
VOIP users will not tolerate excessive latency in the call setup process, which corresponds to lifting the receiver and dialing in a traditional system. Users may be annoyed with a setup process that requires more than a few seconds [12]. Many factors influence the setup time of a VOIP call. At the network level, these include the topology of the network and the location of both endpoints as well as the presence of a firewall or NAT. At the application level, the degree or lack of authentication and other data security measures, as well as the choice of protocol used to set up the call, can dramatically alter the time necessary to prepare a VOIP connection.

7.4.1 Application Level Gateways

Application Level Gateways (ALGs) are the typical commercial solution to the firewall/NAT traversal problem [10]. An ALG is embedded software on a firewall or NAT that allows for dynamic configuration based on application-specific information. A firewall with a VOIP ALG can parse and understand H.323 or SIP, and dynamically open and close the necessary ports. When NAT is employed, the ALG needs to open up the VOIP packets and rewrite the header information therein to correspond to the correct internal IP addresses on the private network, or to the public address for outgoing traffic. This includes modifying both the headers and the message bodies (e.g., SDP) in H.323 and SIP. ALG implementations are discussed for H.323 in [21] and SIP in [22]. The NAT problem is alleviated when the ALG replaces the private network addresses with the address of the ALG itself. It works by not only changing the IP address, but also mapping RTP traffic onto ports the ALG can read from and forward to the correct internal machine. The need for consecutive ports for RTP and RTCP can cause a problem here [22]: all VOIP traffic on the network (and data traffic as well) is being routed through the ALG, so as call volume increases, finding enough consecutive ports may become an issue. So although both endpoints may have adequate ports to carry a conversation, the firewall's deficiencies may cause the call to be rejected as "busy" by the ALG itself.

There are significant performance and fiscal costs associated with the implementation of an ALG. Performance-wise, the manipulation of VOIP packets introduces latency into the system and can contribute to jitter when high call volumes are experienced. Depending on the firewall architecture, this can also slow down throughput in the firewall, contributing to general network congestion. A firewall with ALG support can be expensive, and would need to be upgraded or replaced each time the standards for VOIP change. Also, the addition of application intelligence to a firewall can introduce instabilities into the firewall itself. Some firewalls have been found vulnerable to an attack in which a high rate of call setups is sent, depleting the connection tables of the firewall. These half-open VOIP sessions may not time out in the firewall for more than 24 hours. Still, with all these detractions, an ALG remains the simplest and safest workaround to allow the coexistence of VOIP, firewalls, and NAT.
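The rewriting and port-mapping work the paragraph describes, as an added example that is not part of the original text or of any vendor's ALG. The toy ALG below parses a SIP INVITE with an SDP body, rewrites the Via and Contact headers and the o=/c=/m= lines from the private address to the ALG's public address, allocates a consecutive even/odd RTP/RTCP port pair per call, and recomputes Content-Length. The sample INVITE, the private host 10.0.0.5, the public address 203.0.113.10 and the public port range 10000-10007 are constructed assumptions; with only eight ports the fifth call is rejected as busy, which is the exhaustion case the text warns about.

```python
import re

# Constructed sample INVITE from a phone on the private network.
# Assumptions for this illustration (not from the page): the phone is 10.0.0.5,
# the ALG's public address is 203.0.113.10, and it owns public ports 10000-10007.


def sip_message(headers, body):
    return "\r\n".join(headers) + f"\r\nContent-Length: {len(body)}\r\n\r\n" + body


SAMPLE_INVITE = sip_message(
    [
        "INVITE sip:bob@example.com SIP/2.0",
        "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776asdhds",
        "From: <sip:alice@example.com>;tag=1928301774",
        "To: <sip:bob@example.com>",
        "Call-ID: a84b4c76e66710@10.0.0.5",
        "Contact: <sip:alice@10.0.0.5:5060>",
        "Content-Type: application/sdp",
    ],
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.5\r\n"
    "s=-\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n",
)


class PortPairExhausted(Exception):
    """No consecutive even/odd port pair left: the ALG has to reject the call as busy."""


class SipNatAlg:
    """Minimal SIP/SDP ALG: rewrites private addresses to the ALG's public address
    and maps each call's RTP/RTCP onto a consecutive port pair the ALG owns."""

    def __init__(self, public_ip, first_port=10000, last_port=10007):
        self.public_ip = public_ip
        self.free_ports = set(range(first_port, last_port + 1))
        self.bindings = {}  # public RTP port -> (private IP, private RTP port)

    def allocate_pair(self):
        # RTP on an even port, RTCP on the following odd port (RFC 3550 convention).
        for port in sorted(self.free_ports):
            if port % 2 == 0 and port + 1 in self.free_ports:
                self.free_ports.difference_update({port, port + 1})
                return port
        raise PortPairExhausted("no consecutive RTP/RTCP port pair available")

    def release_pair(self, public_rtp_port):
        self.bindings.pop(public_rtp_port, None)
        self.free_ports.update({public_rtp_port, public_rtp_port + 1})

    def rewrite_outbound(self, msg):
        """Rewrite an outbound SIP request carrying SDP; returns (new_msg, public_rtp_port)."""
        head, body = msg.split("\r\n\r\n", 1)
        c_line = re.search(r"^c=IN IP4 (\S+)", body, re.M)
        m_line = re.search(r"^m=audio (\d+) ", body, re.M)
        if not (c_line and m_line):
            raise ValueError("no audio SDP to rewrite")
        private_ip, private_rtp = c_line.group(1), int(m_line.group(1))
        public_rtp = self.allocate_pair()
        self.bindings[public_rtp] = (private_ip, private_rtp)
        # Headers: only the routing headers naming the private host are rewritten.
        # Call-ID is an opaque identifier and is left alone even though it contains the IP.
        new_head = []
        for line in head.split("\r\n"):
            if line.startswith(("Via:", "Contact:")):
                line = line.replace(private_ip, self.public_ip)
            new_head.append(line)
        # Body: o= and c= carry the media address, m= carries the RTP port.
        body = body.replace(f"IN IP4 {private_ip}", f"IN IP4 {self.public_ip}")
        body = body.replace(f"m=audio {private_rtp} ", f"m=audio {public_rtp} ", 1)
        # The body changed length, so Content-Length must be recomputed.
        new_head = [f"Content-Length: {len(body)}" if h.startswith("Content-Length:") else h
                    for h in new_head]
        return "\r\n".join(new_head) + "\r\n\r\n" + body, public_rtp


def exhaust(alg, msg):
    """Admit calls until the ALG runs out of consecutive port pairs; returns the ports handed out."""
    admitted = []
    try:
        while True:
            admitted.append(alg.rewrite_outbound(msg)[1])
    except PortPairExhausted:
        return admitted
```

Note that the rewrite is deliberately narrow: a naive ALG that replaces every occurrence of the private address in the message would also mangle Call-ID, which must stay constant for the life of the dialog. Inbound responses and RTP need the reverse mapping held in `bindings`, and `release_pair` must run on BYE or on a timeout, or the pool fragments and the busy condition arrives sooner.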

7.4.2 Middlebox Solutions

One drawback to ALGs is that they are embedded in the firewall itself, and thus the latency and throughput slowdown of all traffic traversing the firewall is aggregated and then compounded by the VOIP call volume. Middlebox-style solutions attempt to alleviate this malady by placing an extra device outside the firewall that performs many of the functions associated with an ALG. The device to which the application intelligence is extracted can be an "in-path" system such as an H.323 gatekeeper or a SIP proxy that sits in the control path of the session and is considered to be a "trusted system" [28]; it parses VOIP traffic and instructs the firewall to open or close ports based on the needs of the VOIP signaling via a midcom protocol (see Figure 10). The midcom protocol has not been finalized yet by the IETF. Abstracting stateful inspection and manipulation of signaling packets out of the NATs and firewalls (middleboxes) will improve scalability and, in the long run, reduce the cost of updating the network [10] by not having to replace the firewall every time the protocols change. There is also a performance improvement that comes from separating two highly processor-intensive tasks (VOIP parsing and packet filtering) into two separate spheres of influence. This strategy is currently being pursued by the IETF in the Middlebox Communications (Midcom) Working Group.

Figure 10. Middlebox Communications Scenario

There are some drawbacks to this approach. First, the firewall must be configured for control by the application-aware device, which incurs an initial setup cost. Also, the middlebox agent itself requires protection from attackers. A compromised midcom agent is disastrous for the network at large because the firewall takes control cues from the "trusted" device running the midcom agent. Thus an intruder taking control of the midcom agent could open any ports in the firewall and then gain access to the private network. So if the application-aware device (such as a SIP proxy) is placed outside the firewall, a second firewall would have to be used to protect that device.
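The control relationship in Figure 10, and the consequence of the agent being trusted, as an added example that is not part of the original text and is not the IETF midcom protocol: the request format, the HMAC authenticator, the shared key, the addresses and the port range are all assumptions of this illustration. The SIP proxy agent asks the firewall to open RTP and RTCP pinholes for a negotiated media address; the firewall authenticates each request, refuses replays, bounds the lifetime so a pinhole cannot linger the way a half-open session can, and applies a policy envelope (UDP, media port range only) so that even an attacker holding the agent's key cannot use the agent's authority to open an arbitrary port.

```python
import hashlib
import hmac

# Constructed parameters (assumptions for this illustration, not from the page):
# the key the proxy shares with the firewall, and the only ports the firewall
# will ever open on the proxy's instruction.
AGENT_KEY = b"proxy-firewall-shared-secret"
MEDIA_PORTS = range(10000, 20000)


def canonical(req):
    """Stable byte string over the request fields the authenticator covers."""
    fields = ("action", "proto", "src", "dst", "dport", "lifetime", "nonce")
    return "|".join(str(req[f]) for f in fields).encode()


def sign(req, key=AGENT_KEY):
    return hmac.new(key, canonical(req), hashlib.sha256).hexdigest()


class Firewall:
    """Opens pinholes only on authenticated requests from the registered agent,
    and only inside a fixed policy envelope: UDP, media ports, bounded lifetime."""

    def __init__(self, key=AGENT_KEY, media_ports=MEDIA_PORTS, max_lifetime=60):
        self.key = key
        self.media_ports = media_ports
        self.max_lifetime = max_lifetime
        self.pinholes = {}  # (proto, src, dst, dport) -> expiry time
        self.seen_nonces = set()

    def handle(self, req, mac, now):
        if not hmac.compare_digest(sign(req, self.key), mac):
            return "rejected: bad authenticator"
        if req["nonce"] in self.seen_nonces:
            return "rejected: replay"
        self.seen_nonces.add(req["nonce"])
        key = (req["proto"], req["src"], req["dst"], req["dport"])
        if req["action"] == "close":
            self.pinholes.pop(key, None)
            return "closed"
        # Policy envelope: a compromised agent still cannot open TCP/22
        # or hold a hole open indefinitely.
        if req["proto"] != "udp" or req["dport"] not in self.media_ports:
            return "rejected: outside media policy"
        lifetime = min(int(req["lifetime"]), self.max_lifetime)
        self.pinholes[key] = now + lifetime
        return "opened"

    def expire(self, now):
        self.pinholes = {k: t for k, t in self.pinholes.items() if t > now}

    def allows(self, proto, src, dst, dport, now):
        self.expire(now)
        return (proto, src, dst, dport) in self.pinholes


class SipProxyAgent:
    """The trusted in-path device: given a negotiated media address it requests
    the RTP pinhole and the RTCP pinhole on the next port (RFC 3550 convention)."""

    def __init__(self, firewall, key=AGENT_KEY):
        self.fw = firewall
        self.key = key
        self.counter = 0

    def request(self, action, proto, src, dst, dport, lifetime, now):
        self.counter += 1
        req = {"action": action, "proto": proto, "src": src, "dst": dst,
               "dport": dport, "lifetime": lifetime, "nonce": f"{now}-{self.counter}"}
        return self.fw.handle(req, sign(req, self.key), now)

    def open_media(self, src, dst, rtp_port, now, lifetime=30):
        return [self.request("open", "udp", src, dst, p, lifetime, now)
                for p in (rtp_port, rtp_port + 1)]


def demo():
    """Exercise the exchange; constructed addresses 203.0.113.10 -> 198.51.100.7."""
    fw = Firewall()
    agent = SipProxyAgent(fw)
    out = {}
    out["open"] = agent.open_media("203.0.113.10", "198.51.100.7", 10000, now=0)
    out["rtp_allowed"] = fw.allows("udp", "203.0.113.10", "198.51.100.7", 10000, now=5)
    rogue = {"action": "open", "proto": "tcp", "src": "203.0.113.10", "dst": "198.51.100.7",
             "dport": 22, "lifetime": 86400, "nonce": "x1"}
    # Without the key the request is dropped before any policy check.
    out["rogue_unauth"] = fw.handle(rogue, sign(rogue, b"wrong-key"), now=5)
    # With the real key it authenticates, but the envelope still refuses it.
    out["rogue_auth"] = fw.handle(rogue, sign(rogue), now=5)
    # Pinholes lapse on their own instead of lingering like a half-open session.
    out["rtp_after_expiry"] = fw.allows("udp", "203.0.113.10", "198.51.100.7", 10000, now=31)
    return out
```

The envelope is the practical mitigation for the caveat in the text: the firewall still trusts the agent, but only within a pre-agreed scope, so compromise of the proxy yields transient UDP pinholes in the media range rather than a door into the private network. The second firewall the text recommends in front of the proxy is still needed; the envelope limits the damage, it does not remove the need to protect the agent.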

7.4.3 Session Border Controllers

While application level gateways may carry scalability concerns, middlebox solutions have not found their way out of standards bodies and into commercial products as fast as might have been hoped. In the absence of a universally accepted solution to the issues associated with firewall/NAT traversal, product developers have brought to market a solution that has come to be known as a Session Controller, or a Session Border Controller (SBC). SBCs are dedicated appliances that offer one or more of the following services to a VOIP perimeter: firewall/NAT traversal, call admission control, service level agreement monitoring, support for lawful intercept, and protocol interworking. Third-party analysis of these solutions is not widely available as of yet, but in the near term the demand for these products is expected to grow.
