Download Practical Far-End NAT Traversal for VoIP Whitepaper PDF

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
Document related concepts

Technological convergence wikipedia , lookup

Wake-on-LAN wikipedia , lookup

Parallel port wikipedia , lookup

Deep packet inspection wikipedia , lookup

Zero-configuration networking wikipedia , lookup

SIP extensions for the IP Multimedia Subsystem wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Distributed firewall wikipedia , lookup

Transcript 
|
Practical Far-End
NAT Traversal for VoIP
March 2006
WHITE PAPER
|
Practical Far-End NAT Traversal for VoIP
Contents
Introduction. .............................................................................................................................. 3
Packet Admission Policy Problems................................................................................................ 3
Pinhole Timeout Thresholds.................................................................................................... 4
Signaling Asymmetry.............................................................................................................. 4
Client-Side Signaling Asymmetry......................................................................................... 4
Server-Side Signaling Asymmetry......................................................................................... 5
Outbound Calls and 2-Way Media........................................................................................... 5
REGISTER Packet and Inbound Calls......................................................................................... 6
Network and Port Translation Problems........................................................................................ 7
NAT Port Contention and Port Rotation ................................................................................... 8
NAT and Media...................................................................................................................... 9
Common Attempts to Solve the Problems....................................................................................11
Using TCP. ............................................................................................................................11
UPnP....................................................................................................................................11
STUN. ...................................................................................................................................12
TURN. ...................................................................................................................................13
Signaling/Media Proxy Combination........................................................................................14
ICE. ......................................................................................................................................14
Using an External B2BUA/MP......................................................................................................15
Summary. ..................................................................................................................................18
Acronyms. .................................................................................................................................19
About Ditech Networks. .............................................................................................................19
Copyright © 2007 Ditech Networks
Packet Admission Policy Modes........................................................................................... 3
/20
Practical Far-End NAT Traversal for VoIP
Introduction
The goal of far-end NAT traversal is to allow inbound and outbound VoIP calls to succeed in the highest possible
number of cases, even when one or both call parties on the call are behind one or more address-translation-enabled
firewalls. No requirements on the subscriber-premise’s hardware, software, or firewall should be permitted – the
subscriber’s experience should be to simply plug in a properly configured VoIP phone and start making calls. This
paper discusses the issues that must be considered and the solutions required to achieve this goal.
We begin by examining the effects of firewalls in their role as packet admission controlling points, and then look into
the more complicated issues arising from Network Address Translation (NAT) and Port Address Translation (PAT).
Packet Admission Policy Problems
Before discussing the issues of NAT and PAT, administrators must understand that network firewalls create many of
VoIP’s problems with their packet admission policies. This is because firewalls are the gatekeeper of the UDP protocol
which is required by VoIP. By default, firewalls are typically configured to behave in one or more of the following
modes, listed in order of restrictiveness.
Packet Admission Policy Modes
1.Allow all User Datagram Protocol (UDP) datagrams to come in through the firewall (Open).
2.Allow only certain hosts to send UDP inbound.
3.Allow certain hosts to send UDP inbound only from certain ports, and only to certain inside hosts on certain ports.
4.Allow all external hosts to send inbound UDP to any inside host, provided that the same type of traffic has recently
been emitted outbound from any inside host/port. This is called a Full Cone NAT.
5.Allow an external host to send inbound UDP from any port to an inside host, provided that the same type
of traffic has recently been emitted outbound from any inside host/port to that external host. This is called a
Restricted Cone NAT.
6.Allow an external host and only that specific external host to send inbound UDP using the same port pair to an
inside host. This is called a Port-restricted Cone or Symmetric NAT. Note that there is also a further difference
between a Port-restricted Cone and Symmetric NAT which relates to the use of different global-port to local host-port bindings for traffic exchanges between a single internal host to different external hosts.
7.Allow an external host to send inbound UDP to an inside host, provided that the same type of traffic (host/port)
has recently been emitted outbound to a port at the external host that is lower than 1024. This is a more
restrictive variant of Port-restricted Cone or Symmetric NAT.
8.Behave as a proxy server that only allows inbound UDP traffic from special configurations on the clients.
9.Deny all inbound UDP traffic and responses (Closed).
The concept of CPE-less NAT/Firewall traversal rests on the premise that UDP responses from at least one server on
the outside network must be allowed to pass through.
Different vendors use different terminology to describe Modes 4 through 7 in their firewall configurations. The most
common names include Stateful Inspection, Adaptive Security Algorithm, Stateful UDP “Connection” Cache, and
Reflexive UDP Admission.
