7/26/2019 SipNATLecture.pdf

1/34

ultimedia Communication in the

ultimedia Communication in the

Internet

nternet

SIP and NAT Traversal

SIP and NAT Traversal

Sven EhlertNext Generation Network Infrastructures

Fraunhofer FOKUS

7/26/2019 SipNATLecture.pdf

2/34

Recap: SIP essa!e

ResponseSIP/2.0 200 OK

Via: SIP"#$%"U&P here$co':(%)%

From: *i!Gu+ ,sip:User-.here$co'/

To: 0ittleGu+ ,sip:User*.there$co'/1ta!2)(a3(

Call-ID: 4#35()%4.here$co'

CSeq: 4 IN6I7E

Subject: 8app+ 9hrist'as

Contact: ittle!u" #$i%:&$er'(t)ere.com*

Content-T"%e: application"sp

Content-en+t): 435

Re;uest

v2%

o2User- #

7/26/2019 SipNATLecture.pdf

3/34

N-7 Introuction

N-7 2 Network -ress 7ranslation Share one IP aress a'on! 'an+ hosts

N-7 solution to 'ap ?etween private an pu?lic aresses

i@7er' solution until IPv)

*enefits

-llows 'ultiple hosts operatin! with one sin!e aress

9onceal internal structure of intranet

Scenarios 9orporate use with insufficient availa?le IP aresses

9orporate use to hie network structure ASecurit+B

Private use &S0 line sharin!

7/26/2019 SipNATLecture.pdf

4/34

N-7 &etails

4=#$4)

7/26/2019 SipNATLecture.pdf

5/34

N-7 9lassification

RF9 #))3: IP N-7 7er'inolo!+ an 9onsierations Full 9one

Restricte 9one

Port Restricte 9one

S+''etric N-7 Generall+ +na'ic 'appin!s for a short ti'e

User 9lient

9ontact7ar!et

9ontactSource

7/26/2019 SipNATLecture.pdf

6/34

Full 9one N-7

-:4=#$4)

7/26/2019 SipNATLecture.pdf

7/34

Full 9one N-7

appin!s well esta?lishe 9onnection fro' pu?lic Internet possi?le if 'appin! known

-:4=#$4)

7/26/2019 SipNATLecture.pdf

8/34

Restricte N-7

appin!s esta?lishe on client re;uest

-:4=#$4)

7/26/2019 SipNATLecture.pdf

9/34

Restricte N-7

appin!s esta?lishe on client re;uest 9onnection fro' pu?lic Internet possi?le onl+ after client re;uest

-:4=#$4)

7/26/2019 SipNATLecture.pdf

10/34

Restricte N-7

appin!s esta?lishe throu!h client connection 9onnection fro' pu?lic Internet onl+ possi?le after client re;uest

Port Restricte N-7

applies also to ifferent ports on sa'e hostC

-:4=#$4)

7/26/2019 SipNATLecture.pdf

11/34

S+''etric N-7

appin!s epen on tar!et IP Ever+ new tar!et esta?lishes a new 'appin!

9onnection fro' pu?lic Internet possi?le onl+ after client re;uest

-:4=#$4)

7/26/2019 SipNATLecture.pdf

12/34

S+''etric N-7

appin!s epen on tar!et IP Ever+ new tar!et esta?lishes a new 'appin!

9onnection fro' pu?lic Internet possi?le onl+ after client re;uest

8i!h securit+ settin!

-:4=#$4)

7/26/2019 SipNATLecture.pdf

13/34

N-7 Su''ar+

N-7: ultiplex 'ultiple private aresses to one pu?licaress

Four ifferent t+pes

Full 9one &est$ Inepenent Inco'in! traffic alwa+s possi?le

Restricte 9one &est$ Inepenent Inco'in! traffic after out!oin!

Port Restricte 9one &est$ Inepenent Inco'in! traffic after out!oin!

S+''etric &est$ &epenent Inco'in! traffic after out!oin!

appin! !enerall+ availa?le onl+ for a short ti'e

Use N-7 keep alive pin!s

7/26/2019 SipNATLecture.pdf

14/34

SIP 7raffic Flow

End Users

Call Server

End Users

IP Router

Signaling Protocol

Media Transport

Si!nalin! an eia traffic 'i!ht pass ifferent hosts

7/26/2019 SipNATLecture.pdf

15/34

SIP 7hrou!h N-7

U-4 N-7 Prox+ U-#

4=#$4)

7/26/2019 SipNATLecture.pdf

16/34

SIP 7hrou!h N-7

U-4 N-7 Prox+

4=#$4)

7/26/2019 SipNATLecture.pdf

17/34

SIP 7hrou!h N-7

U-4 N-7 Prox+

4=#$4)

7/26/2019 SipNATLecture.pdf

18/34

SIP 7hrou!h N-7

U-4 N-7 Prox+

4=#$4)

7/26/2019 SipNATLecture.pdf

19/34

7/26/2019 SipNATLecture.pdf

20/34

SIP N-7 Solutions

essa!es have to ?e altere to reflect present aress Responsi?ilit+ of N-7 or U-D

N-7: -pplication 0a+er Gatewa+

Nees access to the N-7 " firewall

Nees special confi!uration No possi?ilit+ to alter encr+pte traffic e$!$ 70S

9ascain! N-7sD

U-

Nees enhance U-s

Nees 'eans to etect real IP uer+ N-7 e$!$ UPnP

Protocol securit+ flaws

uer+ external Server e$!$ S7UN

9an reco!niHe cascain! N-7

7/26/2019 SipNATLecture.pdf

21/34

N-7 -0G

U-4 N-7-0G Prox+

4=#$4)

