H.323 NAT Traversal Problem particular to H.323(RAS->Q.931->H.245):  RAS from private network to public network can pass NAT  Q931 、 H.245 adopts the TCP, if Q.931 is initialized from public network (such as from GK)  Cannot initialize a TCP connection from outside to a terminal inside a private network SYN packet cannot pass the NAT device TE in private network TE in public network NAT SYN SYN ＋ ACK ACK B B A A X TCP SYN packet TCP utilizes three way handshake, it has direction. NAT TE

Principle of UDP Enhanced Tunnel TE ServerNAT Private Network Public Network Tunnel xTSxTC xTC -traversal Tunnel Client xTS -traversal Tunnel Server Signal and media stream share the same tunnel between xTC and xTS

UDP enhanced Tunnel Mechanism IP TCP/UDP Data Original UTH Encapsulated Standard UDP header Orig-protocol other-fields TCP/UDP Data UTH IP The UDP enhanced Tunnel Header(UTH) is comprised of three parts:  a UDP header (standard RFC0768 header)  a protocol field (holds the protocol field of original IP header.)  other-fields (reserved for extension)

Different from RFC3948 TCP/UDP Data RFC3948 UTH Encapsulated Standard UDP header Orig-protocol other-fields UTH IP ESP header Data UDP IP RFC3948 is specific for IPsec ESP packets UTH can be used for more general aims

xTC behavior Encapsulate:  Insert a UDP enhanced tunnel header  Modify the IP header, and the relation fields of the new IP header are edited to match the resulting IP packet.  The destination should be one ip address of xTS.  And cause IP header is modified, a map entry should be recorded by xTC for correct processing the packets sent from xTS.  The resulting packet is forwarded to xTS.

xTC behavior Decapsulate:  The UTH header is removed from the packet.  The IP header is modified, the relation fields in the new IP header are edited to match the resulting IP packet, in this procedure, the map entry recorded earlier is used to aid the process.  The resulting packet is forwarded to the real destination.

xTS behavior Decapsulate:  The UTH header is removed from the packet.  Do the ALG process if needed.  The IP header is modified, and the relation fields in the new IP header are edited to match the resulting IP packet.  The resulting packet is forwarded to the real destination.

xTS behavior Encapsulate:  A properly formatted UDP enhanced tunnel header(UTH header) is inserted.  Do the ALG process if needed.  Modify the IP header, and the relation fields in the new IP header are edited to match the resulting IP packet. To accomplish this, the map entry recorded in previously procedure should be used.  The resulting packet is forwarded to xTC.

How to use -Tunnel and Proxy (1) Tunnel client integrated with Proxy:  A dedicated proxy is deployed in the private network;  Tunnel is established between internal proxy and external proxy.  Terminals don't require modifications;  No public IP address will be consumed by proxy. TE1 TE2 TEn ServerNAT Private Network Public Network Tunnel Proxy xTS Proxy xTC

How to use -Tunnel and Proxy (2) Tunnel client integrated within the terminal:  No additional device is needed;  Tunnels are established between the terminals and proxy.  Terminals require modifications;  No public address will be consumed by terminals. TE Proxy ServerNAT Private Network Public Network Tunnel xTC TE xTC TE xTC xTS