Intertex Data AB, Sweden Firewall and NAT Traversal Bringing SIP the LAN Prepared for:International...
-
Upload
derek-martin -
Category
Documents
-
view
212 -
download
0
Transcript of Intertex Data AB, Sweden Firewall and NAT Traversal Bringing SIP the LAN Prepared for:International...
Intertex Data AB, Sweden
Firewall and NAT TraversalBringing SIP the LAN
Prepared for: International SIP 2003 By: Karl Erik Ståhl
President Intertex Data ABChairman Ingate Systems [email protected]
© 2003 Intertex Data AB 1
© 2003 Intertex Data AB 2
Is there a next big steps in Internet usage?
World Wide Web
Will there be Real Time Communication Person-to-Person?
© 2003 Intertex Data AB 3
VoIP as we have seen it…
InternetPC
PCWanna talkto me?
Remember how it started in 95?
Now it is coming back in a most useful form!
© 2003 Intertex Data AB 4
VoIP as we have seen it…
Gateway
Internet
Gateway
STO
LA
Then this service was offered to end users?
Nowdays long distance VoIP minutes are bought by the established telcos. Your normal international calls often run over the public Internet!
© 2003 Intertex Data AB 5
VoIP as we have seen it…
VoIP between branch offices
Gateway
PSTN
Europe
IP
InternetVPN VPN
USGateway
IP
- But NOT globally to others!
© 2003 Intertex Data AB 6
VoIP as we see it…
MGCP often used to phones
PSTN
FWInternet
Phones get locked to operator
SOFTSWITCH
© 2003 Intertex Data AB 7
Hmm, didn’t we pass this stage…
Paper was a very compatible media - So is POTS today…
But we need to move beyond!
PSTN
printer
fax
Organization 1Email system 1
Organization 2Email system 2
fax faxfax
© 2003 Intertex Data AB 8
What about universal connectivity?
Wouldn’t that be fine?
Black Phone
RJ45
LAN Intranet Internet
IP Phone
PSTN
RJ11
© 2003 Intertex Data AB 9
“We need QoS of PSTN…”
3 kHz bandwith?
Video?
Presence?
draft-ietf-simple-presence-07.txt
Instant Messaging?RFC3428, December 2002
And more…
Is black telephony all we want?
© 2003 Intertex Data AB 10
Is the protocol part of the game?
HTTP Created the Web
SIP Can Create IP Communication Person-to-Person!
SMTP Created Email
Voice & Video (XP)
.NET Server will include SIP server, with API (3Q2) Applications will arise
Windows Messenger 4.6 and later has SIP-mode Presence & IM
10:s of millions of RTC (SIP) users within a year
4255551212
Dial to phone Rich SIP APIs
Microsoft is pushing – New RTC is SIP-based
IAPIP PhoneIP Phone
IP Phone
IP Phone
Connect to PSTN when required!
PSTN
SIP/PSTNGateway
Internet
Home LANBusiness LAN
Let SIP clients talk to each other!
XP
PIM
SIPServer
IP PhoneIP Phone
IP Phone
IP Phone
PSTN
SIP/PSTNGateway
Internet
Home LANBusiness LAN
SIPServer
IAP
XP
PIM
Firewall/NAT problems!
DSLCableMTU
Operator network with NAT
NATFirewall
NAT
Status until recently:SIP is the Protocol for IP Communication Person-to-Person,BUT IT DOES NOT REACH THE EDGE!
But there is a problem…
© 2003 Intertex Data AB 14
What is the difference?
Typical Internet protocol (SMTP, HTTP…)
Internet
HOSTSERVER
SIP (and H.323…) connects person-to-person
Internet
PERSONPERSON
Locate the person - Set up a session - Open real time media streams
© 2003 Intertex Data AB 15
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops… !Even with public IP addresses inside
© 2003 Intertex Data AB 16
SIP NAT/PAT Problems
NAT & PAT Problems:Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with privateIP addresses inside
© 2003 Intertex Data AB 17
Suggested Solutions
Dynamically controlled Firewall/NATs Midcom: By Firewall Control Proxy [Dynamicsoft…]uPnP: By the client (Windows) [Microsoft]SIP aware Firewall/NATs (SIP Proxy + Registrar)[Intertex (SOHO), Ingate (enterprise), …]SIP aware Firewall/NATs (SIP ALG)[Cisco,… TLS not possible]Making SIP NAT friendly - Drafts in progress: • draft-ietf-sipping-nat-scenarios-00.txt• draft-ietf-midcom-stun-02.txt• draft-ietf-sip-nat-02.txt• draft-ietf-sip-symmetric-response-00.txt
© 2003 Intertex Data AB 18
Adding SIP Support to a Firewall
Important components:Firewall & NAT
Dynamic Firewall Engine
SIPProxy
SIP Proxy Server, controlling the firewall
UserLocation
SIP Registrar, user location information
FirewallControl
Protocol Communication between
SIP Proxy and firewall
Firewall/NAT problems!