7/26/2019 SipNATLecture.pdf

22/34

S7UN

Si'ple 7raversal of U&P 7hrou!h N-7s RF9 35

7/26/2019 SipNATLecture.pdf

23/34

SIP with S7UN

U-4 N-7 Prox+

4=#$4)

7/26/2019 SipNATLecture.pdf

24/34

S7UN N-7 &etection

9lient can etect the t+pe of N-7 it is place ?ehin 5 si'ple S7UN tests

9lientUnknown N-7

Pri'ar+ S7UNPort x

Port +Seconar+ S7UNPort xPort +

S7UN 7 t 4

7/26/2019 SipNATLecture.pdf

25/34

S7UN 7est 4

9lient can etect the t+pe of N-7 it is place ?ehin

No return: U&P ?locke$ Stop Return: 9heck returne IP aress " port

Returne aress " port 'atch local aress " port: no N-7eplo+e

9lientUnknown N-7

Pri'ar+ S7UNPort x

Port +Seconar+ S7UNPort xPort +

S7UN 7 t #

7/26/2019 SipNATLecture.pdf

26/34

S7UN 7est #

9lient can etect the t+pe of N-7 it is place ?ehin

-ress " port 'atche fro' test 4 Ano N-7B No return: s+''etric U&P firewall

Return: unrestricte access

-ress " port i not 'atch fro' test 4 AN-7 eplo+eB

Return: Full 9one N-7 otherwise new test

9lientUnknown N-7

Pri'ar+ S7UNPort x

Port +Seconar+ S7UNPort xPort +

S7UN 7 t 3

7/26/2019 SipNATLecture.pdf

27/34

S7UN 7est 3

9lient can etect the t+pe of N-7 it is place ?ehin

Returne -ress " port iffer fro' test 4 S+''etric N-7$ Stop

Returne -ress " port sa'e as test 4

APortB Restricte N-7

9lientUnknown N-7

Pri'ar+ S7UNPort x

Port +Seconar+ S7UNPort xPort +

S7UN 7 t 5

7/26/2019 SipNATLecture.pdf

28/34

S7UN 7est 5

9lient can etect the t+pe of N-7 it is place ?ehin

No return: Port Restricte N-7 Return: Restricte N-7

9lientUnknown N-7

Pri'ar+ S7UNPort x

Port +Seconar+ S7UNPort xPort +

N-7 R7P

7/26/2019 SipNATLecture.pdf

29/34

N-7 an R7P

&ifferent t+pes of N-7 nee to sen traffic ?efore the+ canreceive traffic

APortB Restricte N-7 s+''etric N-7

N-7e client has to initiate R7P strea'

S+''etric N-7 client cannot etect its pu?lic aress with aN-7 pro?e

9onnection Oriente eia for S+''etric N-7

7ar!et has to wait until initiator starts R7P strea'

Return R7P to the sa'e aress " port

Nees client support A'oifie S&P fielsB

R7P Prox+ " Rela+ for ou?le s+''etric N-7

Inter'eiate R7P connection ?etween two U-s

0ocate in pu?lic Internet

R7P Rela+

7/26/2019 SipNATLecture.pdf

30/34

R7P Rela+

&elta7hree

4B U- sens IN6I7E to prox+

#B Prox+ contacts Rela+ to setup R7P session

3B Rela+ assi!ns Port an forwars it to prox+

5B Prox+ 'oifies S&P an forwars this to estination

R7P Rela+

7/26/2019 SipNATLecture.pdf

31/34

R7P Rela+

&elta7hree

(B OK fro' estination with its own S&P

)B Prox+ elivers S&P infor'ation to rela+ Aor instructs to setupa new session if estination is also ?ehin s+''etric N-7B

>B Rela+ infor's prox+ of new port

7/26/2019 SipNATLecture.pdf

32/34

R7P Rela+

&elta7hree

=B R7P traffic to R7P rela+

4%BRela+ notes first inco'in! packet for further use

44B&estination sens R7P

4#BR7P traffic is sent to aress capture in 4%B

N-7 Su''ar+

7/26/2019 SipNATLecture.pdf

33/34

N-7 Su''ar+

SIP an N-7 are not 'eant for each otherC

N-7 wonJt isappear in the short ter'

IPv) still not eplo+e +et

Even then N-7 for securit+

No stanariHe N-7 esta?lishe R7P rela+ ?ein! stanariHe: 7raversal Usin! Rela+ N-7 A7URNB

S7UN 7URN @/ Interactive 9onnectivit+ Esta?lish'ent AI9EB

orkaroun for SIP exist ?ut itJs no perfect solution

Si!nalin! infor'ation has to ?e patche

eia infor'ation has to ?e patche

eia traffic nees to ?e rela+e

References

7/26/2019 SipNATLecture.pdf

34/34

References

P$ Lchler: MSIP -rchitecture with N-7 Sie'ens +Sip$ch7echnical Report #%%5

$ Rosen?er! 9$ 8uite'a R$ ah+ MS7UN Si'ple7raversal of U&P throu!h N-7s RF9 35 IE7F ork in Pro!ress

#%%) P$ Srisuresh $ 8olre!e: MIP Network -ress 7ranslator

AN-7B 7er'inolo!+ an 9onsierations RF9 #))3 4===