Copyright © 2007 Ditech Networks
/20
Practical Far-End NAT Traversal for VoIP
We will use the term Reflexive UDP Admission to describe firewalls that allow an external host to respond symmetrically within a given period of time. We will also call this temporary admission of responses a pinhole. Most firewalls
support Reflexive UDP Admission by default, but firewall vendors usually do not disclose which type among the
above modes that the default behavior for UDP admission falls into.
Pinhole Timeout Thresholds
Additionally, most firewall vendors do not disclose the length of the inactivity period after which a dynamic pinhole is closed. In our observations, multiple inbound packets are usually accepted for 30 seconds to 10 minutes
after an outbound packet has been sent.
However, some firewalls may arbitrarily close the pinholes, which halts the external entity’s ability to send inbound calls.
Signaling Asymmetry
Signaling asymmetry occurs when a client at an IP and port address declares a different IP address or port in the Via and/or Contact headers that are different from the IP address or port actually used to emit that SIP signal.
For example, consider the scenario where there is an external Session Initiation Protocol (SIP) proxy server (Px) located at 204.31.1.11 listening on UDP port 5060. A SIP client (C1) located at 192.159.1.11 behind a non-NAT
firewall sends a UDP signal from the randomly assigned ephemeral port 12345 to the Px port located at 5060.
The client has the option to choose a port to listen to for responses and future requests. If, in the SIP signaling
packet, the client declares a Via: information and Contact: information of 192.159.1.11:12345 (the same as its actual
address and port), there will be no problems for firewalls configured to behave according to Modes 1 through 4 as
previously mentioned. However, this general rule may be subject to the problems described below.
Client-Side Signaling Asymmetry
Client-side signaling asymmetry occurs when a client declares a different contact port in the Via.
In this scenario, if a client declares a Via: port that is different from the source port used to send out the initial outbound signal (most likely a REGISTER), then firewalls that are configured to be more restrictive than Mode 3 will not allow such response packets to reach the client at the declared port.
For example, if a client (C1) located at 192.159.1.11:12345 sends a REGISTER to the SIP proxy at 204.31.1.11:5060
with a declared Via: 192.159.1.11:5060, then the expectation is for the server to send the response to a port other
than the initial ephemeral port. Figure 1 displays a schematic of a successful client-side signaling asymmetry.
Copyright © 2007 Ditech Networks
Figure 1: : Client-Side Signaling Asymmetry (Successful)
/20
Practical Far-End NAT Traversal for VoIP
If the server responds back to port 5060, it will not pass through the firewall. Figure 2 displays a schematic of an
unsuccessful client-side signaling asymmetry.
Figure 2 : : Client-Side Signaling Asymmetry (Unsuccessful)
Server-Side Signaling Asymmetry
There are several ways a SIP proxy server (Px) can send responses back to the client (C1). Let’s revisit the initial outbound signal from the above example. The client located at IP address 192.159.1.11 and port 12345 now declares in the Via: 192.159.1.11:12345 to the SIP proxy located at 204.3.1.11:5060.
The external server may respond in the following ways:
• Respond using a different IP address: allowed only by Mode 1.
192.159.1.11:12345 <- 204.31.1.12:5060
• Respond using a different source port: allowed only by Modes 1 and 2
192.159.1.11:12345 <- 204.31.1.11:54321
• Respond symmetrically: allowed by Mode 4 and other more lenient modes
192.159.1.11:12345 <- 204.31.1.11:5060
A port-restricted or symmetric firewall (Mode 4) further mandates that Px must signal C1 using a source port of 5060.
Some firewalls feature configurable switches called port triggering or established udp, which allow an administrator
to open multiple pinholes on firewalls as a workaround to the above signaling asymmetry. However, such options are
not practical, as the user who has the phone behind the firewall may not have administrative control over the firewall. Therefore, to assure successful traversal across firewalls that support dynamic UDP admission, it is recommended
that both the inside and outside entities use the same port to send and receive a certain type of traffic.
Outbound Calls and 2-Way Media
A typical outbound SIP call involves a caller signaling a proxy with an INVITE. The proxy then relays the INVITE to the
callee. The Session Description Protocol (SDP) information within the INVITE message tells the callee where to send
the media. When the call is accepted, the callee sends a 200 OK message with SDP information that tells the caller
where to send the media.
Copyright © 2007 Ditech Networks
/20
Practical Far-End NAT Traversal for VoIP
If the outbound caller does not send the first media stream of the call, the caller will only be able to hear media from
the callee if he/she is behind a firewall using Modes 1 through 3. This is because a restricted cone NAT will not allow
a host (the callee) – to whom the caller has not recently sent a packet – to send any UDP inbound across the firewall.
For the call to be successful when the caller is behind a firewall using Modes 1 through 6, both the caller and callee
should send media on the same port as they declare in the SDP that they will be listening for media.
Figure 3 below displays an example of this process.
