SIP and NAT Dr. Jonathan Rosenberg Cisco Fellow



What is NAT?
Network Address Translation (NAT)
–Creates address binding between internal private and external public address
–Modifies IP Addresses/Ports in Packets
–Benefits
    Avoids network renumbering on change of provider
    Allows multiplexing of multiple private addresses into a single public address ($$ savings)
    Maintains privacy of internal addresses
[Diagram: Client, NAT, IP Pkt. Binding Table: Internal :6554 -> External :8877. Packet S: :6554 D: :80 becomes S: :8877 D: :80.]

Problem: Getting SIP Through NATs
[Diagram: NAT; INVITE carrying SDP "m=audio 3456 RTP/AVP 0" and "c=IN IP"; "RTP to"]

Solution Space
Application Layer Gateways (ALGs)
Session Border Controllers (SBC)
Simple Traversal of UDP Through NAT (STUN)
Traversal Using Relay NAT (TURN)
Interactive Connectivity Establishment (ICE)

Application Layer Gateway
NAT also modifies SIP messages to fix them up!
[Diagram: NAT with ALG; incoming INVITE carrying SDP "m=audio 3456 RTP/AVP 0" and "c=IN IP"; outgoing INVITE carrying SDP "m=audio 1234 RTP/AVP 0" and "c=IN IP"; "RTP to"]

ALG Benefits and Drawbacks
Drawbacks
–Doesn’t work when security turned on
–Hard to diagnose problems
–Requires network upgrade to support new app
–Frequent implementation problems (lack of expertise)
–Incentives mismatched
Benefits
–No change to clients or servers
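
An added illustration (not from the presentation) of the first drawback, assuming "security turned on" means end-to-end protection of the message body: once the ALG rewrites the SDP, an integrity tag computed by the sender no longer verifies. The addresses, the key and the HMAC standing in for the real protection mechanism are constructed; ports 3456 and 1234 are the ones on the ALG slide.

```python
import hashlib
import hmac
import re

# Constructed sample values (documentation address ranges, made-up key).
OFFER = "v=0\r\nc=IN IP4 10.0.1.1\r\nt=0 0\r\nm=audio 3456 RTP/AVP 0\r\n"
BINDINGS = {("10.0.1.1", 3456): ("192.0.2.1", 1234)}
KEY = b"constructed-endpoint-key"


def alg_rewrite(sdp, bindings):
    """Rewrite the private c=/m= values using a NAT binding table.

    bindings maps (private_ip, private_port) -> (public_ip, public_port).
    """
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        return sdp                      # nothing the ALG recognises
    key = (conn.group(1), int(media.group(1)))
    if key not in bindings:
        return sdp                      # no binding for this flow
    pub_ip, pub_port = bindings[key]
    sdp = sdp.replace(conn.group(0), f"c=IN IP4 {pub_ip}", 1)
    return sdp.replace(media.group(0), f"m=audio {pub_port} ", 1)


def body_tag(key, sdp):
    """Integrity tag the sending endpoint attaches to the body."""
    return hmac.new(key, sdp.encode(), hashlib.sha256).hexdigest()


def verify(key, sdp, tag):
    """Check the receiving endpoint performs on the body it was given."""
    return hmac.compare_digest(body_tag(key, sdp), tag)


if __name__ == "__main__":
    tag = body_tag(KEY, OFFER)
    rewritten = alg_rewrite(OFFER, BINDINGS)
    print("untouched body verifies:", verify(KEY, OFFER, tag))
    print("ALG-rewritten body verifies:", verify(KEY, rewritten, tag))
```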

Session Border Controller
SBC relays RTP back to source
[Diagram: NAT; incoming INVITE carrying SDP "m=audio 3456 RTP/AVP 0" and "c=IN IP"; SBC; outgoing INVITE carrying SDP "m=audio 3225 RTP/AVP 0" and "c=IN IP"; "RTP to"]

SBC Benefits and Drawbacks
Drawbacks
–Expensive media relaying
–Interferes with some SIP extensions
–Breaks more advanced SIP security
Benefits
–No change to clients or NATs
–Works with basic SIP security mechanisms
–Easier to diagnose

Simple Traversal of UDP Through NAT (STUN)
[Diagram: NAT; client asks the STUN Server "What is my IP address and port please?"; reply "It's : 3472"; INVITE carrying SDP "m=audio 3472 RTP/AVP 0" and "c=IN IP"; "RTP to"]

STUN Benefits and Drawbacks
Drawbacks
–Doesn’t always work
Benefits
–No change to servers or NATs
–Works with all SIP security mechanisms
–Can support non-VoIP apps (e.g., games)

Traversal Using Relay NAT (TURN)
[Diagram: NAT; client asks the TURN Server "Give me an IP address and port please?"; reply ": 2376"; INVITE carrying SDP "m=audio 2376 RTP/AVP 0" and "c=IN IP"; "RTP to"]

TURN Benefits and Drawbacks
Drawbacks
–Expensive Media Relaying
Benefits
–No change to servers or NATs
–Works with all SIP security mechanisms
–Can support non-VoIP apps (e.g., games)

Interactive Connectivity Establishment (ICE)
Hybrid of STUN and TURN
P2P NAT Traversal
Widely Deployed on Internet
Popular with Application Providers

ICE Step 1: Allocation
Before Making a Call, the Client Gathers Candidates
Each candidate is a potential address for receiving media
Three different types of candidates
– Host Candidates
– Server Reflexive Candidates (STUN)
– Relayed Candidates (TURN)
Host Candidates reside on the agent itself
STUN candidates are addresses residing on a NAT
TURN candidates reside on a TURN server
[Diagram labels: TURN, NAT, STUN]

ICE Step 2: Create Offer
Each candidate is placed into an a=candidate attribute of the offer
Each candidate line has IP address and port plus other info needed for ICE

    c=IN IP
    t=0 0
    m=audio RTP/AVP 0
    a=rtpmap:0 PCMU/8000
    a=candidate:1 1 UDP typ host
    a=candidate:2 1 UDP typ srflx raddr rport 8998

ICE Step 3: Send INVITE
Caller sends a SIP INVITE as normal
No ICE processing by SIP servers
[Diagram labels: SIP Server, INVITE]

ICE Step 4: Allocation
Called party does exactly same processing as caller and obtains its candidates
Recommended to not yet ring the phone!
[Diagram labels: TURN, NAT, STUN]

ICE Step 5: Provisional Response
Callee sends a provisional response containing its SDP with candidates
As with INVITE, no processing by proxies
Phone has still not rung yet
[Diagram labels: SIP Proxy, 1xx]

ICE Step 6: Verification
Each agent pairs up its candidates (local) with its peer's (remote) to form candidate pairs
Each agent sends a STUN-based ping on each pair, starting at highest priority
If a response is received the check has succeeded and we know media can flow on that pair!
[Diagram labels: TURN Server, NAT, TURN Server, NAT]
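
Steps 2 and 6 above, worked through as an added example (not code from the presentation): it parses a=candidate lines, forms candidate pairs and orders the checks using the priority formulas from RFC 5245. The addresses, the sample_sdp helper and the reachable callback that stands in for the STUN ping are constructed for illustration; pruning and triggered checks are left out.

```python
import re

TYPE_PREF = {"host": 126, "srflx": 100, "relay": 0}  # RFC 5245 recommended
CAND_RE = re.compile(
    r"^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (host|srflx|relay)")

def candidate_priority(ctype, component=1, local_pref=65535):
    """priority = 2^24 * type pref + 2^8 * local pref + (256 - component)."""
    return (TYPE_PREF[ctype] << 24) + (local_pref << 8) + (256 - component)

def sample_sdp(host, srflx, relay):
    """Constructed SDP fragment: one candidate of each type, component 1."""
    rows = [(1, "host", host), (2, "srflx", srflx), (3, "relay", relay)]
    return "\n".join(
        f"a=candidate:{n} 1 UDP {candidate_priority(t)} {ip} {port} typ {t}"
        for n, t, (ip, port) in rows)

def parse_candidates(sdp):
    """Extract the candidates from the a=candidate lines of an SDP body."""
    out = []
    for line in sdp.splitlines():
        m = CAND_RE.match(line.strip())
        if m:
            out.append({"component": int(m[2]), "priority": int(m[4]),
                        "addr": m[5], "port": int(m[6]), "type": m[7]})
    return out

def pair_priority(g, d):
    """g: controlling agent's candidate priority, d: controlled agent's."""
    return (min(g, d) << 32) + 2 * max(g, d) + (1 if g > d else 0)

def check_list(local, remote):
    """Pair same-component candidates, highest pair priority first."""
    pairs = [(pair_priority(lc["priority"], rc["priority"]), lc, rc)
             for lc in local for rc in remote
             if lc["component"] == rc["component"]]
    return sorted(pairs, key=lambda p: p[0], reverse=True)

def first_working_pair(pairs, reachable):
    """Walk the check list in order; reachable(lc, rc) stands in for the ping."""
    for _, lc, rc in pairs:
        if reachable(lc, rc):
            return lc["type"], rc["type"]
    return None
```

Because relayed candidates get the lowest type preference, a pair involving a TURN relay is only reached after every host and server reflexive pair has failed its check.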

ICE Benefits and Drawbacks
Drawbacks
–Requires client changes
–Requires other side to support it
Benefits
–Always Works
–No change to servers or NATs
–Works with all SIP security mechanisms
–Minimum Media Relaying
–Can support non-VoIP apps (e.g., games)
–Built-In Anti-DOS
–Eliminates Ghost Rings