SIP Traversal Nat&firewall Solution

Source: Internet
Author: User

http://blog.csdn.net/noiile/article/details/115436


What are the problems with SIP from private network to public network?

Address translation of the package.

SIP address Translation inside the SIP message.

The RTP address translation in the SDP inside the SIP message.

The existing structure of the network is complex, SIP service providers are not necessarily network providers, it is difficult to ask customers to use only some way of nat&firewall. How to find a SIP application solution that can meet a variety of networks.

Fundamentals of NAT and firewall

First, there are several ways of NAT:

Full Cone: When a host in a private network sends a packet to the public network, its local address and port is {A:b},nat will convert its private address {A:B} to the public address {x:y} and bind. Any package can be sent to the host's {A:B} address via address {x:y}, and Nat will convert the address {x:y} of any incoming package sent to {x:y} to {a:b}.

partial/restricted Cone: When a host in a private network sends a packet to the public network, its local address and fracture is {A:b},nat will convert its private address {A:B} to the public address {x:y} and bind. Any package can be sent to the host's {A:B} address via address {x:y}, but Nat is bound to {a:b}| only for the first package destined for {x:y} {X:y}<->{c:d}, where {c:d} is the source address and port of the package. In other words, only packages from {C:D} can communicate with host {A:B}.

The difference between partial and restricted cone is that the partial binds only the IP address of the incoming packet, and restricted cone binds the incoming packet IP address and port. That is the case described above.

symmetric Cone: When a host in a private network sends a packet to a host on the public network, {A:B}À{C:D}. NAT converts its address {a:b} to {x:y} and binds it to {a:b}| {x:y}<->{c:d}. NAT only accepts incoming packet from {C:D} and forwards it to {A:B}. In other words, if a host inside a private network sends a packet to the outside, it must know the other's public IP and port. But if the other side is also in a private network, it is difficult to know each other's public IP and port.

Thus, symmetric cone conditions are the most stringent, partial/restricted cone second, full cone conditions least stringent.

Here's a look at Firewall's basic strategy:

L Firewall will tell if all the packages are from inside (Inside) or outside (Outside).

L Generally, allow all packets from inside to be sent out.

L General, allow packets from outside to come in, but this connection must be initiated by inside.

L General, prohibit all connections initiated by outside in the package.

In general, Firewall will allow several trusted outside hosts, and they can initiate the establishment of a connection and contract it in.

All NAT and firewall are processed and filtered for the TCP/IP layer, while the address of the SIP application is at the application level. So there must be other ways to solve the problem.

For different NAT types, you can have different solutions.

L UPnP

L External Query

L STUN

L ALG

The top 3 are the SIP Client (including UA and proxy) that acquires its own public address and port before invite by some means or protocol. The SIP client is required to provide additional support and is not suitable for all NAT modes.

ALG (Application Layer Gateway) adapts to all NAT modes and does not require any additional support from the SIP client. It handles and modifies SIP signaling in the application layer to make transparent conversion of addresses.

The following is a detailed description of the solution for ALG in a case.

SIP ALG Solution
ALG modifies the SIP address and port inside the SIP message and the RTP address and port in the SDP message, where the RTP address and port are to be obtained from the RTP proxy request, and the RTP proxy allocates its own idle address and port, and maintains a mapping relationship with the call. The address and port assigned to both sides of the call are bound so that the RTP connection addresses of both sides of the call are RTP proxies, which are brokered by the RTP proxy and sent to the true destination.

Let's say that there are two SIP clients to communicate with, Ada and Bob, who are behind their own NAT servers, respectively:

Of these, two NAT servers are symmetric cone methods.

The signaling process is as follows:

1. Ada initiated the signaling, Invite Bob.

IP Packet IP Address:

from:192.168.1.10:5060

to:128.97.41.56:5060 (SIP ALG)

SIP MSG IP Address:

from:192.168.1.10:5060

to:128.97.41.56:5060

SDP Body IP address for RTP:

192.168.1.10:10024

2. After Nat Server,nat to convert its private address into a public address, and bind, because is the use of symmetric cone way, so also bind the destination IP address.

