From owner-freebsd-questions Tue Apr 13 9:43:38 1999
Delivered-To: freebsd-questions@freebsd.org
Received: from Samizdat.uucom.com (samizdat.uucom.com [198.202.217.54]) by hub.freebsd.org (Postfix) with ESMTP id C3E8814BDA for ; Tue, 13 Apr 1999 09:43:25 -0700 (PDT) (envelope-from cshenton@uucom.com)
Received: (from cshenton@localhost) by Samizdat.uucom.com (8.9.3/8.9.3) id MAA14627; Tue, 13 Apr 1999 12:41:04 -0400 (EDT)
To: Kevin Van maren
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: H.323 support for natd
References: <199904130354.VAA19387@zane.cs.utah.edu>
From: Chris Shenton
Date: 13 Apr 1999 12:41:04 -0400
In-Reply-To: Kevin Van maren's message of "Mon, 12 Apr 1999 21:54:32 -0600 (MDT)"
Message-ID:
Lines: 29
X-Mailer: Gnus v5.6.45/Emacs 20.3
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 12 Apr 1999 21:54:32 -0600 (MDT), Kevin Van maren said:

Kevin> Is anyone working on adding support for H.323 (used for video
Kevin> conferencing, like M$ NetMeeting, and Intel video cameras) to
Kevin> libalias?

H.323 is a nightmare of a protocol, obviously designed by committee, not coders. There are a couple of random ports selected where the client and server rendezvous to then decide on which ports they really want to use for the data. Client/server address and port are transmitted in the payload rather than the IP header. This means the NAT (or proxy) would have to follow this gross port negotiation by grubbing through the payload. The protocol is yet another ITU production, so the specs aren't online like RFCs.

I wrote a paper on NetMeeting security concerns a while back (www.shenton.org/~chris/nasa-hq/netmeeting/) and came to the conclusion that it was too difficult to proxy and therefore unsafe. The audio/video isn't bad; it's the app sharing that will kill you.

Now there are a couple of firewall vendors out there who do have application layer proxies (Raptor is one, I think), so that might be a place to start.

Make sure any NAT, proxy or whatnot gives you fine control over what's passed and by whom, or else all you're doing is rearranging the deck chairs on the Titanic. We insisted on decent security before we'd deploy because NetMeeting's application sharing gives remote users access to anything on your machine or LAN that you have access to, trivially, and there's nothing like strong user-level authentication built into it.
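The mechanism Chris describes, endpoint addresses carried in the payload so that a header-only NAT breaks the call while an application-layer gateway has to parse and rewrite the payload and pre-open the negotiated port, can be shown with a small simulation. The following is an added example, not code from the thread, libalias or natd: the "SETUP media=ip:port" message format is invented for illustration (it is not real H.225/H.245 encoding), the addresses come from the RFC 5737 documentation ranges, and the ALG also enforces the "by whom" control from the last paragraph by refusing to open a pinhole for any inside host other than the one that sent the announcement.

```python
"""Toy model of a NAT in front of a protocol that names its media
endpoint inside the payload (as H.323 does).  Constructed example;
the message format is invented, not real H.225/H.245."""
from dataclasses import dataclass, field
import re

PRIVATE_NET = "10.0.0."     # constructed inside network
PUBLIC_IP = "203.0.113.1"   # NAT's outside address (RFC 5737 TEST-NET-3)
PEER_IP = "198.51.100.7"    # outside peer (RFC 5737 TEST-NET-2)

MEDIA_RE = re.compile(r"media=(\d+\.\d+\.\d+\.\d+):(\d+)")


@dataclass
class Packet:
    src: tuple      # (ip, port)
    dst: tuple
    payload: str


@dataclass
class HeaderOnlyNat:
    """Rewrites only the IP/transport header, like a basic NAT."""
    next_port: int = 40000
    table: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> pub_port

    def map_port(self, priv):
        if priv not in self.table:
            self.table[priv] = self.next_port
            self.next_port += 1
        return self.table[priv]

    def outbound(self, pkt):
        return Packet((PUBLIC_IP, self.map_port(pkt.src)), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        # Reverse lookup of an existing mapping; unsolicited traffic is dropped.
        for priv, pub_port in self.table.items():
            if pkt.dst == (PUBLIC_IP, pub_port):
                return Packet(pkt.src, priv, pkt.payload)
        return None


class AlgNat(HeaderOnlyNat):
    """Header NAT plus an application-layer gateway: parses the payload,
    rewrites the embedded address and pre-creates the mapping (pinhole)
    for the port the inside host announced."""

    def outbound(self, pkt):
        payload = pkt.payload
        m = MEDIA_RE.search(payload)
        if m:
            inner = (m.group(1), int(m.group(2)))
            # Only the announcing host may have a pinhole opened for it;
            # an announcement naming some other inside host is dropped.
            if inner[0] != pkt.src[0]:
                return None
            payload = MEDIA_RE.sub(
                f"media={PUBLIC_IP}:{self.map_port(inner)}", payload)
        return super().outbound(Packet(pkt.src, pkt.dst, payload))


def simulate(nat, announced="10.0.0.5:5004"):
    """Inside host 10.0.0.5 announces a media endpoint; the outside peer then
    sends media to whatever address the payload named.  Returns one of
    ("blocked", None), ("unroutable", dst), ("dropped", dst), ("delivered", dst)."""
    inside, outside = ("10.0.0.5", 1720), (PEER_IP, 1720)
    seen_by_peer = nat.outbound(Packet(inside, outside, f"SETUP media={announced}"))
    if seen_by_peer is None:
        return ("blocked", None)
    m = MEDIA_RE.search(seen_by_peer.payload)
    media_dst = (m.group(1), int(m.group(2)))
    if media_dst[0].startswith(PRIVATE_NET):
        # The peer was told a private address: the media never arrives.
        return ("unroutable", media_dst)
    delivered = nat.inbound(Packet((PEER_IP, 6000), media_dst, "RTP"))
    return ("delivered", delivered.dst) if delivered else ("dropped", media_dst)


if __name__ == "__main__":
    print("header-only NAT:", simulate(HeaderOnlyNat()))
    print("NAT with ALG:   ", simulate(AlgNat()))
    print("ALG, foreign host announced:", simulate(AlgNat(), "10.0.0.9:5004"))
```

The header-only NAT leaks the 10.0.0.5 address to the peer and the media is unroutable; the ALG variant delivers it, but only because it tracked the negotiation and opened exactly one mapping for the announcing host. The sender check is the kind of fine-grained control the post asks for: without it, any inside host could make the gateway open inbound pinholes to other machines on the LAN.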