTTP digest case, successfully change them).

UE =====================================SIP-Proxy     (= is secure tunnel)
            /DSL line with NAPT/

-> It changed only the IP level but not the upper level information (no voice communication possible, only SIP messages), so the solution was to have a SIP-ALG that will create a security connection between Proxy and SIP-ALG. This seemed to be the most fitting solution. But in that case we assumed that the connection from SIP-ALG in the home network to the UE is secure...

UE -----------------------/DSL line with NAPT/===========SIP-Proxy

Not the best solution but also not the worst. I do not know how this will help but this is only a try...

Best Regards,
Damir Bilajbegovic

-----Original Message-----
From: MVATNAL SUNIL [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, October 26, 2004 10:53 AM
To: Bilajbegovic Damir
Subject: Re: RE: [Sip-implementors] ALG in SIP networks with TLS and/or IPSec security

Hi Damir,

The NAT is being used at the edge of the private network. All the traffic leaves and enters the NAT. Please see the simple architecture below.

    Private network
          |
          |
         ALG
          |
          |
         NAT
          |
          |
       TCP/IP
          |
          |
    Public Network

When IPSec and TLS are used in the above architecture, how is the ALG going to function since the data is encrypted?

Thanks and regards,
- sunil vatnal

------- Original Message -------
Sender : Bilajbegovic Damir <[EMAIL PROTECTED]>
Date : Oct 26, 2004 17:20
Title : RE: [Sip-implementors] ALG in SIP networks with TLS and/or IPSec security

I think the question is where do you put the NAT? Where is the NAT's place and what is your (planned) network architecture...

Best Regards,
Damir Bilajbegovic

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of MVATNAL SUNIL
Sent: Tuesday, October 26, 2004 10:13 AM
To: [EMAIL PROTECTED]
Subject: [Sip-implementors] ALG in SIP networks with TLS and/or IPSec security

Hi,

My question is on the functionalities of the ALG used with NAT in SIP networks with security mechanisms like TLS and/or IPSec. Please read the following paragraphs first.

The NAT (Network Address Translator) modifies IPv4 addressing, and takes special care of protocols such as UDP and TCP to avoid port conflicts; it may also carry out port number translation. When NAT is used in SIP networks, the IPv4 address is copied into the protocol data and thus becomes impossible for the NAT to translate without using an ALG (Application Level Gateway). The ALG performs special translation not only for the IP addresses and port numbers but also within the payload (voice/data). As new protocols are created, new ALGs may have to be added in order for the applications to work.

My question: In the above scenario (NAT used in SIP networks), if the security mechanisms TLS and IPSec are used, what functionalities should the ALG have? The main task of the ALG is to take care of the addresses and port numbers changed by NAT. But these addresses and port numbers are encrypted and encapsulated by the IPSec and TLS mechanisms. How does the ALG work in this situation?

Also, please provide me any information or example implementations or white papers on the above scenario.

Lots of thanks,
- sunil vatnal

_______________________________________________
Sip-implementors mailing list
[EMAIL PROTECTED]
http://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
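The thread's two points, what a SIP ALG rewrites in a plaintext message and why it cannot do the same once the message is protected, can be shown in a few lines. The following is an added example written for this page, not code from any participant or from a real ALG product. It builds a constructed INVITE from a UE at a constructed private address, rewrites Via, Contact and the SDP c=/m= lines to the NAPT's public binding, and then shows two failure modes: a qop=auth-int HTTP Digest that covers the SDP body no longer verifies after the rewrite, and when the same message is passed through a keystream cipher standing in for TLS/IPsec record protection (not real TLS; an assumption for the demo) the ALG finds nothing to translate at all. Addresses, ports, credentials and the nonce are all constructed; the digest computation itself follows RFC 2617 with fixed nc/cnonce.

```python
"""Toy SIP ALG (added example): what it can rewrite in the clear, and what
TLS/IPsec or an integrity-protected digest take away from it. Constructed
addresses, credentials, nonce and message; the cipher is only a stand-in."""
import hashlib
import re

PRIVATE_IP = "192.168.1.10"              # constructed: UE address behind NAPT
PUBLIC_IP = "203.0.113.5"                # constructed: NAPT public address
PORT_MAP = {5060: 40001, 49170: 40002}   # constructed NAPT bindings private->public
CREDS = ("alice", "example.com", "s3cret")              # constructed credentials
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"            # constructed nonce

# constructed SDP body: private address in o= and c=, RTP port in m=
SDP = (f"v=0\r\no=alice 1 1 IN IP4 {PRIVATE_IP}\r\ns=-\r\n"
       f"c=IN IP4 {PRIVATE_IP}\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")


def h(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, body):
    """RFC 2617 response with qop=auth-int: A2 includes H(entity-body), so the
    SDP is bound to the credential (nc and cnonce are fixed for brevity)."""
    a1 = h(f"{username}:{realm}:{password}")
    a2 = h(f"{method}:{uri}:{h(body)}")
    return h(f"{a1}:{nonce}:00000001:0a4f113b:auth-int:{a2}")


def build_invite(username, realm, password) -> bytes:
    """Constructed INVITE as it leaves the UE, before any NAT or ALG."""
    uri = "sip:bob@example.com"
    resp = digest_response(username, realm, password, "INVITE", uri, NONCE, SDP)
    return (f"INVITE {uri} SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
            f"From: <sip:{username}@{realm}>;tag=1928301774\r\n"
            f"To: <{uri}>\r\n"
            f"Contact: <sip:{username}@{PRIVATE_IP}:5060>\r\n"
            f'Proxy-Authorization: Digest username="{username}", realm="{realm}", '
            f'nonce="{NONCE}", uri="{uri}", qop=auth-int, nc=00000001, '
            f'cnonce="0a4f113b", response="{resp}"\r\n'
            f"Content-Type: application/sdp\r\n"
            f"Content-Length: {len(SDP)}\r\n\r\n{SDP}").encode()


def alg_rewrite(msg: bytes) -> tuple[bytes, int]:
    """The ALG's job: map private IP:port in Via/Contact and the SDP c=/m=
    lines to the NAPT binding, then fix Content-Length. Returns the rewritten
    message and how many substitutions it could make (0 on ciphertext)."""
    text = msg.decode("latin-1")
    head, sep, body = text.partition("\r\n\r\n")
    count = 0

    def ip_port(m):
        nonlocal count
        count += 1
        port = int(m.group(1))
        return f"{PUBLIC_IP}:{PORT_MAP.get(port, port)}"

    def media_port(m):
        nonlocal count
        count += 1
        port = int(m.group(1))
        return f"m=audio {PORT_MAP.get(port, port)} "

    head = re.sub(re.escape(PRIVATE_IP) + r":(\d+)", ip_port, head)
    body = re.sub(r"m=audio (\d+) ", media_port, body)
    body, n = re.subn(r"IN IP4 " + re.escape(PRIVATE_IP), f"IN IP4 {PUBLIC_IP}", body)
    count += n
    head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body)}", head)
    return (head + sep + body).encode("latin-1"), count


def digest_ok(msg: bytes, password: str) -> bool:
    """Proxy-side check: recompute the digest over the message as received.
    Any change to the Request-URI or (with auth-int) the body makes it fail."""
    text = msg.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    method, uri = head.split(" ", 2)[:2]
    auth_line = re.search(r"Proxy-Authorization: Digest (.*)", head).group(1)
    p = dict(re.findall(r'(\w+)="?([^",]+)"?', auth_line))
    expected = digest_response(p["username"], p["realm"], password,
                               method, uri, p["nonce"], body)
    return expected == p["response"]


def keystream_xor(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS/IPsec record encryption (NOT real TLS): SHA-256 in
    counter mode as a keystream, so the ALG only sees opaque bytes."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def demo() -> dict:
    user, realm, pw = CREDS
    invite = build_invite(user, realm, pw)
    rewritten, n_plain = alg_rewrite(invite)          # clear text: ALG works
    cipher = keystream_xor(invite, b"constructed-session-key")
    _, n_cipher = alg_rewrite(cipher)                 # protected: nothing to do
    return {
        "plaintext_rewrites": n_plain,                # Via, Contact, m=, o=, c=
        "public_in_via": f"Via: SIP/2.0/UDP {PUBLIC_IP}:40001".encode() in rewritten,
        "digest_ok_before": digest_ok(invite, pw),    # UE's digest verifies
        "digest_ok_after_alg": digest_ok(rewritten, pw),  # rewrite broke auth-int
        "ciphertext_rewrites": n_cipher,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The digest case is the one Damir alludes to: with qop=auth-int the body is under the hash, so the ALG's SDP rewrite is detected as tampering by the proxy; it cannot recompute the response without the password. The ciphertext case is the TLS/IPsec situation from the original question: the ALG has no hook at all, which is why the thread ends up terminating the secure leg at the ALG (or, in current practice, relying on mechanisms such as ICE/STUN/TURN or SIP outbound that work without any middlebox reading the message).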
