Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 NAT Traversal for VoIP Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University.

Published byAlicia Moubray Modified over 9 years ago

Similar presentations

Presentation on theme: "1 NAT Traversal for VoIP Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University."— Presentation transcript:

1 1 NAT Traversal for VoIP Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University

2 2 References “ SIP, NAT and Firewalls ”, Fredrik Thernelius Baruch Sterman and David Schwartz, “ NAT Traversal in SIP ”, Deltathree “ STUN – Simple Traversal of UDP Through Network Address Translators ”, RFC 3489, IETF “ An Extension to the SIP for Symmetric Response Routing ”, RFC 3581, IETF “ TURN – Traversal Using Relay NAT ”, Internet Draft, IETF

3 3 Outline Introduction Problems of NAT Traversal for VoIP Possible Solutions for VoIP over NAT

4 4 What is NAT? NAT - Network Address Translation Converts Network Address (and Port) between private and public realm Works on IP layer Transparent to Upper-layer Applications

5 Router 39.39.88.9 Packet 8765SP 80DP 54.38.54.4SA 39.39.88.9DA Packet 80SP 8765DP 39.39.88.9SA 54.38.54.4DA 54.38.54.4

6 39.39.88.9 54.38.54.49 DADPSASPDADPSASP 39.39.88.980192.168.5.28765 DADPSASP 39.39.88.980192.168.5.28765 Packet 80SP 8765DP 39.39.88.9SA 192.168.5.2DA 192.168.5.2 Packet 8765SP 80DP 192.168.5.2 SA 39.39.88.9DA Packet 8765SP 80DP 54.38.54.49SA 39.39.88.9DA 54.38.54.49 Packet 80SP 8765DP 39.39.88.9SA 54.38.54.49DA

7 7 Flavors of NAT [1/3] Static NAT Requires the same number of globally IP addresses as that of hosts in the private environment Maps between internal IP addresses and external addresses is set manually This mapping intends to stay for a long period of time

8 8 Flavors of NAT [2/3] Dynamic NAT Collect the public IP addresses into an IP address pool A host connecting to the outside network is allocated an external IP address from the address pool managed by NAT

9 9 Flavors of NAT [3/3] NAPT (Network Address and Port Translation) A special case of Dynamic NAT Use port numbers as the basis for the address translation Most commonly used

10 10 Types of NAT Full Cone Restricted Cone Port Restricted Cone Symmetric

11 11 Full Cone NAT Client sends a packet to public address A. NAT allocates a public port (12345) for private port (21) on the client. Any incoming packet (from A or B) to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 Mapping Table 10.0.0.1:21 12345 Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101

12 12 Restricted Cone NAT [1/2] Client sends a packet to public address A. NAT allocate a public port (12345) for private port (21) on the client. Only incoming packet from A to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 Mapping Table 10.0.0.1:21 12345 (for A) Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101

13 13 Restricted Cone NAT [2/2] Client sends another packet to public address B. NAT will reuse allocated public port (12345) for private port (21) on the client. Incoming packet from B to public port (12345) will now dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 Mapping Table 10.0.0.1:21 12345 (for A) 10.0.0.1:21 12345 (for B) Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101

14 14 Port Restricted Cone NAT Client sends a packet to public address A at port 20202. NAT will allocate a public port (12345) for private port (21) on the client. Only incoming packet from address A and port 20202 to public port (12345) will dispatch to private port (21) on the client. Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 Mapping Table 10.0.0.1:21 12345 (for A : 20202) 10.0.0.1:21 12345 (for A : 30303) Computer A IP: 222.111.99.1 Port: 20202 Port: 30303

15 15 Symmetric NAT NAT allocates a public port each time the client sends a packet to different public address and port Only incoming packet from the original mapped public address and port will dispatch to private port on client Client IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 Mapping Table 10.0.0.1:21 12345 (for A : 20202) 10.0.0.1:21 45678 ( for B : 10101) Computer A IP: 222.111.99.1 Port: 20202 Computer B IP: 222.111.88.2 Port: 10101 IP: 202.123.211.25 Port: 45678

