SIP, NAT, Firewall: How to Traverse NAT/Firewall for SIP

Posted on 21-Dec-2015


SIP, NAT, Firewall

How to Traverse NAT/Firewall for SIP

Outline

• NAT

• SIP Traversal of Firewall

• SIP Traversal of NAT

• Solution

• Summary

• Reference

Types of NAT

[Diagram: Computer C (10.0.0.1, port 8000) sits behind a NAT with public address 202.123.211.123; its traffic to Computer A (222.111.99.3, port 20203) and Computer B (222.111.88.2, ports 10101 and 10102) appears to come from 202.123.211.123:12345. Labels: Full Cone, Restricted Cone, Port Restricted Cone.]

Types of NAT

[Diagram: same hosts; the Symmetric NAT maps Computer C to 202.123.211.123:12345 for one destination and to 202.123.211.123:45678 for the other.]

SIP Traversal of Firewall

[Diagram: Internal and External sides of a firewall. SIP signaling passes on the known port 5060, but the RTP media stream uses an address and ephemeral port that the firewall does not know in advance (Port ?).]

SIP Traversal of NAT (1)

• SIP Signaling
  – Based on TCP
  – Based on UDP

SIP Traversal of NAT (2)

• RTP – Media Stream

Solution

• Firewall Control Proxy (Middlebox Communications (MIDCOM) Protocol)

• Discovery Protocol

• Solution for Symmetric NATs

• Application Layer Gateway

Firewall Control Proxy (MIDCOM)

• In this case the SIP provider is also the IP network provider
• Middleboxes
  – RFC 3303 - Middlebox communication architecture and framework
• Benefits
  – Load balancing / lower cost / faster …

Discovery Protocol

• Universal Plug and Play (UPnP)

• RSIP

• STUN

UPnP

• Universal Plug and Play (UPnP)

• A client can ask the NAT how it would map a particular IP:Port

• Pushed by Microsoft

• It won’t work in the case of cascading NATs

RSIP (1)

• Lets internal clients ask an RSIP server for the specific public resource required by the application

RSIP (2)

STUN

• Simple Traversal of UDP Through NATs (STUN, RFC 3489)

• A kind of NAT probe; it can also determine which kind of NAT you are behind

• It won’t work in case of symmetric NATs

TURN - Solution for Symmetric NATs

• Connection-Oriented Media
  – “Connection-Oriented Media Transport in SDP”, IETF draft
  – Add a line a=direction:active
• Traversal Using Relay NAT
  – The client doesn’t support the tag above
  – If both endpoints are behind Symmetric NATs

Traversal Using Relay NAT

Application Layer Gateway

• Special purpose code for particular applications/services

• With a NAT, the ALG examines the application data for occurrences of internal addresses and replaces them with routable addresses

Implementation of ALG

1. Parse SIP message (INVITE, ACK, CANCEL, REGISTER, 200 OK, 404, …)
2. Translate
   – Keep call leg -> To- / From- / Call-ID
   – Record IP addresses and replace them
3. Calculate checksum
4. Send packet
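The translate step of that flow as an added Python example (not code from the slides): it parses a SIP message, keeps the call leg keyed by Call-ID/From/To, rewrites the internal address where it names a transport endpoint (Via, Contact, SDP c= and o= lines) and recomputes Content-Length. The private and public addresses and the INVITE are constructed sample values; the UDP/IP checksum step happens when the packet is rebuilt and is outside this string-level example.

```python
# Added example (not from the slides): the Parse / Translate steps of a SIP ALG over UDP.
# Constructed values: Computer C at 10.0.0.1 behind a NAT whose public address is 202.123.211.123.
PRIVATE_IP = "10.0.0.1"
PUBLIC_IP = "202.123.211.123"
REWRITE_HEADERS = ("via", "contact")  # headers that carry a transport address
REWRITE_SDP_PREFIXES = ("c=", "o=")   # SDP lines that carry the media address

SAMPLE_INVITE = (  # constructed INVITE from Computer C to Computer A
    "INVITE sip:bob@222.111.99.3 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.1:8000;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@10.0.0.1>;tag=1928301774\r\n"
    "To: <sip:bob@222.111.99.3>\r\n"
    "Call-ID: a84b4c76e66710@10.0.0.1\r\n"
    "Contact: <sip:alice@10.0.0.1:8000>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 96\r\n\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.0.0.1\r\n"
    "c=IN IP4 10.0.0.1\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [(n.strip(), v.strip()) for n, _, v in (l.partition(":") for l in lines[1:])]
    return lines[0], headers, body

def header(headers, name):
    return next((v for n, v in headers if n.lower() == name.lower()), "")

def alg_translate(raw, call_legs):
    """Record the call leg, rewrite internal addresses, fix Content-Length."""
    start, headers, body = parse_sip(raw)
    # Step 1: keep the call leg keyed by Call-ID/From/To so the reply can be mapped
    # back; these three headers are therefore left untouched.
    key = (header(headers, "Call-ID"), header(headers, "From"), header(headers, "To"))
    call_legs[key] = {"internal": PRIVATE_IP, "public": PUBLIC_IP}
    # Step 2: replace the internal address only where it names a transport endpoint.
    headers = [(n, v.replace(PRIVATE_IP, PUBLIC_IP) if n.lower() in REWRITE_HEADERS else v)
               for n, v in headers]
    body = "\r\n".join(l.replace(PRIVATE_IP, PUBLIC_IP) if l.startswith(REWRITE_SDP_PREFIXES)
                       else l for l in body.split("\r\n"))
    # The address string grew, so Content-Length must be recomputed; the UDP/IP
    # checksums are recalculated when the packet itself is rebuilt, not here.
    headers = [(n, str(len(body.encode())) if n.lower() == "content-length" else v)
               for n, v in headers]
    return "\r\n".join([start] + [f"{n}: {v}" for n, v in headers]) + "\r\n\r\n" + body
```

This only works because the message is in the clear; a TLS-protected SIP message gives the ALG nothing to parse.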

Challenge of SIP ALG

• ALG cannot handle encrypted SIP messages

• Scalability

• Impracticality: ALG code cannot keep up with the speed of deploying new applications

• Reliability

Summary

• There is no single best solution yet

Reference

• “VoIP Traversal of NAT and Firewall”, Cisco White Paper

• “NAT Traversal in SIP”, Deltathree, Baruch Sterman, David Schwartz

• “SIP, NAT and Firewalls”, dynamicsoft, Jonathan Rosenberg

• “SIP, NAT and Firewalls”, Fredrik Thernelius