Microsoft, Cisco back ICE
Microsoft and Cisco Systems today jointly announced their support for the developing Interactive Connectivity Establishment (ICE) technology for enabling voice over IP and multimedia services to traverse firewalls and network address translators.
The goal is to enable VoIP and IP-based multimedia to easily and securely traverse more networks, using a standards-based approach that allows existing security devices to continue to function. Approaches used today, by companies such as Skype, involve proprietary tunneling schemes that are not standards-based.
ICE, which is currently before the IETF to become a standard, is deployed in client devices and in servers within the network to allow SIP signaling to be established when NAT/firewall devices are being used, in order to set up voice and video calls over IP networks, said Russell Bennett, program manager for the Real Time Collaboration Group of Microsoft.
“What Skype does is unreliable, insecure and only works on a small scale,” he said. “That may be okay for a consumer VoIP service, but it doesn’t work for broader applications.”
A prime benefit of ICE is that it can be deployed in today’s networks without disrupting their security schemes, Bennett said.
“NATs and firewalls are widely deployed in all kinds of networks--even in-home Linksys wireless routers typically have a firewall device,” he said. “They are there for a good reason, but they will also block real-time media like voice and video.”
The problem revolves around IP addresses and how devices are identified for real-time communication services such as voice and video, Bennett explained. Normally, IP devices send out their addresses to both send and receive traffic on an IP network.
“In a voice or video interaction, the RTP media stream is established directly between the two clients,” he said. “The SIP message contains reachable addresses. But when there are NATs in the signaling path, they can misdirect SIP signaling.”
This occurs because the NAT/firewall translates between an internal and an external numbering scheme--from within or outside an enterprise, for example--and applies that change in the media packet header, but not in the SIP header.
The ICE approach uses servers in the network, built on one existing and one developing standard--known as STUN (RFC 3489) and TURN--to create a secure signaling path that enables client devices to properly identify their IP addresses for a VoIP or video service without disabling the security function of the NAT/firewall.
“It doesn’t matter where TURN and STUN servers are or who owns them--all that matters is that they are discoverable,” Bennett said. “The client device communicates with the service and basically says, ‘I think my IP address is this, but what does it look like when it gets to you?’ and the STUN server says, ‘Well, you look like that to me.’ The ICE client then knows how the outside world views its IP address, and can use that in the SIP message and start putting correct IP addresses in the media packets.”
This signaling process takes place in milliseconds, he added.
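The address check described above, as an added example that is not from the article, Microsoft or Cisco: a client builds an RFC 3489 STUN Binding Request and reads the MAPPED-ADDRESS attribute of the reply to learn how the outside world sees it. The server reply, the addresses and the helper names are constructed for illustration; a real client would send the request to a STUN server over UDP.

```python
import os
import socket
import struct

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED_ADDRESS = 0x0001
HEADER = struct.Struct("!HH16s")  # type, body length, 128-bit transaction ID


def build_binding_request():
    """Return (txid, packet) for a Binding Request with no attributes."""
    txid = os.urandom(16)
    return txid, HEADER.pack(BINDING_REQUEST, 0, txid)


def parse_binding_response(packet, expected_txid):
    """Return the (ip, port) the server saw, or raise ValueError."""
    if len(packet) < HEADER.size:
        raise ValueError("truncated header")
    msg_type, length, txid = HEADER.unpack_from(packet)
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response")
    if txid != expected_txid:  # reply does not answer our request
        raise ValueError("transaction ID mismatch")
    if length != len(packet) - HEADER.size:
        raise ValueError("length field disagrees with packet size")
    offset = HEADER.size
    while offset + 4 <= len(packet):
        attr_type, attr_len = struct.unpack_from("!HH", packet, offset)
        value = packet[offset + 4:offset + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("truncated attribute")
        if attr_type == MAPPED_ADDRESS:
            if attr_len != 8 or value[1] != 0x01:  # 0x01 = IPv4
                raise ValueError("unsupported MAPPED-ADDRESS")
            return socket.inet_ntoa(value[4:8]), struct.unpack_from("!H", value, 2)[0]
        offset += 4 + attr_len
    raise ValueError("no MAPPED-ADDRESS attribute")


def constructed_response(txid, ip, port):
    """Constructed sample: what a STUN server would send back for ip:port."""
    attr = struct.pack("!HHBBH4s", MAPPED_ADDRESS, 8, 0, 0x01, port, socket.inet_aton(ip))
    return HEADER.pack(BINDING_RESPONSE, len(attr), txid) + attr


if __name__ == "__main__":
    local = ("192.168.1.20", 5060)  # constructed private address
    txid, request = build_binding_request()
    reply = constructed_response(txid, "203.0.113.7", 40000)  # constructed public mapping
    mapped = parse_binding_response(reply, txid)
    print("local", local, "seen as", mapped, "NAT in path:", mapped != local)
```

Rejecting replies whose transaction ID does not match the request keeps an unsolicited packet from supplying the address the client later advertises in SIP.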
Bennett conceded that Microsoft and Cisco wield major market power but said neither company has "an axe to grind here--this is about enabling the industry to move forward."
© 2008 Penton Media Inc.