16 16 VoIP Protocol and NAT NAT converts IP addresses on IP layer Problem 1: SIP, H.323, Megaco and MGCP are application layer protocol but contain IP address/port info in messages, which is not translated by NAT Problem 2: Private client must send an outgoing packet first (to create a mapping on NAT) to receive incoming packets

17 17 Solving NAT Traversal Problems Objectives To discover the mapped public IP & port for a private IP & port To use the mapped public IP & port in application layer message To keep this mapping valid Issues NAT will automatically allocate a public port for a private address & port if needed. NAT will release the mapping if the public port is “ idle ” No TCP connection on the port No UDP traffic on the port for a period Keep a TCP connection to destination Send UDP packets to destination every specified interval

18 18 NAT Solutions IPv6 (Internet Protocol Version 6) UPnP (Universal Plug-and-Play) UPnP Forum - http://www.upnp.org/ Proprietary protocol by NAT/Firewall SIP ALG (Application Level Gateway) SIP extensions for NAT traversal RFC 3581 Works for SIP only, can not help RTP to pass through NAT STUN (Simple Traversal of UDP Through Network Address Translators) RFC 3489 Works except for symmetric NAT TURN (Traversal Using Relay NAT) draft-rosenberg-midcom-turn-04 for symmetric NAT

19 19 Two Distinct Cases – NAT Deployment [1/2] Case I : SIP Provider is the IP Network Provider

20 20 Two Distinct Cases – NAT Deployment [2/2] Case II : SIP Provider is NOT IP Network Provider

21 21 Solution for Case I – ALG [1/2] Separate Application Layer NAT from IP Layer NAT SIP Control RTP Proxy Server/ALG Firewall/NAT Packet Filter Decomposed Firewall/NAT Like MEGACO Decomposition  MG = Packet Filter  MGC = Control Proxy Advantages  Better scaling  Load balancing  Low cost

22 22 Solution for Case I – ALG [2/2] INVITE BIND REQ BINDING INVITE 200 OK OPEN ACK Proxy Firewall/NAT PC A control Protocol between application-layer NATs and IP-layer NATs Main Requirements Binding Request: To give a private address and obtain a public address Binding Release Open Hole (firewall) Close Hole (firewall)

23 23 Proposed Solution for Case II Much harder problem No way to control firewall or NAT Cascading NATs Variable firewall NAT behaviors Proposed Solution Make SIP “ NAT-Friendly ” Minor extensions Address the issues for SIP only, not RTP Accepted by IETF (RFC 3581) Develop a protocol for traversal of UDP through NAT Work for RTP Also support other applications

24 24 SIP Extension to NAT Friendly Client Behavior Include an “ rport ” parameter in the Via header This parameter MUST have no value It serves as a flag The client SHOULD retransmit its INVITE every 20 seconds Due to UDP NAT binding period and to keep the binding fresh

25 25 SIP Extension to NAT Friendly [2/2] Server Behavior Examines the Via header field value of the request If it contains an “ rport ” parameter, A “ received ” parameter An “ rport ” parameter The response MUST be sent to the IP address listed in the “ received ” parameter, and the port in the “ rport ” parameter.

26 26 Example [1/2] Client A: 10.1.1.1 Proxy B: 68.44.10.3 NAT C: 68.44.20.1 A issues request INVITE sip:user@domain SIP/2.0 Via: SIP/2.0/UDP 10.1.1.1:4540;rport A  C (mapping port 9988)  B INVITE sip:user@domain SIP/2.0 Via: SIP/2.0/UDP proxy.domain.com Via: SIP/2.0/UDP 10.1.1.1:4540; received=68.44.20.1;rport=9988;

27 27 Example [2/2] Server B receives the response SIP/2.0 200 OK Via: SIP/2.0/UDP proxy.domain.com Via: SIP/2.0/UDP 10.1.1.1:4540;received=68.44.20.1;rport=9988; B (68.44.10.3:5060)  C (68.44.20.1:9988)  A SIP/2.0 200 OK Via: SIP/2.0/UDP 10.1.1.1:4540;received=68.44.20.1;rport=9988;