In this figure, the caller located at 192.159.1.11:16384 sends out an INVITE to the callee with SDP information
informing the callee where to send media. The callee responds by sending a 200 OK with its own SDP information,
after which a call is established between the caller’s port at 16384 and the callee’s port at 8000.
Figure 3 : : Outbound Calls and 2-Way Media
In this example, media is exchanged symmetrically between the caller and callee. This satisfies the packet admission
requirements of the more restrictive firewalls, as long as the firewalls themselves are configured to support Reflexive
UDP Admission.
If, at any time during the call, the caller behind the firewall stops sending media outbound for a sufficient amount of
time, there is no guarantee that the firewall will continue to admit incoming Real Time Protocol (RTP) media streams.
This also applies to Real Time Control Protocol (RTCP) packets. It is likely that the firewall will not admit an inbound
RTCP packet unless an outbound RTCP packet has been emitted from the caller to the callee. If sufficient time has
elapsed before the next RTCP exchange, there is a possibility that the pinhole for incoming RTCP will be closed, and
the external callee sending the RTCP packet may get a message from the firewall that the Internet Control Message
Protocol (ICMP) destination is unreachable.
REGISTER Packet and Inbound Calls
Most SIP deployments are set up in such a way that SIP phones send a REGISTER packet out to a Registrar Proxy
upon startup. The register signal, when authenticated and accepted by the Registrar Proxy, informs the caller where
the callee can be reached for future incoming requests. This coincidentally opens up a pinhole across the firewall for
incoming requests to be delivered to the client.
Copyright © 2007 Ditech Networks
/20
Practical Far-End NAT Traversal for VoIP
As discussed earlier, the firewall may close the pinhole when a period of inactivity has passed. Common measures
taken to keep the firewall pinhole open include the following:
• Configuring the SIP Proxy to send dummy keep-alive packets to the client.
• Configuring the SIP clients to send dummy keep-alive packets to the SIP proxy.
• Configuring the SIP clients to re-register with the SIP proxy approximately every 30 seconds.
Unfortunately, dummy packets may be ineffective in the NAT cases to be discussed later in this paper, and increasing
the frequency of re-registration often carries the penalty of overwhelming the proxy registration database.
Network and Port Translation Problems
Network Address Translation (NAT) adds further complications to SIP. This is because SIP signaling relies on the IP addresses and port numbers contained in the signaling message payload, and this payload can be improperly translated by NAT enabled firewalls.
Figure 4 below displays an example of NAT introduced complications. In this example the inside client (C1) sends a
SIP request packet to an outside SIP proxy (Px) via a NAT (Nx).
Note that in this paper, we limit our discussion of NAT to the most complex (and most common) situation, where the
firewall exhibits dynamic UDP admission and where no static NAT or PAT forwarding is enabled.
Figure 4 : : NAT Complications
If the SIP proxy (Px) were to follow the embedded Via in responding to the original SIP message, the packet would
have been sent to 192.168.1.100, which is unreachable on the Internet.
If the SIP proxy (Px) were to send a response according to the same UDP source address, it is likely that the response
message will reach the client.
Copyright © 2007 Ditech Networks
/20
Practical Far-End NAT Traversal for VoIP
However, here lies the conflict when the packet sent by the client is a REGISTER message. Figure 5 below displays the conflict.
Figure 5 : : REGISTER Message - Conflict
According to the SIP specification, the proxy should enter into its registrar table that client C1 is reachable at
192.168.1.100, port 5060. Obviously, this address will not be reachable. For practical reasons, it should have entered
192.159.1.11:1024 instead, as long as the client signals symmetrically (listens on port 5060). Unfortunately, by doing
this, the proxy deviates from the SIP specification.
NAT Port Contention and Port Rotation
Most NAT firewalls are deployed in Port Address Protocol (PAT) mode by default, where many internal clients share
the same global (external) IP address of the firewall.
Consider the case where two SIP clients (C1 and C2) are located in the internal network and send REGISTER messages to the same SIP proxy (Px) outside. Client C1 is at 192.168.1.100 and client C2 is at 192.168.1.101.
Figure 6 below displays a schematic of this configuration.
Figure 6 : : NAT Port Contention/Rotation
Copyright © 2007 Ditech Networks
/20
Practical Far-End NAT Traversal for VoIP
If the NAT does not translate ports by default, the first client (C1) is likely to get a source port on the global IP address that is identical to the original source port of 5060. If there is a second host on the inside using a source port
of 5060 to talk to the SIP proxy at Px, the firewall will assign it a random ephemeral port (such as 192.159.11:1024).
