view the powerpoint tutorial here

Taken from SIP IllustratedSIP Illustrated – Advanced Topics Module

Better Communication

©

Glossary Exit

1 of 252006, sipknowledge

U-r-here

Exit this NAT/ALG

Tutorial/Demo SIP RFCs

Edition 3.0 - Mar/2005 (revised June/2006)

NAT/ALG

Use the hyperlinks to dive deeper

Use the arrow keys below to navigate

Start off your Journey …

Use Q&A links for follow up

Q.

Make sure you run in a…

… slide show mode (F5)




©

Glossary Exit


U-r-here

Exit this NAT/ALG



Preface: The home/office VoIP problem (Sound alert!)

Jeng is sitting at home in front of her PC. She has just installed a new (SIP-based) soft phone (Xten) on the PC. She can’t wait to use it to call her professor at school (on his soft phone) and tell him the good news… She locates the professor’s contact in her address book and clicks on it... You can try it yourself by clicking the red circle below. Looks like this is going to work. Is that so...?

Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router

68.87.66.196

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



NAT/ALG - Content

Note: Voice Narrations appear in the SIP Illustrated eLearning only in places where extra emphasize or clarifications are needed! This demo has no Voice Narrations.

• Intro …………………………………………………………………………………………………………………………………… 2-5

What NAT is ……………………………………………………………..………………………………………………...

4 Why we need ALG …………………………………………………………………………………………………....... 5 How ALG works ……………………………………………………………………………………………………...... 6-7

• ALG built in the phone – a detailed example ……………………………………………………………………………… 8

Overview ………………………………………………………………………………………………………………….... 9 Step 1 - resolving the host name of the web server …………………………………………………………. 10 Step 2 - receiving the IP address of the web server ………………………………………………………... 11 Step 3 - asking the web server for the NAT address ……………………………………………………….. 12 Step 4 - receiving the “NATTed” IP address of the PC ……………………………………………………. 13 Step 5 - Sending an INVITE req. to the outbound SIP proxy ………………………………………….. 14 Step 6 - Forwarding the INVITE to user B ……………………………………………………………………. 15 Step 7 - Stop (potential) retransmissions at A (100 Trying) ………………….............................. 16 Step 8 - user B’s phone is ringing ………………………………………………………………………………… 17 Step 9 - user A’s phone plays a Ring Back Tone …………………………………………………………….. 18 Step 10 - user B has picked up the phone ……………………………………………………………………… 19 Step 11 - user A’s phone receives an answer indication …………………………………………………… 20 Step 12 - Completing the SIP signaling handshake (ACK) ……………………………………………….. 21 Step 13 - Forwarding the ACK to user B ……………………………………………………………............... 22 Step 14 - Conversation time (first RTP - “Hello”) …………………………….................................... 23

play

stop



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Intro: What NAT is

NAT stands for "Network Address Translator". It is a network layer creature whose job in life is to "hide" hosts on a corporate or home private sub network by granting them on-the-fly "external" IP addresses when they send packets to the external IP world. The motivation behind this trick is to enable private networks reuse expensive and rare IPV4 addresses, which might be in "official" use by hosts on the public Internet or on other private networks. The NAT accomplishes the “hiding” task by mapping the internal IP address of the host (and port) to a public/routable one. In figure 1 below the NAT server maps the private IP address of user-A (10.1.1.1) to a public one, 157.55.0.1. User-B will therefore see incoming IP packets (from A) with the address 157.55.0.1. User-B will send IP packets back to A by using destination address of 157.55.0.1. The NAT server (based on its internal mapping/binding) will translate the IP address 157.55.0.1 back to the original private address, 10.1.1.1, and will then forward the packet to user-A.

Figure 1: A typical NAT server

NAT server

Private IP

Public IP Public IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Why we need ALGSeemingly, so far so good… However NAT and private IP domains introduce serious traversal problem for SIP networks. For instance, SIP endpoint, which “hides” in the private domain behind a NAT, would naturally populate the address related fields in a SIP message it generates with private IP address values (e.g. Contact: SIP:[email protected]:5060)! Same for the address fields in the SDP element (e.g. C = IN IP4 10.1.1.1). These values are not routable, meaning both SIP messages and RTP packets sent back to these addresses would not be able to reach these destinations. The figure below illustrates this problematic situation.

