NAPT devices, in general, do not allow unknown traffic flows to be initiated from the core network side. The first message is typically sent toward the core network by an endpoint behind the NAPT device on the access network, which creates a new binding on the NAPT device. This behavior creates difficulties for media streams sent to devices behind NAPT devices, because the IP address and port combination inserted into the signaling message(s) is the endpoint's private address and not the IP address and port combination to be used when sending media packets to such endpoints. To overcome this problem, media address learning can be used.
The first-hop media entity in the core network or public domain from the endpoint perspective sends media packets to the endpoint only after it receives a first media packet from the endpoint. After that first media packet, the first-hop media entity sends media packets to the source IP address and port combination of the first media packet received from the endpoint.
A problem with media address learning is security. The first-hop media entity uses the source IP address and port of the first packet received on the port allocated for this session, but there is no guarantee that the packet was really sent by the endpoint behind the NAPT device. An attacker can continuously send packets to media ports of the first-hop media device and thereby cause media traffic to be learned toward the wrong address and not be received by the endpoint.
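The following simulation is an added example and is not code from the original document. It models the learning behavior described above (a session port on the first-hop media entity latches onto the source address of the first inbound packet) and then replays the failure mode from the security paragraph: if a packet from an unsolicited source arrives before the endpoint's first packet, the endpoint's media is sent to that source instead. A second mode of the same model adds a hypothetical plausibility check, assumed here and not taken from the page: the first packet is accepted only if its source IP matches the public IP observed for the same endpoint on the signaling path. All addresses and ports are constructed sample values.

```python
"""Simulation of media address learning at a first-hop media entity (added example)."""
from dataclasses import dataclass
from typing import Optional, Tuple

Addr = Tuple[str, int]

# Constructed sample addresses (not from the page).
ENDPOINT_PUBLIC: Addr = ("203.0.113.7", 61234)   # endpoint as seen after NAPT
ENDPOINT_SIGNALED: Addr = ("192.168.1.10", 5004)  # private address carried in signaling
OTHER_SOURCE: Addr = ("198.51.100.9", 5004)       # unrelated/unsolicited sender


@dataclass
class Packet:
    src: Addr       # source IP and port as seen by the media entity
    payload: bytes  # constructed sample payload; content is irrelevant here


@dataclass
class MediaSession:
    """State for one media session on the first-hop media entity."""
    local_port: int
    signaled_addr: Addr                    # from signaling; unusable behind NAPT
    expected_src_ip: Optional[str] = None  # IP seen on the signaling path (assumption)
    strict: bool = False                   # enable the hypothetical source-IP check
    learned_addr: Optional[Addr] = None    # address learned from the first packet
    dropped: int = 0                       # packets rejected by the check

    def on_inbound(self, pkt: Packet) -> bool:
        """Process a packet arriving on local_port.

        Returns True if the packet established or matches the learned binding.
        Once a binding exists it is never replaced, mirroring the text: the
        entity keeps using the source of the *first* packet it received.
        """
        if self.learned_addr is not None:
            return pkt.src == self.learned_addr
        if self.strict and self.expected_src_ip is not None \
                and pkt.src[0] != self.expected_src_ip:
            # Hypothetical mitigation: ignore a first packet whose source IP
            # does not match the IP the endpoint's signaling came from.
            self.dropped += 1
            return False
        self.learned_addr = pkt.src
        return True

    def outbound_destination(self) -> Optional[Addr]:
        """Where media for the endpoint is sent; None until learning completes."""
        return self.learned_addr


def run_scenario(strict: bool, first_src: Addr, second_src: Addr) -> Optional[Addr]:
    """Deliver two inbound packets in order and report where outbound media goes."""
    sess = MediaSession(local_port=40000, signaled_addr=ENDPOINT_SIGNALED,
                        expected_src_ip=ENDPOINT_PUBLIC[0], strict=strict)
    sess.on_inbound(Packet(first_src, b"\x80\x60\x00\x01"))
    sess.on_inbound(Packet(second_src, b"\x80\x60\x00\x02"))
    return sess.outbound_destination()


def legitimate_learning() -> Optional[Addr]:
    """Endpoint sends first: the NAPT-translated address is learned."""
    return run_scenario(False, ENDPOINT_PUBLIC, ENDPOINT_PUBLIC)


def misdirected_learning() -> Optional[Addr]:
    """Unsolicited source sends first: the endpoint's media is sent elsewhere."""
    return run_scenario(False, OTHER_SOURCE, ENDPOINT_PUBLIC)


def checked_learning() -> Optional[Addr]:
    """Same ordering with the hypothetical check: the unsolicited packet is ignored."""
    return run_scenario(True, OTHER_SOURCE, ENDPOINT_PUBLIC)


if __name__ == "__main__":
    print("legitimate :", legitimate_learning())
    print("misdirected:", misdirected_learning())
    print("checked    :", checked_learning())
```

The two unchecked runs show the core point of the paragraph: the binding is decided purely by packet arrival order, so the signaled address plays no role and whichever source reaches the session port first receives the endpoint's media. The strict mode is one simple plausibility check; it does not defend against a sender on the same public IP, and in practice the binding would also be authenticated at the media layer rather than inferred from addressing alone.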