However, there is a phenomenon similar to musical chairs that is likely to happen. If the first translation slot for
192.168.1.100 ever expires and a packet is sent from C2 at address 192.168.1.101:5060, then C2 will likely get the
translation slot of 192.159.1.1:5060, and C1 will get a new translation slot of 192.159.1.11:1025.
So what happens to incoming calls to C1? If the SIP proxy (Px) “remembers” C1 is at 192.159.1.1:5060 based on the
initial registration, then an incoming INVITE will be sent to the wrong phone and C2 will likely start ringing, or even
reject the call because the INVITE would carry a request URI of 192.168.1.100:5060, and not 192.168.1.101:5060.
NAT and Media
Let’s examine the problem with SDP and media. Consider the case where a caller behind a firewall calls a callee
outside the firewall. In this scenario, the caller is located behind the firewall at 192.159.1.11:16384. Figure 7 below
displays a schematic of this configuration.
Figure 7 : : NAT and Media
Since the callee receives the INVITE from the proxy, the callee will not have any idea what the firewall global IP address of the caller would be, not to mention the correct port to send to. The SDP information contained inside the INVITE message simply cannot be used.
A caller behind a NAT firewall may be able to learn what its translated global IP address is ahead of time. In this
outbound case, the initial INVITE contains the correct IP address. Consider the case where the user behind a NAT
192.159.1.11 already knows ahead of time what the translated address will be, and configures the phone to send
SDP information to contain the global IP (Figure 8 on page 10).
Copyright © 2007 Ditech Networks
/20
Practical Far-End NAT Traversal for VoIP
Figure 8 : :NATandMedia-SecondExample
TheINVITErequeststhecalleetosendmediato192.159.1.11:16384,andthecallerstartslisteningonport16384for
incomingmedia.
NATfirewalls(withtheexceptionofFullConeNATs)disallowthecallee’smediapacketscominginbound.Thisisalso
anissuewithporttranslation.Forexample,whenthecallersendsmediaviaaNATtoacallee,theUDPstatecreated
intheNATmayhaveaportthatdiffersfromtheUDPportusedbythecaller.
TheSDPinformationembeddedintheoutboundINVITEhasaUDPportdeclared.Thisistheportfromwhichthe
callerwillsendmediaifitsendsandreceivesRTPmediasymmetrically.However,unlessthefirewallisguaranteed
nottoperformanyporttranslation,itisunlikelythatanincomingstreamfromthecalleetotheNATport(inour
example,portnumber16384)willbetranslatedandsentinboundtocalleeport16384.
IftheNATtypeismorerestrictivethanaFullCone,thequestionbecomeswhatthecallershouldsendacrossthe
firewalltocreatetheUDPstateentry(orpinhole)onthefirewall,suchthatincomingmediawillreachport16384.
IfthecallerknowsaheadoftimethatthecalleeisnotbehindaNAT,anditsSDPcanbetrusted,thenthecallercan
sendmediaassoonasa200OKisreceived(seeFigure 9onpage11).
Copyright © 2007 Ditech Networks
10/20
Practical Far-End NAT Traversal for VoIP
Figure 9 : : Caller Aware Callee Not Behind NAT
If the external callee were to disregard the caller’s SDP declared in the INVITE, but send media symmetrically to the
caller once it has received a media packet from the caller, then 2-way media should be established. However, we have
not seen a SIP phone in production that is capable of this.
Furthermore, in the case where both caller and callee are behind their respective firewalls, both the caller and callee
will be in limbo, waiting for each other to be the first to send media.
Common Attempts to Solve the Problems
The following section describes the common measures used to achieve CPE-less far-end NAT traversal for SIP. With
the exception of Transmission Control Protocol (TCP) signaling and UPnP, the methods described take advantage of
signaling and media symmetry on almost all newer phones, and Reflexive UDP Admission on most firewalls in their
actual deployed configuration.
Using TCP
Using TCP for signaling and configuring the proxy (where possible) to ignore mismatching Via and Contact headers
caused by NATs to a certain extent can work. However, to ensure that inbound calls can reach clients behind firewalls,
persistent TCP connections must be made with the proxy, which dramatically reduces scalability and creates a significant amount of network overhead. Furthermore, most NAT firewalls have TCP idle timeouts, mandating the use of keep-alive packets across the TCP connection. Note that TCP only addresses signaling, because RTP and RTCP
are still transmitted in UDP.
UPnP
Universal Plug and Play (UPnP) clients try to signal the NAT firewall to pre-allocate numerous UDP ports to allow both
incoming signal and media. In practice, there is often confusion in the allocation of these ports when more than one
client tries to open the same range of UDP ports. Since a large percentage of firewalls are not configured to have
UPnP enabled, one cannot rely on UPnP to work, especially when users may not know whether the firewall they are behind is actually UPnP compatible.
