SIP, Firewalls and NATs, Oh My! (www.dynamicsoft.com, SIP Summit 2001, 5.01.01)

Presentation transcript:

SIP, Firewalls and NATs, Oh My!

SIP Summit SIP, Firewalls and NATs, Oh My!

Getting SIP Through Firewalls
- Firewalls typically statically configured to let traffic in/out of specific ports/addresses
- SIP itself can easily be let in/out
  - Static port 5060 opened
- But SIP signals media sessions, usually RTP
- RTP difficult to isolate
  - Uses dynamic UDP ports
  - Not its own protocol
  - No way to statelessly identify
- Therefore, media sessions will not flow through a SIP-unaware firewall
  - Application Layer Gateway (ALG) function required

Getting SIP Through NATs
- Network Address Translation (NAT)
  - Creates address binding between internal private and external public address
  - Modifies IP addresses/ports in packets
- Benefits
  - Avoids network renumbering on change of provider
  - Allows multiplexing of multiple private addresses into a single public address ($$ savings)
  - Maintains privacy of internal addresses
- Problems
  - Bindings for media sessions need to be explicitly created
  - IP addresses and ports written in SIP packets will be wrong: SDP, From field, To field, Contact, Record-Route, Via
  - ALG function required
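The two slides above describe what a SIP ALG has to do: read the dynamic RTP port out of the SDP so the firewall can open it, and rewrite the private addresses the phone wrote into Via, Contact and the SDP body. The following is an added illustration of that pass, not code from the talk or from dynamicsoft; the INVITE, the addresses and the port range are constructed, and the From/To fields are deliberately left alone because they carry domain names here.

```python
import re

# Constructed sample INVITE from a phone on a private address (not from the slides).
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.0.0.5:5060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1928\r\n"
    "To: <sip:bob@example.com>\r\n"
    "Contact: <sip:alice@10.0.0.5:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 10.0.0.5\r\n"
    "c=IN IP4 10.0.0.5\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def sip_alg(msg, private_ip, public_ip, bindings, free_ports):
    """ALG pass over one SIP message: rewrite the private ip:port pairs in Via and
    Contact, the private address in SDP o=/c=, and the media port in SDP m=.
    bindings maps private port -> public port; an unmapped port gets a new binding
    taken from free_ports (an iterator), which is the explicit creation of media
    bindings the slide calls for.
    Returns (rewritten message, list of public (ip, port) RTP pinholes to open)."""
    def public_port(priv):
        if priv not in bindings:
            bindings[priv] = next(free_ports)
        return bindings[priv]

    head, sep, body = msg.partition("\r\n\r\n")
    head = re.sub(rf"{re.escape(private_ip)}:(\d+)",
                  lambda m: f"{public_ip}:{public_port(int(m.group(1)))}", head)
    pinholes, lines = [], []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(f"IN IP4 {private_ip}", f"IN IP4 {public_ip}")
        elif line.startswith("m="):
            fields = line.split(" ")
            fields[1] = str(public_port(int(fields[1])))
            line = " ".join(fields)
            pinholes.append((public_ip, int(fields[1])))  # RTP port on the public side
        lines.append(line)
    return head + sep + "\r\n".join(lines), pinholes
```

In the decomposed design of the Case I slide, the pinhole list is what the Firewall Control Proxy would hand to the packet filter.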

Two Distinct Cases
- Case I: SIP provider is the IP network provider
  - Enterprises which deploy SIP
  - Carriers
- Case II: SIP provider is NOT the IP network provider
  - Residential NATs
  - Users within enterprises
  - Cable companies with NAT
  - Airport lounges
  - Hotels
  - Internet cafes
[Diagram: for each case, Users behind a FW/NAT and a Proxy, with the IP Provider and the SIP Provider marked]

Proposed Solution for Case I
- Separate application layer NAT/firewall from IP layer NAT/firewall
  - Like megaco decomposition
  - MG = packet filter
  - MGC = Firewall Control Proxy
- Same benefits
  - Better scaling
  - Faster
  - Lower cost
  - Expertise problem solved
  - Deployment paths for new apps
  - Load balancing
- IETF standard: MIDCOM
- Actual deployments today!
[Diagram: Decomposed Firewall/NAT: SIP goes to the Firewall Control Proxy (FCP), which controls the Firewall/NAT packet filter that RTP passes through]

What about Case II?
- Much harder problem!
  - No way to control firewall or NAT
  - Huge installed base of SIP-unaware devices
  - Variable firewall and NAT behaviors
- Proposed solution: make SIP NAT friendly
  - Can work through existing NATs!
- NATs a bigger problem for Case II than firewalls
- Handle firewalls separately
  - Send it all through TLS over port 443
  - Define well-known RTP ports + symmetric RTP = existing firewalls can be configured with static rules to support VoIP

Basic Approach
- Find ways to ignore IP addresses in SIP/SDP wherever possible
  - Get the information from the transport connections themselves
- Find ways to make a peer-to-peer application look like client/server
  - One side initiates
  - Can send data back and forth
- Don't rely on DNS, since many clients won't have domain names

Specific Problems to Address
1. Response from proxy to caller
  - SIP Via header used for sending response
  - Sent to port in Via header
  - Will be wrong!
  - Must figure out how to ignore
  - ANSWER: TCP
2. Proxy to called party
  - Proxy forwards request to IP address and port in registration
  - These will be wrong
  - No address binding for them
3. RTP
  - Addresses in SDP are used, and these are wrong
  - No bindings for them

Contact Cookie
- Special contact value which tells the registrar: register my contact using the IP address and port where the REGISTER came from
- REGISTER comes from persistent TCP connection to server
- Causes calls to be routed to UAS through NAT!
- Want to be explicit
  - Call forward service
[Diagram: Contact cookie as a special URL; the client opens a TCP connection, then sends REGISTER]
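Problems 1 and 2 of the previous slide and the contact cookie share one idea: take the address from the transport, not from the message. This added example (mine, not the talk's) models a server that answers over the TCP connection the request arrived on and that honours a cookie Contact by binding the address-of-record to that connection's peer; the cookie URI, the REGISTER and the addresses are assumed values, since the slide gives no concrete cookie syntax.

```python
# Assumed cookie value: the slide only says "special contact value", so this URI
# is a placeholder of mine, not the talk's syntax or any standard.
CONTACT_COOKIE = "<sip:cookie@nat-traversal.invalid>"

def headers(msg):
    """Return {lower-case name: value} for the constructed SIP messages below."""
    fields = {}
    for line in msg.split("\r\n")[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        fields[name.strip().lower()] = value.strip()
    return fields

def response_target(request, peer):
    """Problem 1 (proxy -> caller): the host:port in Via is the phone's private
    address, so it is ignored; the response goes to the transport peer, i.e. back
    down the TCP connection the request came in on."""
    via_host = headers(request)["via"].split()[1].split(";")[0]
    return {"send_to": peer, "via_claims": via_host}

def register(request, peer, location):
    """Problem 2 (proxy -> callee): a cookie Contact binds the address-of-record
    to the (ip, port) the REGISTER came from rather than to the Contact header."""
    h = headers(request)
    aor = h["to"].strip("<>")
    if h["contact"] == CONTACT_COOKIE:
        location[aor] = peer                      # the NAT's public binding
    else:
        host = h["contact"].split("@", 1)[1].rstrip(">")
        ip, _, port = host.partition(":")
        location[aor] = (ip, int(port or 5060))   # private address: unreachable
    return location[aor]

# Constructed REGISTER as sent over a persistent TCP connection from behind a NAT.
REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/TCP 10.0.0.5:5060;branch=z9hG4bKabc\r\n"
    "To: <sip:alice@example.com>\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    f"Contact: {CONTACT_COOKIE}\r\n"
    "\r\n"
)
```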

Symmetric RTP
- Today, RTP is unidirectional
  - Two RTP sessions, one in each direction
  - Means both sides provide IP addresses – BAD
- Big idea: what if one side connects to the other by sending an RTP packet
  - Recipient sends RTP packets back to the source IP of the received RTP packet
  - Just like TCP operation, but over UDP
- Conceptually, this is symmetric RTP
- Means only one side needs to provide an IP address – just like client/server
- Can use RTP translators in SIP network when both are behind NAT
[Diagram: Caller at IP A in a private network behind a NAT, Callee at IP B; the caller sends an RTP packet A->B with source A, a binding for A is established, and the callee sends B->A back to that source]
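The symmetric RTP behaviour from this slide, as an added example rather than code from the talk: the callee (the side whose address is known) ignores any address it was told in SDP, latches onto the source of the first RTP datagram it receives, and sends everything back there. The RTP header layout is the standard 12-byte one; the localhost sockets, ports and SSRC values in the demo are assumed.

```python
import socket
import struct

def rtp_packet(pt, seq, ts, ssrc, payload=b""):
    """Minimal RTP header: V=2, no padding/extension/CSRC, marker 0, then payload."""
    return struct.pack("!BBHII", 0x80, pt & 0x7F, seq & 0xFFFF, ts, ssrc) + payload

class SymmetricRtpEndpoint:
    """The side with the public address (Callee, IP B in the slide). It never
    trusts an address carried in SDP: the first datagram fixes the peer, and
    replies go to that source, which is the caller's NAT binding."""
    def __init__(self):
        self.peer = None

    def receive(self, src):
        """Called with the (ip, port) a datagram came from; returns where replies
        go. A later datagram from a different source does not move the binding,
        so a stray sender cannot redirect the stream once it is latched."""
        if self.peer is None:
            self.peer = src
        return self.peer

if __name__ == "__main__":
    # Assumed demo on localhost: B is the only address anyone has to know;
    # A sends from an ephemeral port, which plays the role of the NAT binding.
    callee = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    callee.bind(("127.0.0.1", 0))
    caller = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    caller.bind(("127.0.0.1", 0))
    caller.sendto(rtp_packet(0, 1, 0, 0xA, b"A->B"), callee.getsockname())
    data, src = callee.recvfrom(2048)        # B learns A's binding from the packet
    endpoint = SymmetricRtpEndpoint()
    callee.sendto(rtp_packet(0, 1, 0, 0xB, b"B->A"), endpoint.receive(src))
    data, src = caller.recvfrom(2048)        # A gets media without advertising an address
    print("caller received", data[12:], "from", src)
    caller.close()
    callee.close()
```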

Benefits of this Approach
- Requires relatively small change to clients
- Solves many other problems at the same time
  - SIP Java applets can now be written
  - SOCKS now works
  - Multihomed host configuration problems disappear
- Just the end-to-end argument
  - Applications need to adapt to the network conditions provided to them
  - Can design optimal, simplest approach
- Status
  - Presented to IETF in March
  - Good support, moving forward

Information Resource: Jonathan Rosenberg