SIP Traversal over NAT Problems and Solutions - PowerPoint PPT Presentation

Slides: 37
Provided by: thaila4

Transcript and Presenter's Notes


1
SIP Traversal over NAT Problems and Solutions
  • Mr. Ting-Yun Chi
  • May 2, 2006 (Taiwan, NICI IPv6 RD Division)

2
Outline
  • Before we start
  • NAT
  • SIP Traversal over NAT
  • NAT Check

3
Before we start.
  • You have learned VoIP
  • You will try to use VoIP but only write the
    paper.
  • Don't forget the final solution.

4
Face the music
  • VoIP can't work in most IPv4 networks.
  • Most real networks work with NAT.

5
NAT (RFC 2663): IP Network Address Translator (NAT)
Terminology and Considerations
  • Traditional NAT
  • Basic NAT
  • NAPT
  • Bi-directional NAT
  • Twice NAT
  • Multi-Home NAT

6
Bi-directional NAT
  • With a Bi-directional NAT, sessions can be
    initiated from hosts in the public network as
    well as the private network. Private network
    addresses are bound to globally unique addresses,
    statically or dynamically as connections are
    established in either direction. The name space
    (i.e., their Fully Qualified Domain Names)
    between hosts in private and external networks is
    assumed to be end-to-end unique.

7
Twice NAT
  • Twice NAT is a variation of NAT in that both the
    source and destination addresses are modified by
    NAT as a datagram crosses address realms.

8
Multi-Home NAT
  • Multiple NAT boxes or multiple links on the same
    NAT box, sharing the same NAT configuration can
    provide fail-safe backup for each other.

9
Basic NAT Variations (RFC 3489): STUN - Simple
Traversal of User Datagram Protocol (UDP) Through
Network Address Translators (NATs)
  • Full Cone NAT
  • Restricted Cone
  • Port Restricted Cone
  • Symmetric

10
Full Cone
  • A full cone NAT is one where all requests from
    the same internal IP address and port are mapped
    to the same external IP address and port.
    Furthermore, any external host can send a packet
    to the internal host, by sending a packet to the
    mapped external address.

11
Restricted Cone
  • A restricted cone NAT is one where all requests
    from the same internal IP address and port are
    mapped to the same external IP address and port.
    Unlike a full cone NAT, an external host (with IP
    address X) can send a packet to the internal host
    only if the internal host had previously sent a
    packet to IP address X.

12
Port Restricted Cone
  • A port restricted cone NAT is like a restricted
    cone NAT, but the restriction includes port
    numbers. Specifically, an external host can send
    a packet, with source IP address X and source
    port P, to the internal host only if the internal
    host had previously sent a packet to IP address X
    and port P.

13
Symmetric
  • A symmetric NAT is one where all requests from
    the same internal IP address and port, to a
    specific destination IP address and port, are
    mapped to the same external IP address and port.
    If the same host sends a packet with the same
    source address and port, but to a different
    destination, a different mapping is used.
    Furthermore, only the external host that receives
    a packet can send a UDP packet back to the
    internal host.

14
Applications will have problems with NAT
  • From RFC 2663, RFC 2993, RFC 3022, RFC 3027, RFC 3225, RFC 3489,
    P2P draft...
  • Non-port Data flow will be blocked
  • Packet will be Changed
  • Forwarding causes lower performance
  • Data flow will be blocked (directional)

15
Non-port Data flow will be blocked
  • It will not happen in VoIP

16
Packet will be Changed
  • Can't pass IPsec (ESP)

17
Forwarding causes lower performance
  • It's easy to see...

18
Data flow will be blocked (directional)
  • The application needs multiple sessions.
  • Uses IP info in the payload for the connection
  • P2P

19
SIP Traversal over NAT
  • Hole Punching
  • DNS_ALG
  • SIP_ALG/RTP Relay Server
  • STUN
  • TURN
  • Tunnel
  • UPnP
  • MIDCOM
  • RFC 1335: A Two-Tier Address

20
Hole Punching
  • It's simple.
  • It's just a tool.

21
DNS_ALG
  • Use FQDN
  • Cooperate with the NAT box to provide Bi-directional NAT.

22
How does DNS_ALG work?
23
SIP_ALG/RTP Relay Server
  • SIP_ALG
  • RTP Relay

24
SIP_ALG
25
RTP Relay
26
STUN
  • Agent Hole Punching
  • Can't work with Symmetric NAT

27
(No Transcript)
28
Can't work with Symmetric NAT
  • http://www.linuxsky.net/html/200512/1781.html
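
Added example (not part of the original slides): a toy model of the four NAT behaviours defined on slides 10-13, showing why an address learned through STUN is useless behind a symmetric NAT (slides 26-28). The Nat class, stun_then_call and every address and port are constructed for illustration.

```python
import itertools

class Nat:
    """Toy NAT; kind is full, restricted, port_restricted or symmetric."""
    def __init__(self, kind, public_ip="192.0.2.1"):
        self.kind = kind
        self.public_ip = public_ip
        self.ports = itertools.count(40000)   # next free external port
        self.mappings = {}   # mapping key -> external port
        self.owner = {}      # external port -> internal (ip, port)
        self.sent = {}       # external port -> destinations contacted through it

    def outbound(self, src, dst):
        """Internal src sends to dst; returns the public (ip, port) that dst sees."""
        # A symmetric NAT keys the mapping on the destination too; cone NATs do not.
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            port = next(self.ports)
            self.mappings[key] = port
            self.owner[port] = src
            self.sent[port] = set()
        port = self.mappings[key]
        self.sent[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, ext_port):
        """External remote sends to ext_port; returns the internal host, or None if dropped."""
        if ext_port not in self.owner:
            return None
        contacted = self.sent[ext_port]
        if self.kind == "full":
            ok = True                                        # any external host may send
        elif self.kind == "restricted":
            ok = remote[0] in {ip for ip, _ in contacted}   # IP contacted before
        else:
            ok = remote in contacted                         # exact IP and port contacted before
        return self.owner[ext_port] if ok else None

def stun_then_call(kind):
    """Returns (STUN-learned address is the one the peer sees, peer's media is delivered)."""
    nat = Nat(kind)
    # Constructed addresses: phone behind the NAT, a STUN server, a remote peer.
    phone, stun, peer = ("10.0.0.5", 5060), ("198.51.100.10", 3478), ("203.0.113.7", 16384)
    learned = nat.outbound(phone, stun)   # mapping the STUN server reports back
    used = nat.outbound(phone, peer)      # phone punches a hole toward the peer
    delivered = nat.inbound(peer, learned[1]) == phone   # peer sends to the learned port
    return learned == used, delivered

if __name__ == "__main__":
    for kind in ("full", "restricted", "port_restricted", "symmetric"):
        print(kind, stun_then_call(kind))
```

The three cone types return (True, True); the symmetric NAT returns (False, False), because the mapping created toward the STUN server is not the one used toward the peer, which is the case TURN relays cover.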

29
TURN
  • Use Relay TURN server
  • It can work with Symmetric NAT

30
(No Transcript)
31
Tunnel
  • Use third party Tunnel or VPN..

32
UPnP
  • MS MS

33
MIDCOM (RFC 3304): Middlebox Communications
(midcom) Protocol Requirements
  • http://www.ietf.org/html.charters/midcom-charter.html

34
RFC 1335: A Two-Tier Address
  • forget this solution

35
NAT Check
  • Check Your Network Address Translator for
    Compatibility with Peer-to-Peer Protocols
  • http://midcom-p2p.sourceforge.net/

36
Final Solution
  • IPv6