Copyright © 2007 Ditech Networks
11/20
Practical Far-End NAT Traversal for VoIP
STUN
Some IP phone vendors are implementing Simple Traversal of UDP through NAT (STUN), which is in IETF Draft stage
(RFC 3489). STUN is a protocol that lets the phone query an external server to validate its external IP address/port.
Unfortunately, STUN does not work in the common corporate firewall example of a symmetric NAT.
In this example below (see Figure 10), the caller sends a single STUN query to get its RTP port (abridged for the sake of simplicity), which is translated from 16384 to 1024.
Figure 10 : : STUN Port Translation
When making an outbound call, the caller (C1) sends an INVITE to (C2) using the IP address and port information it
received from the STUN queries (Figure 11).
Figure 11 : : STUN Port Usage
However, when the time comes for the caller to send media to the callee, the NAT assigns a new port allocation. This
may be due to the fact that the firewall chooses a different binding for a different host (STUN server vs. callee), or it is
a different binding due to a different destination port (3478 vs. 8000 in this example).
Copyright © 2007 Ditech Networks
12/20
Practical Far-End NAT Traversal for VoIP
Figure 12 below, displays a schematic of this example. When the callee tries to send media to port 1024 on the
firewall based on the SDP information, it gets blocked.
Figure 12 : : Blocked Media
Furthermore, there is no telling whether the external host will send media symmetrically. Many media servers for
voicemail, IVR, and conference do not send and receive media on the same port. This creates a media asymmetry for which even Port-restricted Cone firewalls will not work.
Newer phones often execute a STUN “test” to notify the user what type of NAT firewall the phone is behind. However, since NAT bindings can change or expire without warning, a STUN-enabled phone behind a NAT firewall
should regularly reconfirm its global address and ports with the STUN servers, and preferably right before it sends a
request signal. Unfortunately, this carries the penalty of adding load to the network.
In rare cases, a Restricted Cone NAT may exhibit the behavior of a Symmetric NAT. These symptoms are observable
when a phone frequently re-registers from different global source ports. This may be due to the inadvertent clearing
of the “translation table” for configuration changes that mandate the restarting of the firewall, crashes, or simply a
failure to follow the translation timeouts based on inactivity.
In general, STUN can work well, but only when the following configuration exists:
• The STUN client is behind a NAT that is less restrictive than a Port-restricted Cone, and
• The signaling proxy signals symmetrically, and
• The endpoint, if located on the external network, emits/receives RTP symmetrically, or the other endpoint is a STUN client.
TURN
A significant supplement to STUN that utilizes an externally-hosted Media Proxy to deal with symmetric NATs is Traversal Using Relay NAT (TURN). The goal of TURN is to enable calls to pass through symmetric NATs.
Copyright © 2007 Ditech Networks
13/20
Practical Far-End NAT Traversal for VoIP
Endpoints could be equipped with the intelligence to negotiate with the TURN server to allocate and send media to a globally-routable media relay. Instead of sending media based on SDP information, it relays media for each call
symmetrically, using the same source port on which it listens for incoming media.
A major criticism of this approach is the amount of bandwidth wastage and latency induced by routing all media to
a central rendezvous location, and subsequently, to the other party. Calls between two neighboring endpoints often
find their media routed out the firewall and back unnecessarily.
Signaling/Media Proxy Combination
TURN requires intelligence built into the endpoints to signal a TURN server. An alternative approach is to have an
external Media Proxy that operates in conjunction with a Registrar/Signaling Proxy that modifies SDP as call signals
pass through.
This approach does not require endpoints to have the intelligence to perform any global address discovery or pre-call
signaling with a TURN server. As long as the endpoints send and receive media symmetrically and the NATs involved
support reflexive UDP admission, there should be no trouble getting calls through.
However, this approach suffers the same drawback as the STUN/TURN combination in terms of bandwidth efficiency
and scalability, and the SIP proxy often performs unnecessary re-routing of media between clients that are not behind
firewalls or NATs.
ICE
Interactive Connectivity Establishment (ICE) is a method that tries to build intelligence into endpoints so that they can perform route discovery, path optimization, and even verify media flow before a call is deemed to be established.
Prior to sending an INVITE, the caller performs a sequence of steps to characterize the firewall that it is behind:
• Obtains addresses of all usable interfaces (local, VPN)
• Checks the results from STUN
• If needed, negotiates a port with the TURN server
Afterwards, the caller sends a list of available IP addresses/ports in the INVITE to the proxy.
As soon as the callee gets the INVITE, it follows a similar set of steps as did the caller. Next, it attempts to send STUN
queries to the caller to see if it is possible to directly send media to any of the IP addresses it presented in the INVITE.
Finally, the callee picks the address of highest preference in the INVITE to which the callee can confidently send media.
