9. Firewall Traversal Techniques


When VoIP was first introduced, a variety of factors interfered with it and made it very hard to use; elaborate configuration was needed before it would work. The most common problem was a misconfigured computer on one side, which left that side of the call without sound, so both the caller and the callee had to be computer experts for a two-way call to go smoothly. Another major limitation was that both ends had to enter the IP address of the computer in use before the two sides could connect. For users going online from home over dial-up or ADSL equipment, or sitting behind a firewall, this was a hard task: neither the user nor the computer itself could easily learn its external IP address. The situation improved substantially only after Skype was released, which greatly raised the usability of VoIP and let ordinary computer users use it with ease. VoIP now works even when the user is behind a firewall, thanks to "VoIP NAT/firewall traversal" techniques.

9.1 Origins of NAT and firewalls

NAT is a technique that translates between internal IP addresses and external IP addresses. It arose because IPv4 addresses are scarce: many enterprises and network companies own only a few IP addresses but have too many computers inside the company, so they adopted IP sharing, letting one IP address serve several computers. Today the most common IP sharing devices and wireless LAN Access Points all have NAT functionality. A user who goes online over ADSL receives one IP address, and the IP sharing device or WLAN AP assigns a set of private IP addresses reserved for internal use, usually 192.168.0.x, to all internal computers. Each internal computer has a 192.168.0.x address, but the WLAN AP has only the one external IP address assigned by the network company.

NAT normally maps the (IP, port number) used by each computer, called the internal address in this text, to a (shared IP, port number), called the external address in this text. The NAT rewrites the headers of inbound and outbound packets so that internal computers can communicate transparently with the external network.

It is natural for enterprises to use firewalls to control their networks. A firewall usually has three main functions:

- Access control
- Authentication
- Security auditing

Commonly used private IP addresses are:

- 10.0.0.0/8
- 172.16.0.0-172.31.0.0.
- 192.168.0.0/24

NAT and firewalls cause a great deal of trouble for VoIP connections, which forced VoIP researchers to develop a rather complicated set of techniques that let VoIP traverse firewalls, so that users behind a firewall can use VoIP freely.

9.2 Types of firewall/NAT

The firewall is usually integrated into the NAT. Depending on the firewall technique used, NATs can be divided into several classes. The four main classes are shown in Table 9.1:

Table 9.1 Cone NAT types (NAT Type: Operation)

- Full Cone: Any external host can send a packet to the internal host, by sending a packet to the mapped external address.
- Restricted Cone (Address Restricted Cone): An external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X. Once an internal address (iAddr:port1) is mapped to an external address (eAddr:port2), any packets from iAddr:port1 will be sent through eAddr:port2. Any external host can send packets to iAddr:port1 by sending packets to eAddr:port2
- Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers.
- Symmetric NAT: Each request from the same internal IP address and port to a specific destination IP address and port is mapped to a unique external source IP address and port. If the same internal host sends a packet even with the same source address and port but to a different destination, a different mapping is used. Only an external host that receives a packet from an internal host can send a packet back.

Table 9.2 Cone NAT characteristics

Columns: NAT Type; Address binding; Port binding; Bindings per session; UDP NAT; TCP NAT; Session direction

- Full Cone: no; ->; 1; yes; no
- Restricted Cone (Address Restricted Cone): no; ->; 1; yes; no; ->
- Port Restricted Cone: no; ->; 1; yes; yes; ->
- Symmetric NAT: no; no; 0; yes; yes; ->

9.2.1 Full Cone NAT

Full Cone simply performs address translation and places no restriction on inbound or outbound packets. Its operation is shown in Figures 9.1 and 9.2.

Figure 9.1: Full Cone NAT
Figure 9.2: Operation of Full Cone NAT

9.2.2 Restricted Cone NAT (Address Restricted Cone)

Restricted Cone NAT adds a slight restriction on packets entering and leaving. The destination IP address of each packet sent from the inside is remembered. Only addresses that have previously received such packets may send packets in through the NAT; packets from any other address are blocked. In other words, only an address that has received a packet sent from inside the NAT can send packets into a Restricted Cone NAT. Its operation is shown in Figures 9.3 and 9.4.

Figure 9.3: Restricted Cone NAT
Figure 9.4: Operation of Restricted Cone NAT

9.2.3 Port Restricted Cone NAT

Port Restricted Cone adds one more restriction than Restricted Cone: both the destination IP address and the port number of each packet sent from the inside are remembered. Packets arriving from outside are blocked unless they come from an IP address and port number that has received a packet sent from the inside. In other words, only an address and port number that has received a packet sent from inside the NAT can send packets into the Port Restricted Cone NAT. Its operation is shown in Figures 9.5 and 9.6.

Figure 9.5: Port Restricted Cone NAT
Figure 9.6: Operation of Port Restricted Cone NAT

9.2.4 Symmetric NAT
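Figure 9.7: Symmetric NAT

Symmetric NAT is the strictest of the four Cone NAT types. When the first three types translate addresses, a given internal address maps to the same external address no matter where the packet is sent. In a Symmetric NAT, each internal address maps to a different external address for each different destination. Symmetric NAT only lets a user on the Internet send packets back after a user inside the private network has first sent a packet to that Internet user. Its operation is shown in Figures 9.7 and 9.8. As network security requirements keep rising, this type of NAT is used more and more.

Figure 9.8: Symmetric NAT

9.3 Problems caused by NAT

SIP is the most widely used VoIP communication protocol on today's Internet. The agent attached at the user side (CPE) is called the User Agent (UA); all the software functions the user side needs are built into the UA. Various servers are also deployed on the network, providing all kinds of services, and together they form a smoothly running telephone network. We use SIP as the example to explain the problems that NAT and firewalls cause for VoIP protocols. For convenience, this text uses SIP as the example when explaining the various VoIP techniques. The "user's computer" mentioned earlier in fact plays the role of the UA in the SIP architecture.

In the SIP protocol, a UA must actively register with the registrar server so that the registrar server can keep track of the UA. To set up a call session, the calling UA actively sends an INVITE request to the proxy servers and to the called UA. Both kinds of request, when they originate outside the firewall, are blocked by the firewall. The registrar server therefore cannot be placed inside the firewall. UAs are more troublesome: inevitably a considerable number of VoIP users sit inside a firewall. They can place outbound calls without interference, but it is very hard for them to receive calls from others. In other words, without a suitable solution, VoIP users inside a firewall can only make calls and cannot receive them.

9.4 Existing firewall/NAT traversal techniques

Several existing firewall/NAT traversal techniques are:

- UPnP (Universal Plug and Play)
- STUN (Simple Traversal of UDP Through Network Address Translators) - RFC 3489
- TURN (Traversal Using Relay NAT)
- ALG (Application Layer Gateway)
- ICE (Interactive Connectivity Establishment)

9.4.1 Universal Plug and Play (UPnP)

Universal Plug and Play (UPnP) is a protocol proposed by Microsoft. Its purpose is to simplify the process of networking smart devices in homes and enterprises. Devices connect to one another automatically over the network using TCP/IP, the connection process needs neither user involvement nor a central server, and UPnP devices can automatically discover the network and configure network address settings. It traverses NAT as follows:

- The VoIP application first checks whether it is located behind a UPnP-capable NAT device.
- The application obtains the shared public IP address and port that the NAT will use for the signaling and media streams.
- The VoIP client can then place this information in its VoIP signaling to set up the call.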
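- Once the call is established, the obtained external address (public IP address and port) is used for peer-to-peer transmission.

Figure 9.9 is an example of UPnP firewall traversal in operation. Its problem is that both the NAT and the VoIP client (UA) must support UPnP, but UPnP is not yet supported by all UAs and NATs (winning the support of every UA and NAT vendor is no easy matter). NATs are the bigger problem: for security reasons, almost no NAT is willing to support UPnP.

Figure 9.9: Operation of UPnP firewall traversal

9.4.2 STUN

STUN (Simple Traversal of UDP Through Network Address Translators - RFC 3489) is the best known and most widely used solution for VoIP traversal of NAT firewalls. STUN uses a server on the Internet to help a UA inside the firewall learn the external address to which the NAT has translated it, and helps other parties' VoIP calls pass through the firewall to reach the UA inside.

Many application-layer VoIP programs rely on the UA to supply its own IP address and port number, so that the UAs at both ends know each other's IP address and port number and can exchange packets to set up a two-way call. If the UA is behind a NAT, however, it cannot see its own NAT-translated external address without outside help, so it cannot supply this information and VoIP cannot operate smoothly.

Figure 9.10: UA communicating with STUN to learn its external address

A STUN server can act as an intermediary that helps the UA see its own translated external address, as shown in Figure 9.10. The UA sends a message to the STUN server; the STUN server extracts the UA's external address from the packet and returns it to the UA. In addition, the STUN server can use a series of test packets to determine the type of NAT and provide the corresponding traversal method. Figures 9.11 and 9.12 show the architecture and flow of NAT type detection with a STUN server. Unfortunately, STUN cannot traverse Symmetric NAT, and that is precisely the type of NAT that has become mainstream in the NAT market.

The following are the addresses of public STUN servers:

- stun.fwdnet.net
- stun.fwd.org (no DNS SRV record)
- stun01.sipphone.com (no DNS SRV record)
- stun.softjoys.com (no DNS SRV record)
- stun.voipbuster.com (no DNS SRV record)
- stun.voxgratia.org (no DNS SRV record)
- stun.xten.com
- stun1.noc.ams-ix.net (DNS SRV record on domain ams-ix.net not noc.ams-ix.net)

Figure 9.11: Architecture of NAT type detection with a STUN server
Figure 9.12: Flow of NAT type detection with a STUN server

9.4.3 TURN

TURN provides a more powerful relay function than STUN, enough to traverse Symmetric NAT firewalls. All packets sent by the two endpoints of a VoIP session go first to the TURN server, which forwards them to the other side. Its operation is shown in Figure 9.13.

A UA that uses the TURN service must, at start-up, act as a TURN client and send a "TURN allocate" request to the TURN server. The TURN server remembers the IP address and port the request came from and replies with a public IP address and port. The TURN server then waits for incoming data on the public port it allocated. Once start-up is complete, the TURN client can send packets to the allocated public port, which amounts to establishing a communication channel between the UA and the TURN server.

When the TURN server receives a packet, it stores the packet's source IP address and port and then forwards the request to the address it asks to reach. From then on the TURN server acts as a relay between the two addresses: any data received from the first address is delivered to the second, and any data received from the second address is delivered to the first. This approach does traverse the firewall, but it gives up the character of P2P communication and becomes a client-server model. The load is concentrated on the TURN server, which must also carry all the bandwidth, so no VoIP operator dares to adopt it. This solution should therefore be considered only as a last resort.

Figure 9.13: TURN

9.4.4 ALG (Application Layer Gateway)

Application Layer Gateways (ALGs) are a SIP-aware firewall traversal technique. The technique requires replacing existing NATs, which severely limits its adoption. To overcome this limitation, the Middlebox Communication (MIDCOM) protocol was proposed. MIDCOM lets applications, such as VoIP UAs and servers, control the NAT. For security reasons, however, network administrators will not accept users' applications controlling their NATs, so adoption is again fraught with difficulty.

Figure 9.14: ALG

9.4.5 ICE (Interactive Connectivity Establishment)

The IETF proposed the Interactive Connectivity Establishment (ICE) technique, which combines STUN and TURN. In 2005 Microsoft and Cisco announced that they would adopt ICE. For its detailed operation see Figure 9.15.

Figure 9.15: ICE

9.4.6 Proprietary solution

Skype, the currently very popular P2P VoIP system, has an important proprietary solution for VoIP traversal of NATs and firewalls. The author regards it as a distributed TURN. Clients connected to Skype cooperate with one another. Some clients with more plentiful resources are selected as super nodes (SN) and perform some server functions to spread the servers' load. Each client keeps a continually updated directory of SNs. At login, it tries to open a TCP connection to one of these nodes (SN) and keeps that connection open, so that the SN and the Skype client maintain a channel that can pass through the firewall. Each client uses the SN to detect the presence and the type of the NAT firewall that controls its inbound and outbound traffic.

The Skype client sends control signals over TCP. In the simplest case, when both the calling and the called client have public IP addresses, a direct TCP connection is set up between caller and callee to carry the control signals, and the multimedia packets are then sent directly over UDP. If the caller or the callee is behind a NAT firewall, the call signaling and multimedia packets cannot be sent directly, so the clients use an SN as an intermediary and ask it to help relay the packets. If the firewall prevents voice packets from being sent over UDP, Skype switches to TCP. If TCP also fails, it tries sending packets over TCP to two commonly used ports, HTTP (80) and HTTPS (443). Ordinary firewalls do not block these two ports, and the Skype client opens both of them from the start to have them ready. Skype's ability to traverse firewalls is thus quite sophisticated, and it is no wonder it is so popular.

References

- Solving the Firewall and NAT Traversal Issues for Multimedia over IP Service, http://www.newport-networks.com/
- SearchTekTarget.com
- Newport Networks, NAT Traversal for Multimedia over IP
- Analysis of NGN Technology Applications in Enterprise Networks, Communications World, Hu Lin
- IETF RFC 3489
- Network Address Translation (NAT), Advanced Internet Services, Henning Schulzrinne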
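Added example (not part of the original chapter): a toy model of the four NAT behaviours from section 9.2, showing why an external address learned through STUN (section 9.4.2) is reachable by a peer behind the cone types but not behind a Symmetric NAT. The class, function names and all addresses are constructed for illustration.

```python
from itertools import count

class Nat:
    """Toy NAT: kind is 'full', 'restricted', 'port_restricted' or 'symmetric'."""
    def __init__(self, kind, public_ip="203.0.113.1"):  # constructed address
        self.kind = kind
        self.public_ip = public_ip
        self.ports = count(40000)   # next free external port
        self.mapping = {}           # mapping key -> external port
        self.sent = {}              # external port -> {(dst_ip, dst_port), ...}

    def outbound(self, src, dst):
        """Translate a packet from internal src to dst; return the external address."""
        # Cone types key the mapping on the internal address only;
        # symmetric NAT creates a new mapping per destination.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mapping:
            self.mapping[key] = next(self.ports)
        port = self.mapping[key]
        self.sent.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound_allowed(self, ext_port, remote):
        """Would a packet from remote to public_ip:ext_port be forwarded inside?"""
        peers = self.sent.get(ext_port)
        if peers is None:
            return False                         # no mapping exists
        if self.kind == "full":
            return True                          # any external host
        if self.kind == "restricted":
            return remote[0] in {ip for ip, _ in peers}   # IP must match
        return remote in peers                   # IP and port must match

def stun_then_call(kind):
    """UA learns its address via STUN, sends to the peer, peer replies to that address."""
    nat = Nat(kind)
    ua = ("192.168.0.10", 5060)
    stun, peer = ("198.51.100.5", 3478), ("198.51.100.77", 5060)
    learned = nat.outbound(ua, stun)   # what the STUN server would report
    nat.outbound(ua, peer)             # UA opens the path toward the peer
    return nat.inbound_allowed(learned[1], peer)
```

With a Symmetric NAT the packet toward the peer leaves from a different external port than the one the STUN server saw, so the peer's reply to the learned address is dropped.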
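Added example (not part of the original chapter): the message exchange of section 9.4.2 at the byte level, using the RFC 3489 header and MAPPED-ADDRESS attribute layout. The server reply is constructed inline so the code runs offline; function names and the sample address are assumptions for illustration.

```python
import os
import socket
import struct

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101   # RFC 3489 message types
MAPPED_ADDRESS = 0x0001                              # RFC 3489 attribute type

def build_binding_request(tid=None):
    """20-byte header: message type, body length, 128-bit transaction ID."""
    tid = tid or os.urandom(16)
    return struct.pack("!HH16s", BINDING_REQUEST, 0, tid), tid

def parse_binding_response(data, expected_tid):
    """Return (ip, port) from MAPPED-ADDRESS after validating the header."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, tid = struct.unpack("!HH16s", data[:20])
    if mtype != BINDING_RESPONSE:
        raise ValueError("not a Binding Response")
    if tid != expected_tid:
        # A reply that does not echo our transaction ID answers some other
        # request (or is spoofed) and must not be trusted.
        raise ValueError("transaction ID mismatch")
    if mlen != len(data) - 20:
        raise ValueError("length field disagrees with datagram size")
    off = 20
    while off + 4 <= len(data):                      # walk the TLV attributes
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        value = data[off + 4:off + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        if atype == MAPPED_ADDRESS:
            if alen != 8 or value[1] != 0x01:        # family 0x01 = IPv4
                raise ValueError("unsupported MAPPED-ADDRESS")
            port, = struct.unpack("!H", value[2:4])
            return socket.inet_ntoa(value[4:8]), port
        off += 4 + alen
    raise ValueError("no MAPPED-ADDRESS attribute")

def sample_response(tid, ip="203.0.113.1", port=40000):
    """Constructed server reply carrying the UA's external address."""
    attr = struct.pack("!HHBBH4s", MAPPED_ADDRESS, 8, 0, 0x01, port,
                       socket.inet_aton(ip))
    return struct.pack("!HH16s", BINDING_RESPONSE, len(attr), tid) + attr
```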