28 28 UPnP [1/2] Universal Plug and Play It is being pushed by Microsoft Windows ® Messenger A UPnP-aware client can ask the UPnP- enabled NAT how it would map a particular IP:port through UPnP It will not work in the case of cascading NATs http://www.upnp.org/

29 29 UPnP [2/2] A: Private Network UPnP-aware Internet gateway device The UPnP-enabled NAT allows “ A ” to be aware of its external IP B: Public Internet “ B ” and “ A ” can communicate with each other UPnP- enabled NAT Public Internet B Private Network A

30 30 External Query A server sits listening for packets (NAT probe) When receiving a packet, it returns a message from the same port to the source containing the IP:port that it sees IP: 10.0.0.1 Port: 8000 NAT Public Internet NAT Probe IP: 202.123.211.25 Port: 12345

31 31 STUN Simple Traversal of UDP Through NAT RFC 3489 In Working Group IETF MIDCOM Group Simple Protocol Works with existing NATs Main features Allow Client to Discover Presence of NAT Works in Multi-NAT Environments Allow Client to Discover the Type of NAT Allows Client to Discover the Binding Lifetimes Stateless Servers

32 32 STUN Server Allow client to discover if it is behind a NAT, what type of NAT it is, and the public address & port NAT will use. A simple protocol, easy to implement, little load Client IP: 10.0.0.1 Port: 5060 IP: 202.123.211.25 Port: 12345 STUN Server IP: 222.111.99.1 Port: 20202 NAT Client wants to receive packet at port 5060 Send a query to STUN server from port 5060 STUN Server receives packet from 202.123.211.25 port 12345 STUN Server send a response packet to client. Tell him his public address is 202.123.211.25 port 12345

33 Binding Acquisition STUN Server can be ANYWHERE on Public Internet Call Flow Proceeds Normally

34 34 STUN Message [1/3] TLV (type-length-value) Start with a STUN header, followed by a STUN payload (a series of STUN attributes depending on the message type) Format STUN Header STUN Payload (can have none to many blocks)

35 35 STUN Message [2/3] STUN Header STUN Payload (can have none to many blocks) Message Type (16 bits)Message Length (16bits) Transaction ID (128 bits) Message Types 0x0001: Binding Request0x0101: Binding Response 0x0111: Binding Error Response 0x0002: Shared Secret Request0x0102: Shared Secret Response 0x0112: Shared Secret Error Response

36 36 STUN Message [3/3] STUN Header STUN Payload (can have none to many blocks) Attribute Type (16 bits)Attribute Length (16bits) Attribute Value (Variable length) Attribute Types 0x0001: MAPPED-ADDRESS0x0002: RESPONSE-ADDRESS 0x0003: CHANGE-REQUEST0x0004: SOURCE-ADDRESS 0x0005: CHANGED-ADDRESS0x0006: USERNAME 0x0007: PASSWORD0x0008: MESSAGE-INTEGRITY 0x0009: ERROR-CODE0x000a: UNKNOWN-ATTRIBUTES 0x000b: REFLECTED-FROM

37 37 Automatic Detection of NAT Environment [1/2] STUN Client Environment STUN Server IP1 STUN Server IP2 Port1 Port2 Port1 Test I Test II Test IV Test III

38 38 Automatic Detection of NAT Environment [2/2] Test I Test II Test III Test IV Resp? Yes No UDP Blocked Same IP and Port as original? Test II YesNo Open Internet Sym UDP Firewall Yes Full Cone NAT No Yes Same IP and Port as Test I? Symmetric NAT Port Restricted NAT Restricted NAT No Yes No

39 39 Binding Lifetime Determination STUN Client NAT Bind Req. Bind (Pa, Pp) Binding Resp. MAPPED-ADDRESS (Pa, Pp) Start Timer T If it receives Binding Response on socket X, the binding has not expired. Socket X Socket Y Another Binding Request, RESPONSE-ADDRESS is set to (Pa, Pp)