{192.168.1.10:5060}| {128.96.41.1:5678}<->{128.97.41.56:5060}

IP Packet IP Address:

from:128.96.41.1:5678

to:128.97.41.56:5060 (SIP ALG)

SIP MSG IP Address:

from:192.168.1.10:5060

to:128.97.41.56:5060

SDP Body IP address for RTP:

192.168.1.10:10024

3. SIP ALG accepts the invite and finds that its packet has a different IP address and SIP IP address, so it is determined to be NAT, so it modifies its associated SIP IP address.

and check whether its body contains SDP information, if it is, and there is a RTP address, SIP ALG will go to RTP proxy request a public network RTP address to replace the original RTP address.

IP Packet IP Address:

from:128.97.41.56:5060

to:128.96.63.25:5566

SIP MSG IP Address:

from:128.96.41.1:5678

to:128.96.63.25:5566 (address of the next hop)

SDP Body IP address for RTP:

128.97.44.5:3000

4. Because Bob constantly sends a registration package to SIP ALG, its NAT server always retains such a binding for it, {10.0.0.12:5060}| {128.96.63.25:5566}<->{128.97.41.56:5060}. Therefore, the Invite,bob sent by SIP ALG can be received.

Bob returns a $ OK containing the SDP information.

IP Packet IP Address:

from:10.0.0.12:5060

to:128.97.41.56:5060

SIP MSG IP Address:

from:10.0.0.12:5060

to:128.97.41.56:5060 (address of the next hop)

SDP Body IP address for RTP:

10.0.0.12:10002

5. NAT server modifies the IP address of its package. Sent to sip ALG.

6. SIP ALG accepts that the IP address of the packet and the SIP IP address are different, it is determined that it is a NAT, so it will be related to the SIP IP address modification.

and check whether its body contains SDP information, if it is, and there is a RTP address, SIP ALG will go to RTP proxy request a public network RTP address to replace the original RTP address.

IP Packet IP Address:

from:128.96.63.25:5566

to:128.96.41.1:5678

SIP MSG IP Address:

from:128.96.63.25:5566

to:128.96.41.1:5678 (address of the next hop)

SDP Body IP address for RTP:

128.97.44.5:3002

7. At this point, the RTP proxy maintains a connection binding for this session

{128.97.44.5:3000|128.97.44.5:3002}

8. ADA receives a $ OK, which it considers the RTP address of the other party to be 128.97.44.5:3002. will establish a connection with it.

And Bob thinks the other's RTP address is 128.97.44.5:3000. will establish a connection with it.

9. When the 3002 port of the RTP proxy receives the packet, it can obtain the ADA's RTP public IP from the package address.

When the 3000 port of the RTP proxy receives the packet, it can get Bob's RTP public IP from the package address.

Thus, the RTP proxy forwards the packet received by Port 3002 to Bob's RTP public IP.

Similarly, the RTP proxy forwards the packets received on port 3000 to the ADA's RTP public IP.

In this way, a connection to a call is successfully established. deployment of SIP ALG

Because in any case, all RTP packets need to be RTP Proxy, so all MS has the ability to modify the SDP, and only sip ALG needs to have the ability to modify the SIP message. Let the user configure their own proxy is what, to avoid the public network SIP client also through SIP ALG, resulting in unnecessary consumption. Supplement

If SIP ALG discovers that the address of the invite packet is consistent with the SIP address, it will not modify the package, which it considers to be from the public network, or that the SIP client has the ability to traverse NAT. But it modifies the IP address of its SDP. ISSUE:

1. If the SDP describes simplex work, the RTP connection cannot be established because the RTP proxy always has no way of knowing the RTP public IP of the Silent party.

2. Each time the RTP connection is established, the RTP packet of one party may lose several, until RTP proxy learns the other party's RTP public IP.

3. Whether any RTP packets should be forced to pass the RTP Proxy, whether they are from the public network, can be directly connected. I think so, because the calling party does not know the network environment of the called Party.

4. If multiple RTP proxies are balanced, how can we ensure that the proxy that assigns the IP to the calling party is the same as the proxy that assigns the IP to the called party? (They must be the same proxy)

Can add a header, such as RTP proxy, this header only SIP ALG know.

5. If the SIP message is encrypted, the IP address of its SIP cannot be modified.

Reference

"SIP, NAT, and Firewalls", Fredrik Thernelius, May 2000

"Cisco-voip traversal of NAT and Firewall", Cisco Systems, Inc.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.