Firewall/NAT SIP transparency!
Office or home LAN
IP PhoneIP Phone
IP Phone
IP Phone
SIPServer PSTN
SIP/PSTNGateway
Operator network with NAT
Internet
NATFirewall
NAT
Enterprise LAN
DSLCableMTU
DMZinGateSIParator
SIP Enabling the Private Networks
inGateFirewall
IP Phone IP Phone
IP Phone
SELECT
SET ALT CFG E T 1
A I
R
U S B
E T 2
W A N
T X D
R X D
ADR CFG DHP RST LQ
TX RX
SC IX66
IAP
IX66
Home User
USASweden
InternetJust Another Internet Service…
IX66
IAP
Home LAN
Enterprise LAN
XP
inGateFirewall
SOHO LAN
IX66
XP
Helsinki PSTNSIP/PSTNGateway
DNSSRV
DMZinGateSIParator
XP
Ingate Linköping LAN
IX66
Intertex Stockholm LAN
Sweden
21
IP Communications Using IP NetworksIP Communications Using IP Networks
• Intranet IP VPN with IP communications• Domestic and global IP communications• PBX and PSTN – E.164 resolution
Customer Customer PremisesPremises
PBX PSTN Phone
ManagedServices
Router
Vmail OSS
SIP Phone
WorldComPSTN
DialingPlans
Network GWY
Conf
PSTN Phone
IM
IN
EnterpriseGateway
SIP Routing
Firewall
SIP Server
IP VPN
Global IP Comm
Intranet IP Comm
…other…
Many call routing options:• Private/Public IP address• DNS and DNS SRV records• SIP aware NAT/PAT servers
Henry Sinnreich 4/10/2002
WorldComPublic
IP Network
22
IP Communications Using IP NetworksIP Communications Using IP Networks
PBX PSTN Phone
ManagedServices
Router
Vmail OSS
SIP Phone
WorldComPSTN
DialingPlans
Network GWY
Conf
PSTN Phone
IM
IN
EnterpriseGateway
SIP Routing
Firewall
SIP Server
IP VPN
Global IP Comm
Intranet IP Comm
…other…
Integration with existing phones
SIP Capable FirewallIngate and IntertexFirst through SIT
Customer Customer PremisesPremises
No IP PBX Needed!
Enhanced Functionality
Enterprise LAN
WorldComPublic
IP Network
© 2003 Intertex Data AB 23
Product Examples – Ingate Systems AB
A Complete Firewall An add-on to an Existing Firewall
DMZ
Existing Firewall
Firewall & NAT/PAT SIP Proxy SIP Registrar
Enterprise Products
Firewall 1400 SIParator 40
© 2003 Intertex Data AB 24
Product Examples – Intertex Data AB
IX66 Internet Gate with or withoutADSL modem built-in
OEM as: Telia SurfinBird Gate PowerBit SafeGateReview at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
SOHO Products
© 2003 Intertex Data AB 25
The Intertex IX66 Internet Gate
A closer look
Firewall & NAT/PAT Router SIP Proxy and Registrar DHCP Server and Client WEB Server for configuration Smart Card Reader for security applications Optional 802.11b Wireless Lan SIP Appliance Control, LAC via expansion port
SELECT
SET ALT CFG E T 1
A I
R
U S B
E T 2
W A N
T X D
R X D
ADR CFG DHP RST LQ
TX RX
SC
Optional ADSLand Splitter Built-in
© 2003 Intertex Data AB 26
SIP-capable firewalls!
Ingate Systems ABwww.ingate.comBox 10013, Slakthusplan 4 SE-121 26 Stockholm, SwedenVD Olle [email protected] Tel +46 8 6007750
Intertex Data ABwww.intertex.seRissneleden 45 SE-174 44 Sundbyberg, SwedenVD Karl Erik Stå[email protected] Tel +46 8 6282828