[Serusers] Re: [Users] How Effective is STUN?
sip at arcdiv.com
Sun Nov 20 15:48:02 CET 2005
Many of the commercial, symmetric NATs have some form or fashion of SIP
awareness (granted, some of them are broken... like Checkpoint's) --
Checkpoint, Cisco, Astaro, etc.
Older Netgear boxes tend to be symmetric, but the more recent ones are not.
Linksys boxes are asymmetric, usually port-restricted cone. As for the rest, I
don't know for certain, but for my clients, I've run into FAR more asymmetric
home clients than not. Asymmetric NATs are far easier to implement and, done
correctly (port-restricted cone), provide actually more security than symmetric
because it masks the identification of multiple servers behind a firewall, as
not all requests come from the same IP/port combination.
Ideally, a good UA would be able to have a STUN server put in, check for
whether or not VoIP would work with STUN, and default to that if necessary,
but not if NOT necessary. Some UAs simply aren't that intelligent, and some
UAs have broken STUN implementations (SJ Labs, for instance).
Of course, in the truly ideal world, all firewalls will become SIP aware...
On Sun, 20 Nov 2005 15:46:26 +0200, Daniel-Constantin Mierla wrote
> From what I have seen, the companies are protected mainly by
> symmetric NAT (more secure). In residential premises, it is hard to
> detect, there are a lot of devices. Sometimes the STUN
> implementation in the clients is broken, and does not help at all to
> label a NAT from SIP server side.
> On 11/19/05 01:36, Tavis P wrote:
> > I'm trying to find some statistics as to what the ratio of Cone vs
> > Symmetric NAT solutions deployed in the world are, has anyone done some
> > research into this?
> > I'm curious what percentage of users in certain demographics (broadband
> > clients, for example) I can expect to be serviced using STUN alone, so I
> > can come up with some figure to help me build out my network
> > Even just some anecdotal information of people's experiences would be
> > very useful
> > Tavis
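Added example, not part of the thread or of any UA's code: the check described above (probe with STUN, use it only when it is needed and sufficient) written as the RFC 3489 discovery decision tree over already-recorded probe results. The names `Probes`, `classify` and `stun_decision` and the sample addresses are constructed for illustration.

```python
from typing import NamedTuple, Optional, Tuple

Addr = Tuple[str, int]

class Probes(NamedTuple):
    """Results of the RFC 3489 tests, recorded by the UA (hypothetical type)."""
    local: Addr                # address the UA's socket is bound to
    test1: Optional[Addr]      # mapped address seen by the server; None = no reply
    test2: bool                # reply arrived from the server's other IP and port
    test1_alt: Optional[Addr]  # mapped address seen by the server's alternate address
    test3: bool                # reply arrived from same IP, different port

def classify(p: Probes) -> str:
    if p.test1 is None:
        return "udp-blocked"
    if p.test1 == p.local:  # no address translation on the path
        return "open-internet" if p.test2 else "symmetric-udp-firewall"
    if p.test2:  # unsolicited source got through the mapping
        return "full-cone"
    if p.test1_alt is None:
        return "inconclusive"
    if p.test1_alt != p.test1:  # mapping changes per destination
        return "symmetric"
    return "restricted-cone" if p.test3 else "port-restricted-cone"

def stun_decision(nat: str) -> str:
    """Use STUN if necessary, but not if not necessary."""
    if nat in ("open-internet", "symmetric-udp-firewall"):
        return "not-needed"  # the UA already advertises a public address
    if nat in ("full-cone", "restricted-cone", "port-restricted-cone"):
        return "use-stun"  # mapped address is stable across destinations
    return "stun-insufficient"  # symmetric NAT, blocked UDP, or unknown

# Constructed sample results (documentation address ranges).
LOCAL = ("192.168.1.10", 5060)
HOME_ROUTER = Probes(LOCAL, ("203.0.113.7", 40000), False,
                     ("203.0.113.7", 40000), False)
OFFICE_NAT = Probes(LOCAL, ("203.0.113.7", 40000), False,
                    ("203.0.113.7", 40001), False)
PUBLIC_HOST = Probes(("198.51.100.5", 5060), ("198.51.100.5", 5060), True,
                     None, False)

if __name__ == "__main__":
    for name, p in [("home", HOME_ROUTER), ("office", OFFICE_NAT),
                    ("public", PUBLIC_HOST)]:
        nat = classify(p)
        print(name, nat, stun_decision(nat))
```

A client with a broken STUN implementation, as mentioned in the thread, would feed wrong values into `Probes`, so the classification is only as reliable as the probes behind it.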