Controlling NAT Bindings using STUN (draft-wing-behave-nat-control-stun-usage-00), Dan Wing and Jonathan Rosenberg

Presentation transcript:

1 Controlling NAT Bindings using STUN draft-wing-behave-nat-control-stun-usage-00 Dan Wing Jonathan Rosenberg

2 IPR Notice Cisco has claimed IPR on this technique

3 Motivation: SIP Outbound
Constant STUN traffic on the proxy
  – CPU and I/O load
  – Traffic on the network (bad for wireless)
  – Mobile power consumption
Even worse with SBCs of course
  – REGISTER instead of STUN
[Diagram labels: UAC, Proxy, stun]

4 Motivation: ICE and Multilayer NAT
ICE/STUN can’t discover server reflexive candidates on intermediate NATs
Optimal path may not be found as a consequence
[Diagram labels: UA A, UA B, NAT, NAT, STUN; paths marked “Best that ICE can do” and “Optimal”]

5 Big Idea
Embed STUN servers in NAT to enable STUN to control the NAT
Severely limit the scope of controls to deal with security issues
Discover these embedded STUN servers by bootstrapping off of STUN servers on public addresses
  – Embedded in SIP proxies
  – On the public Internet

6 Procedure

7 Learn IP address of outer-most NAT
[Diagram labels: Endpoint, NAT, STUN Server, B; note: STUN function in SIP proxy or ICE peer]

8 Communicate to NAT’s embedded STUN Server
Adjust binding with REFRESH-INTERVAL
  – Can ONLY adjust binding matching the one for the STUN request itself
Response has same MAPPED-ADDRESS
Response also has MAPPED-INTERNAL-ADDRESS (address “A”)
[Diagram labels: Endpoint, NAT, STUN Server, Binding table, B, A]

9 Nested NATs: step 1
MAPPED-INTERNAL-ADDRESS points to address “B”
[Diagram labels: Endpoint, NAT with STUN Server and Binding table, NAT with STUN Server and Binding table, STUN Server, B, A, C]

10 Nested NATs: step 2
MAPPED-INTERNAL-ADDRESS points to address “A”
Matches Endpoint’s address: we’re done
[Diagram labels: Endpoint, NAT with STUN Server and Binding table, NAT with STUN Server and Binding table, STUN Server, B, A, C]

11 Properties and Limitations

12 Properties
Preserves STUN’s ability to work well with nested NATs
  – Superior to UPnP and NAT-PMP
Control NAT binding duration of all NATs along path
  – Completely eliminates keepalives
Limited functionality deals with security issues
Automatically learns NAT path topology
  – Allows ICE to better optimize media path

13 Incremental Deployability
This is a major issue for NAT control technologies
STUN control is not necessary for baseline NAT traversal
  – That is provided by ICE, sip-outbound
Deployment of ICE and SIP-outbound puts STUN in clients and network elements
This gives incentives to add it to NAT, since once it's there you can use it to optimize the network performance

14 Limitations
Address-Dependent Mapping NAT on path
  – “Symmetric NAT”
Address-Dependent Filtering
  – Discussion: Is this really a problem?
Overlapping NAT’ed address space prematurely breaks the ‘done’ procedure
[Diagram labels: Endpoint, NAT “A”, NAT “B”, x, STUN Server]
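
The discovery walk on slides 7 to 10 and the overlapping-address limitation on slide 14, as an added simulation (not code from the draft or its authors). It assumes endpoint-independent mapping on every NAT; all addresses, ports, the interval value 3600 and the names Nat, send, discover, nested and demo are constructed for illustration.

```python
from dataclasses import dataclass, field

PUBLIC_STUN = "198.51.100.1"  # constructed address of the public STUN server

@dataclass
class Nat:
    public_ip: str                                 # where the embedded STUN server answers
    bindings: dict = field(default_factory=dict)   # internal (ip, port) -> external (ip, port)
    intervals: dict = field(default_factory=dict)  # internal (ip, port) -> REFRESH-INTERVAL

def send(local, path, dst_ip, refresh=None):
    """Carry a STUN request from the endpoint outward through path (innermost NAT first)."""
    src = local
    for nat in path:
        if nat.public_ip == dst_ip:                # this NAT's embedded server answers
            if refresh is not None:                # only the binding the request itself used
                nat.intervals[src] = refresh
            return {"MAPPED-ADDRESS": nat.bindings[src],
                    "MAPPED-INTERNAL-ADDRESS": src}
        src = nat.bindings[src]                    # same binding for any destination (assumed)
    return {"MAPPED-ADDRESS": src}                 # request reached the public STUN server

def discover(local, path, refresh):
    """Walk inward from the outer-most NAT; return the embedded-server IPs contacted."""
    target = send(local, path, PUBLIC_STUN)["MAPPED-ADDRESS"]  # slide 7
    found = []
    while True:
        resp = send(local, path, target[0], refresh)           # slides 8 and 9
        found.append(target[0])
        target = resp["MAPPED-INTERNAL-ADDRESS"]
        if target == local:                                    # slide 10: done
            return found

def nested(inner_ext):
    """Constructed two-NAT path: endpoint A -> inner NAT -> outer NAT -> Internet."""
    a = ("192.168.1.10", 5060)
    inner = Nat(inner_ext[0], {a: inner_ext})
    outer = Nat("203.0.113.7", {inner_ext: ("203.0.113.7", 40000)})
    return a, [inner, outer]

def demo():
    a, ok_path = nested(("10.0.0.5", 30000))
    ok = discover(a, ok_path, 3600)
    # Slide 14 overlap: the inner NAT's outside address equals the endpoint's own address.
    a2, bad_path = nested(("192.168.1.10", 5060))
    bad = discover(a2, bad_path, 3600)
    return ok, ok_path[0].intervals, bad, bad_path[0].intervals
```

In the overlapping case the walk stops after the outer NAT, so the inner NAT's binding never receives a REFRESH-INTERVAL and would still need keepalives.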

15 Questions draft-wing-behave-nat-control-stun-usage-00