SIP, NAT, Firewall: How to Traverse NAT/Firewall for SIP

Date posted: 21-Dec-2015

Outline

• NAT

• SIP Traversal of Firewall

• SIP Traversal of NAT

• Solution

• Summary

• Reference

Types of NAT

• Full Cone

• Restricted Cone

• Port Restricted Cone

[Diagram labels: NAT; IP 202.123.211.123, Port 12345; Computer A, IP 222.111.99.3, Port 20203; Computer B, IP 222.111.88.2, Ports 10101 and 10102; Computer C, IP 10.0.0.1, Port 8000]

Types of NAT

• Symmetric

[Diagram labels: NAT; IP 202.123.211.123, Port 12345; IP 202.123.211.123, Port 45678; Computer A, IP 222.111.99.3, Port 20203; Computer B, IP 222.111.88.2, Port 10101; Computer C, IP 10.0.0.1, Port 8000]

SIP Traversal of Firewall

[Diagram labels: Firewall; Internal; External; SIP, Port 5060; RTP, Port ?]

The firewall does not know the specific address and ephemeral port

SIP Traversal of NAT (1)

• SIP Signaling
  – Based on TCP
  – Based on UDP

SIP Traversal of NAT (2)

• RTP – Media Stream

Solution

• Firewall Control Proxy (Middlebox Communications (MIDCOM) Protocol)

• Discovery Protocol

• Solution for Symmetric NATs

• Application Layer Gateway

Firewall Control Proxy (Midcom)

• Under this case:
  – SIP Provider is the IP Network Provider

• Middleboxes
  – RFC 3303 - Middlebox communication architecture and framework

• Benefits
  – Load balancing/Lower Cost/Faster…

Discovery Protocol

• Universal Plug and Play (UPnP)

• RSIP

• STUN

UPnP

• Universal Plug and Play (UPnP)

• A client can ask the NAT how it would map a particular IP:Port

• Pushed by Microsoft

• It won’t work in the case of cascading NATs

RSIP (1)

• Lets internal clients ask an RSIP server for the specific public resource required by the application

RSIP (2)

STUN

• Simple Traversal of UDP Through NATs (STUN, RFC 3489)

• A kind of NAT probe, but it can also help determine which kind of NAT you are behind

• It won’t work in case of symmetric NATs
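
The NAT behaviours from the "Types of NAT" slides and the STUN limitation above, as a small model (an added example, not part of the original slides). It reuses the diagram's addresses and assumes that 202.123.211.123 is the NAT's public address, that Computer A plays the STUN server and that Computer B is the SIP peer; the class and function names are hypothetical.

```python
from dataclasses import dataclass, field

PUBLIC_IP = "202.123.211.123"        # NAT's public address, as read from the diagram
A = ("222.111.99.3", 20203)          # Computer A, assumed here to act as the STUN server
B = ("222.111.88.2", 10101)          # Computer B, the SIP peer's media socket
B_OTHER_PORT = ("222.111.88.2", 10102)
C = ("10.0.0.1", 8000)               # Computer C, the client behind the NAT

@dataclass
class Nat:
    kind: str   # "full", "restricted", "port_restricted" or "symmetric"
    next_port: int = 12345
    bindings: dict = field(default_factory=dict)   # mapping key -> public port
    contacted: dict = field(default_factory=dict)  # public port -> remote endpoints sent to

    def outbound(self, src, dst):
        """Translate a packet leaving the NAT; return the source address dst sees."""
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 33333   # constructed step so the second binding is 45678
        port = self.bindings[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (PUBLIC_IP, port)

    def inbound(self, remote, public_port):
        """True if a packet from remote to PUBLIC_IP:public_port reaches the inside host."""
        peers = self.contacted.get(public_port)
        if peers is None:
            return False                       # no binding on that port
        if self.kind == "full":
            return True                        # anyone may use the binding
        if self.kind == "restricted":
            return remote[0] in {ip for ip, _ in peers}   # filter on remote IP only
        return remote in peers                 # filter on remote IP and port

def stun_then_media(kind):
    """C learns its address from A (STUN), advertises it, then exchanges media with B."""
    nat = Nat(kind)
    learned = nat.outbound(C, A)     # address A reports back; C puts it in its SDP
    actual = nat.outbound(C, B)      # binding really used for C's media towards B
    return {"learned": learned, "actual": actual,
            "b_reaches_c": nat.inbound(B, learned[1]),
            "b_other_port_reaches_c": nat.inbound(B_OTHER_PORT, learned[1])}
```

With the symmetric NAT the address learned from A (port 12345) differs from the binding used towards B (port 45678), so media B sends to the advertised address is dropped.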

TURN - Solution for Symmetric NATs

• Connection Oriented Media
  – “Connection-Oriented Media Transport in SDP, IETF draft”
  – Add a line a=direction:active

• Traversal Using Relay NAT
  – The client doesn’t support the tag above
  – If both endpoints are behind Symmetric NATs

Traversal Using Relay NAT

Application Layer Gateway

• Special purpose code for particular applications/services

• With a NAT, the ALG examines the application data for occurrences of internal addresses and replaces them with routable addresses

Implementation of ALG

• Parse SIP message (Cancel, Invite, Cancel, Ack, Register, 200 OK, 404)

• Translate
  1. Keep call leg -> To / From / Call-ID
  2. Record IP addresses and replace them

• Calculate Checksum

• Send Packet

Challenge of SIP ALG

• ALG cannot handle encrypted SIP messages

• Scalability

• Impracticality: speed of deploying new applications

• Reliability
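
The parse, translate and re-length steps from "Implementation of ALG", together with the encrypted-message limit listed above, as an added example that is not part of the original slides. The INVITE is constructed; the addresses come from the NAT diagram, and the RTP port binding, the unchanged signalling port 5060 and the function name are assumptions. Content-Length is recomputed here as the SIP-level counterpart of the checksum step; the packet checksum is left to the network stack.

```python
import re

INSIDE_IP, PUBLIC_IP = "10.0.0.1", "202.123.211.123"  # addresses from the NAT diagram
INSIDE_RE = re.compile(r"(?<![\d.])" + re.escape(INSIDE_IP) + r"(?![\d.])")
RTP_PORT_MAP = {8000: 12345}          # inside RTP port -> NAT binding (assumed)
CALL_LEG = ("to", "from", "call-id")  # dialog identifiers the ALG must not alter

# Constructed sample INVITE; user names, tags and Call-ID are made up.
SDP = ("v=0\r\no=alice 1 1 IN IP4 10.0.0.1\r\ns=-\r\n"
       "c=IN IP4 10.0.0.1\r\nt=0 0\r\nm=audio 8000 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@example.net SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK-constructed\r\n"
          "From: <sip:alice@example.com>;tag=1\r\n"
          "To: <sip:bob@example.net>\r\n"
          "Call-ID: constructed-1@10.0.0.1\r\n"
          "CSeq: 1 INVITE\r\n"
          "Contact: <sip:alice@10.0.0.1:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n{SDP}").encode()

def alg_translate(packet: bytes):
    """Return (rewritten packet, call-leg dict); (packet, None) if not readable SIP."""
    try:
        head, sep, body = packet.decode("utf-8").partition("\r\n\r\n")
    except UnicodeDecodeError:
        return packet, None
    start, *headers = head.split("\r\n")
    if not sep or "SIP/2.0" not in start:
        return packet, None            # e.g. encrypted signalling: nothing to rewrite
    leg, out = {}, [start]
    for line in headers:
        name, _, value = line.partition(":")
        key = name.strip().lower()
        if key in CALL_LEG:
            leg[key] = value.strip()   # call leg kept as-is, even if it holds an inside IP
        elif key in ("via", "contact"):
            line = INSIDE_RE.sub(PUBLIC_IP, line)
        if key != "content-length":    # re-added below with the new body size
            out.append(line)
    sdp = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = INSIDE_RE.sub(PUBLIC_IP, line)
        m = re.match(r"m=(\w+) (\d+) (.*)", line)
        if m and int(m.group(2)) in RTP_PORT_MAP:
            line = f"m={m.group(1)} {RTP_PORT_MAP[int(m.group(2))]} {m.group(3)}"
        sdp.append(line)
    body = "\r\n".join(sdp)
    out.append(f"Content-Length: {len(body.encode())}")
    return ("\r\n".join(out) + "\r\n\r\n" + body).encode(), leg
```

A blanket search-and-replace would also rewrite the Call-ID, which contains the inside address, and break dialog matching; the rewritten body is 15 bytes longer, so a stale Content-Length would truncate the SDP.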

Summary

• There is no single best solution yet

Reference

• “VoIP Traversal of NAT and Firewall”, Cisco White Paper

• “NAT Traversal in SIP”, Deltathree, Bruch Sterman, David Schwartz

• “SIP, NAT and Firewalls”, dynamicsoft, Jonathan Rosenberg

• “SIP, NAT and Firewalls”, Fredrik Thernelius