INVITE sip:[email protected] SIP/2.0 Via: SIP/2.0/UDP 10.1.1.1; branch=z9hG4bK1; <CRLF> Max-Forwards: 70From: BigGuy <sip:User-A@ 10.1.1.1:5060> ; tag=b66ks127ha To: LittleGuy <sip:[email protected]> <CRLF> Call-ID: [email protected]: 1 INVITE <CRLF> Contact: BigGuy <sip:[email protected]:5060>Content-Type: application/sdp <CRLF> Content-Length: 179v= 0 o= User-A 2890844526 2890844526 IN IP4 a.here.edus= A simple SDP Sessionc= IN IP4 10.1.1.1m= audio 49172 RTP/AVP 0 98

Private IP-address:port embedded in the SIP/SDP INVITE request.



©

Glossary Exit


U-r-here

Exit this NAT/ALG



How ALG worksALG (Application Layer Gateway) is one of the offered solutions to that problem. It is a piece of hardware or/and (application layer) software, which works together with the NAT. It replaces the private IP:port addresses in an outgoing SIP/SDP message with public ones. It then instructs the NAT to create public-private mapping accordingly. The incoming SIP and RTP packets will thus carry public IP addresses:ports, which will get mapped-back by the NAT to the original private IP addresses:ports of the SIP endpoint behind it. In the example below the private IP address of user-A, 10.1.1.1, is mapped to 157.55.0.1, and the private ports 5060 (SIP) and 49172 (RTP) are mapped to 2222 and 3333 respectively.

INVITE sip:[email protected] SIP/2.0 Via: SIP/2.0/UDP 157.55.0.1:2222;branch=z9hG4bK1; Max-Forwards: 70From: BigGuy <sip:User-A@ 157.55.0.1 :2222> ; tag=b66ks127ha To: LittleGuy <sip:[email protected]> <CRLF> Call-ID: [email protected]: 1 INVITE <CRLF> Contact: BigGuy <sip:User-A@ 157.55.0.1 :2222>Content-Type: application/sdp <CRLF> Content-Length: 179v= 0 o= User-A 2890844526 2890844526 IN IP4 a.here.edus= A simple SDP Sessionc= IN IP4 157.55.0.1 3333m= audio 49172 RTP/AVP 0 98

The Private IP-address:port, which is embedded in the SIP/SDP INVITE request, gets translated by the ALG to the NAT public ones.



©

Glossary Exit


U-r-here

Exit this NAT/ALG



How ALG works - continue

ALG and NAT therefore can be viewed as two components of the same solution. Normally they would be implemented by two applications sharing the same machine. The SIP signaling must always go through the ALG component. This will ensure it gets the right translation. The RTP media does NOT have to go through the ALG component, but can go directly through the NAT component. The NAT will make sure it correctly redirects/maps incoming RTP packets back to the end point (e.g. user-A in our example). Same for incoming SIP packets.

Figure 4: A typical NAT server + ALG NAT server

ALGSIP

RTPPrivate IP

Public IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



“brands.xten.net”

ALG Built in the phone – a detailed example

ALG may be also built-in a ‘smart’ SIP phone. The SIP phone in such a case can learn by various means about being located behind a NAT. These means include running the STUN protocol or other proprietary solutions (e.g. obtaining the public IP address of the NAT from a ‘special’ web server). What follows is a detailed example of a SIP call initiated by such a smart phone. The ‘smart’ phone, A, is used by a student (Jeng) from her home to call her Professor, who uses his SIP phone, B, at school. As can be seen below Jeng’s home is connected to the Internet via cable modem. Her home router acts as a NAT (since the IP addresses of the home devices are allocated by it locally). She uses SIP Xten soft phone on her PC (AKA CounterPath). The Call (signaling) goes via SIP proxy, which is located at the school domain.

