Research on ice-based sip signaling penetration over symmetric NAT technology

Zeng Li, Wu Ping, Gao Wanlin, Wu Wenjuan (1 Department of Computer Science and Technology, Agricultural University of China, Beijing 100083, China; 2 School of Information, Renmin University of China, Beijing 100872, China)

Abstract: One of the practical difficulties faced by IP-based voice, data, video and other services in NGN networks is how to traverse the many kinds of NAT/FW effectively. For the Session Initiation Protocol (SIP), earlier solutions include ALGs, STUN and TURN. This article discusses a new solution for media session signaling traversal of NAT/FW: Interactive Connectivity Establishment (ICE). ICE makes full use of existing protocols and organizes the session establishment process in a more effective way; without adding any latency, it is more robust and flexible than a single protocol such as STUN. The article describes the ICE algorithm in detail and designs an example to illustrate how SIP signaling traverses NAT with it. Finally, the advantages and application prospects of ICE are summarized.
Key words: ICE; symmetric NAT; STUN; TURN; SIP

1 Problem background

A multimedia session signaling protocol is a protocol used to exchange, between agents, the information needed to set up media stream transmission; examples are SIP, RTSP and H.323. Media streams are entirely separate from signaling streams, and their network paths also differ. Because of the way these protocols are designed, the media stream cannot directly traverse Network Address Translation/firewalls (NAT/FW): the protocols were created to set up streams using the IP addresses carried inside the signaling messages, which causes many problems once a NAT rewrites addresses. In addition, these protocols aim to reduce latency by establishing P2P (peer-to-peer) media streams, which conflicts with NAT in many respects and likewise makes NAT/FW traversal difficult.

NAT is still the most effective way to address the current shortage of public IP addresses and network security concerns. There are four main types: full cone NAT, address restricted cone NAT, port restricted cone NAT and symmetric NAT. For the first three, the mapping is independent of the destination address: if the source address is the same, the mapping is the same. In a symmetric NAT the mapping depends on both the source address and the destination address, so its traversal problem is the most complicated.

Many solutions have been used for the NAT traversal problem, such as Application Layer Gateways (ALG), the Middlebox Control Protocol, STUN (Simple Traversal of UDP through NAT), TURN (Traversal Using Relay NAT), RSIP (Realm Specific IP), symmetric RTP and so on. However, each of these technologies has notable advantages and disadvantages when applied to different network topologies, so each can only be used for certain access methods; none of them solves the problems of all NAT types, none does so efficiently, and they involve many sources of complexity and vulnerability. A comprehensive and flexible method is therefore needed that can provide the best available solution to the NAT/FW signaling traversal problem in each situation. ICE fits these requirements well.

2 ICE technology

2.1 ICE introduction

Interactive Connectivity Establishment (ICE) is not a new protocol, and it does not require extending STUN, TURN or RSIP to cover the various NAT types. ICE is a comprehensive application of the above protocols that lets each of them work in the circumstances that suit it best, making up for the inherent defects that arise when any one of them is used on its own. For SIP, ICE only needs to define some additional SDP (Session Description Protocol) attributes; other multimedia signaling protocols need corresponding mechanisms of their own. This article only discusses SIP.


2.2 Multimedia signaling

The process by which a media stream traverses NAT is independent of any particular signaling protocol. Communication takes place between two clients: the session initiator and the session responder. The initiate message carries the configuration and characteristics that describe the initiator's media streams; it passes through signaling intermediaries (also called signaling relays) and finally reaches the session responder. If the responder agrees to communicate, it generates an accept message that is returned to the initiator, and the media stream is established. In addition, the signaling protocol supports modifying media stream parameters and terminating the session. For SIP, the session initiator is the UAC (User Agent Client), the session responder is the UAS (User Agent Server), the initiate message corresponds to the INVITE carrying the SDP request, the accept message corresponds to the 200 OK carrying the SDP response, and the terminate message corresponds to BYE.

2.3 Algorithm flow

2.3.1 Collecting transport addresses

The addresses the session initiator collects include local transport addresses and derived transport addresses. A local transport address is usually a port bound on a physical (or virtual) interface of the host. The session initiator also contacts UNSAF (unilateral self-address fixing) services such as STUN, TURN or Teredo; for each local transport address it can obtain a set of derived transport addresses from such a server.

Obviously, the more physical or virtual connections there are, the better ICE will work. However, to be able to establish peer-to-peer communication in every case, ICE usually requires that at least one derived transport address be provided by a relay server on the public Internet (for example, a TURN server).

2.3.2 Starting STUN

After obtaining the set of transport addresses, the session initiator starts a STUN server on each local transport address, which means that STUN service will be reachable at that address. Unlike a traditional STUN server, this STUN service does not support TLS; the ICE user name and password have already been exchanged through the signaling protocol.

The client accepts both STUN request packets and media packets on each local transport address, so the initiator has to demultiplex STUN messages from the media stream protocol. This is not difficult for RTP and RTCP, because RTP and RTCP packets always begin with the bits 0b10 (V = 2) in their header, while STUN messages begin with 0b00. For each local transport address on which a STUN server runs, the client must choose a user name and password. The user name must be globally unique. The user name and password are included in the initiate message sent to the responder, and the responder uses them to identify its STUN requests.
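The demultiplexing rule above can be checked with a few lines of code. The following Python is an added example, not code from the paper: it constructs a minimal RTP header and a STUN Binding Request header as labelled sample packets and sorts incoming datagrams by the two high bits of their first byte.

```python
import struct

# Added example: demultiplex STUN from RTP/RTCP arriving on one transport address.
# RTP and RTCP set the version field V=2, so their first byte begins with 0b10;
# STUN (RFC 3489) message types are 16-bit values whose two high bits are 0b00.


def classify_packet(data: bytes) -> str:
    """Return 'rtp', 'stun' or 'unknown' based on the two high bits of the first byte."""
    if not data:
        return "unknown"
    top_bits = data[0] >> 6
    if top_bits == 0b10:
        return "rtp"        # RTP or RTCP; telling those apart uses the payload type field
    if top_bits == 0b00:
        return "stun"
    return "unknown"        # neither protocol: an endpoint should drop it


def rtp_header(payload_type: int = 0, seq: int = 1, timestamp: int = 0,
               ssrc: int = 0x12345678) -> bytes:
    """Constructed sample: a minimal 12-byte RTP header (V=2, P=0, X=0, CC=0, M=0)."""
    first_byte = 2 << 6
    return struct.pack("!BBHII", first_byte, payload_type, seq, timestamp, ssrc)


def stun_binding_request(transaction_id: bytes = b"\x00" * 16) -> bytes:
    """Constructed sample: a STUN Binding Request (type 0x0001) with no attributes."""
    return struct.pack("!HH", 0x0001, 0) + transaction_id


def demux(datagrams):
    """Split received datagrams into a STUN queue and a media queue; count the rest as dropped."""
    queues = {"stun": [], "rtp": [], "dropped": 0}
    for datagram in datagrams:
        kind = classify_packet(datagram)
        if kind in ("stun", "rtp"):
            queues[kind].append(datagram)
        else:
            queues["dropped"] += 1
    return queues


if __name__ == "__main__":
    sample = [rtp_header(seq=1), stun_binding_request(), rtp_header(seq=2), b"\xc0\x00"]
    print(demux(sample))
```

The last sample datagram starts with 0b11, which belongs to neither protocol; a real endpoint must drop such packets rather than hand them to the RTP stack.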

2.3.3 Determining the priority of transport addresses

After the STUN servers are started, the next step is to determine the priority of each transport address. The priority expresses how much the UA prefers to receive the media of a given stream at that address; its value ranges from 0 to 1. The priority is usually determined by the traffic the media will generate: addresses that generate less traffic have higher priority, and for the same traffic IPv6 addresses have higher priority than IPv4 addresses. Therefore the local IPv6 transport address has the highest priority, followed by the local IPv4 transport address, then the derived addresses obtained through STUN, RSIP and Teredo, and finally local transport addresses obtained through a VPN interface.

2.3.4 Constructing the initiate message

The initiate message describes a series of media streams. Each media stream has a default address and a list of candidate addresses. The default address is the one the initiate message places in the media transport address fields of the SIP signaling message, and the list of candidate addresses provides the alternatives. For each media stream, the address most likely to be reachable from any peer is the one provided by a relay server on the public network (such as TURN), which is usually the transport address with the lowest priority. The client compiles the available transport addresses into the candidate list (which includes the default address), and each candidate element is assigned an identifier that is unique within the session. Both the identifier and the priority described above are encoded in the candidate element's attribute. Once the initiate message has been generated, it can be sent.

2.3.5 Processing the initiate message: connectivity checks and address collection

After receiving the initiate message, the session responder performs the following operations concurrently. First, it executes the address collection process described in 2.3.1. These addresses can be collected in advance, before the call arrives, so that no extra call setup time is needed. After obtaining its derived addresses, the responder sends STUN Binding Requests, which must contain the USERNAME attribute and the PASSWORD attribute; the attribute values are the user name and password taken from the "alt" attribute. The STUN Binding Request should also contain a MESSAGE-INTEGRITY attribute, computed from the user name and password of the candidate element in the initiate message. In addition, the STUN Binding Request should not carry the CHANGE-REQUEST or RESPONSE-ADDRESS attribute.

When a client receives an initiate message, it sends media to the default address and port. If a STUN Binding Request results in an error response, the error code is checked: if it is 401, 430, 432 or 500, the client should resend the request; if the error code is 400, 431 or 600, the client does not retry and treats the check as having timed out.
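The Binding Request just described, and the retry rule for its error responses, are shown below in Python. This is an added example, not code from the paper: it builds a request carrying USERNAME, PASSWORD and MESSAGE-INTEGRITY (and nothing else), verifies it the way the initiator's STUN server would, and classifies error codes as the text prescribes. The attribute codes follow RFC 3489; using the candidate's password as the HMAC-SHA1 key is an assumption, since the paper only says the integrity value is computed from the candidate's user name and password.

```python
import hashlib
import hmac
import os
import struct

# Added example: build and verify the STUN Binding Request of section 2.3.5.
# Type and attribute codes are RFC 3489 values. Assumption: the HMAC-SHA1 key is the
# candidate's password, as in RFC 3489.

BINDING_REQUEST = 0x0001
ATTR_USERNAME = 0x0006
ATTR_PASSWORD = 0x0007
ATTR_MESSAGE_INTEGRITY = 0x0008
STUN_HEADER_LEN = 20
MESSAGE_INTEGRITY_ATTR_LEN = 24  # 4-byte TLV header + 20-byte SHA-1 HMAC

# Error codes as classified in the text: retry the request, or give up (treat as timeout).
RETRY_CODES = {401, 430, 432, 500}
GIVE_UP_CODES = {400, 431, 600}


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one TLV attribute, zero-padding the value to a 32-bit boundary."""
    value = value + b"\x00" * ((-len(value)) % 4)
    return struct.pack("!HH", attr_type, len(value)) + value


def build_binding_request(username: bytes, password: bytes, transaction_id: bytes = None) -> bytes:
    """Responder side: a Binding Request towards one of the initiator's candidates."""
    transaction_id = transaction_id or os.urandom(16)
    body = _attr(ATTR_USERNAME, username) + _attr(ATTR_PASSWORD, password)
    # The header length already counts the MESSAGE-INTEGRITY attribute appended after
    # hashing, so the HMAC covers the final header value.
    header = struct.pack("!HH", BINDING_REQUEST,
                         len(body) + MESSAGE_INTEGRITY_ATTR_LEN) + transaction_id
    mac = hmac.new(password, header + body, hashlib.sha1).digest()
    return header + body + _attr(ATTR_MESSAGE_INTEGRITY, mac)


def parse_attributes(message: bytes):
    """Return ({type: value}, offset of MESSAGE-INTEGRITY or None) for a STUN message."""
    attrs, integrity_offset, pos = {}, None, STUN_HEADER_LEN
    while pos + 4 <= len(message):
        attr_type, attr_len = struct.unpack("!HH", message[pos:pos + 4])
        if attr_type == ATTR_MESSAGE_INTEGRITY:
            integrity_offset = pos
        attrs[attr_type] = message[pos + 4:pos + 4 + attr_len]
        pos += 4 + attr_len
    return attrs, integrity_offset


def verify_binding_request(message: bytes, lookup_password) -> bool:
    """Initiator's STUN server side: check type, length and the HMAC for the named user.

    lookup_password(username) returns the password the initiator advertised for that
    candidate in its initiate message, or None if the user name is unknown.
    """
    if len(message) < STUN_HEADER_LEN:
        return False
    msg_type, msg_len = struct.unpack("!HH", message[:4])
    if msg_type != BINDING_REQUEST or len(message) != STUN_HEADER_LEN + msg_len:
        return False
    attrs, integrity_offset = parse_attributes(message)
    if integrity_offset is None or ATTR_USERNAME not in attrs:
        return False
    password = lookup_password(attrs[ATTR_USERNAME].rstrip(b"\x00"))
    if password is None:
        return False
    # MESSAGE-INTEGRITY is the last attribute, so everything before it is covered.
    expected = hmac.new(password, message[:integrity_offset], hashlib.sha1).digest()
    return hmac.compare_digest(expected, attrs[ATTR_MESSAGE_INTEGRITY])


def classify_error(code: int) -> str:
    """Map a STUN error response code to the action the text prescribes."""
    if code in RETRY_CODES:
        return "retry"
    if code in GIVE_UP_CODES:
        return "give up"
    return "unspecified"   # the paper does not classify other codes


if __name__ == "__main__":
    # Constructed sample using the user name and password of candidate 1 in section 3.1
    advertised = {b"user": b"9kksj="}
    request = build_binding_request(b"user", b"9kksj=")
    print(len(request), verify_binding_request(request, advertised.get))
```

A check that fails verification is simply ignored by the initiator's STUN server, which is what makes the user name and password useful: a peer that did not receive the initiate message cannot produce a request the initiator will answer.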

2.3.6 Generating the accept message

The responder can decide to accept or reject the communication. If the communication is rejected, the ICE process terminates. If it is accepted, an accept message is sent; the accept message is constructed in the same way as the initiate message.

2.3.7 Processing the accept message

There are two possibilities when processing the accept message. If the recipient of the initiate message does not support ICE, the accept message only contains the default address information, so the initiator knows that no connectivity checks are needed. However, if the local configuration requires the initiator to send packets to the server for the connectivity check, which means that packets sent directly to the responder would be discarded by the peer's firewall, the initiator needs to allocate a new TURN-derived address and then use the Send command. Once the Send command is accepted, the initiator sends all media packets to the TURN server, which forwards them to the responder. If the accept message does contain candidate elements, the initiator processes the accept message in much the same way as the responder processed the initiate message.

2.3.8 Additional ICE processing

After the initiate/accept exchange ends, both parties may continue to collect transport addresses, because some STUN transactions take too long and have not yet completed. Another possibility is that the initiate/accept exchange itself provides new addresses.

2.3.9 Mapping between ICE and SIP

When ICE is used to traverse NAT, the parameters defined by ICE must be mapped onto the SIP message format, which requires only a simple extension of the SDP attributes: a new attribute "alt" is defined in the SDP media block to support ICE. It contains a candidate IP address and port, which the SDP receiver can use in place of the addresses in the m and c lines. A media block may carry several alt attributes, in which case each alt must contain a distinct IP address and port. The attribute syntax is as follows:

alt-attribute = "alt" ":" id SP qvalue SP derived-from SP
                username SP password SP
                unicast-address SP port [unicast-address SP port]
                ; qvalue from RFC 3261
                ; unicast-address, port from RFC 2327
username      = non-ws-string
password      = non-ws-string
id            = token
derived-from  = ":" / id
3.1 Symmetric NAT/FW

The following simplified example of ICE-based traversal of a symmetric Network Address Translation/firewall (NAT/FW) further illustrates the ICE workflow.

Figure 1: symmetric NAT/FW network topology

Assume that both parties are behind symmetric NAT/FW, and SIP terminal A now needs to communicate with B over VoIP. A's internal address is 10.0.1.9 and its external address is 211.35.29.30; B's internal address is 192.168.1.6 and its external address is 202.205.80.130; the address of the STUN/TURN server is 218.65.228.110.

First, A initiates the request and collects addresses. The initiate message A generates is as follows:


v=0
o=dodo 2890844730 2890844731 IN IP4 host.example.com
s=
c=IN IP4 218.65.228.110
t=0 0
m=audio 8076 RTP/AVP 0
a=alt:1 1.0 : user 9kksj= 10.0.1.9 1010
a=alt:2 0.8 : user1 9kksk= 211.35.29.30 9988
a=alt:3 0.4 : user2 9kksl= 218.65.228.110 8076

The local address has priority 1.0, the STUN-derived address 0.8 and the TURN-derived address 0.4.
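To tie together the alt syntax of 2.3.9, the priority rule of 2.3.3 and the messages of this example, here is an added Python example (not code from the paper) that parses the alt attributes of an SDP body, checks that the candidates carry distinct transport addresses, orders them by q-value and finds the candidate that serves as the default address in the m and c lines. Both SDP bodies are the paper's example messages for A and B, embedded as constructed sample input.

```python
import re

# Added example: parse "alt" attributes (2.3.9), order candidates by priority (2.3.3)
# and locate the default address. SDP_A and SDP_B reproduce the paper's section 3.1
# messages as sample input.

SDP_A = """v=0
o=dodo 2890844730 2890844731 IN IP4 host.example.com
s=
c=IN IP4 218.65.228.110
t=0 0
m=audio 8076 RTP/AVP 0
a=alt:1 1.0 : user 9kksj= 10.0.1.9 1010
a=alt:2 0.8 : user1 9kksk= 211.35.29.30 9988
a=alt:3 0.4 : user2 9kksl= 218.65.228.110 8076
"""

SDP_B = """v=0
o=vincent 2890844730 289084871 IN IP4 host2.example.com
s=
c=IN IP4 218.65.228.110
t=0 0
m=audio 8078 RTP/AVP 0
a=alt:4 1.0 : peer as88jl 192.168.1.6 23766
a=alt:5 0.8 : peer1 as88kl 202.205.80.130 10892
a=alt:6 0.4 : peer2 as88ll 218.65.228.110 8078
a=alt:7 0.4 3 peer3 as88ml 218.65.228.110 5556
"""

# alt-attribute = "alt" ":" id SP qvalue SP derived-from SP username SP password SP
#                 unicast-address SP port [unicast-address SP port]
ALT_RE = re.compile(
    r"^a=alt:(?P<id>\S+) (?P<q>\d(?:\.\d+)?) (?P<derived>\S+) (?P<user>\S+) (?P<pw>\S+) "
    r"(?P<addr>\S+) (?P<port>\d+)(?: (?P<addr2>\S+) (?P<port2>\d+))?$"
)


def parse_alt_attributes(sdp: str):
    """Return the candidate list of the media block, in the order the SDP gives it."""
    candidates = []
    for line in sdp.splitlines():
        m = ALT_RE.match(line.strip())
        if m is None:
            continue
        candidates.append({
            "id": m["id"],
            "qvalue": float(m["q"]),
            # ":" means the candidate is not derived from another candidate
            "derived_from": None if m["derived"] == ":" else m["derived"],
            "username": m["user"],
            "password": m["pw"],
            "address": m["addr"],
            "port": int(m["port"]),
            "second": (m["addr2"], int(m["port2"])) if m["addr2"] else None,
        })
    return candidates


def check_distinct(candidates):
    """2.3.9: each alt in a media block must carry a distinct address and port."""
    seen = set()
    for c in candidates:
        key = (c["address"], c["port"])
        if key in seen:
            raise ValueError("duplicate candidate transport address %s:%d" % key)
        seen.add(key)
    return True


def by_priority(candidates):
    """Highest q-value first; the sort is stable, so equal priorities keep SDP order."""
    return sorted(candidates, key=lambda c: c["qvalue"], reverse=True)


def default_candidate(sdp: str):
    """Find the candidate matching the m=/c= lines, i.e. the default address."""
    c_line = re.search(r"^c=IN IP4 (\S+)$", sdp, re.MULTILINE)
    m_line = re.search(r"^m=\S+ (\d+) ", sdp, re.MULTILINE)
    default = (c_line.group(1), int(m_line.group(1)))
    for cand in parse_alt_attributes(sdp):
        if (cand["address"], cand["port"]) == default:
            return cand
    return None


if __name__ == "__main__":
    for name, sdp in (("A", SDP_A), ("B", SDP_B)):
        cands = parse_alt_attributes(sdp)
        check_distinct(cands)
        print(name, [(c["id"], c["qvalue"], c["derived_from"]) for c in by_priority(cands)],
              "default:", default_candidate(sdp)["id"])
```

In both messages the default address in the c and m lines is the TURN-derived candidate, the lowest-priority entry, exactly as 2.3.4 describes; B's candidate 7 is the only one whose derived-from field names another candidate (A's candidate 3), marking it as peer-derived.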
When B receives the message, it collects addresses too; the process is similar to A's. B then starts its connectivity checks, and it is easy to see that the STUN requests to 10.0.1.9:1010 and to 211.35.29.30:9988 will inevitably fail. The former is a private address that cannot be routed; the latter fails because a symmetric NAT assigns a different binding to the STUN/TURN requests than to traffic towards other destinations. When the packet arrives at A's NAT, the NAT finds that the transport address 211.35.29.30:9988 has been mapped to 218.65.228.110:3478; since the source address of the STUN request is not 218.65.228.110:3478, the packet is discarded by A's NAT/FW. The STUN request to 218.65.228.110:8076, however, succeeds, because the TURN server forwards the request using the address that A originally obtained from it.

When A receives the response, it also performs connectivity checks.

Figure 2: sequence chart of A's address collection process

Figure 3: sequence diagram of B's address collection process

Figure 4: connectivity checks of B


After the connectivity checks are completed, B generates the following response message:

v=0
o=vincent 2890844730 289084871 IN IP4 host2.example.com
s=
c=IN IP4 218.65.228.110
t=0 0
m=audio 8078 RTP/AVP 0
a=alt:4 1.0 : peer as88jl 192.168.1.6 23766
a=alt:5 0.8 : peer1 as88kl 202.205.80.130 10892
a=alt:6 0.4 : peer2 as88ll 218.65.228.110 8078
a=alt:7 0.4 3 peer3 as88ml 218.65.228.110 5556

Figure 5: connectivity checks of A


As before, the connectivity checks for B's private and STUN-derived addresses both fail, while those for B's TURN-derived address and peer-derived address succeed (in this example they have the same priority, 0.4). As a rule the peer-derived address is preferred, so the media stream from A to B will use the address 218.65.228.110:5556, and the media stream from B to A will be sent to 218.65.228.110:8076. The above is a simplified but typical instance of ICE-based symmetric NAT/FW traversal.
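Why the STUN-derived check fails and the TURN-derived one succeeds can be reproduced with a small model of NAT binding and filtering. The Python below is an added example, not the paper's code; it uses the addresses of this example and goes slightly beyond the text by also modelling a full cone NAT (one of the four types listed in section 1) so the two behaviours can be compared. A symmetric NAT is modelled as one binding per (internal address, destination) that accepts inbound traffic only from that destination. Two simplifications are assumptions: the failure of the private address 10.0.1.9 is a routing matter and is not modelled, and relayed packets are taken to reach A's NAT from the server address A already contacted, which is how the paper describes the TURN server's behaviour.

```python
# Added example: model of the connectivity checks of section 3.1. Symmetric NAT binds on
# (internal address, destination) and filters inbound packets by source; full cone NAT
# binds on the internal address only and accepts inbound packets from any source.
# Assumption: relayed packets arrive at A's NAT from SERVER, the address A already used.

SERVER = ("218.65.228.110", 3478)   # the paper's STUN/TURN server


class Nat:
    def __init__(self, external_ip, first_port, symmetric):
        self.external_ip = external_ip
        self.next_port = first_port
        self.symmetric = symmetric
        self.bindings = {}  # binding key -> external port

    def _key(self, internal, dest):
        # symmetric: binding depends on source and destination; cone: on source only
        return (internal, dest) if self.symmetric else internal

    def outbound(self, internal, dest):
        """Translate an outbound packet; returns the external (ip, port) the peer will see."""
        key = self._key(internal, dest)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 1
        return (self.external_ip, self.bindings[key])

    def inbound(self, src, external):
        """Filter an inbound packet; returns the internal address, or None if dropped."""
        for key, port in self.bindings.items():
            if (self.external_ip, port) != external:
                continue
            if not self.symmetric:
                return key                  # full cone: any source may use the binding
            internal, dest = key
            if dest == src:
                return internal             # symmetric: only the peer the binding was made for
        return None


def run_checks(symmetric: bool):
    """B's STUN checks towards A's STUN-derived and TURN-derived candidates."""
    a_nat = Nat("211.35.29.30", 9988, symmetric)
    b_nat = Nat("202.205.80.130", 10892, symmetric)
    a_local = ("10.0.1.9", 1010)
    b_local = ("192.168.1.6", 23766)

    # 2.3.1: A contacts the STUN/TURN server and learns its STUN-derived address
    a_stun = a_nat.outbound(a_local, SERVER)            # ('211.35.29.30', 9988)

    # 2.3.5: B's check to the STUN-derived candidate arrives from B's own external address
    b_external = b_nat.outbound(b_local, a_stun)
    direct_ok = a_nat.inbound(src=b_external, external=a_stun) == a_local

    # B's check to the TURN-derived candidate is relayed and reaches A's NAT from SERVER
    relayed_ok = a_nat.inbound(src=SERVER, external=a_stun) == a_local
    return {"stun_derived": direct_ok, "turn_derived": relayed_ok, "a_stun": a_stun}


if __name__ == "__main__":
    print("symmetric:", run_checks(True))
    print("full cone:", run_checks(False))
```

With symmetric NATs the direct check is dropped because A's binding to 211.35.29.30:9988 was created for the server, not for B; with a full cone NAT the same check succeeds, which is why the other NAT types of section 3.2 are the easier case.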

3.2 Other types of NAT/FW

Implementing ICE-based traversal of the other types of NAT/FW is easier than the symmetric NAT case above; see documents [1], [2] and [6].

4 Conclusion

The advantages of the ICE method are clear: it eliminates many of the weaknesses of the existing UNSAF mechanisms. For example, traditional STUN has several weaknesses. One is that the client has to determine the NAT type, which is not a desirable practice; with ICE this discovery process is no longer needed. Another is that STUN, TURN and similar mechanisms depend entirely on an additional server, whereas ICE uses the server only to allocate an address and then lets the clients connect directly, so even if a STUN or TURN server fails, the ICE call setup can still proceed. Furthermore, the biggest defect of traditional STUN is that it cannot guarantee correct operation in all network topologies; the most typical problem is symmetric NAT. For protocols that work in TURN-like forwarding mode, the load on the server is too heavy, and packet loss or delay occurs easily. The ICE method provides a form of load balancing: it treats the forwarding service as the lowest-priority option, thereby maximizing the reliability and flexibility of the service. A further advantage of ICE is its support for IPv6. Cisco and other companies are currently designing an ICE-based approach. Because of its broad adaptability and support for future networks, ICE is a comprehensive solution with wide application prospects.