40 40 Binding Acquisition Procedure STUN Client 1 NAT Client 2 ControlMedia SIP Message RTP Shared Secret Request and Response Binding Request and Response (Pa, Pp) Binding Request and Response (Pa’, Pp’) RESPONSE- ADDRESS is set to (Pa, Pp)

41 41 STUN - Pros and Cons Benefits No changes required in NAT No changes required in Proxy Works through most residential NAT Drawbacks Doesn ’ t allow VoIP to work through Symmetric NAT RTCP may not work

42 42 Is STUN suitable for Symmetric NAT Absolutely not Client A IP: 10.0.0.1 Port: 21 NAT IP: 202.123.211.25 Port: 12345 Mapping Table 10.0.0.1:21 12345 (for 222.111.99.1 : 20202) STUN Server IP: 222.111.99.1 Port: 20202 Client B IP: 222.111.88.2 Port: 10101

43 43 Solutions for Symmetric NATs Connection Oriented Media RTP-Relay

44 44 Connection Oriented Media The endpoint outside the NAT must wait until it receives a packet from the client before it can know where to reply Add a line to the SDP message (coming from the client behind the NAT) a=direction:active The initiating client will “ actively ” set up the IP:port to which the endpoint should return RTP The IP:port found in the SDP message should be ignored

45 45 Problem? 1) If the endpoint does not support the a=direction:active tag 2) If both endpoints are behind Symmetric NATs

46 46 RTP-Relay For either of the cases considered in the previous slide, one solution is to have an RTP Relay in the middle of the RTP flow between endpoints. The RTP Relay acts as the second endpoint to each of the actual endpoints that are attempting to communicate with each other.

47 47 Example 1 236 8 9 12 7 4 5 10 11 UA NAT Proxy RTP Relay Voice Gateway NAT The following is a typical call flow that might be instantiated between a User Agent behind a symmetric NAT and a voice gateway on the open Internet.

48 48 TURN Traversal Using Relay NAT draft-rosenberg-midcom-turn-06.txt TURN Client NAT TURN Server Public InternetPrivate NET

49 Obtaining a One Time Password TURN Client NAT TURN Server 1.Client generates and sends Shared Secret Request (with no attribute) 2.TURN Server reject it with a Shared Secret Error Response (code=401,contain NONCE and REALM) 3.Client generate a new Shared Secret Request (contain NONCE 、 REALM 、 USERNAME) 4.TURN Server generate a Shared Secret Response (contain USERNAME and PASSWORD)

50 Allocating a Binding 1.Client generates and sends Initial Allocate Request (contain BANDWIDTH 、 LIFETIME 、 USERNAME 、 MESSAGE_INTEGRITY ) TURN Client NAT TURN Server 2.TURN Server generates and sends Allocate Response (contain MAPPED_ADDRESS 、 LIFETIME 、 BANDWIDTH 、 MESSAGE_INTEGRITY)

51 Refreshing a Binding TURN Client NAT TURN Server 1.Client generates and sends Subsequent Allocate Request (contain LIFETIME 、 USERNAME 、 MESSAGE_INTEGRITY ) 2.TURN Server generates and sends Allocate Response (contain MAPPED_ADDRESS 、 LIFETIME 、 MESSAGE_INTEGRITY 、 MAGIC_COOKIE)

52 Sending Data Peer TURN Client NAT TURN Server 1.TURN Client generates and sends Send Request (contain DESTINATION_ADDRESS 、 DATA) 2.TURN Server set default destination address to DESTINATION_ADDRESS, and add this address to the list of permission. Then TURN Server relay the data to Peer. 3.TURN Server generates and sends Send Response to TURN Client.

53 Receiving Packet Peer TURN Server NAT TURN Client 1.Peer sends packet to the mapped address of TURN Client. 2.TURN Server check whether the source IP address and port are listed amongst the set of permission for the binding or not. 3.TURN Server check whether the source IP address and port are equal to the default destination address or not. 4.TURN Server generates Data Indication message to relay the packet to TURN Client.

