Analysis of SIP NAT traversal methods

Source: Internet
Author: User

1. There are four NAT models that matter for the SIP protocol.
A) Full cone
B) Restricted cone
C) Port restricted cone
D) Symmetric
A, B, and C are also called asymmetric NAT.

2. If the SIP terminal is behind NAT, its calls may fail. The reason is that the SIP signaling and the media stream take different paths, and both have to cross the NAT.

3. Full cone NAT
Once the NAT has mapped an internal IP:port pair (on the private network) to an external IP:port pair, any PC on the Internet can send packets to the external IP:port pair, and the NAT forwards them to the internal IP:port pair.

4. Restricted cone NAT
Only the PCs outside the NAT that a PC on the intranet has already sent to can send packets in through the mapping. For example, if my machine on the intranet is 10.1.1.1:123 and I contact PC (A), then PC (A) can also reach me through the NAT mapping. PC (B) cannot.
10.1.1.1:123 --- NAT ---> 202.70.65.78:10000 ------ PC (A)
If PC (B) also sends data to 202.70.65.78:10000, none of it is forwarded to 10.1.1.1:123.
Note:
If I have also contacted PC (B), PC (B) can come in as well.
10.1.1.1:123 --- NAT ---> 202.70.65.78:10000 ------ PC (B)
If PC (B) now sends data to 202.70.65.78:10000, the data is forwarded to 10.1.1.1:123.
5. Port restricted cone NAT
In addition to the conditions above, the NAT checks not only the source IP address of PC (A) but also whether its source port is the same as before.
10.1.1.1:123 ---> NAT ----> 202.70.65.78:10000 -----> PC (A) [213.123.324.34:8000]
This NAT will only accept data coming from IP address 213.123.324.34, port 8000, and forward it to 10.1.1.1:123.
6. Symmetric NAT, which is simplest to describe as a link diagram.
10.1.1.1:1000 ---- NAT -----> 200.123.123.34:1234 ---- PC (A)
10.1.1.1:1000 ---- NAT -----> 200.123.123.34:2222 ---- PC (B)
Here the NAT's external IP:port pair is different for each external peer, so each external peer gets its own mapping (a NAT-assigned IP:port pair). With the first three types, all external peers share one NAT IP:port pair.
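To make the four behaviours concrete, the following simulator (an added example, not code from the original article) models one internal host 10.1.1.1:123 behind a NAT with public address 202.70.65.78 and two external peers, PC (A) and PC (B). The peer addresses are constructed for the example (the article's 213.123.324.34 is not a valid IPv4 address, so a valid one is substituted). For each NAT type it reports which inbound packets are admitted and which external port each outbound flow receives.

```python
from dataclasses import dataclass, field

Endpoint = tuple  # (ip, port)


@dataclass
class NAT:
    kind: str  # "full_cone", "restricted_cone", "port_restricted" or "symmetric"
    public_ip: str
    next_port: int = 10000
    mappings: dict = field(default_factory=dict)    # mapping key -> external port
    peers_seen: dict = field(default_factory=dict)  # external port -> peers sent to through it

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Internal host `src` sends to `dst`; returns the public endpoint the packet leaves from."""
        # Cone NATs reuse one external port per internal endpoint; symmetric NAT keys on (src, dst).
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port
            self.next_port += 1
        port = self.mappings[key]
        self.peers_seen.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, dst: Endpoint):
        """External host `src` sends to public `dst`; returns the internal endpoint, or None if dropped."""
        ip, port = dst
        if ip != self.public_ip or port not in self.peers_seen:
            return None
        seen = self.peers_seen[port]
        if self.kind == "full_cone":
            allowed = True                                  # anyone may send in
        elif self.kind == "restricted_cone":
            allowed = any(p[0] == src[0] for p in seen)     # same peer IP, any port
        else:                                               # port restricted and symmetric
            allowed = src in seen                           # exact peer IP:port
        if not allowed:
            return None
        for key, p in self.mappings.items():                # find the owner of this external port
            if p == port:
                return key[0] if self.kind == "symmetric" else key
        return None


# Constructed addresses for the scenario (PC (A) gets a valid IPv4 in place of the article's value).
INTERNAL = ("10.1.1.1", 123)
PEER_A = ("213.123.24.34", 8000)
PEER_A_OTHER_PORT = ("213.123.24.34", 9000)
PEER_B = ("198.51.100.7", 5000)


def scenario(kind: str) -> dict:
    """Replays the article's story: contact PC (A), test who can get in, then also contact PC (B)."""
    nat = NAT(kind, "202.70.65.78")
    ext_a = nat.outbound(INTERNAL, PEER_A)          # the host has talked to PC (A) only
    before = {
        "from_A": nat.inbound(PEER_A, ext_a) is not None,
        "from_A_other_port": nat.inbound(PEER_A_OTHER_PORT, ext_a) is not None,
        "from_B": nat.inbound(PEER_B, ext_a) is not None,
    }
    ext_b = nat.outbound(INTERNAL, PEER_B)          # now the host also talks to PC (B)
    after = {"from_B": nat.inbound(PEER_B, ext_b) is not None}
    return {"ext_for_A": ext_a, "ext_for_B": ext_b,
            "before_contacting_B": before, "after_contacting_B": after}


if __name__ == "__main__":
    for kind in ("full_cone", "restricted_cone", "port_restricted", "symmetric"):
        print(kind, scenario(kind))
```

Running it shows the two properties the article relies on later: only the symmetric NAT hands out a different external port for PC (B), and the restricted types admit PC (B) only after the internal host has sent to it first.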
7. RTP problems
The body of the SIP message carries the information a UA needs in order to set up media successfully. This body is called an SDP message.
The problem is that the SIP terminal (UA) may know nothing about the NAT. The IP addresses in the SDP are therefore usually internal addresses, that is, the addresses the SIP terminal knows about. When the peer wants to send media to the SIP terminal, it looks at the IP address in the SDP message and gets nowhere, because that address is an internal one.
The following is an example.
INVITE sip:040600@192.168.20.2:5060 SIP/2.0
Record-Route: <sip:143.248.130.35;ftag=3a7ceb24a6ac50c4;lr=on>
Via: SIP/2.0/UDP 143.248.130.35;branch=z9hG4bK758e.976609c7.0
Via: SIP/2.0/UDP 192.168.20.3;rport=1024;received=223.178.140.109;branch=z9hG4bK34efcab2403aa20d
From: "Iqbal" <sip:040618@sip.dom.com>;tag=3a7ceb24a6ac50c4
To: <sip:040600@sip.dom.com>
Contact: <sip:040618@223.178.140.109:1024>
Supported: replaces
Call-ID: 7f2c327896a5b0e1@192.168.20.3
CSeq: 8717 INVITE
User-Agent: Grandstream HT487 1.0.5.18
Max-Forwards: 16
Allow: INVITE, ACK, CANCEL, BYE, NOTIFY, REFER, OPTIONS, INFO, SUBSCRIBE
Content-Type: application/sdp
Content-Length: 343

v=0
o=040618 8000 1 IN IP4 192.168.20.3
s=SIP Call
c=IN IP4 192.168.20.3
t=0 0
m=audio 38660 RTP/AVP 0 8 4 18 2 15 99
a=sendrecv
a=rtpmap:0 PCMU/8000/3
a=rtpmap:8 PCMA/8000/3

The headers of a SIP message are like the headers of an email. Reading down the headers, the Via line that the SIP terminal itself inserted (the last Via listed) carries the IP address the terminal believes it has, 192.168.20.3. The SIP proxy server, however, knows where the message actually came from, and it adds the rport and received parameters:
Via: SIP/2.0/UDP 192.168.20.3;rport=1024;received=223.178.140.109;branch=z9hG4bK34efcab2403aa20d
That is, as seen by the SIP proxy server, the public IP address and port of the SIP terminal that sent the message are 223.178.140.109:1024.
The SIP proxy server can therefore talk to the SIP terminal, because it knows the terminal's public IP address and port.
Poor old RTP, however, is stuck, because the SDP body still says:
v=0
o=040618 8000 1 IN IP4 192.168.20.3
s=SIP Call
c=IN IP4 192.168.20.3
t=0 0
m=audio 38660 RTP/AVP 0 8 4 18 2 15 99
a=sendrecv
a=rtpmap:0 PCMU/8000/3
a=rtpmap:8 PCMA/8000/3
The SIP terminal expects to receive RTP on port 38660 (the m= line) at IP address 192.168.20.3 (the c= line), so that is the destination the peer will send its RTP to.
This is why a SIP phone behind NAT so often ends up with one-way or no audio.
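The mismatch the article describes can be checked mechanically, which is what a NAT-aware proxy does before deciding whether to fix up a request. The following parser is an added example, not code from the article; it re-embeds the article's INVITE (trimmed to the relevant headers), pulls the received/rport parameters from the originating Via, compares them with the c= and m= lines of the SDP, and flags the case where signaling arrived from a public address while the media is advertised on a private one.

```python
import ipaddress
import re

# The article's INVITE, re-embedded here (headers not needed for the check are omitted).
INVITE = """INVITE sip:040600@192.168.20.2:5060 SIP/2.0
Record-Route: <sip:143.248.130.35;ftag=3a7ceb24a6ac50c4;lr=on>
Via: SIP/2.0/UDP 143.248.130.35;branch=z9hG4bK758e.976609c7.0
Via: SIP/2.0/UDP 192.168.20.3;rport=1024;received=223.178.140.109;branch=z9hG4bK34efcab2403aa20d
From: "Iqbal" <sip:040618@sip.dom.com>;tag=3a7ceb24a6ac50c4
To: <sip:040600@sip.dom.com>
Contact: <sip:040618@223.178.140.109:1024>
Call-ID: 7f2c327896a5b0e1@192.168.20.3
CSeq: 8717 INVITE
Content-Type: application/sdp

v=0
o=040618 8000 1 IN IP4 192.168.20.3
s=SIP Call
c=IN IP4 192.168.20.3
t=0 0
m=audio 38660 RTP/AVP 0 8 4 18 2 15 99
a=sendrecv
"""


def split_message(raw: str):
    """Returns (request line, [(header name lowercased, value)], body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def via_params(via_value: str) -> dict:
    """'SIP/2.0/UDP host;rport=1024;received=x' -> {'sent-by': host, 'rport': '1024', ...}."""
    parts = [p.strip() for p in via_value.split(";")]
    params = {"sent-by": parts[0].split()[1]}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        params[k] = v
    return params


def sdp_media(body: str):
    """Extracts the connection address (c=) and audio port (m=) from the SDP body."""
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    media = re.search(r"^m=audio (\d+) ", body, re.M)
    return conn.group(1), int(media.group(1))


def analyse(raw: str) -> dict:
    """Compares where the request really came from with where the SDP asks media to be sent."""
    _, headers, body = split_message(raw)
    vias = [via_params(v) for n, v in headers if n == "via"]
    origin = vias[-1]  # the bottom-most Via is the one the originating UA inserted
    signal_src = (origin.get("received", origin["sent-by"]), int(origin.get("rport") or 5060))
    media_ip, media_port = sdp_media(body)
    sdp_private = ipaddress.ip_address(media_ip).is_private
    src_public = not ipaddress.ip_address(signal_src[0]).is_private
    return {
        "ua_thinks_it_is": origin["sent-by"],
        "signalling_seen_from": signal_src,
        "media_advertised": (media_ip, media_port),
        # True exactly in the situation the article describes: the peer's RTP would go to a private address.
        "nat_media_problem": sdp_private and src_public,
    }


if __name__ == "__main__":
    print(analyse(INVITE))
```

For the article's message the check reports signaling seen from 223.178.140.109:1024 while the media is advertised at 192.168.20.3:38660, so the call would have one-way audio unless something corrects the SDP.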
8. The solution is to make the SIP terminal stop working so blindly: it must find out the port mapping the NAT assigns to it and put the public IP address and port into the SDP message. To do this, the SIP terminal either asks the NAT itself, or asks a server on the public network, what mapping the NAT has assigned to it.
9. The first way is to use the UPnP protocol. For details, see the UPnP documentation.
10. The second way is to ask a server on the Internet, for example a STUN server.
The SIP terminal sends a test packet to the server on the Internet, and the server sends back a packet containing detailed NAT information. From this information the SIP terminal learns whether it is behind NAT. This method can be used with all four NAT types above. For example, if the SIP terminal sends a packet from 10.1.1.1:1000, the SDP message would normally contain m=1000 and c=10.1.1.1. If the SIP terminal detects the NAT first, it learns that the NAT allocates the public IP address and port 212.134.123.23:12345, and it then writes m=12345 and c=212.134.123.23 directly into the SDP message.
The difficulty is that NAT port allocation is dynamic and may change, so the SIP message has to be sent soon after the NAT detection packet. In addition, the SIP terminal sends data from the same port on which it receives data.
Note that a restricted cone NAT (including the port restricted cone) does not let incoming packets through unless the SIP terminal has first sent a packet to the peer. Therefore the SIP terminal must send a packet to the other party first; after that, the other party's data can enter through the NAT (this operation is not something to worry about, there is a way to do it).
The method above does not work behind symmetric NAT, because a symmetric NAT assigns a different external IP:port for each party the SIP terminal talks to. That is, the IP:port the SIP terminal learns while detecting the NAT differs from the IP:port allocated when it sends the SIP message, so the other party cannot obtain the correct IP address and port and its voice data never reaches the terminal.
11. The process described above is exactly the procedure used with the STUN protocol: the SIP terminal sends a NAT detection packet to the STUN server.
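Items 8 to 11 describe one procedure: send a STUN Binding Request from the RTP socket, read the public IP:port the NAT assigned out of the reply, and write it into the SDP. The following is an added example of that procedure, not code from the article or from any STUN library. It encodes the Binding Request and decodes the XOR-MAPPED-ADDRESS attribute of the reply as defined in RFC 5389; the reply itself is constructed offline by a stand-in for the STUN server, which pretends the NAT mapped the terminal to the article's example address 212.134.123.23:12345.

```python
import os
import re
import struct

MAGIC_COOKIE = 0x2112A442            # fixed STUN magic cookie (RFC 5389)
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

# The article's private-address SDP, re-embedded here as the input to be fixed.
PRIVATE_SDP = """v=0
o=040618 8000 1 IN IP4 192.168.20.3
s=SIP Call
c=IN IP4 192.168.20.3
t=0 0
m=audio 38660 RTP/AVP 0 8 4 18 2 15 99
a=sendrecv
"""


def build_binding_request(txn_id: bytes = b"") -> bytes:
    """20-byte STUN header: type, attribute length (0), magic cookie, 96-bit transaction ID."""
    txn_id = txn_id or os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, txn_id)


def build_binding_response(txn_id: bytes, public_ip: str, public_port: int) -> bytes:
    """What a STUN server answers: a success response carrying XOR-MAPPED-ADDRESS (IPv4)."""
    ip_int = int.from_bytes(bytes(map(int, public_ip.split("."))), "big")
    value = struct.pack("!BBHI", 0, 0x01,
                        public_port ^ (MAGIC_COOKIE >> 16),   # port XORed with top 16 cookie bits
                        ip_int ^ MAGIC_COOKIE)                # address XORed with the whole cookie
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, txn_id) + attr


def parse_mapped_address(response: bytes, expected_txn: bytes):
    """Returns (ip, port) from XOR-MAPPED-ADDRESS, checking cookie, type and transaction ID first."""
    msg_type, length, cookie, txn = struct.unpack("!HHI12s", response[:20])
    if cookie != MAGIC_COOKIE or txn != expected_txn or msg_type != BINDING_SUCCESS:
        raise ValueError("not a matching STUN Binding success response")
    offset = 20
    while offset < 20 + length:
        attr_type, attr_len = struct.unpack("!HH", response[offset:offset + 4])
        value = response[offset + 4:offset + 4 + attr_len]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS and value[1] == 0x01:
            xport, xaddr = struct.unpack("!HI", value[2:8])
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = ".".join(str(b) for b in (xaddr ^ MAGIC_COOKIE).to_bytes(4, "big"))
            return ip, port
        offset += 4 + ((attr_len + 3) & ~3)   # attribute values are padded to 4 bytes
    raise ValueError("no XOR-MAPPED-ADDRESS in response")


def rewrite_sdp(sdp: str, public_ip: str, public_port: int) -> str:
    """Puts the NAT-assigned address into o=, c= and the audio m= line, as item 10 describes."""
    sdp = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )\S+", rf"\g<1>{public_ip}", sdp, flags=re.M)
    sdp = re.sub(r"^(c=IN IP4 )\S+", rf"\g<1>{public_ip}", sdp, flags=re.M)
    sdp = re.sub(r"^(m=audio )\d+", rf"\g<1>{public_port}", sdp, flags=re.M)
    return sdp


def stun_fix_sdp(sdp: str, send_to_server) -> str:
    """Whole flow. `send_to_server` stands in for the UDP round trip from the RTP socket."""
    txn = os.urandom(12)
    response = send_to_server(build_binding_request(txn))
    ip, port = parse_mapped_address(response, txn)
    return rewrite_sdp(sdp, ip, port)


def fake_stun_server(request: bytes) -> bytes:
    """Stand-in for the STUN server; reports the article's example mapping 212.134.123.23:12345."""
    return build_binding_response(request[8:20], "212.134.123.23", 12345)


if __name__ == "__main__":
    print(stun_fix_sdp(PRIVATE_SDP, fake_stun_server))
```

In a real terminal the request is sent from the very socket that will receive RTP, because, as item 10 notes, the mapping only holds for that source port and only for a short time; the SDP must then go out promptly. The transaction ID check in parse_mapped_address is what stops a stray or stale reply from being taken as the current mapping.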
12. The solution for symmetric NAT is to place a server on the public network that relays the voice stream. This media relay is sometimes an outbound proxy. Note that a server relaying voice streams may become a bottleneck, and because the voice passes through it, the path is longer and sound quality degrades. SIP therefore needs this relay capability to work behind symmetric NAT.
However, most NAT devices today support "virtual server" port forwarding, which forwards the ports the SIP service needs to the SIP terminal. If port forwarding is configured on the NAT device, the NAT reserves the ports needed for SIP operation and dedicates them to the SIP terminal; the SIP terminal then works as if it were behind a full cone NAT, together with STUN. The number of ports the SIP terminal needs is determined as follows: one port for SIP signaling, such as 5060, plus a number of RTP ports that depends on the number of calls, two RTP ports per call, so every additional call needs two more ports.
For a single-line SIP phone, three ports therefore need to be mapped on the NAT.
The first three NAT types can be referred to collectively as asymmetric NAT, and all of them can be traversed using the STUN protocol.
The best solution to NAT problems is to turn a symmetric NAT into a full cone NAT through port forwarding; this should be tried first. Only when the ports cannot be mapped should the other methods be tried.