This approach is compatible with most known firewalls that support UDP. In addition to working with all types of
NATs that support reflexive UDP admission, it also works with the very restrictive firewalls that are deliberately configured to only allow internal hosts to converse using UDP with one or two hosts on the outside. However, for ICE to work properly, both caller and callee must support ICE, and there should readily be a STUN and TURN server
available. For this reason, it should be deployed only in a homogeneous, controlled environment. Furthermore, it is likely that the call setup will be delayed because of the steps involved in media path discovery by both the caller
and callee.
Finally, with the end points advertising their own internal IP addresses, ICE may not meet the topology hiding requirements of security-focused environments.
Copyright © 2007 Ditech Networks
14/20
Practical Far-End NAT Traversal for VoIP
Using an External B2BUA/MP
The approaches discussed thus far in this paper can only solve selected problems some of the time. Furthermore, they often require additional intelligence on the endpoints, which may not always be available.
Fortunately, an approach has been discovered that works in virtually all situations that does not require any additional
customer-premise equipment, software, or firewall configuration. The result of applying this approach is that VoIP
signaling and media streams can be made to traverse an arbitrary number of (possibly nested) NAT, PAT, and firewall
devices, using any standards-compliant endpoint. This approach has the added benefit that in almost all cases, no additional media workload or latency is introduced, since the media still travel directly from caller to callee, and vice versa.
This approach involves the use of a Session Border Controller (SBC) that contains a SIP Back-to-Back User Agent with
an embedded Media Proxy (B2BUA/MP). The B2BUA/MP is located in the service provider’s network, from where it
can see and reach the global IP addresses and port numbers of all call participants. The endpoints in a call are set
up to either register through the B2BUA/MP, or to use it as their outbound proxy (as per IETF RFC 3261). The job
of the B2BUA/MP is to accept call signaling and media streams from endpoints located behind NAT devices, and to
“sanitize” those streams so that they can be sent further out onto the global Internet. It is not necessary for both
endpoints to be behind the same B2BUA/MP. Indeed, one endpoint can be behind one and the other endpoint
behind another, or one endpoint can be behind one while the other uses some other means to deal with its own NAT
problems. One of the major advantages of this approach is that it does not require any special device or configuration
to be present at both ends of a call.
The following example (Figure 13 below) shows how a B2BUA, configured as the outbound proxy of the client, can
function as a far-end NAT traversal device.
Figure 13 : : B2BUA as a NAT Traversal Device
The registrar proxy now has the user location information of C1 at the B2BUA. When properly implemented, the
B2BUA does not have to keep a statically provisioned database of users, nor does the proxy need to be statically
configured with user locations pointing at the B2BUA.
Copyright © 2007 Ditech Networks
15/20
Practical Far-End NAT Traversal for VoIP
To ensure that user C1 is always reachable in case of inbound calls, the B2BUA uses various types of SIP signals to
encourage the client C1 to regularly send SIP traffic to the B2BUA. This flow of SIP signals at regular intervals helps
maintain the pinhole at the firewall. In case of an unexpected pinhole closure or change in UDP state brought about by firewall anomalies, this “heartbeat” traffic serves to inform the B2BUA of the client’s new global location.
To prevent the proxy from being overwhelmed by this heartbeat traffic, the signals are not passed to the proxy unnecessarily. As an additional measure to deal with clients that do not obey the request by the B2BUA to send outbound messages, the B2BUA initiates SIP messages to clients periodically to verify their respective locations. When properly implemented, all the signals mentioned above should be generic SIP signals that should not cause any problems to any SIP endpoints.
The B2BUA always uses the same port to communicate with the client, which makes it compatible with symmetric
NATs. Unlike UPnP, where the client opens multiple ports across the firewall for multiple external hosts, there is no
requirement for the client to open additional pinholes across the firewall.
When a call is initiated, the B2BUA modifies the signals, informing both the caller and callee to send their media to pre-allocated ports on a Media Proxy, often configured to run on the same machine as the B2BUA. At regular
intervals, the B2BUA uses standards-compliant SIP signals to verify that both caller and callee are still on the call.
In the most challenging scenario, both caller and callee are each behind their own symmetric NATs. Since the Media
Proxy is engaged at the start of the call, both parties receive media from each other, provided that each side has sent
at least one RTP packet. If no further action is taken to optimize the call, the behavior of the B2BUA is similar to the
Signaling/Media Proxy combination mentioned earlier in this document, having the same drawbacks of media latency
and bandwidth wastage.