54 Tearing Down a Binding TURN Client NAT TURN Server 1.Client generates and sends Subsequent Allocate Request (contain LIFETIME=0) 2.TURN Server will tearing down the binding.

55 55 TURN – Pros and Cons Pros No change required in NAT. Work through firewall and all kinds of NAT. Cons Long latency Heavy load for TURN server

Download ppt "1 NAT Traversal for VoIP Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University."

Similar presentations

SIP, Firewalls and NATs Oh My!. www.dynamicsoft.com SIP Summit 2001 5.01.01 SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.

SIP, Firewalls and NATs Oh My!. SIP Summit SIP, Firewalls and NATs, Oh My! Getting SIP Through Firewalls Firewalls Typically.
www.dynamicsoft.com Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.

Fall VoN 2000 SIP Servers SIP Servers: A Buyers Guide Jonathan Rosenberg Chief Scientist.
CST 415 - Computer Networks NAT CST 415 4/10/2017 CST 415 - Computer Networks.

CST Computer Networks NAT CST 415 4/10/2017 CST Computer Networks.
Firewalls and Network Address Translation (NAT) Chapter 7.

Firewalls and Network Address Translation (NAT) Chapter 7.
Running SIP behind NAT Dr. Christian Stredicke, snom technology AG Tokyo, Japan, Oct 22 th 2002.

Running SIP behind NAT Dr. Christian Stredicke, snom technology AG Tokyo, Japan, Oct 22 th 2002.
NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.

NAT, firewalls and IPv6 Christian Huitema Architect, Windows Networking Microsoft Corporation.
CPSC 441 - Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-

CPSC Network Layer4-1 IP addresses: how to get one? Q: How does a host get IP address? r hard-coded by system admin in a file m Windows: control-panel->network->configuration-
©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.

©2012 ClearOne Communications. Confidential and proprietary. COLLABORATE ® Video Conferencing Networking Basics.
P2P and NAT How to traverse NAT Davide Carboni © 2005-2006.

P2P and NAT How to traverse NAT Davide Carboni ©
Network Address Translation (NAT) 12.10.2009 Prof. Sasu Tarkoma.

Network Address Translation (NAT) Prof. Sasu Tarkoma.
NAT/Firewall Traversal April 2009. NAT revisited – “port-translating NAT”

NAT/Firewall Traversal April NAT revisited – “port-translating NAT”
1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings

1 © 2004 Cisco Systems, Inc. All rights reserved. Making NATs work for Online Gaming and VoIP Dr. Cullen Jennings
STUN Date: 2011-05-25 Speaker: Hui-Hsiung Chung 1.

STUN Date: Speaker: Hui-Hsiung Chung 1.
SIP Traversal over NAT Problems and Solutions Mr. Ting-Yun Chi May 2,2006 (Taiwan,NICI IPv6 R&D Division)

SIP Traversal over NAT Problems and Solutions Mr. Ting-Yun Chi May 2,2006 (Taiwan,NICI IPv6 R&D Division)
Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.

Copyright 2005 – 2009 © by Elliot Eichen. All rights reserved. NAT (NAPT/PAT), STUN, and ICE `Structure of ice II, viewed along the hexagonal c-axis. Hydrogen.
Network Address Translation (NAT) 8.10.2007 Adj. Prof. Sasu Tarkoma.

Network Address Translation (NAT) Adj. Prof. Sasu Tarkoma.
NAT1 Network Address Translation Dr. Danny Tsang Department of Electronic & Computer Engineering Hong Kong University of Science and Technology.

NAT1 Network Address Translation Dr. Danny Tsang Department of Electronic & Computer Engineering Hong Kong University of Science and Technology.
January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.

January 23-26, 2007 Ft. Lauderdale, Florida An introduction to SIP Simon Millard Professional Services Manager Aculab.
1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.

1 © 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential Session Number Presentation_ID STUN, TURN and ICE Cary Fitzgerald.
STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

STUN Tutorial Jonathan Rosenberg Chief Technology Officer.

Similar presentations

Ads by Google