NAT Traversal for VoIP

802.16 IP Telephony Lab
Dr. Quincy Wu
National Chi Nan University
Email: solomon@ipv6.club.tw
1
TAC2000/2000
NAT Traversal
Where is NAT
What is NAT
Types of NAT
NAT Problems
NAT Solutions
Program Download
NTP VoIP Platform
[Diagram: two campus sites joined over TANet and the PSTN. NCTU site (Hsinchu): NCTU PBX 03-5912312 with trunk and station interfaces, SIP Proxy Server, PSTN Gateway 03-5712121, softphone, WLAN AP, NCTU edge router, analog phones 31842 / 31924 / 59237 / 59238, SIP phones 0944003003 / 0944003004 / 0944003005. NCNU site (Nantou): NCNU PBX 049-2910960 with trunk and station interfaces, SIP Proxy Server, PSTN Gateway, Admin Console, NCNU edge router, phone 049-2912360, analog phones 4161 / 4162 / 4131 / 4762, SIP phones 0944002002 / 0944002003.]
What is NAT
NAT - Network Address Translation
RFC 3022 - Traditional IP Network Address Translator (Traditional NAT)
RFC 1918 - Address Allocation for Private Internets (BCP 5)
RFC 2993 - Architectural Implications of NAT
RFC 3027 - Protocol Complications with the IP Network Address Translator
RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
Converts network addresses (and ports) between the private and public realms
Works on the IP layer
Transparent to applications
NAT Schematic
[Diagram: Computer A (10.0.0.1:80) and Computer B (10.0.0.2:80) on the private side; the NAT's private NIC (DHCP server) and public NIC (DHCP client / PPPoE client) with public IP 202.123.211.25; on the public Internet A appears as 202.123.211.25:10080 and B as 202.123.211.25:20080.]
Mapping Table
10.0.0.1:80 <-> 10080
10.0.0.2:80 <-> 20080
Types of NAT
Full Cone
Restricted Cone
Port Restricted Cone
Symmetric
Full Cone NAT
The client sends a packet to public address A.
The NAT allocates a public port (12345) for private port (21) on the client.
Any incoming packet (from A or B) to public port 12345 is dispatched to private port 21 on the client.
[Diagram: Client 10.0.0.1:21; NAT 202.123.211.25:12345; Computer A 222.111.99.1:20202; Computer B 222.111.88.2:10101.]
Mapping Table
10.0.0.1:21 <-> 12345
Restricted Cone NAT (1/2)
The client sends a packet to public address A.
The NAT allocates a public port (12345) for private port (21) on the client.
Only an incoming packet from A to public port 12345 is dispatched to private port 21 on the client.
[Diagram: Client 10.0.0.1:21; NAT 202.123.211.25:12345; Computer A 222.111.99.1:20202; Computer B 222.111.88.2:10101.]
Mapping Table
10.0.0.1:21 <-> 12345 (for A)
Restricted Cone NAT (2/2)
The client sends another packet to public address B.
The NAT reuses the allocated public port (12345) for private port (21) on the client.
Incoming packets from B to public port 12345 are now also dispatched to private port 21 on the client.
[Diagram: Client 10.0.0.1:21; NAT 202.123.211.25:12345; Computer A 222.111.99.1:20202; Computer B 222.111.88.2:10101.]
Mapping Table
10.0.0.1:21 <-> 12345 (for A)
10.0.0.1:21 <-> 12345 (for B)
Port Restricted Cone NAT
The client sends a packet to public address A, port 20202.
The NAT allocates a public port (12345) for private port (21) on the client.
Only an incoming packet from address A and port 20202 to public port 12345 is dispatched to private port 21 on the client.
[Diagram: Client 10.0.0.1:21; NAT 202.123.211.25:12345; Computer A 222.111.99.1 with ports 20202 and 30303.]
Mapping Table
10.0.0.1:21 <-> 12345 (for A : 20202)
10.0.0.1:21 <-> 12345 (for A : 30303)
Symmetric NAT
The NAT allocates a new public port each time the client sends a packet to a different public address and port.
Only an incoming packet from the originally mapped public address and port is dispatched to the private port on the client.
[Diagram: Client 10.0.0.1:21; NAT 202.123.211.25 using port 12345 towards Computer A 222.111.99.1:20202 and port 45678 towards Computer B 222.111.88.2:10101.]
Mapping Table
10.0.0.1:21 <-> 12345 (for A : 20202)
10.0.0.1:21 <-> 45678 (for B : 10101)
VoIP Protocol and NAT
NAT converts IP addresses on the IP layer
Problem 1:
SIP, H.323, Megaco and MGCP are application layer protocols, but they carry IP address/port information inside their messages, and that information is not translated by the NAT
Problem 2:
The private client must send an outgoing packet first (to create a mapping on the NAT) before it can receive any incoming packet
Lab Environment
UA1: UA behind the NAT.
UA2: SIP device outside the NAT.
Call Server: SIP Express Router 0.8.12.
NAT: Linux Fedora Core 2.
Packet capturer: Ethereal 0.9.15.
[Diagram labels: Call Server NCNU-SIP.ipv6.club.tw (0944021404); NAT; UA1 (0944021021); "IPv6 only"; UA2; Ethereal.]
The Problem (1/2)
Because UA1 has a private address, the Via header and the Contact address in SIP messages sent by UA1 are incorrect.
With an incorrect Via header, responses to messages sent by UA1 cannot be routed back.
With an incorrect Contact address in REGISTER messages, the call server cannot inform UA1 of incoming calls.
UA1 can only act as the calling party.
Incorrect REGISTER Message
The Problem (2/2)
When UA1 initiates a call, the connection information for media establishment in the SDP is also incorrect.
UA2 gets a private peer address, so the RTP packets from UA2 cannot be routed to UA1.
Media can only be sent from UA1 to UA2.
Incorrect Fields in SDP of INVITE Message
Solving NAT Traversal Problems
Target:
Discover the mapped public IP & port for a private IP & port
Use the mapped public IP & port in application layer messages
Keep this mapping valid
Timing Issue
The NAT automatically allocates a public port for a private address & port when needed.
The NAT releases the mapping if the public port is "idle":
No TCP connection on the port
No UDP traffic on the port for a period (45 sec ~ 5 min)
Keep a TCP connection to the target
Send a UDP packet to the target at a specified interval
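As an added example, not code from the slides, the following Python model covers the four NAT behaviours of the "Types of NAT" slides together with the idle-timeout rule above. It keeps a mapping table like the ones drawn on the slides, applies each type's filtering rule to inbound packets, and expires mappings that receive no traffic. The addresses and ports are the ones the slides use; the type names, the 60-second idle timeout and the starting public port 12345 are assumptions of the example, and the keepalive is modelled as the client simply resending to the same destination.

```python
"""Model of full cone, restricted cone, port restricted cone and symmetric
NAT, with mapping expiry on idle (added example; constructed values)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "full cone", "restricted cone", "port restricted cone", "symmetric")


@dataclass
class Mapping:
    public_port: int
    peers: Set[Endpoint] = field(default_factory=set)  # destinations sent to
    last_used: float = 0.0                              # for idle expiry


class Nat:
    def __init__(self, kind, public_ip, idle_timeout=60.0, first_port=12345):
        self.kind, self.public_ip = kind, public_ip
        self.idle_timeout, self.next_port = idle_timeout, first_port
        self.table: Dict[tuple, Mapping] = {}
        self.clock = 0.0  # simulated seconds

    def _key(self, private: Endpoint, dest: Endpoint):
        # Symmetric NAT allocates one public port per destination; the cone
        # types reuse a single public port for the private endpoint.
        return (private, dest) if self.kind == SYMMETRIC else (private,)

    def _expire(self):
        stale = [k for k, m in self.table.items()
                 if self.clock - m.last_used > self.idle_timeout]
        for k in stale:
            del self.table[k]

    def outbound(self, private: Endpoint, dest: Endpoint) -> Endpoint:
        """Client sends a packet; returns the public (ip, port) it leaves from."""
        self._expire()
        key = self._key(private, dest)
        m = self.table.get(key)
        if m is None:
            m = self.table[key] = Mapping(self.next_port)
            self.next_port += 1
        m.peers.add(dest)
        m.last_used = self.clock
        return (self.public_ip, m.public_port)

    def inbound(self, src: Endpoint, public_port: int) -> Optional[Endpoint]:
        """Packet from src hits public_port; returns the private endpoint it is
        delivered to, or None when the NAT drops it."""
        self._expire()
        for key, m in self.table.items():
            if m.public_port != public_port:
                continue
            if self.kind == FULL_CONE:
                ok = True
            elif self.kind == RESTRICTED:
                ok = any(peer[0] == src[0] for peer in m.peers)  # address only
            else:  # port restricted cone and symmetric: exact (ip, port)
                ok = src in m.peers
            if ok:
                m.last_used = self.clock
                return key[0]
        return None

    def tick(self, seconds: float):
        self.clock += seconds


# Endpoints from the slides
CLIENT, A, A2, B = (("10.0.0.1", 21), ("222.111.99.1", 20202),
                    ("222.111.99.1", 30303), ("222.111.88.2", 10101))


def scenario(kind):
    """Client talks to A once; who can then reach the public port?"""
    nat = Nat(kind, "202.123.211.25")
    _, port = nat.outbound(CLIENT, A)
    return {name: nat.inbound(src, port) is not None
            for name, src in (("A", A), ("A:30303", A2), ("B", B))}


def public_ports(kind):
    """Public port used towards A, then towards B."""
    nat = Nat(kind, "202.123.211.25")
    return nat.outbound(CLIENT, A)[1], nat.outbound(CLIENT, B)[1]


def keepalive_demo(interval, idle_timeout=60.0):
    """Does the original mapping survive five keepalive rounds at `interval`?"""
    nat = Nat(FULL_CONE, "202.123.211.25", idle_timeout)
    _, port = nat.outbound(CLIENT, A)
    for _ in range(5):
        nat.tick(interval)
        nat.outbound(CLIENT, A)  # keepalive refreshes last_used (or re-maps)
    nat.tick(interval)
    return nat.inbound(A, port) is not None


if __name__ == "__main__":
    for kind in (FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{kind:22} {scenario(kind)}  ports A/B={public_ports(kind)}")
    print("keepalive 30s:", keepalive_demo(30), " keepalive 90s:", keepalive_demo(90))
```

Running it shows the progression of the slides: the full cone lets A, A from another port, and B through; the restricted cone drops B; the port restricted cone also drops A's second port; the symmetric NAT additionally hands out a second public port for B. With a keepalive interval longer than the idle timeout the original port is released and the peer's packets to it are dropped.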
NAT Solutions
IPv6 (Internet Protocol Version 6)
UPnP (Universal Plug-and-Play)
UPnP Forum - http://www.upnp.org/
VPN (Virtual Private Network)
Proprietary protocol by NAT/Firewall
SIP ALG (Application Level Gateway)
No standard yet. Not applicable to existing NATs.
SIP extensions for NAT traversal
RFC 3581 - rport
Works for SIP only; cannot help RTP pass through the NAT
STUN (Simple Traversal of UDP Through Network Address Translators)
RFC 3489
Works except for symmetric NAT
TURN (Traversal Using Relay NAT)
draft-rosenberg-midcom-turn-08
For symmetric NAT
UPnP – Universal Plug-and-Play
NAT Traversal with UPnP
[Diagram labels: NAT; Public IP; UPnP Device (IGD); NAT Device. Explanatory text lost in extraction.]
IGD -- Internet Gateway Device
UPnP IGD
[Slide text lost in extraction; surviving fragments: UPnP, public IP, port mapping.]
UPnP Control Message: Port Mapping
[Slide text lost in extraction; surviving fragments: UPnP IGD, NAT, UPnP control message, port mapping, 192.168.0.14, port 10001 UDP, IGD port mapping.]
IGD Control Message
POST /upnphost/udhisapi.dll?control=uuid:c3038e95-ea88-4d5c-98ff-3ad68f7aaa32+urn:upnp-org:serviceId:WANIPConn1 HTTP/1.1
Host: 192.168.0.1:2869
Content-Length: 734
Content-Type: text/xml; charset="utf-8"
SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<SOAP-ENV:Body>
<u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>17769</NewExternalPort>
<NewProtocol>UDP</NewProtocol>
<NewInternalPort>10001</NewInternalPort>
<NewInternalClient>192.168.0.146</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>s2EAYp (192.168.0.146:10001) 17769 UDP</NewPortMappingDescription>
<NewLeaseDuration>0</NewLeaseDuration>
</u:AddPortMapping>
</SOAP-ENV:Body>
</SOAP-ENV:Envelope>
Current Defects of UPnP
[Slide text largely lost in extraction; surviving keywords: aging of port mapping; multi-level NAT.]
Simple Traversal of UDP Through Network Address Translators (STUN)
STUN (RFC 3489)
A mechanism for a socket behind NAT(s) to learn its mapped (IP, port) on the Internet.
Check whether the UA is behind a NAT.
If it is not, the STUN mechanism is not applied.
When a new socket is created, use that socket to request its mapped (IP, port) from the STUN server.
The response IP is stored in a string buffer.
The response port is saved in a table, using the source port as the key.
When the UA wants to put a local IP or port into a message, it first looks up the mapped IP or port in the table.
STUN Server
Allows clients to discover whether they are behind a NAT, what type of NAT it is, and the public address & port the NAT will use.
Very simple protocol, easy to implement, little load.
[Diagram: Client 10.0.0.1:5060 -> NAT 202.123.211.25:12345 -> STUN Server 222.111.99.1:20202.]
The client wants to receive packets at port 5060, so it sends a query to the STUN server from port 5060.
The STUN server receives the packet from 202.123.211.25 port 12345.
The STUN server sends a response packet to the client, telling it that its public address is 202.123.211.25 port 12345.
Use STUN for SIP Registration
Use port 5060 to send a packet to the STUN server.
Receive the public address & port mapped to client:5060 from the STUN server.
Fill the SIP REGISTER message with the client's public address & port, and send it to the proxy server.
[Diagram: Client 10.0.0.1:5060; NAT 202.123.211.25:12345; STUN Server 222.111.99.1:20202; Proxy Server 140.128.10.129:5060.]
REGISTER sip:222.111.33.1 SIP/2.0
Via: SIP/2.0/UDP 202.123.211.25:12345
From: Wang <sip:Wang@140.128.10.129:5060>
To: Wang <sip:Wang@140.128.10.129:5060>
…
Contact: Wang <sip:Wang@202.123.211.25:12345>
…
Corrected SIP Message
Use STUN for RTP
Send two STUN queries, one from each RTP port (9000 and 9002), to the STUN server.
Use the replied public address & port in the SDP.
[Diagram: Client 10.0.0.1 with RTP ports 9000 and 9002; NAT 140.113.131.72 with ports 56539 and 56541; Proxy Server 222.111.33.1:5060; STUN Server 222.111.99.1:3478; the INVITE (Content-Type: application/sdp) goes via the proxy to the remote UA, whose RTP ports are 9000 and 9002.]
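The STUN round trip and the message rewriting described on the "Use STUN for SIP Registration" and "Use STUN for RTP" slides, as an added Python example (not code from the slides or from the stun-client tool). It encodes an RFC 3489 Binding Request, parses the MAPPED-ADDRESS attribute of the Binding Response, keeps the per-socket table the STUN slide describes, and substitutes the mapped endpoints into the Via and Contact headers and the SDP c=/m= lines. The STUN server is simulated in-process through NAT_VIEW, a constructed table standing in for what the server would observe; the REGISTER and SDP messages are constructed from the slides' values, and one NAT IP (202.123.211.25) is assumed for all three local sockets.

```python
"""STUN Binding Request/Response handling plus SIP/SDP rewriting
(added example; server simulated, messages constructed)."""
import os
import re
import socket
import struct

BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101   # RFC 3489 message types
MAPPED_ADDRESS = 0x0001                              # RFC 3489 attribute type


def build_binding_request(txid=None):
    """20-byte header: type, length (0: no attributes), 16-byte transaction ID."""
    txid = txid or os.urandom(16)
    return struct.pack("!HH", BINDING_REQUEST, 0) + txid


def build_binding_response(txid, mapped_ip, mapped_port):
    """Server side: MAPPED-ADDRESS = the source (ip, port) the request came
    from, i.e. the NAT's public side. Here it only simulates the server."""
    value = struct.pack("!BBH4s", 0, 0x01, mapped_port, socket.inet_aton(mapped_ip))
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + txid + attr


def parse_mapped_address(resp, txid):
    """Walk the attributes of a Binding Response and return (ip, port)."""
    mtype, length = struct.unpack("!HH", resp[:4])
    if mtype != BINDING_RESPONSE or resp[4:20] != txid:
        raise ValueError("not a Binding Response for our transaction")
    body, off = resp[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + alen]
        if atype == MAPPED_ADDRESS:
            _, family, port = struct.unpack("!BBH", val[:4])
            if family != 0x01:
                raise ValueError("only IPv4 handled here")
            return socket.inet_ntoa(val[4:8]), port
        off += 4 + alen
    raise ValueError("MAPPED-ADDRESS attribute missing")


def rewrite_sip(msg, private_ip, table):
    """Replace private_ip:port in Via and Contact with the mapped endpoint.
    table: local port -> (public ip, public port), one entry per socket."""
    def sub(m):
        ip, port = table[int(m.group(1))]
        return f"{ip}:{port}"
    out = []
    for line in msg.split("\r\n"):
        if line.startswith(("Via:", "Contact:")):
            line = re.sub(re.escape(private_ip) + r":(\d+)", sub, line)
        out.append(line)
    return "\r\n".join(out)


def rewrite_sdp(sdp, private_ip, table):
    """Replace the c= address and each m= port with the mapped values."""
    public_ip = next(iter(table.values()))[0]   # one NAT, same public IP
    out = []
    for line in sdp.split("\r\n"):
        if line == "c=IN IP4 " + private_ip:
            line = "c=IN IP4 " + public_ip
        m = re.match(r"^(m=\w+ )(\d+)(.*)$", line)
        if m:
            line = m.group(1) + str(table[int(m.group(2))][1]) + m.group(3)
        out.append(line)
    return "\r\n".join(out)


# Constructed messages using the slides' addresses
PRIVATE_IP = "10.0.0.1"
REGISTER = "\r\n".join([
    "REGISTER sip:222.111.33.1 SIP/2.0",
    "Via: SIP/2.0/UDP 10.0.0.1:5060",
    "From: Wang <sip:Wang@140.128.10.129:5060>",
    "To: Wang <sip:Wang@140.128.10.129:5060>",
    "Contact: Wang <sip:Wang@10.0.0.1:5060>", ""])
SDP = "\r\n".join(["v=0", "c=IN IP4 10.0.0.1",
                   "m=audio 9000 RTP/AVP 0 8", "m=video 9002 RTP/AVP 31", ""])
# Simulated NAT: what the STUN server sees for each local port (assumption)
NAT_VIEW = {5060: ("202.123.211.25", 12345),
            9000: ("202.123.211.25", 56539), 9002: ("202.123.211.25", 56541)}


def discover(local_port):
    """One STUN exchange for a local socket; the server is simulated."""
    txid = os.urandom(16)
    req = build_binding_request(txid)
    ip, port = NAT_VIEW[local_port]
    resp = build_binding_response(req[4:20], ip, port)  # server echoes txid
    return parse_mapped_address(resp, txid)


def demo():
    """Returns the corrected REGISTER and SDP, as the slides' screenshots show."""
    table = {p: discover(p) for p in (5060, 9000, 9002)}
    return rewrite_sip(REGISTER, PRIVATE_IP, table), rewrite_sdp(SDP, PRIVATE_IP, table)


if __name__ == "__main__":
    sip, sdp = demo()
    print(sip)
    print(sdp)
```

Only Via and Contact are rewritten; From and To keep the proxy's address, as on the slide, because they identify the user rather than where the UA can be reached. A real client would send the request bytes over the same UDP socket it later uses for SIP or RTP, so that the server reports that socket's mapping.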
Corrected SDP
Download
STUN Client
A diagnostic tool that uses the STUN mechanism to find out the type of NAT.
Download at http://voip.ipv6.club.tw/Download/
Usage:
stun-client STUN.ipv6.club.tw
stun-client -t STUN.ipv6.club.tw
stun-client -p 5060 STUN.ipv6.club.tw
Note: Be sure to close any running SIP UA before you run the STUN client. (why?)
Many commercial SIP UAs support STUN
X-Lite (softphone)
Snom (hardphone)
Running STUN Client on a PC in a Private LAN
stun-client STUN.ipv6.club.tw
stun-client -t STUN.ipv6.club.tw
Clients Behind Symmetric NAT
Provide a call server with an RTP relay for non-upgradeable IP phones or softphones.
The load on this server would be terribly heavy.
[Diagram: IP Phone B in the private address domain behind a symmetric NAT (NAT port 12345); Call Server with RTP Relay and PSTN GW in the public address domain; RTP flows through the relay.]
Mapping Table
192.168.10.1:5060 <-> 10120 (for Call Server : 5060)
192.168.10.1:9000 <-> 12345 (for Call Server : 9000)
Signaling Flow
[Diagram: IP Phone -> NAT -> Relay -> GW. The INVITE passes from the IP Phone through the NAT and the Relay to the GW; the OK returns along the same path; RTP then flows IP Phone <-> Relay <-> GW.]
Relay -> PSTN GW
IP Phone B <- Relay
Summary
STUN is a good solution for non-symmetric NATs
Suitable for small-scale deployments
Client-side
Enterprise server
Compatible with most NATs
A STUN server is easy to implement and low-cost
A call server with RTP relay may be needed if users cannot be sure whether they are behind a symmetric NAT
Capacity is limited
A centralized server is expensive
That's why Skype distributes the load to individual users
UPnP is a promising solution, but by its nature it competes with IPv6.
Peer-to-peer vs. gateway/device model