Unless one party on the call is behind a symmetric NAT with frequent port translation changes, it is possible to re-direct the media during the middle of a call, where the caller sends the media to the correct port on the firewall
that hides the callee, and vice versa. It is also possible for the B2BUA to use standards-compliant SIP signals to characterize the type of NAT firewall in front of each party on the call. This is done by inspecting the characteristics
of the media flow after each of those NAT-characterized signals has been sent. This technique is called Media Path
Optimization (MPO). Figure 14 on page 17 displays a schematic of the process for the B2BUA/MP.
Copyright © 2007 Ditech Networks
16/20
Practical Far-End NAT Traversal for VoIP
Figure 14 : : B2BUA/MP Process
Figure 14 displays the following steps in the B2BUA/MP process:
1. Assuming callee C2 has registered, caller C1 sends an INVITE.
2. The SIP proxy server (Px) locates C2 at the B2BUA.
3. The B2BUA sends an INVITE to C2’s firewall. Note that the signaling process that establishes the call has been omitted here.
4. The initial media flow has both the caller and callee sending media to the media proxy.
5. The B2BUA now starts NAT characterization of the firewalls on both sides.
6. The B2BUA sends signals to both endpoints, telling them to send the media to specific ports on the other party’s firewall.
7.The B2BUA successfully removes itself from the media path, but it still maintains control of call signaling.
The key differentiator of a port-translating symmetric NAT from other NAT types is that a different global-to-local
port-mapping is used if the same internal host sends a packet with the same source address and port, but to a different destination host or destination port. By observing the changes in media behavior with every SIP signal sent to each party on the call, the Media Proxy can determine whether a client is behind a port-translating symmetric
NAT. If either party is behind such a NAT, the Media Proxy must continue to proxy the media for the call. Fortunately,
the percentage of symmetric NATs deployed remains relatively small, especially in Small Office/Home Office (SOHO) environments. Aside from NAT characterization, SIP signals generated by the B2BUA media path optimization sequence also help to determine whether both clients on the call are tolerant of media redirection.
Copyright © 2007 Ditech Networks
17/20
Practical Far-End NAT Traversal for VoIP
Since NAT characterization is performed after the call has been set up and media is being received by both parties,
extreme care must be taken to avoid loss of media during the procedure. The Media Proxy should not disengage itself
until a certain time has elapsed after media path optimization has completed, and both clients are sending media to
the other party’s respective global address and port. If the Media Proxy ever detects an undesirable behavior on the
part of the client or firewall, SIP signals should be generated by the B2BUA to inform the clients to revert back to the
original media path.
Additionally, there are other issues to be considered when media path optimization is executed. The B2BUA cannot
simply attempt to globally optimize all calls. Some user agents do not react properly to media redirecting and will not
send media to the redirected destination.
There is also the issue of whether to have the parties who are apparently behind the same NAPT address send
media to the respective ports on the NAT global address, or whether they should send media locally to each other.
A significant percentage of NATs will not relay “hairpin media” using their global IP addresses. That is, two hosts on
the internal side of the NAT may not talk to each other by using the global IP address of the NAT. On the other hand,
redirecting the RTP flow to each party’s local address may not work well in the case where there is one party behind
a second level of cascaded NAT calling a party located in a different cascading level. Such cases mandate disabling
media path optimization for certain global addresses, or using slave media rendezvous points strategically located to minimize bandwidth wastage.
In addition to resolving the NAT traversal issues, an SBC with a B2BUA can provide other benefits that are often critical to the VoIP network, such as:
• Topology hiding
• Protecting service from DOS attacks
• Enforcing QoS policies
• Ensuring end-to-end interoperability
• Billing
• Per-session troubleshooting
• Lawful intercept
Summary
Most providers of IP telephony services believe that the experience of a user should mirror the ease of use and ubiquitous availability of the Public Switched Telephone Network (PSTN). Indeed, in many cases, the economics of
providing service require that things “simply work” so that customer support expenses are kept to a minimum. Given
the complexity of today’s NAT and firewall protected networks – both in residential and enterprise environments
– this kind of ubiquitous reliability for VoIP can only be successfully provided with some help from a NAT traversal
system. Again, driven mostly by economics, such a system must not require any special hardware or software on the
users’ premises, and must not require either the service provider or the user to have any special knowledge of the
topology of the network (or how its NAT and firewall components are to be configured). The goal of a NAT traversal
system for real-world deployment must therefore be to solve users’ NAT and firewall problems remotely, and from the service provider’s network.
Copyright © 2007 Ditech Networks
18/20
Practical Far-End NAT Traversal for VoIP
Many solutions involving remotely-located NAT helper appliances such as STUN, TURN, ICE, and UPnP have been proposed, but each can reasonably be deployed only in a subset of situations that is too small to be of practical use for a
ubiquitous service. On the other hand, the Back-to-Back User Agent approach with its embedded Media Proxy works
in virtually all situations, and meets the goal of not requiring any special and/or complex user premise installation.
