Running SIP behind NAT Dr. Christian Stredicke, snom technology AG Paris, France, January 2002.


V1.0 2 Overview
Problem Description
STUN: Using Legacy Equipment
TURN: Fixing Remaining Problems
UPnP: Remote Control for Routers
Application Layer Gateways
Remaining Problems & Solutions

V1.0 3 Which information does a client have to set up for port forwarding in NAT equipment?
(Figure: Router, Client)
Router needs information where to send packets in the private network
–Map port to private address and port
–By default packets will be rejected or sent to the DMZ
Router needs a hint for security checking
–Accept packets from any destination
–Accept packets only from the associated host
–Accept packets only from the associated host and port

V1.0 4 How did other applications solve the problem?
HTTP, telnet, …
–Using TCP
DNS, others
–Digging holes: set up an association when the client sends out a packet from an unmapped port, for seconds
–Security policy hardwired by the vendor
–Some offer a DNS proxy (application layer gateway)
ftp
–Does not work!
–Inexperienced users use http instead
–Some routers offer an application layer gateway
Heterogeneous environment
–Every vendor does it in a different way
–Digging holes is the common denominator

V1.0 5 snom STUN uses the hole-digging trick to set up port associations
Initialization procedure checks the environment
–Goal: check if STUN is needed
–The type of NAT does not really matter, because the user is not interested in the failure reason
SIP port is kept alive by sending packets every s
RTP ports are allocated dynamically when starting a call
–Otherwise keep-alive traffic would be doubled
–RTCP port can not be allocated, because allocation of the next port is unlikely
–Long ringing and putting the caller on hold are problematic (no port refresh during this time)

V1.0 6 In cases when the NAT is symmetrical, TURN could be a solution
(Figure: Client, Router, STUN/TURN Server)
1. Allocate Request/Response
2. Activate Request/Response
3. SIP/Media
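To make the mechanics behind slides 3 to 6 concrete, here is an added toy model of a NAT's UDP binding table (example code, not snom's): a binding only exists because the client "dug a hole" by sending a packet, it expires unless keep-alives refresh it, the router's filtering policy decides which inbound packets pass, and a symmetric NAT keeps one binding per peer so a STUN-learned port tells the proxy nothing. Timeouts, port numbers and addresses are constructed values.

```python
"""Toy NAT binding table illustrating hole digging, keep-alives,
filtering policies and symmetric mapping.  Added example, not snom's
code; timeout and port values are constructed, not real router data."""
from dataclasses import dataclass, field

ANY, HOST, HOST_PORT = "any", "host", "host+port"   # the three policies on slide 3


@dataclass
class Binding:
    public_port: int
    peer: tuple            # (ip, port) the client last sent to through this hole
    expires_at: float


@dataclass
class Nat:
    policy: str
    symmetric: bool = False      # True: separate binding per (private, peer) pair
    timeout: float = 30.0        # constructed: an idle binding lives 30 s
    next_port: int = 40000
    table: dict = field(default_factory=dict)

    def outbound(self, now, private, peer):
        """Client sends a packet: create or refresh the binding, return the public port."""
        key = (private, peer) if self.symmetric else private
        b = self.table.get(key)
        if b is None or b.expires_at <= now:
            b = Binding(self.next_port, peer, now + self.timeout)
            self.next_port += 7      # constructed: the next port is not consecutive
            self.table[key] = b
        b.expires_at = now + self.timeout   # any outbound packet acts as a keep-alive
        b.peer = peer
        return b.public_port

    def inbound(self, now, public_port, src):
        """Return True if a packet from src to public_port would be forwarded inside."""
        for b in self.table.values():
            if b.public_port != public_port or b.expires_at <= now:
                continue
            if self.policy == ANY:
                return True
            if self.policy == HOST and src[0] == b.peer[0]:
                return True
            if self.policy == HOST_PORT and src == b.peer:
                return True
        return False
```

Running the RTP/RTCP case shows why slide 5 says the RTCP port cannot simply be assumed to follow the RTP port, and the symmetric case shows why slide 6 reaches for TURN.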

V1.0 7 TURN works in a symmetrical NAT environment, but has too many problems
Scalability
–TURN server becomes a media server
–Every call generates about 50 packets per second
Delay
–Sending packets over a media server increases transport delay significantly
–E.g. a local call in Tokyo when the TURN server is in Frankfurt
TURN specification
–Needs rework (activation message not defined)

V1.0 8 UPnP is the right approach
Generic protocol to allocate ports on the router
–Works with SIP, can be used with other applications as well
–Can be integrated with firewalls
–Not too hard to implement
Microsoft Messenger uses UPnP
–De facto standard
–Virtually all DSL router vendors offer UPnP now
Problem: old equipment
–Use STUN
–Maybe use TURN, even if call duration is terrible
–Instruct customers to set up ports manually

V1.0 9 With the increasing availability of UPnP, most home customers can be addressed
(Figure: UPnP vs. STUN; Software Updates; New Equipment)

V1.0 10 Application layer gateways (ALG) solve the problem in the business area
Business customers have different requirements than home users
–Many phones
–Want to run proxies, media servers, application servers behind their firewall
–These applications probably will not have UPnP or STUN
Therefore, firewalls will probably include a SIP-aware ALG
Sample SIP NAT ALG available from snom

V1.0 11 Calling phones in the same network requires ancillary information
1a) Phone A sends to the public address of B
1b) Router will not forward the packet, the call will fail
2) A knows B is in the same NAT and sends the packet to the private address instead

V1.0 12 Ancillary information must be placed in the Contact URI and in the SDP
INVITE SIP/2.0
Via: SIP/2.0/UDP :5060;branch=z9hG4bK-6rms4e9tmtsz
Max-Forwards: 70
From: ;tag=16z5zw9lqt
To:
Call-ID:
CSeq: 1 INVITE
Contact:
Content-Type: application/sdp
Content-Length: 311

v=0
o=root IN IP
s=SIP Call
c=IN IP
t=0 0
m=audio RTP/AVP
a=rtpmap:0 pcmu/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:
a=x-private: : :10004

V1.0 13 Multi-tier NAT requires a list of private addresses
(Figure: NAT1, NAT2, NAT3, STUN, Phone A, Phone B)
A has three identities: : : :5678
B has three identities: : : :5679
When using STUN, a STUN server is required between the layers
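Slides 11 to 13 describe the decision a phone has to make with the ancillary information. The following is an added example (not snom's code) that parses a constructed SDP body and picks the destination for a peer that may share zero, one or more NAT layers with us. The slides do not give the syntax of the a=x-private attribute, so it is assumed here to carry a space-separated list of ip:port identities ordered from the outermost private layer inward; the rule generalizes slide 11's two-tier case to any depth.

```python
"""Pick the media destination for a peer from its SDP identities.
Added example, not snom's code.  Assumes a=x-private lists private
ip:port identities outermost first; addresses are constructed."""
import re

SAMPLE_SDP = """v=0
o=root 1 1 IN IP4 203.0.113.5
s=SIP Call
c=IN IP4 203.0.113.5
t=0 0
m=audio 10002 RTP/AVP 0 101
a=rtpmap:0 pcmu/8000
a=x-private:10.0.1.20:10004 192.168.1.17:10004
"""


def parse_identities(sdp):
    """Return [(ip, port), ...]: public first, innermost private last."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        raise ValueError("SDP lacks c= or m=audio line")
    ids = [(conn.group(1), int(media.group(1)))]
    priv = re.search(r"^a=x-private:(.+)$", sdp, re.M)   # assumed syntax
    if priv:
        for token in priv.group(1).split():
            ip, port = token.rsplit(":", 1)
            ids.append((ip, int(port)))
    return ids


def choose_destination(own, peer):
    """own/peer are identity lists with index 0 public.  Walk inward while
    the IP at a layer matches (same NAT box at that layer, so the network
    one layer further in is shared); the first layer that differs is the
    one we can reach directly.  Sending to the public address from inside
    the same NAT is the failing case 1b on slide 11.  Assumes equal public
    IPs mean the same NAT box (not true behind a carrier-grade NAT)."""
    depth = min(len(own), len(peer))
    level = 0
    while level < depth - 1 and own[level][0] == peer[level][0]:
        level += 1
    return peer[level]
```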

V1.0 14 How should a phone boot up?
(Flowchart)
Try UPnP
–UPnP available: use UPnP
–No response (5 seconds) or not available: try to register
Try to register
–No problem (either public address, ALG or totally private environment): use the given identity
–Registrar complains about a private address: use STUN
This step can be done even without STUN, as the registrar returns the response quickly

© 2002 snom technology Aktiengesellschaft Written by: Dr. Christian Stredicke Version: 1.0 The author has made his best effort to prepare this document. The content is based upon the latest information whenever possible. The author makes no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accepts no liability of any kind, including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly by this document. For more information, mail Pascalstr. 10E, Berlin, Germany.