SIP, NAT, Firewall - PowerPoint PPT Presentation

About This Presentation
Title:

SIP, NAT, Firewall

Description:

Firewall Control Proxy (Middlebox Communications (MIDCOM) Protocol ) Discovery Protocol ... 'NAT Traversal in SIP', Deltathree, Bruch Sterman, David Schwartz ' ... – PowerPoint PPT presentation

Slides: 22
Provided by: Mat139

Transcript and Presenter's Notes

Title: SIP, NAT, Firewall


1
SIP, NAT, Firewall
How to Traverse NAT/Firewall for SIP
NAT
SIP
Firewall
2
Outline
  • NAT
  • SIP Traversal of Firewall
  • SIP Traversal of NAT
  • Solution
  • Summary
  • Reference

3
Types of NAT
Port Restricted Cone
Full Cone
Restricted Cone
Computer A: IP 222.111.99.3, Port 20203
NAT: IP 202.123.211.123, Port 12345
Computer B: IP 222.111.88.2, Port 10101
Computer C: IP 10.0.0.1, Port 8000
Computer B: IP 222.111.88.2, Port 10102
4
Types of NAT
Symmetric
Computer A: IP 222.111.99.3, Port 20203
NAT: IP 202.123.211.123, Port 45678
NAT: IP 202.123.211.123, Port 12345
Computer B: IP 222.111.88.2, Port 10101
Computer C: IP 10.0.0.1, Port 8000
5
SIP Traversal of Firewall
Internal
External
Port 5060
SIP
SIP
Port ?
RTP
Firewall
The firewall does not know the specific address and
ephemeral port
6
SIP Traversal of NAT(1)
  • SIP Signaling
  • Based on TCP
  • Based on UDP

7
SIP Traversal of NAT(2)
  • RTP Media Stream

8
Solution
  • Firewall Control Proxy (Middlebox Communications
    (MIDCOM) Protocol)
  • Discovery Protocol
  • Solution for Symmetric NATs
  • Application Layer Gateway

9
Firewall Control Proxy (Midcom)
  • Under this case
  • SIP Provider is the IP Network Provider
  • Middleboxes
  • RFC 3303 - Middlebox communication architecture
    and framework
  • Benefits
  • Load balancing/Lower Cost/Faster.

10
Discovery Protocol
  • Universal Plug and Play (UPnP)
  • RSIP
  • STUN

11
UPnP
  • Universal Plug and Play (UPnP)
  • A client can ask the NAT how it would map a
    particular IP:Port
  • Pushed by Microsoft
  • It won't work in the case of cascading NATs

12
RSIP (1)
  • To let the internal clients ask an RSIP server,
    for the specific public resource required by the
    application

13
RSIP (2)
14
STUN
  • Simple Traversal of UDP Through NATs (STUN,
    RFC 3489)
  • A kind of NAT probe, but it can also help determine
    which kind of NAT you are behind
  • It won't work in the case of symmetric NATs

15
TURN - Solution for Symmetric NATs
  • Connection Oriented Media
  • Connection-Oriented Media Transport in SDP, IETF
    draft
  • Add a line a=direction:active
  • Traversal Using Relay NAT
  • The client doesn't support the tag above
  • If both endpoints are behind Symmetric NATs

16
Traversal Using Relay NAT
17
Application Layer Gateway
  • Special purpose code for particular
    applications/services
  • With a NAT, ALG will examine the application data
    for occurrences of internal addresses and replace
    them with routable address

18
Implementation of ALG
Parse SIP message
Cancel
Invite
Cancel
Ack
Register
200 OK
404
1. Keep call leg -> To-/From-/Call-ID
2. Record IP addresses and replace them
Translate
Calculate Checksum
Send Packet
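
The steps on this slide, as an added Python example that is not part of the original presentation: it keeps the call leg, replaces the internal address in Via, Contact and the SDP body, and corrects Content-Length. The IP addresses are those of the slide 3 diagram; the port bindings in `PORT_MAP`, the SIP URIs and the sample INVITE are constructed, and UDP checksum recalculation is assumed to be left to the network stack.

```python
import re

INTERNAL_IP, PUBLIC_IP = "10.0.0.1", "202.123.211.123"  # addresses from the slide 3 diagram
PORT_MAP = {5060: 25060, 8000: 12345}  # assumed NAT bindings (internal -> public port)
_ADDR = re.compile(r"(?<![\d.])" + re.escape(INTERNAL_IP) + r"(?!\d)(?::(\d+))?")

def _translate(text):
    """Replace the internal IP (and port, if present) with the public mapping."""
    def sub(m):
        port = m.group(1)
        return PUBLIC_IP if port is None else f"{PUBLIC_IP}:{PORT_MAP.get(int(port), int(port))}"
    return _ADDR.sub(sub, text)

def alg_rewrite(message):
    """Return (call_leg, rewritten_message); call_leg is None if the message is not parseable SIP."""
    head, sep, body = message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if "SIP/2.0" not in lines[0]:
        return None, message  # e.g. encrypted signaling: the ALG cannot translate it
    hdrs = {l.partition(":")[0].strip().lower(): l.partition(":")[2].strip() for l in lines[1:]}
    call_leg = (hdrs["to"], hdrs["from"], hdrs["call-id"])  # step 1: keep the call leg
    sdp = []
    for l in body.split("\r\n"):  # step 2: replace addresses in the SDP body...
        if l.startswith(("o=", "c=")):
            l = _translate(l)
        elif l.startswith("m="):
            media, port, rest = l[2:].split(" ", 2)
            l = f"m={media} {PORT_MAP.get(int(port), int(port))} {rest}"
        sdp.append(l)
    body = "\r\n".join(sdp)
    out = [lines[0]]
    for l in lines[1:]:  # ...and in the headers that carry the sender's address
        name = l.partition(":")[0].strip().lower()
        if name in ("via", "contact"):
            l = _translate(l)
        elif name == "content-length":
            l = f"Content-Length: {len(body.encode())}"  # the body length changed
        out.append(l)
    return call_leg, "\r\n".join(out) + sep + body

SAMPLE_INVITE = "\r\n".join([  # constructed sample INVITE from the internal host
    "INVITE sip:bob@example.com SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776",
    "From: <sip:alice@example.com>;tag=1928", "To: <sip:bob@example.com>",
    "Call-ID: a84b4c76e66710", "CSeq: 1 INVITE", "Contact: <sip:alice@10.0.0.1:5060>",
    "Content-Type: application/sdp", "Content-Length: 89", "",
    "v=0", "o=alice 1 1 IN IP4 10.0.0.1", "s=-", "c=IN IP4 10.0.0.1", "t=0 0",
    "m=audio 8000 RTP/AVP 0", ""])
```

To and From are left untouched so the call leg stays stable across the translation, and a message that does not parse as SIP is passed through unchanged.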
19
Challenge of SIP ALG
  • ALG cannot handle encrypted SIP messages
  • Scalability
  • Impracticality: speed of deploying new
    applications
  • Reliability

20
Summary
  • There is no single best solution yet

21
Reference
  • VoIP Traversal of NAT and Firewall, Cisco White
    Paper
  • NAT Traversal in SIP, Deltathree, Bruch
    Sterman, David Schwartz
  • SIP, NAT and Firewalls, dynamicsoft, Jonathan
    Rosenberg
  • SIP, NAT and Firewalls, Fredrik Thernelius