Acronyms
B2BUA/MP Back-to-Back User Agent and Media Proxy
ICE
Interactive Connectivity Establishment
ICMP
Internet Control Message Protocol
IP
Internet Protocol
NAT
Network Address Translation PAT
Port Address Translation
PSTN
Public Switched Telephone Network
RTCP
Real Time Control Protocol
RTP Real Time Protocol
SDP
Session Description Protocol
SIP Session Initiation Protocol
TCP
Transmission Control Protocol
UDP
User Datagram Protocol
VOIP
Voice over IP
About Ditech Networks
Ditech Networks is a global telecommunications equipment supplier for communications networks. Ditech Networks’
voice processing products serve the needs of mobile and wire-line operators for circuit- and packet-based networks.
Ditech products include high-capacity voice enhancement and echo canceller solutions that utilize advanced software
and digital signal processor (DSP) technology. This combination of software and hardware allows Ditech Networks to
deliver Voice Quality Assurance (VQA™) technology, a robust and cost-effective solution for voice enhancement that
includes both noise reduction and echo cancellation to provide improved sound quality on calls made over wireless
networks. Ditech Networks’ VoIP products combine VQA technology with packet voice processing and security capabilities to enable carriers to deploy end-to-end VoIP services across network security boundaries without requiring network re-architecting. Ditech (Nasdaq: DITC) is headquartered in Mountain View, California, USA.
Copyright © 2007 Ditech Networks
19/20
Practical Far-End NAT Traversal for VoIP
Corporate Headquarters
US Sales – West
Brazil Sales Office
Middle East/Africa Sales Office
Ditech Networks
825 East Middlefield Rd.
Mountain View, CA 94043
USA
1-800-234-0884 (Toll Free)
1-650-623-1300 (Direct)
1-650-564-9599 (Fax)
[email protected]
Ditech Networks
Alameda Araguaia, 933
Alphaville
Barueri, SP 06455-000
Brazil
+55 (11) 4208-6266 (Main)
+55 (21) 3521-5543 (Sales)
[email protected]
[email protected]
Ditech Networks
21 El-Fawakeh St., 3rd Floor
Dokki, Giza 12311
Egypt
+20 2 336-5100 (Phone)
+20 2 761-8964 (Fax)
[email protected]
US Sales Office – East and Central
Ditech Networks
8360 Greensboro Dr.
McLean, VA 22102
USA
1-800-234-0884 (Toll Free)
1-650-623-1300 (Direct)
1-650-564-9599 (Fax)
[email protected]
China Sales Office
Ditech Networks
Unit 3010, No. 500
Xiangyang South Road
Xuhui District
Shanghai 200031
PRC
+86 (21) 5456 0305 (Phone)
[email protected]
Spain Sales Office
Ditech Networks
Torres Quevedo, 1 – (P.T.M.)
28760 Tres Cantos – Madrid
Spain
+34 (91) 803 74 44 (Main)
+34 (91) 829 26 90 (Sales)
[email protected]
[email protected]
Canada Sales Office
Ditech Networks
2275 Lakeshore Blvd West, Suite 500
Toronto, ON M8V 3Y3
Canada
1-416-255-7776 (Phone)
[email protected]
Mexico Sales Office
Ditech Networks
Torcuato Tasso 245-6o. Piso
Col. Polanco
México, D.F. C.P. 11570
México
+52 (55) 5254-5422 (Main)
+52 (55) 5350-8679 (Sales)
[email protected]
South-East Asia Sales Office
Ditech Networks
Lippo Plaza 3rd Floor
Jl. Jend. Sudirman Kav. 25
Jakarta 12920
Indonesia
+62 (21) 5291 3780 (Phone)
+62 (21) 522 1977 (Fax)
[email protected]
South Asia Sales Office
Ditech Networks
No. 8/11, Sarvapriya Vihar
New Delhi – 110016
India
+91 9810372555 (Phone)
[email protected]
Copyright © 2007 Ditech Networks. All rights reserved. VQA is a trademark of Ditech Networks. All other brands are the property of their respective owners.
Specifications may change without notice. This document was last revised 02/07.
20/20
Related documents
Network Address Translation (NAT)
Network Address Translation (NAT)
Nona*s Homemade * Marketing Project * C Block Marketing Class
Nona*s Homemade * Marketing Project * C Block Marketing Class
Network Address Translation (NAT)
Network Address Translation (NAT)
Interpreters and Compilers
Interpreters and Compilers
percussion WHAT IS INVOLVED IN NAT 5 MUSIC?
percussion WHAT IS INVOLVED IN NAT 5 MUSIC?
Review Questions
Review Questions
Network Address Translation
Network Address Translation
Firewall Configuration
Firewall Configuration