![Page 1: 1 NAT Traversal for VoIP Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University](https://reader034.vdocuments.us/reader034/viewer/2022042603/56649cba5503460f9498181b/html5/thumbnails/1.jpg)
NAT Traversal for VoIP
Ai-Chun Pang
Graduate Institute of Networking and Multimedia
Dept. of Comp. Sci. and Info. Engr.
National Taiwan University
References
“SIP, NAT and Firewalls”, Fredrik Thernelius
Baruch Sterman and David Schwartz, “NAT Traversal in SIP”, Deltathree
“STUN – Simple Traversal of UDP Through Network Address Translators”, RFC 3489, IETF
“An Extension to the SIP for Symmetric Response Routing”, RFC 3581, IETF
“TURN – Traversal Using Relay NAT”, Internet Draft, IETF
Outline
- Introduction
- Problems of NAT Traversal for VoIP
- Possible Solutions for VoIP over NAT
What is NAT?
- NAT - Network Address Translation
- Converts Network Address (and Port) between private and public realm
- Works on IP layer
- Transparent to Upper-layer Applications
[Figure: routers between hosts 54.38.54.4 and 39.39.88.9. Outgoing packet: SA 54.38.54.4, SP 8765, DA 39.39.88.9, DP 80. Returning packet: SA 39.39.88.9, SP 80, DA 54.38.54.4, DP 8765.]
[Figure: private host 192.168.5.2, NAT with public address 54.38.54.49, remote host 39.39.88.9.
- Packet leaving the private host: SA 192.168.5.2, SP 8765, DA 39.39.88.9, DP 80
- Same packet after the NAT: SA 54.38.54.49, SP 8765, DA 39.39.88.9, DP 80
- NAT table entry (DA, DP, SA, SP): 39.39.88.9, 80, 192.168.5.2, 8765
- Reply arriving at the NAT: SA 39.39.88.9, SP 80, DA 54.38.54.49, DP 8765
- Reply delivered to the private host: SA 39.39.88.9, SP 80, DA 192.168.5.2, DP 8765]
Flavors of NAT [1/3]
Static NAT
- Requires the same number of global IP addresses as that of hosts in the private environment
- The mapping between internal IP addresses and external addresses is set manually
- This mapping is intended to stay for a long period of time
Flavors of NAT [2/3]
Dynamic NAT
Collect the public IP addresses into an IP address pool
A host connecting to the outside network is allocated an external IP address from the address pool managed by NAT
Flavors of NAT [3/3]
NAPT (Network Address and Port Translation)
- A special case of Dynamic NAT
- Use port numbers as the basis for the address translation
- Most commonly used
Types of NAT
- Full Cone
- Restricted Cone
- Port Restricted Cone
- Symmetric
Full Cone NAT
- Client sends a packet to public address A.
- NAT allocates a public port (12345) for private port (21) on the client.
- Any incoming packet (from A or B) to public port (12345) will be dispatched to private port (21) on the client.
[Figure: Client (IP: 10.0.0.1, Port: 21); NAT (IP: 202.123.211.25, Port: 12345); Mapping Table: 10.0.0.1:21 <-> 12345; Computer A (IP: 222.111.99.1, Port: 20202); Computer B (IP: 222.111.88.2, Port: 10101)]
Restricted Cone NAT [1/2]
- Client sends a packet to public address A.
- NAT allocates a public port (12345) for private port (21) on the client.
- Only incoming packets from A to public port (12345) will be dispatched to private port (21) on the client.
[Figure: Client (IP: 10.0.0.1, Port: 21); NAT (IP: 202.123.211.25, Port: 12345); Mapping Table: 10.0.0.1:21 <-> 12345 (for A); Computer A (IP: 222.111.99.1, Port: 20202); Computer B (IP: 222.111.88.2, Port: 10101)]
Restricted Cone NAT [2/2]
- Client sends another packet to public address B.
- NAT will reuse the allocated public port (12345) for private port (21) on the client.
- Incoming packets from B to public port (12345) will now be dispatched to private port (21) on the client.
[Figure: Client (IP: 10.0.0.1, Port: 21); NAT (IP: 202.123.211.25, Port: 12345); Mapping Table: 10.0.0.1:21 <-> 12345 (for A), 10.0.0.1:21 <-> 12345 (for B); Computer A (IP: 222.111.99.1, Port: 20202); Computer B (IP: 222.111.88.2, Port: 10101)]
Port Restricted Cone NAT
- Client sends a packet to public address A at port 20202.
- NAT will allocate a public port (12345) for private port (21) on the client.
- Only incoming packets from address A and port 20202 to public port (12345) will be dispatched to private port (21) on the client.
[Figure: Client (IP: 10.0.0.1, Port: 21); NAT (IP: 202.123.211.25, Port: 12345); Mapping Table: 10.0.0.1:21 <-> 12345 (for A : 20202), 10.0.0.1:21 <-> 12345 (for A : 30303); Computer A (IP: 222.111.99.1, Port: 20202, Port: 30303)]
Symmetric NAT
- NAT allocates a public port each time the client sends a packet to a different public address and port
- Only incoming packets from the original mapped public address and port will be dispatched to the private port on the client
[Figure: Client (IP: 10.0.0.1, Port: 21); NAT (IP: 202.123.211.25, Port: 12345 and IP: 202.123.211.25, Port: 45678); Mapping Table: 10.0.0.1:21 <-> 12345 (for A : 20202), 10.0.0.1:21 <-> 45678 (for B : 10101); Computer A (IP: 222.111.99.1, Port: 20202); Computer B (IP: 222.111.88.2, Port: 10101)]
VoIP Protocol and NAT
- NAT converts IP addresses on IP layer
- Problem 1: SIP, H.323, Megaco and MGCP are application layer protocols but contain IP address/port info in messages, which is not translated by NAT
- Problem 2: Private client must send an outgoing packet first (to create a mapping on NAT) to receive incoming packets
Solving NAT Traversal Problems
- Objectives
  - To discover the mapped public IP & port for a private IP & port
  - To use the mapped public IP & port in application layer message
  - To keep this mapping valid
- Issues
  - NAT will automatically allocate a public port for a private address & port if needed.
  - NAT will release the mapping if the public port is “idle”
    - No TCP connection on the port
    - No UDP traffic on the port for a period
  - Keep a TCP connection to destination
  - Send UDP packets to destination every specified interval
NAT Solutions
- IPv6 (Internet Protocol Version 6)
- UPnP (Universal Plug-and-Play)
  - UPnP Forum - http://www.upnp.org/
- Proprietary protocol by NAT/Firewall
  - SIP ALG (Application Level Gateway)
- SIP extensions for NAT traversal
  - RFC 3581
  - Works for SIP only, can not help RTP to pass through NAT
- STUN (Simple Traversal of UDP Through Network Address Translators)
  - RFC 3489
  - Works except for symmetric NAT
- TURN (Traversal Using Relay NAT)
  - draft-rosenberg-midcom-turn-04
  - for symmetric NAT
Two Distinct Cases – NAT Deployment [1/2]
Case I : SIP Provider is the IP Network Provider
Two Distinct Cases – NAT Deployment [2/2]
Case II : SIP Provider is NOT IP Network Provider
Solution for Case I – ALG [1/2]
- Separate Application Layer NAT from IP Layer NAT
[Figure labels: SIP, Control, RTP, Proxy Server/ALG, Firewall/NAT Packet Filter]
- Decomposed Firewall/NAT
  - Like MEGACO Decomposition
  - MG = Packet Filter
  - MGC = Control Proxy
- Advantages
  - Better scaling
  - Load balancing
  - Low cost
Solution for Case I – ALG [2/2]
[Figure: message sequence among PC, Proxy and Firewall/NAT, with messages INVITE, BIND REQ, BINDING, INVITE, 200 OK, 200 OK, OPEN, ACK, ACK]
- A control protocol between application-layer NATs and IP-layer NATs
- Main Requirements
  - Binding Request: To give a private address and obtain a public address
  - Binding Release
  - Open Hole (firewall)
  - Close Hole (firewall)
Proposed Solution for Case II
- Much harder problem
  - No way to control firewall or NAT
  - Cascading NATs
  - Variable firewall NAT behaviors
- Proposed Solution
  - Make SIP “NAT-Friendly”
    - Minor extensions
    - Address the issues for SIP only, not RTP
    - Accepted by IETF (RFC 3581)
  - Develop a protocol for traversal of UDP through NAT
    - Work for RTP
    - Also support other applications
SIP Extension to NAT Friendly
Client Behavior
- Include an “rport” parameter in the Via header
  - This parameter MUST have no value
  - It serves as a flag
- The client SHOULD retransmit its INVITE every 20 seconds
  - Due to UDP NAT binding period and to keep the binding fresh
SIP Extension to NAT Friendly [2/2]
Server Behavior
- Examines the Via header field value of the request
- If it contains an “rport” parameter,
  - A “received” parameter
  - An “rport” parameter
- The response MUST be sent to the IP address listed in the “received” parameter, and the port in the “rport” parameter.
Example [1/2]
Client A: 10.1.1.1
Proxy B: 68.44.10.3
NAT C: 68.44.20.1

A issues request
INVITE sip:user@domain SIP/2.0
Via: SIP/2.0/UDP 10.1.1.1:4540;rport

A -> C (mapping port 9988) -> B
INVITE sip:user@domain SIP/2.0
Via: SIP/2.0/UDP proxy.domain.com
Via: SIP/2.0/UDP 10.1.1.1:4540;received=68.44.20.1;rport=9988;
Example [2/2]
Server B receives the response
SIP/2.0 200 OK
Via: SIP/2.0/UDP proxy.domain.com
Via: SIP/2.0/UDP 10.1.1.1:4540;received=68.44.20.1;rport=9988;

B (68.44.10.3:5060) -> C (68.44.20.1:9988) -> A
SIP/2.0 200 OK
Via: SIP/2.0/UDP 10.1.1.1:4540;received=68.44.20.1;rport=9988;
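
The server-side handling from the two example slides, as an added Python sketch that is not part of the original deck: the proxy fills "received" and "rport" from the packet's actual source and routes the response from those values. The function names are hypothetical, only IPv4 addresses and host names are parsed, the no-rport fallback follows RFC 3261, and discarding any client-supplied "received"/"rport" values is this example's own choice.

```python
def parse_via(value):
    """Split one Via value into (protocol, host, port_or_None, params)."""
    sent, *raw = [part.strip() for part in value.split(";") if part.strip()]
    protocol, sent_by = sent.split()
    host, _, port = sent_by.partition(":")
    params = {}
    for item in raw:
        name, _, val = item.partition("=")
        # A parameter without a value (the bare "rport" flag) is stored as None.
        params[name.strip().lower()] = val.strip() or None
    return protocol, host, int(port) if port else None, params


def format_via(protocol, host, port, params):
    sent_by = host if port is None else f"{host}:{port}"
    tail = "".join(f";{k}" if v is None else f";{k}={v}" for k, v in params.items())
    return f"{protocol} {sent_by}{tail}"


def server_stamp_via(value, src_ip, src_port):
    """Stamp the topmost Via of a request with the source the server observed."""
    protocol, host, port, params = parse_via(value)
    wants_rport = "rport" in params
    # Example's choice: never keep values the client wrote itself; only the
    # observed source address and port are recorded.
    params.pop("received", None)
    params.pop("rport", None)
    if wants_rport or host != src_ip:
        params["received"] = src_ip
    if wants_rport:
        params["rport"] = str(src_port)
    return format_via(protocol, host, port, params)


def response_target(stamped_via):
    """Return the (ip, port) the response is sent to."""
    _, host, port, params = parse_via(stamped_via)
    ip = params.get("received") or host
    if params.get("rport"):
        return ip, int(params["rport"])
    # Without rport the response goes to the sent-by port (default 5060),
    # for which the NAT on the slide holds no mapping.
    return ip, port if port is not None else 5060
```

With the slide's values, the request from 10.1.1.1:4540 seen arriving from 68.44.20.1:9988 is answered at 68.44.20.1:9988; the same request without the rport flag would be answered at 68.44.20.1:4540.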
UPnP [1/2]
- Universal Plug and Play
- It is being pushed by Microsoft
  - Windows® Messenger
- A UPnP-aware client can ask the UPnP-enabled NAT how it would map a particular IP:port through UPnP
- It will not work in the case of cascading NATs
http://www.upnp.org/
UPnP [2/2]
- A: Private Network
  - UPnP-aware Internet gateway device
  - The UPnP-enabled NAT allows “A” to be aware of its external IP
- B: Public Internet
  - “B” and “A” can communicate with each other
[Figure: A (Private Network), UPnP-enabled NAT, B (Public Internet)]
External Query
- A server sits listening for packets (NAT probe)
- When receiving a packet, it returns a message from the same port to the source containing the IP:port that it sees
[Figure labels: host (IP: 10.0.0.1, Port: 8000); NAT; Public Internet; NAT Probe; IP: 202.123.211.25, Port: 12345]
STUN
- Simple Traversal of UDP Through NAT
- RFC 3489
- In Working Group IETF MIDCOM Group
- Simple Protocol
- Works with existing NATs
- Main features
  - Allow Client to Discover Presence of NAT
  - Works in Multi-NAT Environments
  - Allow Client to Discover the Type of NAT
  - Allows Client to Discover the Binding Lifetimes
  - Stateless Servers
STUN Server
- Allows the client to discover if it is behind a NAT, what type of NAT it is, and the public address & port the NAT will use.
- A simple protocol, easy to implement, little load
[Figure: Client (IP: 10.0.0.1, Port: 5060); NAT (IP: 202.123.211.25, Port: 12345); STUN Server (IP: 222.111.99.1, Port: 20202)]
- Client wants to receive packets at port 5060
- Client sends a query to the STUN server from port 5060
- STUN Server receives the packet from 202.123.211.25 port 12345
- STUN Server sends a response packet to the client, telling it that its public address is 202.123.211.25 port 12345
Binding Acquisition
STUN Server can be ANYWHERE on Public Internet
Call Flow Proceeds Normally
STUN Message [1/3]
- TLV (type-length-value)
- Start with a STUN header, followed by a STUN payload (a series of STUN attributes depending on the message type)
- Format
  - STUN Header
  - STUN Payload (can have none to many blocks)
STUN Message [2/3]
- STUN Header
  - Message Type (16 bits)
  - Message Length (16 bits)
  - Transaction ID (128 bits)
- STUN Payload (can have none to many blocks)
- Message Types
  - 0x0001: Binding Request
  - 0x0101: Binding Response
  - 0x0111: Binding Error Response
  - 0x0002: Shared Secret Request
  - 0x0102: Shared Secret Response
  - 0x0112: Shared Secret Error Response
STUN Message [3/3]
- STUN Header
- STUN Payload (can have none to many blocks)
  - Attribute Type (16 bits)
  - Attribute Length (16 bits)
  - Attribute Value (Variable length)
- Attribute Types
  - 0x0001: MAPPED-ADDRESS
  - 0x0002: RESPONSE-ADDRESS
  - 0x0003: CHANGE-REQUEST
  - 0x0004: SOURCE-ADDRESS
  - 0x0005: CHANGED-ADDRESS
  - 0x0006: USERNAME
  - 0x0007: PASSWORD
  - 0x0008: MESSAGE-INTEGRITY
  - 0x0009: ERROR-CODE
  - 0x000a: UNKNOWN-ATTRIBUTES
  - 0x000b: REFLECTED-FROM
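
The header and attribute layout from the three STUN Message slides, as an added Python example that is not part of the original deck: it builds a Binding Request and decodes MAPPED-ADDRESS from a Binding Response, rejecting messages whose length fields do not match the bytes received. The function names are hypothetical, the 8-byte MAPPED-ADDRESS value (one unused byte, family 0x01 for IPv4, port, address) is taken from RFC 3489, and the sample response is constructed from the addresses on the STUN Server slide.

```python
import os
import socket
import struct

HEADER = struct.Struct("!HH16s")     # Message Type, Message Length, Transaction ID
BINDING_REQUEST, BINDING_RESPONSE = 0x0001, 0x0101
MAPPED_ADDRESS = 0x0001


def build_message(msg_type, transaction_id, attributes=()):
    """Serialize a header followed by (type, value) attributes as TLVs."""
    payload = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in attributes)
    # Message Length counts the payload only, not the 20-byte header.
    return HEADER.pack(msg_type, len(payload), transaction_id) + payload


def parse_message(data):
    """Return (msg_type, transaction_id, [(attr_type, value), ...])."""
    if len(data) < HEADER.size:
        raise ValueError("shorter than the 20-byte STUN header")
    msg_type, length, tid = HEADER.unpack_from(data)
    if length != len(data) - HEADER.size:
        raise ValueError("Message Length does not match the payload size")
    attrs, offset = [], HEADER.size
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated attribute header")
        a_type, a_len = struct.unpack_from("!HH", data, offset)
        offset += 4
        if offset + a_len > len(data):
            raise ValueError("attribute value overruns the message")
        attrs.append((a_type, data[offset:offset + a_len]))
        offset += a_len
    return msg_type, tid, attrs


def encode_address(ip, port):
    return struct.pack("!BBH", 0, 0x01, port) + socket.inet_aton(ip)


def decode_address(value):
    if len(value) != 8:
        raise ValueError("address attribute must be 8 bytes")
    _, family, port = struct.unpack_from("!BBH", value)
    if family != 0x01:
        raise ValueError("only the IPv4 family (0x01) is defined")
    return socket.inet_ntoa(value[4:]), port


def mapped_address(response, expected_tid):
    """Extract MAPPED-ADDRESS from a Binding Response to our own request."""
    msg_type, tid, attrs = parse_message(response)
    if msg_type != BINDING_RESPONSE:
        raise ValueError("not a Binding Response")
    if tid != expected_tid:
        raise ValueError("transaction ID does not match the request")
    for a_type, value in attrs:
        if a_type == MAPPED_ADDRESS:
            return decode_address(value)
    raise ValueError("no MAPPED-ADDRESS attribute")


def demo():
    tid = os.urandom(16)                              # 128-bit Transaction ID
    request = build_message(BINDING_REQUEST, tid)     # what the client sends
    # Constructed response: what the slide's STUN server would report.
    response = build_message(
        BINDING_RESPONSE, tid,
        [(MAPPED_ADDRESS, encode_address("202.123.211.25", 12345))])
    return len(request), mapped_address(response, tid)
```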
Automatic Detection of NAT Environment [1/2]
[Figure: STUN Client Environment and a STUN Server with two addresses (IP1, IP2) and two ports (Port1, Port2); arrows labelled Test I, Test II, Test III and Test IV]
Automatic Detection of NAT Environment [2/2]
[Figure: decision flowchart. Steps Test I, Test II, Test III and Test IV each lead to a “Resp?” (Yes/No) decision; further decisions are “Same IP and Port as original?” and “Same IP and Port as Test I?”. Outcomes: UDP Blocked, Open Internet, Sym UDP Firewall, Full Cone NAT, Symmetric NAT, Restricted NAT, Port Restricted NAT.]
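
The four NAT behaviours from the "Types of NAT" slides and the detection flowchart above, combined in one added Python example that is not part of the original deck: a toy NAT applies each type's mapping and filtering rules, and `classify` runs the discovery procedure of RFC 3489 against it. Test names follow RFC 3489 rather than the slide's numbering, the class and function names are hypothetical, and using 222.111.88.2:10101 as the STUN server's second address and port is an assumption of this example.

```python
FULL_CONE, RESTRICTED, PORT_RESTRICTED, SYMMETRIC = (
    "full-cone", "restricted-cone", "port-restricted-cone", "symmetric")

SERVER = ("222.111.99.1", 20202)   # STUN server address from the slides
ALT = ("222.111.88.2", 10101)      # assumed second IP and port of that server


class Nat:
    """Toy NAPT: one public IP, mapping and filtering rules per NAT type."""

    def __init__(self, kind, public_ip="202.123.211.25"):
        self.kind, self.public_ip = kind, public_ip
        self.ports = {}          # mapping key -> public port
        self.owner = {}          # public port -> private (ip, port)
        self.peers = {}          # public port -> remote endpoints contacted
        self.next_port = 12345   # later ports are constructed (12346, ...)

    def outbound(self, src, dst):
        """Client packet leaves; return the public (ip, port) the remote sees."""
        # Symmetric NAT keeps one mapping per destination, cone NATs one per
        # private endpoint.
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.ports:
            self.ports[key] = self.next_port
            self.owner[self.next_port] = src
            self.peers[self.next_port] = set()
            self.next_port += 1
        port = self.ports[key]
        self.peers[port].add(dst)
        return (self.public_ip, port)

    def inbound(self, remote, public_port):
        """Packet arrives from outside; return the private endpoint or None."""
        if public_port not in self.owner:
            return None
        peers = self.peers[public_port]
        if self.kind == FULL_CONE:
            allowed = True                                     # anyone
        elif self.kind == RESTRICTED:
            allowed = any(ip == remote[0] for ip, _ in peers)  # contacted IP
        else:
            allowed = remote in peers                          # exact IP:port
        return self.owner[public_port] if allowed else None


def stun_test(nat, client, dst, change_ip=False, change_port=False):
    """Binding Request to dst; the reply may come from the server's other
    IP and/or port. Returns the mapped address if the reply gets through."""
    mapped = nat.outbound(client, dst)
    reply_from = (ALT[0] if change_ip else dst[0],
                  ALT[1] if change_port else dst[1])
    return mapped if nat.inbound(reply_from, mapped[1]) == client else None


def classify(nat, client):
    test1 = stun_test(nat, client, SERVER)
    if test1 is None:
        return "udp-blocked"
    test2 = stun_test(nat, client, SERVER, change_ip=True, change_port=True)
    if test1 == client:              # mapped address equals the local address
        return "open-internet" if test2 else "symmetric-udp-firewall"
    if test2:
        return FULL_CONE
    if stun_test(nat, client, ALT) != test1:   # Test I again, second address
        return SYMMETRIC
    test3 = stun_test(nat, client, SERVER, change_port=True)
    return RESTRICTED if test3 else PORT_RESTRICTED
```

The `inbound` method is the part that matters for exposure: it decides which remote hosts can reach the client's port once a mapping exists, from any host (full cone) down to only the exact address and port the client contacted (port restricted and symmetric).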
Binding Lifetime Determination
[Figure: message sequence between STUN Client and NAT]
- Socket X: Bind Req.; Bind (Pa, Pp); Binding Resp. with MAPPED-ADDRESS (Pa, Pp)
- Start Timer T
- Socket Y: Another Binding Request, RESPONSE-ADDRESS is set to (Pa, Pp)
- If it receives Binding Response on socket X, the binding has not expired.
Binding Acquisition Procedure
[Figure: message sequence among STUN, Client 1, NAT and Client 2, with Control and Media paths]
- SIP Message
- RTP
- Shared Secret Request and Response
- Binding Request and Response (Pa, Pp)
- Binding Request and Response (Pa’, Pp’)
- RESPONSE-ADDRESS is set to (Pa, Pp)
STUN - Pros and Cons
- Benefits
  - No changes required in NAT
  - No changes required in Proxy
  - Works through most residential NAT
- Drawbacks
  - Doesn’t allow VoIP to work through Symmetric NAT
  - RTCP may not work
Is STUN suitable for Symmetric NAT
Absolutely not
[Figure: Client A (IP: 10.0.0.1, Port: 21); NAT (IP: 202.123.211.25, Port: 12345); Mapping Table: 10.0.0.1:21 <-> 12345 (for 222.111.99.1 : 20202); STUN Server (IP: 222.111.99.1, Port: 20202); Client B (IP: 222.111.88.2, Port: 10101)]
Solutions for Symmetric NATs
- Connection Oriented Media
- RTP-Relay
Connection Oriented Media
- The endpoint outside the NAT must wait until it receives a packet from the client before it can know where to reply
- Add a line to the SDP message (coming from the client behind the NAT)
  - a=direction:active
- The initiating client will “actively” set up the IP:port to which the endpoint should return RTP
  - The IP:port found in the SDP message should be ignored
Problem?
1) If the endpoint does not support the a=direction:active tag
2) If both endpoints are behind Symmetric NATs
RTP-Relay
For either of the cases considered in the previous slide, one solution is to have an RTP Relay in the middle of the RTP flow between endpoints.
The RTP Relay acts as the second endpoint to each of the actual endpoints that are attempting to communicate with each other.
Example
The following is a typical call flow that might be instantiated between a User Agent behind a symmetric NAT and a voice gateway on the open Internet.
[Figure: call flow with steps numbered 1 to 12 among UA, NAT, Proxy, RTP Relay, Voice Gateway and NAT]
TURN
- Traversal Using Relay NAT
- draft-rosenberg-midcom-turn-06.txt
[Figure: TURN Client (Private NET), NAT, TURN Server (Public Internet)]
Obtaining a One Time Password
[Figure: TURN Client, NAT, TURN Server]
1. Client generates and sends a Shared Secret Request (with no attribute)
2. TURN Server rejects it with a Shared Secret Error Response (code=401, containing NONCE and REALM)
3. Client generates a new Shared Secret Request (containing NONCE, REALM, USERNAME)
4. TURN Server generates a Shared Secret Response (containing USERNAME and PASSWORD)
Allocating a Binding
[Figure: TURN Client, NAT, TURN Server]
1. Client generates and sends an Initial Allocate Request (containing BANDWIDTH, LIFETIME, USERNAME, MESSAGE_INTEGRITY)
2. TURN Server generates and sends an Allocate Response (containing MAPPED_ADDRESS, LIFETIME, BANDWIDTH, MESSAGE_INTEGRITY)
Refreshing a Binding
[Figure: TURN Client, NAT, TURN Server]
1. Client generates and sends a Subsequent Allocate Request (containing LIFETIME, USERNAME, MESSAGE_INTEGRITY)
2. TURN Server generates and sends an Allocate Response (containing MAPPED_ADDRESS, LIFETIME, MESSAGE_INTEGRITY, MAGIC_COOKIE)
Sending Data
[Figure: TURN Client, NAT, TURN Server, Peer]
1. TURN Client generates and sends a Send Request (containing DESTINATION_ADDRESS, DATA)
2. TURN Server sets the default destination address to DESTINATION_ADDRESS and adds this address to the list of permissions. Then the TURN Server relays the data to the Peer.
3. TURN Server generates and sends a Send Response to the TURN Client.
Receiving Packet
[Figure: TURN Client, NAT, TURN Server, Peer]
1. Peer sends a packet to the mapped address of the TURN Client.
2. TURN Server checks whether the source IP address and port are listed amongst the set of permissions for the binding or not.
3. TURN Server checks whether the source IP address and port are equal to the default destination address or not.
4. TURN Server generates a Data Indication message to relay the packet to the TURN Client.
Tearing Down a Binding
[Figure: TURN Client, NAT, TURN Server]
1. Client generates and sends a Subsequent Allocate Request (containing LIFETIME=0)
2. TURN Server tears down the binding.
TURN – Pros and Cons
- Pros
  - No change required in NAT.
  - Work through firewall and all kinds of NAT.
- Cons
  - Long latency
  - Heavy load for TURN server