Date: 13 Apr 1999 12:41:04 -0400 From: Chris Shenton <cshenton@uucom.com> To: Kevin Van maren <vanmaren@cs.utah.edu> Cc: freebsd-questions@FreeBSD.ORG Subject: Re: H.323 support for natd Message-ID: <lflnfwjwwv.fsf@Samizdat.uucom.com> In-Reply-To: Kevin Van maren's message of "Mon, 12 Apr 1999 21:54:32 -0600 (MDT)" References: <199904130354.VAA19387@zane.cs.utah.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, 12 Apr 1999 21:54:32 -0600 (MDT), Kevin Van maren <vanmaren@cs.utah.edu> said: Kevin> Is anyone working on adding support for H.323 (used for video Kevin> conferencing, like M$ netneeting, and Intel video cameras) to Kevin> libalias? H.323 is a nightmare of a protocol, obviously designed by committee, not coders. There are a couple random ports selected where the client and server rendezvous to then decide on which ports they really want to use for the data. Client/server address and port are transmitted in the payload rather than the IP header. This means the NAT (or proxy) would have to follow this gross port negotiation by grubbing through the payload. The protocol is yet another ITU production so the specs aren't on line like RFCs. I wrote a paper on NetMeeting security concerns a while back (www.shenton.org/~chris/nasa-hq/netmeeting/) and came to the conclusion that it was too difficult to proxy and therefore unsafe. The audio/video isn't bad, it's the app sharing that will kill you. Now there are a couple firewall vendors out there who do have application layer proxies (Raptor is one I think) so that might be a place to start. Make sure any NAT, proxy or whatnot gives you fine control over what's passed and by whom else all you're doing is rearranging the deck chairs on the Titanic. We insisted on decent security before we'd deploy because NetMeeting's application sharing gives remote users access to anything on your machine or LAN that you have access to, trivially, and there's nothing like strong user-level authentication built into it. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?lflnfwjwwv.fsf>