T 4.59 Non-accessibility of VoIP due to NAT

In the Internet, a computer can be uniquely identified by means of its IP address. In Internet Protocol version 4 (IPv4), which is currently the version most often used, the IP address is composed of four numbers between 0 and 255, for example 194.95.176.226. In the newer Internet Protocol version 6 (IPv6), an IP address consists of eight four-digit hexadecimal numbers, for example FEDC:BA98:7654:3210:FEDC:BA98:7654:3210. The main disadvantage of version 4 when compared to version 6 (which has not prevailed yet) is the low number of public IP addresses available in the address space. Only very few organisations are able to obtain enough IP addresses to assign every workstation computer its own static IP address. This problem can be eliminated using Network Address Translation (NAT). In this case, only the system located between the public network and the private network needs one (or just a few) public IP address(es). The actual workstation computers are assigned internal IP addresses, and when a packet is forwarded by one of the active network components (usually a NAT gateway), the internal IP address is converted into an external IP address.

A new UDP or TCP connection needs to be opened for the media stream, which is needed to transmit the voice information. The IP addresses and port numbers required for this purpose are transmitted in the signalling information. NAT modifies the source IP address in the IP header and the source port number in the UDP or TCP header of the media stream. The specifications for the source IP address and port number in the message section of the signalling information remain unchanged.

As a result, media streams cannot be sent to a VoIP telephone located behind a NAT gateway. VoIP devices located in the Internet cannot send any media streams to a VoIP telephone located behind a NAT gateway, since the private IP address is not routed in the Internet. Voice communication with VoIP devices located behind a NAT gateway because the configuration is critical and needs to be secured is therefore impossible even when there are no errors in signalling.

Protocols such as IAX (InterAsterisk eXchange) or Skype are exceptions. In these protocols, signalling as well as the media transport is performed using an existing connection. Since no additional connections to the computers in the private network need to be established, the problems with NAT described above are eliminated when using one of these protocols. However, since no more checks are performed on the network gateway when these protocols are used, other security problems can arise.

To enable VoIP communication via a NAT gateway, the media stream of the NAT gateway can be forwarded statically to the VoIP devices. This potential solution is often encountered on private customer connections to SIP providers. However, this can lead to problems. In this case, the sender located outside of the LAN establishes a connection to the NAT gateway using a reserved port number. The NAT gateway transfers this connection to the end device assigned to this port number. This approach assumes that the devices participating in the connection know the reserved port numbers. A more serious disadvantage, though, is that the forwarded ports of the VoIP system behind the NAT gateway can be accessed from the public data network.

© Federal Office for Information Security. All rights reserved.