Sip nat/FW

Source: Internet
Author: User

Basic Principles of NAT and Firewall
First, there are several NAT methods:

Full Cone: when a private-network host sends a packet to the public network with local address and port {A:B}, the NAT converts the private address {A:B} to a public address {X:Y} and binds the two. Any host can then reach {A:B} through {X:Y}: the NAT converts the destination of any incoming packet addressed to {X:Y} to {A:B}.

Partial/Restricted Cone: when a private-network host sends a packet to the public network with local address and port {A:B}, the NAT converts the private address {A:B} to a public address {X:Y} and binds the two. Any host can reach {A:B} through {X:Y}, but the NAT only forwards packets to {X:Y} whose source matches the binding {A:B} | {X:Y} <-> {C:D}, where {C:D} is the source address and port of the incoming packet. That is, only packets from {C:D} can communicate with the host {A:B}.

The difference between partial and restricted cone is that partial cone binds only the IP address of the incoming packet, whereas restricted cone binds both the IP address and the port of the incoming packet; the latter is the situation described above.

Symmetric Cone: when a private-network host sends a packet to a public-network host, {A:B} -> {C:D}, the NAT converts its address {A:B} to {X:Y} and creates the binding {A:B} | {X:Y} <-> {C:D}. The NAT only accepts incoming packets from {C:D} at {X:Y} and forwards them to {A:B}. In other words, a private-network host that needs to send a packet out must know the public IP address and port of the other host; if the other party is also in a private network, its public IP address and port are hard to learn.

Therefore, symmetric cone is the strictest, partial/restricted cone comes next, and full cone is the least strict.
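As an added example (not from the original page), the following Python model implements the inbound filtering rules of the four NAT types described above, in the page's notation; going slightly beyond the text, it also shows that a symmetric NAT allocates a separate public port for each destination. The public IP address and port numbers are constructed.

```python
# Added example, not from the page: a model of the four NAT behaviours above,
# in the page's notation: {A:B} private, {X:Y} public, {C:D} remote host.
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]
PUBLIC_IP = "128.96.41.1"   # constructed public address of the NAT


class Nat:
    MODES = ("full", "address_restricted", "port_restricted", "symmetric")

    def __init__(self, mode: str) -> None:
        if mode not in self.MODES:
            raise ValueError(mode)
        self.mode = mode
        self.next_port = 5678
        self.bindings: Dict[object, Addr] = {}   # binding key -> public {X:Y}
        self.reverse: Dict[Addr, Addr] = {}      # public {X:Y} -> private {A:B}
        self.peers: Dict[Addr, Set[Addr]] = {}   # public {X:Y} -> every {C:D} sent to

    def outbound(self, private: Addr, remote: Addr) -> Addr:
        """Private host {A:B} sends to {C:D}; return the public {X:Y} the NAT uses."""
        # Symmetric binds per (source, destination), so each peer sees a new port;
        # all cone variants bind per source only and reuse one {X:Y}.
        key = (private, remote) if self.mode == "symmetric" else private
        if key not in self.bindings:
            public = (PUBLIC_IP, self.next_port)
            self.next_port += 1
            self.bindings[key] = public
            self.reverse[public] = private
            self.peers[public] = set()
        public = self.bindings[key]
        self.peers[public].add(remote)
        return public

    def inbound(self, src: Addr, public: Addr) -> Optional[Addr]:
        """Packet from {C:D} arrives at {X:Y}; return {A:B} if the NAT lets it in."""
        if public not in self.reverse:
            return None                          # no binding at all: dropped
        sent_to = self.peers[public]
        if self.mode == "full":
            allowed = True                       # anyone may reach {X:Y}
        elif self.mode == "address_restricted":
            allowed = any(ip == src[0] for ip, _ in sent_to)   # IP only
        else:                                    # port_restricted, symmetric
            allowed = src in sent_to             # exact {C:D} required
        return self.reverse[public] if allowed else None
```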

Next, let's look at a firewall's basic policies:

• The firewall checks whether each packet comes from the inside or the outside.

• Generally, all packets from inside are allowed out.

• Generally, packets from outside are allowed in only if the connection was initiated from inside.

• Generally, all connections initiated from outside are prohibited.

• Generally, the firewall allows a few trusted outside hosts to initiate connections and send packets in.

NAT and firewalls process and filter at the TCP/IP layer, but the IP addresses carried by SIP live at the application layer (in the SIP message and its SDP body), so they are not translated. Therefore, other methods are needed to solve this problem.

Different solutions are available for different NAT types:

• UPnP

• External query

• STUN

• ALG

With the first three, the SIP client (UA or proxy) learns its public address by some means or protocol before sending the INVITE. They require additional support in the SIP client and are not applicable to all NAT types.

The ALG (Application Layer Gateway) is applicable to all NAT types and requires no additional support from the SIP client. It processes and modifies the SIP signaling at the application layer to achieve transparent address translation.

The following describes the ALG solution in detail using a concrete case.

SIP ALG solution
The ALG modifies the SIP address and port in the SIP message and the RTP address and port in the SDP body. The RTP address and port are obtained by requesting them from the RTP proxy: the RTP proxy allocates an idle address and port of its own, maintains a mapping between them and this call, and binds together the addresses and ports it assigned to the two parties. In this way, the RTP connection address of each party is the RTP proxy, which forwards the media to the real destination.
Assume two SIP clients, Ada and Bob, each located behind its own NAT server:

The two NAT servers are deployed in symmetric cone mode.

The signaling process is as follows:

1. Ada initiates signaling by sending an INVITE to Bob.

   IP packet addresses:
     From: 192.168.1.10:5060
     To:   128.97.41.56:5060 (SIP ALG)
   SIP message addresses:
     From: 192.168.1.10:5060
     To:   128.97.41.56:5060
   SDP body RTP address:
     192.168.1.10:10024

2. When the packet passes through the NAT server, the NAT server converts its private address to a public address and binds the two. Because the NAT server runs in symmetric cone mode, the destination address is bound as well:

   {192.168.1.10:5060} | {128.96.41.1:5678} <-> {128.97.41.56:5060}

   IP packet addresses:
     From: 128.96.41.1:5678
     To:   128.97.41.56:5060 (SIP ALG)
   SIP message addresses:
     From: 192.168.1.10:5060
     To:   128.97.41.56:5060
   SDP body RTP address:
     192.168.1.10:10024

3. When the SIP ALG receives the INVITE and finds that the source IP address of the IP packet differs from the IP address in the SIP message, it determines that the packet has passed through NAT and rewrites the corresponding SIP address.

   It then checks whether the body contains SDP. If it does and carries an RTP address, the SIP ALG requests a public RTP address from the RTP proxy and uses it to replace the original RTP address.

   IP packet addresses:
     From: 128.97.41.56:5060
     To:   128.96.63.25:5566
   SIP message addresses:
     From: 128.96.41.1:5678
     To:   128.96.63.25:5566 (next hop address)
   SDP body RTP address:
     128.97.44.5:3000

4. Because Bob keeps sending registration packets to the SIP ALG, his NAT server keeps the binding {10.0.0.12:5060} | {128.96.63.25:5566} <-> {128.97.41.56:5060} alive, so Bob can receive the INVITE sent by the SIP ALG.

   Bob returns 200 OK, including SDP.

   IP packet addresses:
     From: 10.0.0.12:5060
     To:   128.97.41.56:5060
   SIP message addresses:
     From: 10.0.0.12:5060
     To:   128.97.41.56:5060 (next hop address)
   SDP body RTP address:
     10.0.0.12:10002

5. The NAT server rewrites the IP address of the packet and sends it to the SIP ALG.

6. When the SIP ALG receives the 200 OK and finds that the source IP address of the IP packet differs from the IP address in the SIP message, it determines that the packet has passed through NAT and rewrites the corresponding SIP address.

   It then checks whether the body contains SDP. If it does and carries an RTP address, the SIP ALG requests a public RTP address from the RTP proxy and uses it to replace the original RTP address.

   IP packet addresses:
     From: 128.96.63.25:5566
     To:   128.96.41.1:5678
   SIP message addresses:
     From: 128.96.63.25:5566
     To:   128.96.41.1:5678 (next hop address)
   SDP body RTP address:
     128.97.44.5:3002

7. At this point the RTP proxy maintains the following binding for this session:

   {128.97.44.5:3000 | 128.97.44.5:3002}

8. When Ada receives the 200 OK, she determines that the other party's RTP address is 128.97.44.5:3002 and sends RTP to it.

   Bob, in turn, believes the other party's RTP address is 128.97.44.5:3000 and sends RTP to it.

9. When port 3002 of the RTP proxy receives a packet, the proxy learns Ada's public RTP address from the packet's source address.

   When port 3000 of the RTP proxy receives a packet, the proxy learns Bob's public RTP address from the packet's source address.

   Therefore the RTP proxy forwards packets received on port 3002 to Bob's public RTP address, and likewise forwards packets received on port 3000 to Ada's public RTP address.

In this way, the call is successfully established.
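As an added example (not code from the page or from any particular ALG product), here is a toy SIP ALG and RTP proxy in Python that performs the NAT detection and rewriting of steps 3 and 6 and the learn-and-forward behaviour of step 9, using the addresses from the case above. It assumes the sender's SIP address is carried in the Via and Contact headers and that the SDP carries a c= line and an m=audio line; the INVITE is constructed.

```python
# Added example, not the page's code; Via/Contact handling and the SDP layout are assumptions.
import re
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]
PROXY_IP = "128.97.44.5"          # RTP proxy public address from the page

class RtpProxy:
    """Allocates a port pair per call and forwards media between the learned peers."""

    def __init__(self) -> None:
        self.next_port = 3000
        self.pair: Dict[int, int] = {}       # relay port -> the other leg's relay port
        self.learned: Dict[int, Addr] = {}   # relay port -> public RTP addr seen there

    def allocate_pair(self) -> Tuple[int, int]:
        # 3000 goes into Ada's SDP (Bob sends there), 3002 into Bob's (Ada sends there)
        a, b = self.next_port, self.next_port + 2
        self.next_port += 4
        self.pair[a], self.pair[b] = b, a
        return a, b

    def relay(self, port: int, src: Addr) -> Optional[Addr]:
        """Step 9: learn the sender's public address on `port`; return the forward target."""
        self.learned[port] = src
        return self.learned.get(self.pair[port])

def alg_rewrite(pkt_src: Addr, msg: str, relay_port: int) -> Tuple[str, bool]:
    """Steps 3 and 6: the sender is behind NAT when the Via address differs from the
    IP packet source; then rewrite Via/Contact to the public address. If an SDP body
    is present, point its RTP address at the proxy's allocated port."""
    via = re.search(r"^Via: SIP/2.0/UDP (\S+):(\d+)", msg, re.M)
    behind_nat = (via.group(1), int(via.group(2))) != pkt_src
    if behind_nat:
        pub = f"{pkt_src[0]}:{pkt_src[1]}"
        msg = re.sub(r"^(Via: SIP/2.0/UDP )\S+", rf"\g<1>{pub}", msg, flags=re.M)
        msg = re.sub(r"^(Contact: <sip:[^@>]*@)[^>]+", rf"\g<1>{pub}", msg, flags=re.M)
    if "c=IN IP4" in msg:
        msg = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {PROXY_IP}", msg, flags=re.M)
        msg = re.sub(r"^(m=audio )\d+", rf"\g<1>{relay_port}", msg, flags=re.M)
    return msg, behind_nat

# Constructed INVITE as it leaves Ada's NAT in step 2: IP source is public, SIP/SDP private.
INVITE_FROM_ADA = (
    "INVITE sip:bob@128.97.41.56 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060\r\n"
    "Contact: <sip:ada@192.168.1.10:5060>\r\n"
    "\r\nv=0\r\nc=IN IP4 192.168.1.10\r\nm=audio 10024 RTP/AVP 0\r\n"
)
```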

Deployment of SIP ALG
In any case, all RTP packets must pass through the RTP proxy, so every MS must be able to modify SDP, while only the SIP ALG needs to be able to modify the SIP message. Let users configure which proxy they use, so that public-network SIP clients are not needlessly routed through the SIP ALG.
