© 2005 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Slide 1: STUN, TURN and ICE
Cary Fitzgerald
Slide 2: Simple Traversal of UDP Through NAT (STUN)
• RFC 3489 (since obsoleted by RFC 5389 and RFC 8489, which dropped the NAT-type classification below as unreliable)
• Works with Existing NATs, No NAT Changes Required
• Main Features
  - Allows a Client to Discover the Presence of a NAT
  - Works in Multi-NAT Environments
  - Allows a Client to Discover the Type of NAT: Symmetric, Full Cone, Restricted Cone, Port Restricted Cone
  - Allows Discovery of Binding Lifetimes
  - Allows Clients to Discover Whether They Are in the Same Address Realm
  - Stateless Servers
Slide 3: How Does it Work?
• Basic Operation
  - Client Sends a Request to a STUN Server (the server can be discovered through DNS SRV records)
  - STUN Server Copies the Source Address It Saw, i.e. the Address After NAT Rewriting, into the Response (MAPPED-ADDRESS)
• Additional Capabilities
  - Server Signs the Response (MESSAGE-INTEGRITY: an HMAC-SHA1 keyed with a shared secret that RFC 3489 hands out over TLS)
  - Server Sends the Response from a Different Socket (CHANGE-REQUEST)
  - Server Sends the Response to a Different Socket (RESPONSE-ADDRESS)
• Client Uses the Server to Perform Different Functions
  - NAT Discovery
  - Binding Discovery
  - Lifetime Discovery

Figure: the client at 10.0.1.1:6554 sends "What's my IP?" through two NATs to the STUN server; the outer NAT rewrites the source to 1.2.3.4:8877, and the server answers with 1.2.3.4:8877.
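The exchange on this slide, as an added example rather than code from the deck or from Cisco: a minimal RFC 3489 Binding exchange in Python, in which the server copies the source address it saw into MAPPED-ADDRESS and, when a shared secret is configured, protects the response with MESSAGE-INTEGRITY (the "signing" above), and the client verifies the response before trusting it. Two things are assumptions of this example: the NAT-rewritten source 1.2.3.4:8877 is passed in as a constructed value instead of being read from a real socket, and the HMAC is computed over the header and the attributes preceding MESSAGE-INTEGRITY with the header length counting that attribute, which is the later RFC 5389 clarification of what the HMAC covers.

```python
"""Minimal RFC 3489 Binding Request / Binding Response, both sides in one file.
Added example; the NAT-rewritten source address is constructed, not captured."""
import hashlib
import hmac
import os
import socket
import struct

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001       # attribute carrying the source address the server saw
MESSAGE_INTEGRITY = 0x0008    # HMAC-SHA1 keyed with the shared secret
HEADER_LEN = 20               # type(2) + length(2) + 128-bit transaction ID
MI_ATTR_LEN = 24              # 4-byte TLV header + 20-byte HMAC-SHA1


def build_message(msg_type, attrs, txid, key=None):
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attrs)
    if key is None:
        return struct.pack("!HH", msg_type, len(body)) + txid + body
    # Assumption (RFC 5389 clarification): the header length counts the
    # MESSAGE-INTEGRITY attribute to be appended, and the HMAC covers the
    # header plus every attribute that precedes it.
    header = struct.pack("!HH", msg_type, len(body) + MI_ATTR_LEN) + txid
    mac = hmac.new(key, header + body, hashlib.sha1).digest()
    return header + body + struct.pack("!HH", MESSAGE_INTEGRITY, len(mac)) + mac


def parse_message(data, key=None):
    """Return (type, transaction id, [(attribute type, value)]). Raises ValueError
    on malformed input and, when a key is given, on a missing or bad HMAC."""
    if len(data) < HEADER_LEN:
        raise ValueError("short message")
    msg_type, length = struct.unpack("!HH", data[:4])
    txid = data[4:HEADER_LEN]
    if length != len(data) - HEADER_LEN:
        raise ValueError("length field does not match datagram")
    attrs, off, verified = [], HEADER_LEN, False
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        t, ln = struct.unpack("!HH", data[off:off + 4])
        v = data[off + 4:off + 4 + ln]
        if len(v) != ln:
            raise ValueError("truncated attribute value")
        if t == MESSAGE_INTEGRITY and key is not None:
            expected = hmac.new(key, data[:off], hashlib.sha1).digest()
            if not hmac.compare_digest(expected, v):
                raise ValueError("MESSAGE-INTEGRITY check failed")
            verified = True
        attrs.append((t, v))
        off += 4 + ln
    if key is not None and not verified:
        raise ValueError("response is not integrity protected")
    return msg_type, txid, attrs


def encode_address(ip, port):
    # MAPPED-ADDRESS value: pad byte, family (0x01 = IPv4), 16-bit port, 32-bit address
    return struct.pack("!BBH", 0, 0x01, port) + socket.inet_aton(ip)


def decode_address(value):
    _, family, port = struct.unpack("!BBH", value[:4])
    if family != 0x01 or len(value) != 8:
        raise ValueError("only IPv4 MAPPED-ADDRESS handled here")
    return socket.inet_ntoa(value[4:8]), port


def server_handle(request, seen_ip, seen_port, key=None):
    """What the stateless server does: echo the datagram's source address back."""
    msg_type, txid, _ = parse_message(request)
    if msg_type != BINDING_REQUEST:
        raise ValueError("not a Binding Request")
    mapped = encode_address(seen_ip, seen_port)
    return build_message(BINDING_RESPONSE, [(MAPPED_ADDRESS, mapped)], txid, key)


def binding_exchange(seen_ip, seen_port, key=None):
    """Client side. seen_ip/seen_port stand in for the source the NAT rewrote the
    request to by the time it reached the server (constructed, no real socket)."""
    txid = os.urandom(16)
    request = build_message(BINDING_REQUEST, [], txid)
    response = server_handle(request, seen_ip, seen_port, key)
    msg_type, rtxid, attrs = parse_message(response, key)
    # A response whose transaction ID was never issued is dropped, not trusted.
    if msg_type != BINDING_RESPONSE or rtxid != txid:
        raise ValueError("response does not match an outstanding request")
    return decode_address(dict(attrs)[MAPPED_ADDRESS])
```

Two checks carry the security weight: the client discards any response whose transaction ID it did not issue, so an off-path attacker cannot blindly inject a bogus MAPPED-ADDRESS, and once a key is configured a response that lacks a valid MESSAGE-INTEGRITY is rejected instead of being silently accepted.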
Slide 4: Binding Acquisition
• Client Sends a STUN Request to the Server
  - The STUN Server Can Be ANYWHERE on the Public Internet
• STUN Server Responds
• Client Knows the Public IP and Port for That Socket
• Client Sends the INVITE Using That Address to Receive Media
• Call Flow Proceeds Normally
  - No Special Proxy Functions
• Media Flows End-To-End

Figure: STUN Request, STUN Response (the client learns 1.2.3.4:8866), INVITE advertising 1.2.3.4:8866, 200 OK, ACK, then RTP sent directly to 1.2.3.4:8866.
Slide 5: NAT Type Determination
Flow chart (RFC 3489 section 10.1). Test I is a plain Binding Request; Test II asks the server to answer from a different IP address and port; Test III asks it to answer from the same IP address but a different port.
• Test I to the server's primary address
  - No response: UDP Blocked
  - Response, and MAPPED-ADDRESS equals the local address (no NAT): Test II
    - Response: Open Internet
    - No response: Symmetric UDP Firewall
  - Response, and MAPPED-ADDRESS differs from the local address (behind a NAT): Test II
    - Response: Full Cone
    - No response: Test I again, to the server's alternate address
      - MAPPED-ADDRESS differs from the first one: Symmetric NAT
      - Same MAPPED-ADDRESS: Test III
        - Response: Restricted Cone
        - No response: Port Restricted Cone
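The flow above written out as a decision procedure, added here as an example and not taken from the deck or from any STUN implementation: classify_nat() drives Tests I, II and III through a probe callback, and simulated_nat() fakes each NAT behaviour so the procedure can be exercised offline. The server addresses, the external address, the NAT kind names and the filtering rules of the simulation are all constructed for this example. RFC 5389 dropped this classification because real NATs do not fall cleanly into these four types, so treat the result as a hint about the path, not a guarantee.

```python
"""RFC 3489 section 10.1 NAT discovery as a decision procedure, exercised
against simulated NATs. Added example; addresses and NAT models are constructed."""

PRIMARY = ("203.0.113.10", 3478)    # server address the client is configured with
ALTERNATE = ("203.0.113.11", 3479)  # the server's CHANGED-ADDRESS (other IP and port)
LOCAL = ("10.0.1.1", 6554)          # the client's own socket
KINDS = ["blocked", "open", "firewall", "full_cone",
         "restricted_cone", "port_restricted_cone", "symmetric"]


def classify_nat(local_addr, probe):
    """probe(dest, change_ip, change_port) sends a Binding Request to dest, with the
    CHANGE-REQUEST flags given, and returns the MAPPED-ADDRESS or None on timeout."""
    # Test I: plain request to the primary address
    mapped = probe(PRIMARY, False, False)
    if mapped is None:
        return "UDP blocked"
    if mapped == local_addr:
        # No NAT in the path; Test II separates open Internet from a UDP firewall
        return "Open Internet" if probe(PRIMARY, True, True) else "Symmetric UDP firewall"
    # Behind a NAT. Test II: does a packet from an unknown IP and port get through?
    if probe(PRIMARY, True, True):
        return "Full cone"
    # Test I to the alternate address: does the mapping depend on the destination?
    if probe(ALTERNATE, False, False) != mapped:
        return "Symmetric"
    # Test III: same IP, different port
    return "Restricted cone" if probe(PRIMARY, False, True) else "Port restricted cone"


def simulated_nat(kind, local_addr, external_ip="198.51.100.7"):
    """Return a probe() that behaves like a NAT (or no NAT) of the given kind.
    The models are simplifications constructed for this example."""
    sent_to = set()       # destinations this socket has sent to (filter state)
    mappings = {}         # per-destination external address (symmetric NAT)
    next_port = [40000]

    def probe(dest, change_ip, change_port):
        if kind == "blocked":
            return None
        sent_to.add(dest)
        # Where the response really comes from once CHANGE-REQUEST is honoured
        src = (ALTERNATE[0] if change_ip else dest[0],
               ALTERNATE[1] if change_port else dest[1])
        # Mapping behaviour
        if kind in ("open", "firewall"):
            mapped = local_addr                       # no address translation
        elif kind == "symmetric":
            if dest not in mappings:
                mappings[dest] = (external_ip, next_port[0])
                next_port[0] += 1
            mapped = mappings[dest]                   # new mapping per destination
        else:
            mapped = (external_ip, 40000)             # cone NATs reuse one mapping
        # Filtering behaviour: does the response reach the socket?
        if kind in ("open", "full_cone"):
            allowed = True
        elif kind == "restricted_cone":
            allowed = src[0] in {d[0] for d in sent_to}   # any port from a known IP
        else:  # firewall, port_restricted_cone, symmetric: exact IP and port
            allowed = src in sent_to
        return mapped if allowed else None

    return probe


def classify_all():
    """Run the procedure against every simulated kind."""
    return {kind: classify_nat(LOCAL, simulated_nat(kind, LOCAL)) for kind in KINDS}
```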
Slide 6: STUN Pros and Cons
• Benefits
  - No Changes Required in the NAT
  - No Changes Required in the Proxy
  - Works Through Most Residential NATs
  - Works Through NAT Tandems, Where MIDCOM Can't Work
  - End-to-End Media Flows: Low Latency, Higher QoS
  - Robust STUN Servers (stateless)
  - Works for Many Applications: VoIP, Games, File Sharing
• Drawbacks
  - Doesn't Allow VoIP to Work Through Symmetric NAT, Which Is Typical in Large Enterprises
  - RTCP May Not Work (the NAT need not map RTCP to the RTP port plus one, so the RTCP binding has to be discovered separately)
  - Need to Keep Media Flowing to Keep Bindings Alive
  - May Not Work if Both Sides Are Behind the Same NAT (the NAT may not hairpin traffic sent to its own external address)
Slide 7: TURN Overview
• STUN Doesn't Work
  - Through Symmetric NAT
  - Sometimes When Both Clients Are Behind the Same NAT
• TURN Addresses These Cases
• Works Similarly to STUN
  - Client Sends an IP/Port Request to the TURN Server
  - TURN Server Provides an Address That Is One of Its Own Local Interfaces (a relayed address)
  - TURN Server Receives Media on That IP/Port
  - Forwards It to the IP/Port the TURN Request Came From
  - The Media Is Then Routed Back to the Client Through the NAT

Figure: the client at 10.0.1.1:6554 asks "Give me IP" through two NATs; the outer NAT rewrites the source to 1.2.3.4:8877; the TURN server allocates 8.7.6.9:3884. RTP sent to 8.7.6.9:3884 is relayed as RTP to 1.2.3.4:8877 and reaches the client.
Slide 8: TURN Details
• Media Flows Through the TURN Server
  - Not the Case With STUN Servers
  - Increases Voice Latency
  - Increases the Probability of Packet Loss
• TURN Provides Primitives for Allocating and Freeing Addresses
• TURN Has More Extensive Security Requirements
  - It Allocates Resources on the Server, Which STUN Does Not, So Allocation Requests Must Be Authenticated; an Unauthenticated Relay Can Be Abused to Bounce Traffic at Third Parties
• TURN Can Also Provide TCP Connectivity
• TURN Works With All NAT Types
Slide 9: ICE Problem Statement
• There Are Many Documented Solutions for NAT Traversal for SIP
  - STUN
  - TURN
  - B2BUA with Media
  - Symmetric RTP
• All of Them Have a Sweet Spot of Operation, but None of Them Is Ideal in All Scenarios
  - Too Expensive
  - Too Complex
• Problem: Need a SINGLE Algorithm That Can Be Placed into Client Devices and Will
  - Work in All Scenarios
  - Be a Good Solution in All Scenarios
  - Not Require Configuration or Knowledge of Network Topology
Slide 10: Solution: Interactive Connectivity Establishment (ICE)
• Working Item of the mmusic Working Group in the IETF (at the time of this deck; later published as RFC 5245)
• ICE Is a Methodology for NAT Traversal
  - Makes Use of STUN, TURN, RSIP, MIDCOM
  - Primarily Resident Within the Clients
• ICE Explains How to Use the Other Protocols for NAT Traversal
• ICE Properties
  - Will Always Find a Means of Communicating if One Physically Exists
  - Always Finds the Communication Path With the Fewest Relays
  - Always Finds the Communication Path Cheapest for the Service Provider
  - Does Not Require Any Knowledge of Topology, NAT Types, or Anything Else
  - Can Guarantee That the Phone Won't Ring Unless Audio Works When You Pick Up
Slide 11: ICE Key Concepts
• A Client Has Many Addresses at Which It Can Receive Media
  - Local Interfaces
  - VPN Interfaces
  - IP Addresses Learned from STUN
  - IP Addresses Learned from TURN
• Which One(s) Will Work When Talking to a Specific Peer?
  - NO WAY TO KNOW AHEAD OF TIME
• ICE Says: Try Each of Them
  - Each Side Uses a "Connectivity Check" to See Whether It Can Reach a Specific Address Provided by the Peer
  - These Checks Are Done With a Peer-to-Peer STUN Exchange: Each Endpoint Answers STUN Requests on Its Own Media Port
• Choose the Highest Priority Address That Works
Slide 12: ICE Call Flow
Figure, common to slides 12 to 21: Caller and Callee each sit behind their own NAT, each has a TURN/STUN server and a SIP Proxy on its side, and the Caller's local media socket is X:Y.

Slide 13: Caller gets STUN and TURN addresses from its server
  - STUN: A:B (how X:Y appears outside the Caller's NAT)
  - TURN: C:D (relayed address on the TURN server)
  - Local: X:Y

Slide 14: INVITE carries the offer. The TURN relay is the default c=/m= destination, since it is the address most likely to work, and every address is listed as a candidate
  c=IN IP4 C
  m=audio D RTP/AVP 0
  a=candidate: UDP A:B
  a=candidate: UDP C:D
  a=candidate: UDP X:Y

Slide 15: Callee gets STUN and TURN addresses from its server
  - STUN: E:F
  - TURN: G:H
  - Local: U:V

Slide 16: 200 OK carries the answer, again with the TURN relay as the default c=/m= destination
  c=IN IP4 G
  m=audio H RTP/AVP 0
  a=candidate: UDP E:F
  a=candidate: UDP G:H
  a=candidate: UDP U:V

Slide 17: Media starts flowing immediately to the c/m value of the peer: Caller sends from X:Y to G:H and Callee sends from U:V to C:D, both through the TURN relays, so audio works before any check completes.

Slide 18: Connectivity checks ensue from Callee to Caller. From U:V the STUN candidate A:B and the TURN candidate C:D answer; the local candidate X:Y does not, since it is a private address behind the Caller's NAT. The same happens in reverse (not shown).

Slide 19: Caller sends a second INVITE promoting the highest priority address that worked, its STUN address, to the c=/m= lines
  c=IN IP4 A
  m=audio B RTP/AVP 0
  a=candidate: UDP A:B
  a=candidate: UDP C:D
  a=candidate: UDP X:Y

Slide 20: 200 OK does the same on the Callee side
  c=IN IP4 E
  m=audio F RTP/AVP 0
  a=candidate: UDP E:F
  a=candidate: UDP G:H
  a=candidate: UDP U:V

Slide 21: Media now flows directly between A:B and E:F, the NAT bindings of the local sockets X:Y and U:V, and the TURN relays drop out of the path.
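The candidate exchange and selection of slides 12 to 21 as one runnable walk-through, added here as an example and not code from the deck or from any ICE implementation: each side renders its candidates in SDP with the relay as the default c=/m= destination, parses the peer's candidates, forms candidate pairs, checks them in priority order and keeps the best pair that works. Several things are assumptions of this example: the "typ" token appended to the a=candidate line (the deck's lines carry no type), the per-type preference values, the IP addresses, and the simulated network in which both NATs are cone NATs and private addresses are unreachable from outside. The pair-priority formula is the one from RFC 5245; the connectivity check itself is stood in for by a predicate rather than a peer-to-peer STUN exchange.

```python
"""ICE-style candidate exchange and pair selection for the call flow above.
Added example; addresses, the 'typ' token and the preferences are constructed."""
from dataclasses import dataclass

# Type preference: the deck's "path with fewest relays" (assumed values)
TYPE_PREF = {"local": 126, "stun": 100, "turn": 0}


@dataclass(frozen=True)
class Candidate:
    ctype: str   # "local", "stun" (learned from STUN) or "turn" (relayed)
    ip: str
    port: int

    @property
    def addr(self):
        return f"{self.ip}:{self.port}"

    @property
    def priority(self):
        return TYPE_PREF[self.ctype]


def render_sdp(cands):
    """Offer or answer in the shape shown on the slides: the relayed candidate is
    the default c=/m= destination and every candidate is listed as a=candidate."""
    default = min(cands, key=lambda c: c.priority)
    lines = [f"c=IN IP4 {default.ip}", f"m=audio {default.port} RTP/AVP 0"]
    lines += [f"a=candidate: UDP {c.addr} typ {c.ctype}" for c in cands]
    return "\n".join(lines)


def default_destination(sdp):
    """Where media goes before any check completes: the c=/m= pair."""
    fields = dict(line.split("=", 1) for line in sdp.splitlines())
    ip = fields["c"].split()[2]
    port = int(fields["m"].split()[1])
    return f"{ip}:{port}"


def parse_candidates(sdp):
    cands = []
    for line in sdp.splitlines():
        if not line.startswith("a=candidate:"):
            continue
        parts = line.split()  # ['a=candidate:', 'UDP', 'ip:port', 'typ', type]
        if (len(parts) != 5 or parts[1] != "UDP" or parts[3] != "typ"
                or parts[4] not in TYPE_PREF):
            raise ValueError(f"malformed candidate line: {line!r}")
        ip, port = parts[2].rsplit(":", 1)
        cands.append(Candidate(parts[4], ip, int(port)))
    return cands


def pair_priority(local, remote, controlling=True):
    """RFC 5245 pair priority: 2^32*min(G,D) + 2*max(G,D) + (1 if G > D else 0)."""
    g, d = (local.priority, remote.priority) if controlling \
        else (remote.priority, local.priority)
    return (1 << 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def select_pair(local_cands, remote_cands, reachable):
    """Check every pair in descending priority; return the first that works, or None."""
    pairs = sorted(((l, r) for l in local_cands for r in remote_cands),
                   key=lambda p: pair_priority(*p), reverse=True)
    for local, remote in pairs:
        if reachable(local, remote):   # stands in for a peer-to-peer STUN Binding check
            return local, remote
    return None


def call_scenario():
    """Slides 12 to 21 with constructed addresses, both sides behind cone NATs."""
    caller = [Candidate("stun", "1.2.3.4", 8866), Candidate("turn", "8.7.6.9", 3884),
              Candidate("local", "10.0.1.1", 6554)]
    callee = [Candidate("stun", "5.6.7.8", 9122), Candidate("turn", "9.9.9.9", 4010),
              Candidate("local", "192.168.0.7", 5004)]

    def reachable(local, remote):
        # Constructed network: private addresses cannot be reached across the
        # Internet; STUN-derived (cone NAT) and relayed addresses can.
        return remote.ctype != "local"

    offer, answer = render_sdp(caller), render_sdp(callee)
    caller_pair = select_pair(caller, parse_candidates(answer), reachable)
    callee_pair = select_pair(callee, parse_candidates(offer), reachable)
    return {
        # media before checks complete: each side sends to the peer's relay
        "media_before_checks": (default_destination(answer), default_destination(offer)),
        # after checks: the STUN-derived addresses, which each side then
        # promotes to its c=/m= lines in the second INVITE / 200 OK
        "caller_sends_to": caller_pair[1].addr,
        "callee_sends_to": callee_pair[1].addr,
    }
```

The ordering reproduces the deck's outcome: the highest priority pairs, local to local, fail because neither private address is reachable, so the next pairs in line, which target the STUN-derived addresses, win and the relays drop out of the media path.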