7/26/2019 SipNATLecture.pdf
1/34
Multimedia Communication in the Internet
SIP and NAT Traversal
Sven Ehlert
Next Generation Network Infrastructures
Fraunhofer FOKUS

Recap: SIP Message

Response
SIP/2.0 200 OK
Via: SIP/2.0/UDP here.com:5060
From: BigGuy <sip:UserA@here.com>
To: LittleGuy <sip:UserB@there.com>;tag=65a35
Call-ID: 12345601@here.com
CSeq: 1 INVITE
Subject: Happy Christmas
Contact: LittleGuy <sip:UserB@there.com>
Content-Type: application/sdp
Content-Length: 134

Request
v=0
o=UserA 2

NAT Introduction
NAT = Network Address Translation
  Share one IP address among many hosts
  NAT solution to map between private and public addresses
  Mid-Term solution until IPv6
Benefits
  Allows multiple hosts operating with one single address
  Conceal internal structure of intranet
Scenarios
  Corporate use with insufficient available IP addresses
  Corporate use to hide network structure (Security)
  Private use, DSL line sharing

NAT Details
[Diagram]

NAT Classification
RFC 2663: IP NAT Terminology and Considerations
  Full Cone
  Restricted Cone
  Port Restricted Cone
  Symmetric NAT
Generally dynamic mappings for a short time
[Diagram labels: User Client, Contact Target, Contact Source]

Full Cone NAT
Mappings well established
Connection from public Internet possible if mapping known

Restricted NAT
Mappings established on client request
Connection from public Internet possible only after client request

Restricted NAT
Mappings established through client connection
Connection from public Internet only possible after client request
Port Restricted NAT
  applies also to different ports on same host!

Symmetric NAT
Mappings depend on target IP
Every new target establishes a new mapping
Connection from public Internet possible only after client request
High security setting

NAT Summary
NAT: Multiplex multiple private addresses to one public address
Four different types
  Full Cone             Dest. Independent   Incoming traffic always possible
  Restricted Cone       Dest. Independent   Incoming traffic after outgoing
  Port Restricted Cone  Dest. Independent   Incoming traffic after outgoing
  Symmetric             Dest. Dependent     Incoming traffic after outgoing
Mapping generally available only for a short time
  Use NAT keep alive pings

SIP Traffic Flow
[Diagram labels: End Users, Call Server, End Users, IP Router, Signaling Protocol, Media Transport]
Signaling and Media traffic might pass different hosts

SIP Through NAT
[Diagram: UA1, NAT, Proxy, UA2]

SIP NAT Solutions
Messages have to be altered to reflect present address
Responsibility of NAT or UA?
NAT: Application Layer Gateway
  Needs access to the NAT / firewall
  Needs special configuration
  No possibility to alter encrypted traffic, e.g. TLS
  Cascading NATs?
UA
  Needs enhanced UAs
  Needs means to detect real IP
  Query NAT, e.g. UPnP
    Protocol security flaws
  Query external Server, e.g. STUN
    Can recognize cascading NAT

NAT ALG
[Diagram: UA1, NAT ALG, Proxy]

STUN
Simple Traversal of UDP Through NATs, RFC 3489

SIP with STUN
[Diagram: UA1, NAT, Proxy]

STUN NAT Detection
Client can detect the type of NAT it is placed behind
4 simple STUN tests
[Diagram: Client, Unknown NAT, Primary STUN (Port x, Port y), Secondary STUN (Port x, Port y)]

STUN Test 1
No return: UDP blocked. Stop
Return: Check returned IP address / port
  Returned address / port match local address / port: no NAT deployed

STUN Test 2
Address / port matched from test 1 (no NAT)
  No return: symmetric UDP firewall
  Return: unrestricted access
Address / port did not match from test 1 (NAT deployed)
  Return: Full Cone NAT, otherwise new test

STUN Test 3
Returned address / port differ from test 1: Symmetric NAT. Stop
Returned address / port same as test 1: (Port) Restricted NAT

STUN Test 4
No return: Port Restricted NAT
Return: Restricted NAT
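
The four STUN tests run against a toy NAT model, as an added example that is not part of the original lecture. What each test sends follows the RFC 3489 discovery flow the slides refer to; the Nat class, its kind names and all addresses are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed addresses: two STUN servers (ports x and y) and a private client.
PRIMARY, SECONDARY = ("198.51.100.1", 3478), ("198.51.100.2", 3479)
LOCAL = ("192.168.0.10", 5060)

@dataclass
class Nat:
    """Toy model of the NAT types on the slides, plus 'open' and 'firewall'."""
    kind: str
    public_ip: str = "203.0.113.7"
    maps: dict = field(default_factory=dict)  # mapping key -> public port
    sent: set = field(default_factory=set)    # destinations contacted so far

    def probe(self, src, dst, reply_from):
        """Send from src to dst; the server answers from reply_from.
        Returns the address the server saw, or None if the reply is filtered."""
        key = (src, dst) if self.kind == "symmetric" else src
        port = self.maps.setdefault(key, 40000 + len(self.maps))
        self.sent.add(dst)
        if self.kind in ("open", "full"):
            passed = True  # any host may reply
        elif self.kind == "restricted":
            passed = reply_from[0] in {ip for ip, _ in self.sent}  # IP must match
        else:
            passed = reply_from in self.sent  # IP and port must match
        if not passed:
            return None
        return src if self.kind in ("open", "firewall") else (self.public_ip, port)

def classify(local, probe):
    """Decision tree of STUN tests 1-4 as listed on the slides."""
    t1 = probe(local, PRIMARY, PRIMARY)  # Test 1: plain request to primary
    if t1 is None:
        return "UDP blocked"
    t2 = probe(local, PRIMARY, SECONDARY)  # Test 2: reply from other IP and port
    if t1 == local:  # no NAT deployed
        return "unrestricted access" if t2 else "symmetric UDP firewall"
    if t2:
        return "full cone NAT"
    t3 = probe(local, SECONDARY, SECONDARY)  # Test 3: plain request to secondary
    if t3 != t1:
        return "symmetric NAT"
    t4 = probe(local, PRIMARY, (PRIMARY[0], SECONDARY[1]))  # Test 4: same IP, other port
    return "restricted NAT" if t4 else "port restricted NAT"

def run(kind):
    return classify(LOCAL, Nat(kind).probe)
```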

NAT and RTP
Different types of NAT need to send traffic before they can receive traffic
  (Port) Restricted NAT, symmetric NAT
  NATed client has to initiate RTP stream
  Symmetric NAT client cannot detect its public address with a NAT probe
Connection Oriented Media for Symmetric NAT
  Target has to wait until initiator starts RTP stream
  Return RTP to the same address / port
  Needs client support (modified SDP fields)
RTP Proxy / Relay for double symmetric NAT
  Intermediate RTP connection between two UAs
  Located in public Internet

RTP Relay
Deltathree
1) UA sends INVITE to proxy
2) Proxy contacts Relay to set up RTP session
3) Relay assigns Port and forwards it to proxy
4) Proxy modifies SDP and forwards this to destination
5) OK from destination with its own SDP
6) Proxy delivers SDP information to relay (or instructs to set up a new session if destination is also behind symmetric NAT)
7) Relay informs proxy of new port
9) RTP traffic to RTP relay
10) Relay notes first incoming packet for further use
11) Destination sends RTP
12) RTP traffic is sent to address captured in 10)
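
Steps 3-4 and 9-12 of the relay flow as an added sketch, not code from the lecture or from Deltathree. It shows why the relay uses the source of the first packet rather than the address in the SDP; the Relay class, patch_sdp and every address and port are hypothetical, and the SDP offer is constructed.

```python
# Constructed SDP offer from a UA behind NAT; every address here is made up.
OFFER = "\r\n".join(["v=0", "o=UserA 1 1 IN IP4 192.168.0.10", "s=-",
                     "c=IN IP4 192.168.0.10", "t=0 0", "m=audio 49170 RTP/AVP 0", ""])

class Relay:
    """Hypothetical relay: two ports per session, one facing each UA."""
    def __init__(self, ip, first_port=30000):
        self.ip, self.next_port = ip, first_port
        self.peer = {}    # relay port -> other relay port of the same session
        self.target = {}  # relay port -> address of the UA behind that port

    def allocate(self, pair_with=None):
        """Steps 3 and 7: assign a port, optionally paired with an earlier one."""
        port, self.next_port = self.next_port, self.next_port + 2
        if pair_with is not None:
            self.peer[port], self.peer[pair_with] = pair_with, port
        return port

    def packet_in(self, port, src):
        """Steps 9-12: note the first sender on a port, return where to forward."""
        self.target.setdefault(port, src)  # later senders do not replace it
        return self.target.get(self.peer[port])

def patch_sdp(sdp, relay_ip, relay_ports):
    """Step 4: point c= lines at the relay, give each m= line a relay port.
    The o= line is left as it is."""
    ports, out = iter(relay_ports), []
    for line in sdp.split("\r\n"):
        if line.startswith("c="):
            nettype, addrtype, _private = line[2:].split(" ", 2)
            line = f"c={nettype} {addrtype} {relay_ip}"
        elif line.startswith("m="):
            media, _port, rest = line[2:].split(" ", 2)
            line = f"m={media} {next(ports)} {rest}"
        out.append(line)
    return "\r\n".join(out)

def demo():
    relay = Relay("198.51.100.20")
    p_dest = relay.allocate()                                 # step 3
    patched = patch_sdp(OFFER, relay.ip, [p_dest])            # step 4
    relay.target[p_dest] = ("198.51.100.50", 6000)            # step 6: from destination SDP
    p_caller = relay.allocate(pair_with=p_dest)               # step 7
    out = relay.packet_in(p_caller, ("203.0.113.7", 40001))   # steps 9-10
    relay.packet_in(p_caller, ("203.0.113.99", 5004))         # not first: not latched
    back = relay.packet_in(p_dest, ("198.51.100.50", 6000))   # steps 11-12
    return patched, out, back
```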

NAT Summary
SIP and NAT are not meant for each other!
NAT won't disappear in the short term
  IPv6 still not deployed yet
  Even then NAT for security
No standardized NAT established
RTP relay being standardized: Traversal Using Relay NAT (TURN)
STUN, TURN -> Interactive Connectivity Establishment (ICE)
Workaround for SIP exists but it's no perfect solution
  Signaling information has to be patched
  Media information has to be patched
  Media traffic needs to be relayed

References
P. Lchler: "SIP Architecture with NAT", Siemens, MySip.ch Technical Report, 2004
J. Rosenberg, C. Huitema, R. Mahy: "STUN - Simple Traversal of UDP through NATs", RFC 3489, IETF Work in Progress, 2006
P. Srisuresh, M. Holdrege: "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, 1999