SIP Traversal of NAT and Firewalls

Firewall & NAT

In essence, the optical port board is equivalent to a NAT device, so the task is to achieve NAT traversal; the board's own SIP processing is not the problem.

A firewall is a passive network security defense that sits at the network boundary and enforces an access control policy between two networks: it prevents the external network from illegally accessing internal information resources, and prevents specific information from being illegally exported from the internal network. In general, a firewall filters out all unwanted network traffic, admitting only traffic to the addresses and ports that have been explicitly opened.

NAT technology is divided into basic Network Address Translation (NAT) and Network Address and Port Translation (NAPT). Its main function is to assign a global IP address and port number to each packet leaving the intranet as its source address and source port number, and to record this mapping in an address/port mapping table. For packets arriving from outside, the NAT device uses the mapping table to translate the destination IP address and port number back into the internal IP address and port number used by the internal host, and then forwards the packet to that host.

Basic NAT is simple enough to implement: the subnet uses a reserved IP range that is invisible to the outside, and only a few of its IP addresses correspond to truly globally unique IP addresses. When such a node needs to reach an external network, basic NAT translates the node's subnet IP into a globally unique IP and sends the packet out. (Basic NAT changes the original IP address in the IP packet, but does not change the port.)

Another kind of NAT is called NAPT; as the name indicates, NAPT changes not only the IP address of a datagram passing through the NAT device but also its TCP/UDP port. Basic NAT devices are rarely seen in practice. See the figure below.

Suppose there is a private network 10.0.0.0, and client A (10.0.0.1) is one of its hosts. The network's gateway (a NAT device) has the external IP 155.99.25.11 (it also has an intranet IP address, such as 10.0.0.10). If a process on client A creates a UDP socket bound to port 1234 and wants to reach port 2234 on the external host 18.181.0.31, what happens when the packet passes through the NAT?

First, the NAT changes the source IP address of this packet to 155.99.25.11. It then creates a session for the transfer (the session is an abstract concept: for TCP it might begin with a SYN packet and end with a FIN packet; for UDP it begins with the first UDP packet from this IP and port and ends after some idle time, perhaps a few minutes, perhaps a few hours), assigns a port to the session, such as 62000, and changes the packet's source port to 62000. So a packet that was (10.0.0.1:1234 -> 18.181.0.31:2234) appears on the Internet as (155.99.25.11:62000 -> 18.181.0.31:2234). Once the NAT has created the session, it remembers that port 62000 corresponds to port 1234 of 10.0.0.1, and data sent from 18.181.0.31 to port 62000 is automatically forwarded to 10.0.0.1. (Note: only data sent to port 62000 from 18.181.0.31 is forwarded; data sent to that port by other IPs is discarded by the NAT.) In this way client A establishes a connection with server S1.

The session on the NAT described above is what is often called "punching a hole in the network's NAT". This hole cannot be opened from the outside; only a host on the intranet can open it. The hole also has a direction: in the example above, a UDP packet is sent from the internal host (10.0.0.1) to an external IP (18.181.0.31), so a hole in the direction of 18.181.0.31 is opened on the intranet's NAT device, and 18.181.0.31 can later contact 10.0.0.1 through it. (Note that this hole on the NAT can be used only by these two IPs; other IPs cannot communicate through it.) This technique is called UDP hole punching.

When there is no activity, the hole expires. A NAT keeps an address translation relationship only for a certain lifetime: after an entry has not been used for a period of time it is cleared, and a new translation relationship is established when traffic reappears.

NAT is commonly categorized as follows:

Full Cone NAT
Address Restricted Cone NAT
Port Restricted Cone NAT
Symmetric NAT

Full Cone NAT

In a Full Cone NAT, the NAT translates the client address {x:y} to the public address {A:B} and binds them. Any packet sent to {A:B} is forwarded to the client host's {x:y}. As shown in the figure:

Address Restricted Cone NAT

An Address Restricted Cone NAT translates the client address {x:y} to the public address {A:B} and binds them, but only packets from host {P} (from any port) may communicate with {x:y} through this binding. As shown in the following illustration:

Port Restricted Cone NAT

A Port Restricted Cone NAT translates the client address {x:y} to the public address {A:B} and binds them, but only packets from the host and port {P:Q} may communicate with {x:y} through this binding. As shown in the following illustration:

Symmetric NAT

A Symmetric NAT translates the client address {x:y} to the public address {A:B} and binds {x:y} | {A:B} <-> {P:Q}. The symmetric NAT accepts incoming packets only from {P:Q} and forwards them to {x:y}; each time the client sends to a different destination address and port, the NAT assigns a new public port {C:D}. As shown in the following illustration:
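To make the four behaviours concrete, here is an added toy model (not from the original article) that simulates a NAT's mapping table and the inbound filtering rule of each type, using the article's addresses (client 10.0.0.1:1234, public address 155.99.25.11, server 18.181.0.31:2234); the second server 18.181.0.32 and the stranger address are constructed. It also shows the "hole" from the UDP hole punching discussion above: a binding exists only after an outbound packet, and who may use it depends on the NAT type.

```python
from dataclasses import dataclass, field
from itertools import count
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]          # (ip, port)
FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "full cone", "address restricted", "port restricted", "symmetric")


@dataclass
class Nat:
    """Toy NAT: one mapping table plus the filtering rule of the chosen type."""
    public_ip: str
    kind: str
    # cone NATs: one public port per internal endpoint, whatever the destination
    cone_map: Dict[Endpoint, int] = field(default_factory=dict)
    # symmetric NAT: one public port per (internal endpoint, destination) pair
    sym_map: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)
    # public port -> (internal endpoint, destinations it has sent to through it)
    sessions: Dict[int, Tuple[Endpoint, Set[Endpoint]]] = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(62000), repr=False)

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate a packet leaving the intranet; returns the public (ip, port).
        This is the 'hole' of the article: it can only be opened from inside."""
        if self.kind == SYMMETRIC:
            table, key = self.sym_map, (src, dst)   # new port per destination
        else:
            table, key = self.cone_map, src          # one port per internal socket
        if key not in table:
            table[key] = next(self._ports)
        port = table[key]
        internal, peers = self.sessions.setdefault(port, (src, set()))
        peers.add(dst)
        return (self.public_ip, port)

    def inbound(self, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Filter a packet arriving from the Internet at public_port.  Returns the
        internal endpoint it is forwarded to, or None when the NAT drops it."""
        if public_port not in self.sessions:
            return None                          # no hole was opened
        internal, peers = self.sessions[public_port]
        if self.kind == FULL_CONE:
            return internal                      # any external host may use it
        if self.kind == ADDR_RESTRICTED:
            allowed = any(peer[0] == src[0] for peer in peers)   # host {P}, any port
        else:                                    # port restricted and symmetric
            allowed = src in peers               # exactly the contacted {P:Q}
        return internal if allowed else None


def demo(kind: str) -> dict:
    """The article's scenario: 10.0.0.1:1234 sends to 18.181.0.31:2234 (and to a
    constructed second server), then replies arrive from various sources."""
    nat = Nat("155.99.25.11", kind)
    client = ("10.0.0.1", 1234)
    s1, s2 = ("18.181.0.31", 2234), ("18.181.0.32", 2234)
    pub1 = nat.outbound(client, s1)          # opens the hole towards S1
    pub2 = nat.outbound(client, s2)
    return {
        "public": pub1,
        "same_port_for_s2": pub1 == pub2,    # False only for the symmetric NAT
        "reply_from_s1": nat.inbound(s1, pub1[1]),
        "s1_other_port": nat.inbound(("18.181.0.31", 9999), pub1[1]),
        "stranger": nat.inbound(("198.51.100.7", 4000), pub1[1]),
    }


if __name__ == "__main__":
    for kind in (FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{kind:>18}: {demo(kind)}")
```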

Problems with deploying SIP networks

SIP-based voice and video sessions operate in call-in mode (unsolicited incoming calls): the called party cannot know in advance when a call will arrive, so the terminal must listen for external calls at all times, which contradicts the firewall principle described above. Moreover, SIP voice and video communication dynamically assigns other ports for transmitting media data such as voice and video, so even if a port is opened on the firewall specifically to receive call signaling, the media cannot pass. How to provide secure two-way communication for users behind a firewall without compromising network security is therefore an important issue.

At the same time, NAT critically affects the transmission of SIP voice and video. The SDP carried in SIP session signaling (layer 5) contains the address and port information at which the terminal intends to send and receive signaling/media; this information is opaque to the NAT device and passes through it unchanged. When a SIP terminal on the intranet initiates an outgoing call as the caller, only the layer 3 address information of the SIP signaling is rewritten by the NAT device; the address information contained in the layer 5 session signaling is delivered intact to the called party, possibly through multiple SIP proxies. Using this mechanism of the SIP protocol, the caller and called party can complete media negotiation, but the media stream fails when the called party sends media to the caller's private address. In summary, a NAT traversal solution must guarantee secure bidirectional communication, support call-in mode, and as far as possible avoid changes to the NAT device or reliance on a particular type of device.

Common solutions for NAT

There are many solutions for NAT traversal; the commonly used ones are described below.

ALG (Application Level Gateway)

An ALG can recognize SIP signaling and modify the packets appropriately. It can be a separate device connected between the extranet and the intranet, or a plug-in built into the firewall. When the FW/NAT discovers that external call signaling is SIP, it forwards it to the ALG (Application Layer Gateway), which establishes the communication connection between the intranet terminal with its private address and the external terminal.

After NAT translation, the Via and Contact headers and the SDP owner/creator (o=) and connection (c=) fields in the SIP packet sent to the extranet must be changed to the NAT's extranet IP.

Using an ALG requires upgrading existing devices. For example, Cisco routers support ALG configuration. The optical port board uses the ALG approach.

The attachment describes a key problem encountered by the SIP ALG function of the optical port board.

MIDCOM (Middlebox Communications)

MIDCOM is a NAT traversal solution that emerged to solve the poor extensibility of ALG and proxy technology. MIDCOM uses a trusted third party (the MIDCOM agent) to control the Middlebox (the NAT): the MIDCOM agent instructs the Middlebox to open and close media ports. In general, MIDCOM is an ideal NAT traversal solution, because it moves the intelligence for recognizing IP voice and video services from the Middlebox to an external MIDCOM agent, and the application protocol becomes transparent to the Middlebox.

In general, the functions of the MIDCOM agent can be integrated into call control servers (such as SIP servers, gatekeepers (GK) or SoftSwitch devices), while the Middlebox functions are integrated into the NAT, and the interface between the MIDCOM agent and the Middlebox is implemented by the MIDCOM protocol. MIDCOM has the advantage of scalability: new applications only require the MIDCOM agent to be extended and do not require the Middlebox to be upgraded again. However, implementing MIDCOM requires both the server and the existing NAT to be upgraded to the MIDCOM protocol, so this scheme inevitably runs into the difficulty of upgrading existing equipment. At the same time, the MIDCOM protocol is still being refined and equipment manufacturers offer a limited range of products, so practical deployments of MIDCOM are currently rare. However, as the MIDCOM protocol matures and develops, it is expected to gain more and more application prospects.

The use of MIDCOM requires upgrading existing equipment.

STUN (Simple Traversal of UDP Through NATs)


IETF RFC 3489 defines how a client determines the public address and port assigned to it by a NAT, without requiring any change to the existing NAT.

Main features:

• Enables the client to discover the existence and type of NAT;
• Enables the client to discover the lifetime of NAT bindings;
• Works in environments with multiple NATs in series;
• A very simple protocol, easy to implement, with low load;
• The STUN server can be located anywhere on the public network.

Scope of application:

• Not applicable to symmetric NAT;
• Applicable to non-symmetric NAT;
• Not applicable if both parties are behind the same NAT.

See the protocol specification for more detail.

SBC (Session Border Controller)

An SBC is a VoIP access-layer device that achieves NAT/firewall traversal by controlling sessions at the network boundary; it can also perform bandwidth limiting, session management, traffic statistics and so on. An SBC can also be regarded as a proxy server supporting VoIP: it can recognize layer 5 and layer 7 messages, process the many session signaling protocols above layer 5, and modify the addresses in packet headers, thereby translating addresses between the networks inside and outside the SBC.

SBC traversal follows a communication model in which a session is decomposed into several channels. At the channel level, the establishment, maintenance and deletion of channels ensure channel availability; at the session level, connecting and releasing the different channels carries the entire session through. The SBC sits at the boundary of two networks, and its architecture typically consists of two main function modules: the Signaling Proxy and the Media Proxy. The Signaling Proxy is responsible for processing SIP session signaling and the Media Proxy for controlling the media stream; the two exchange information through a specific protocol and interface (such as the Megaco protocol), as shown below.

Basic structure of the SBC Signaling Proxy

The Signaling Proxy is a high-performance B2BUA (back-to-back user agent) responsible for processing all bidirectional SIP session signaling that passes through this node. In the B2BUA, one side acts as a UAS (user agent server), receiving and processing session requests from the calling terminal, while the other acts as a UAC (user agent client), issuing the session request onward. Unlike a proxy server, a B2BUA must maintain the state of each session and participate in the signaling interactions by which the session is established.

To ensure that SIP session signaling passes through the SBC, the DNS entry for the call server's domain name can be modified so that terminals resolving the call server obtain the SBC's IP address; the terminal then sends signaling intended for the call server directly to the SBC. These changes are transparent to the end user, while the SBC obtains all call information and can participate in the call setup process to implement control. Second, the Signaling Proxy must also modify the address information for signaling and media within the SIP session signaling.

(1) SIP user registration message processing. After intercepting a SIP user registration message, the Signaling Proxy overwrites the Via and Contact fields in the SIP header with its own IP address and port number and then forwards the message to the call server (SIP registrar). This binds the SIP user's current location to the SBC, so that when the SIP user is called, the signaling is sent to the SBC first. Also, because the NAT device clears idle UDP entries from its address/port mapping table after a relatively short interval, a terminal behind NAT that transmits SIP signaling over UDP must periodically (about every 10 seconds) send a registration message to the external call server to keep its address/port mapping entry in the NAT device valid.

(2) SIP message rewriting. To ensure that the Signaling Proxy always remains on the signaling path, it must overwrite the Via and Contact fields in SIP messages with its local address and port number. When an end user with an internal address sends signaling to the call server, the IP packet leaving the firewall/NAT carries the source address and source port assigned by the NAT device. The Signaling Proxy receiving this signaling establishes a local mapping between the address and port number the NAT device assigned to the terminal and the address and port number the Signaling Proxy assigned to this session. Thus, when reverse signaling arrives at the Signaling Proxy, it sends the signaling to the terminal through the correct address and port number on the firewall/NAT.

(3) SDP modification. The SDP portion of the SIP message must be rewritten so that the Media Proxy is inserted into the media path. The SDP includes the address and port at which the terminal intends to send and receive media. When the terminal is behind a firewall/NAT, delivering this information intact to the peer would cause the peer's media stream to fail to reach the terminal. The Signaling Proxy therefore requests a local address and port number from the Media Proxy and overwrites this information with them, guaranteeing the establishment of a bidirectional media stream.

The Signaling Proxy modifies only specific fields in specific SIP signaling messages; other messages and fields remain intact.

Media Proxy

The Media Proxy is controlled by the Signaling Proxy and is the relay point for RTP/RTCP media streams between the two sides of a session. Because all media streams pass through the Media Proxy, it can control media flow, manage quality of service, collect billing information, and perform dynamic network address/port translation.

The entire passage of signaling and media streams through the SBC is shown in Figure 2. When the calling user agent (UA) initiates the call ①, the Signaling Proxy, after receiving the INVITE message, requests the Media Proxy to allocate a local NAT address and port (call server side) ②, uses the address and port number returned by the Media Proxy ③ to rewrite the SDP carried in the signaling message, and sends it to the call server ④, which processes the call ⑤. When the reverse signaling arrives at the Signaling Proxy ⑥⑦, the Signaling Proxy again requests the Media Proxy to allocate a local NAT address and port (user side) ⑧, uses the returned address and port number ⑨ to overwrite the SDP carried in the reverse signaling, and sends it to the caller's user agent ⑩.

Figure 2: The signaling flow and media flow through the SBC

After the signaling has been processed in this way, both the caller and the called party send media to the specified address and port on the Media Proxy. By reading the source address and source port of the stream, the Media Proxy learns the global address and port that the caller/called party is using on its firewall/NAT, and in turn sends the peer's media stream to that address/port. Because the mapping for this global address/port already exists on the firewall/NAT, the firewall/NAT delivers the media stream to the internal terminal, and the two-way media connection is established. Thus the SBC provides secure two-way communication for users behind a firewall/NAT without compromising network security.
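As an added illustration of steps (1) to (3) and the flow in Figure 2 (example code, not part of the article or of any SBC product), the following Python models the Signaling Proxy rewriting the Via, Contact and SDP of a constructed INVITE while the Media Proxy allocates relay ports. The SBC address 203.0.113.10:5060, the Media Proxy address 203.0.113.20 and the INVITE itself are constructed; the terminal's private address 192.168.2.65:12344 and the NAT-assigned source 124.42.4.203:15500 are taken from the REGISTER example later in the article.

```python
import re
from typing import Dict, Tuple

Endpoint = Tuple[str, int]

# Constructed INVITE as it leaves the terminal, still carrying its private address.
INVITE = "\r\n".join([
    "INVITE sip:19988888888@124.40.120.188:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.2.65:12344;branch=z9hG4bK-example",
    "Contact: <sip:19988888888@192.168.2.65:12344>",
    "Call-ID: example-call-1",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=- 1 1 IN IP4 192.168.2.65",
    "c=IN IP4 192.168.2.65",
    "m=audio 49170 RTP/AVP 0",
    "",
])


class MediaProxy:
    """Hands out a local RTP port per request (steps 2 and 8 of Figure 2)."""

    def __init__(self, ip: str, first_port: int = 20000):
        self.ip, self.next_port = ip, first_port
        self.relay: Dict[int, Endpoint] = {}   # local port -> where its RTP is relayed

    def allocate(self, peer_media: Endpoint) -> int:
        port, self.next_port = self.next_port, self.next_port + 2   # RTP/RTCP pair
        self.relay[port] = peer_media
        return port


class SignalingProxy:
    """B2BUA side of the SBC: rewrites Via, Contact and SDP as in steps (1)-(3)."""

    def __init__(self, ip: str, port: int, media: MediaProxy):
        self.ip, self.port, self.media = ip, port, media
        self.sessions: Dict[str, Endpoint] = {}   # Call-ID -> NAT-assigned source

    def handle(self, msg: str, nat_source: Endpoint) -> str:
        head, _, body = msg.partition("\r\n\r\n")
        start, *headers = head.split("\r\n")
        me = f"{self.ip}:{self.port}"
        out = []
        for h in headers:
            raw_name, _, value = h.partition(":")
            name, value = raw_name.strip().lower(), value.strip()
            if name == "via":        # step (2): replace sent-by so we stay on the path
                value = re.sub(r"^(SIP/2\.0/\w+) \S+?(?=;|$)",
                               lambda m: f"{m.group(1)} {me}", value)
            elif name == "contact":  # step (1): bind the user's location to the SBC
                value = re.sub(r"@[^;>]+", f"@{me}", value, count=1)
            elif name == "call-id":  # remember the NAT source for reverse signaling
                self.sessions[value] = nat_source
            out.append(f"{raw_name}: {value}")
        if body:
            body = self.rewrite_sdp(body)   # step (3)
        return "\r\n".join([start, *out]) + "\r\n\r\n" + body

    def rewrite_sdp(self, body: str) -> str:
        """Point c=/m= at the Media Proxy so both sides send RTP through it."""
        peer_ip = re.search(r"^c=IN IP4 (\S+)", body, re.M).group(1)
        peer_port = int(re.search(r"^m=audio (\d+)", body, re.M).group(1))
        local = self.media.allocate((peer_ip, peer_port))
        body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {self.media.ip}", body, flags=re.M)
        return re.sub(r"^m=audio \d+", f"m=audio {local}", body, flags=re.M)


def demo() -> dict:
    """The INVITE arrives at the SBC from the NAT-assigned source 124.42.4.203:15500."""
    media = MediaProxy("203.0.113.20")                 # assumed Media Proxy address
    sbc = SignalingProxy("203.0.113.10", 5060, media)  # assumed SBC signaling address
    rewritten = sbc.handle(INVITE, ("124.42.4.203", 15500))
    return {"message": rewritten, "relay": dict(media.relay), "sessions": dict(sbc.sessions)}
```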

(1) Dynamic network address/port translation (NAPT). The Media Proxy's NAPT function not only alleviates the IPv4 address shortage in the carrier network or user network, but also hides the topology of the operator network and user network, improves resistance to denial of service (DoS) attacks, and guarantees the confidentiality of the operator's network topology.

(2) Generating billing information. Since the Media Proxy is a mandatory transit point for the media stream, it is the appropriate place to monitor and record session duration, session type (voice, video, etc.) and bidirectional data traffic, and to produce CDRs (Charge Detail Records).

(3) QoS mapping between networks. The TOS (Type of Service) / DS (Differentiated Services) field in the IP header indicates the QoS (quality of service) level a packet should receive. To ensure end-to-end quality of service, QoS mapping must be done at the edge of both networks. When a session's IP packets pass through the Media Proxy, they carry the TOS/DS tags set by the source network; the Media Proxy can change these tags according to pre-configured mapping rules before forwarding them into the destination network, so that the session's QoS remains consistent across the networks of different operators, guaranteeing end-to-end QoS.

(4) IPv4 to IPv6 protocol conversion. At the edge between two heterogeneous networks (IPv4/IPv6), the Media Proxy can also convert between the two IP protocols. Because of its special location, the Media Proxy is an ideal device for deploying IPv4/IPv6 protocol conversion.

rport mechanism

The client's public IP address is obtained from the received parameter in the Via header. Port information is obtained the same way: the Via header carries an rport parameter indicating the port.

When there is a NAT between the client and the server, the request may create (or refresh) a binding in the NAT; for the client to receive the response, the binding must persist for the duration of the transaction. Most NAT bindings have a timeout of more than 1 minute, which exceeds the duration of a non-INVITE transaction, so the response to a non-INVITE request can normally be delivered while the binding still exists. This is not the case for INVITE transactions.

To maintain the binding, the client should retransmit the INVITE request about every 20 s; this needs to happen after a provisional response has been received.

Of course, the timeout of about 1 minute just mentioned is not certain; sometimes it is longer, in which case the mechanism can slow down, and otherwise it can send a little faster. For these questions refer to RFC 3489.

A server that supports the rport mechanism must check whether the Via header of a received request contains an rport parameter without a value. If so, it must set the value of rport in the response, in the same way as received is handled.

In order to traverse a symmetric NAT, the response must be sent back to the same IP address and port from which the request was received. When the server listens for requests on multiple ports or interfaces, it must also remember where the request arrived. For a stateful proxy, remembering this for the duration of a transaction is no problem. A stateless proxy, however, stores no request or response state, so to meet this requirement it needs to encode the address and port information into the Via header field; when the response arrives, it can extract the encoded information and use it for the response.

The rport mechanism requires terminal support, so its range of application is relatively limited.

Example

Below is an example REGISTER exchange. The request's Via header contains an rport parameter with no value:

REGISTER sip:124.40.120.188:5060 SIP/2.0
Via: SIP/2.0/UDP 124.42.4.203:15500;branch=z9hG4bK-d8754z-1049ed261d2e643d-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:19988888888@192.168.2.65:12344;rinstance=7cd1c532e92fdb0e>;expires=0
To: "19988888888" <sip:19988888888@124.40.120.188:5060>
From: "19988888888" <sip:19988888888@124.40.120.188:5060>;tag=203ba359
Call-ID: yzc4n2iwmzy5owu4mtdkmzy0nwy4owu3njmznmjim2u.
CSeq: 1 REGISTER
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 1105a stamp 56793
Content-Length: 0

The server supports the rport mechanism. When it sees rport in the request, it reads the NAT's public address (124.42.4.203) and port (15500) from the UDP packet and returns them to the client as the received and rport parameters:

SIP/2.0 OK
Via: SIP/2.0/UDP 124.42.4.203:15500;branch=z9hG4bK-d8754z-1049ed261d2e643d-1---d8754z-;rport=15500;received=124.42.4.203
From: "19988888888" <sip:19988888888@124.40.120.188:5060>;tag=203ba359
To: "19988888888" <sip:19988888888@124.40.120.188:5060>;tag=0005-058-7d6dc90516ae2e21
Call-ID: yzc4n2iwmzy5owu4mtdkmzy0nwy4owu3njmznmjim2u.
CSeq: 4 REGISTER
Allow: INVITE, ACK, OPTIONS, BYE, CANCEL, REGISTER, INFO, UPDATE, PRACK, REFER, SUBSCRIBE, NOTIFY, MESSAGE
Contact: <sip:124.40.120.188:5060>
Content-Length: 0

After receiving the response, the client knows its public address and port, and in the periodically re-sent REGISTER the Contact is changed to 124.42.4.203:15500. The new REGISTER becomes:

REGISTER sip:124.40.120.188:5060 SIP/2.0
Via: SIP/2.0/UDP 124.42.4.203:15500;branch=z9hG4bK-d8754z-1049ed261d2e643d-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:19988888888@124.42.4.203:15500;rinstance=7cd1c532e92fdb0e>;expires=0
To: "19988888888" <sip:19988888888@124.40.120.188:5060>
From: "19988888888" <sip:19988888888@124.40.120.188:5060>;tag=203ba359
Call-ID: yzc4n2iwmzy5owu4mtdkmzy0nwy4owu3njmznmjim2u.
CSeq: 2 REGISTER
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 1105a stamp 56793
Content-Length: 0
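The server-side and client-side handling described in the rport section, as an added example (not code from the article): the server fills rport and received from the UDP datagram's actual source, works out where the response must be sent, and the client re-registers with the learned public address in Contact. The REGISTER below is constructed after the article's, with the private address 192.168.2.65:12344 in Via and a shortened branch; the UDP source 124.42.4.203:15500 is the article's own value.

```python
import re
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]

# Constructed REGISTER modelled on the article's: the phone puts its private
# address in Via and Contact and asks for rport with a valueless parameter.
REQUEST = "\r\n".join([
    "REGISTER sip:124.40.120.188:5060 SIP/2.0",
    "Via: SIP/2.0/UDP 192.168.2.65:12344;branch=z9hG4bK-d8754z-example;rport",
    "Contact: <sip:19988888888@192.168.2.65:12344;rinstance=7cd1c532e92fdb0e>;expires=0",
    "CSeq: 1 REGISTER",
    "Content-Length: 0",
    "", "",
])

def header(msg: str, name: str) -> Optional[str]:
    """First header value with the given (case-insensitive) name."""
    for line in msg.split("\r\n"):
        k, sep, v = line.partition(":")
        if sep and k.strip().lower() == name.lower():
            return v.strip()
    return None

def set_header(msg: str, name: str, value: str) -> str:
    lines = msg.split("\r\n")
    for i, line in enumerate(lines):
        k, sep, _ = line.partition(":")
        if sep and k.strip().lower() == name.lower():
            lines[i] = f"{k}: {value}"
            break
    return "\r\n".join(lines)

def parse_via(via: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """'SIP/2.0/UDP h:p;a=1;rport' -> ('SIP/2.0/UDP h:p', {'a': '1', 'rport': None})."""
    sent_by, *params = [p.strip() for p in via.split(";")]
    table: Dict[str, Optional[str]] = {}
    for p in params:
        k, eq, v = p.partition("=")
        table[k.lower()] = v if eq else None      # valueless ';rport' -> None
    return sent_by, table

def build_via(sent_by: str, params: Dict[str, Optional[str]]) -> str:
    return ";".join([sent_by] + [k if v is None else f"{k}={v}" for k, v in params.items()])

def server_response_via(request: str, udp_source: Endpoint) -> str:
    """Server side: the top Via for the response.  A valueless rport is filled with
    the datagram's source port and received= carries its source IP."""
    sent_by, params = parse_via(header(request, "Via"))
    if "rport" in params and params["rport"] is None:
        params["rport"] = str(udp_source[1])
        params["received"] = udp_source[0]
    return build_via(sent_by, params)

def response_target(response_via: str) -> Endpoint:
    """Where the server sends the response: received/rport when present (which is
    what gets it back through a symmetric NAT), otherwise the Via sent-by."""
    sent_by, params = parse_via(response_via)
    host, _, port = sent_by.split(" ", 1)[1].partition(":")
    return params.get("received") or host, int(params.get("rport") or port or 5060)

def client_learn_public(response_via: str) -> Optional[Endpoint]:
    """Client side: the public address and port the server saw, if reported."""
    _, params = parse_via(response_via)
    if params.get("received") and params.get("rport"):
        return params["received"], int(params["rport"])
    return None

def client_reregister(request: str, public: Endpoint) -> str:
    """Client side: next CSeq, Contact host:port replaced by the learned public one."""
    contact = re.sub(r"@[^;>]+", f"@{public[0]}:{public[1]}", header(request, "Contact"), count=1)
    seq, method = header(request, "CSeq").split()
    return set_header(set_header(request, "Contact", contact), "CSeq", f"{int(seq) + 1} {method}")
```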