Web server

Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router

68.87.66.196 64.69.76.10

Xten.comdomain

IP

http://www.ietf.org/rfc/rfc3489.txt



©

Glossary Exit


U-r-here

Exit this NAT/ALG



“brands.xten.net”

ALG Built in the phone – a detailed example - overview

The example includes the following steps:

Steps 1–4 - NAT discoverySteps 5–13 - Call setup (INVITE transaction utilizing the NAT info obtained in steps 1-4)Step 14 - Conversation (over RTP)

Next is a detailed breakdown of each step.

Web server

Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router

68.87.66.196 64.69.76.10

Xten.comdomain

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



step 1 - resolving the host name of the web server

Step 1: SIP phone, A, is configured with the Host name of HTTP (web) server in the Internet (brands.xten.net). It received via DHCP the IP address of the DNS server (along with its own IP address). It sends the DNS server a query for resolving the Host name of the web server to an IP address. (Note: The IP packet below was captured by a sniffer sitting on the LAN of the DNS server. That’s why the source IP address is the IP address of the NAT)

=> Click HERE to play the animation (and look below…) <=

Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router

MAC IP: Src add: 24.15.254.243 Dst add: 68.87.66.196

UDP: Src port: 1026 Dst port: 53

DNS: (brands.xten.net; IP address = ?)

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



step 2 - receiving the IP address of the web server

Step 2: The DNS server responds with the IP address of the web server. (Note: The DNS server saw source address of 24.15.254.243. i.e. the IP address of the home NAT. Thus it sends its response there. It does not know neither care that the source of the query sits behind a NAT. The NAT forwards the IP packet, which encapsulates the DNS response back to the PC, based on the mapping it created between the PC IP address (192.168.1.101) and the IP address of the DNS server (68.87.66.196)) => Click HERE to play the animation (and look below…) <=

Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 53 Dst port: 1026

DNS: (IP address is: 64.69.76.10)

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



step 3 - asking the web server for the NAT address

Step 3: The SIP client, A, establishes a TCP connection with the web server and sends over it an HTTP GET request. (Note: This is a non-standard trick used by Xten to implement the STUN idea.)


Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


TCP: Src port: 1082 Dst port: 80

HTTP: GET (“My NATTed IP address”)

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

IP

http://www.ietf.org/rfc/rfc3489.txt



©

Glossary Exit


U-r-here

Exit this NAT/ALG



step 4 - receiving the “NATTed” IP address of the PC

Step 4: The web server responds with the IP address of the NAT. (Note: next the PC will use this information to set up correctly the address related fields in the SIP INVITE and its SDP payload (and by doing so it practically implements ALG functionality!))


Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


TCP: Src port: 80 Dst port: 1082

DNS: (NAT IP address is: 24.15.154.243)

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



step 5 – Sending an INVITE req. to the outbound SIP proxy

Step 5: The Xten SIP client sends an INVITE request destined to the SIP proxy (Note: The PC Xten client is configured with the IP address of the SIP proxy (located at school). Every outgoing SIP request will be sent therefore to the proxy on/to the well known port)


Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 5060 Dst port: 5060 SIP: INVITE (user B)

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

IP

SIP: Request-URI: sip:[email protected]; Via: SIP/2.0/UDP 24.15.254.243:5060Contact:<sip:[email protected]:5060>;SDP: c= IN IP4 24.15.254.243; media port=8000



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Proxy129.119.110.17

step 6 – Forwarding the INVITE to user B (Sound alert!)

Step 6: The SIP proxy (looks up user B in its registry table and based on that) forwards the INVITE to endpoint B (Note: The school IP network is in the public domain (129.119.x.x))


Home Comcast School

DNSA

B192.168.1.101

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 1039 Dst port: 5060 SIP: INVITE (user B)

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

SIP: Request-URI: sip:[email protected]; Via: SIP/2.0/UDP 129.119.110.17:5060; Via: SIP/2.0/UDP 24.15.254.243:5060; Record Route: <sip:129.119.110.17:5060> Contact:<sip:[email protected]:5060>;SDP: c= IN IP4 24.15.254.243; media port=8000

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Proxy129.119.110.17

step 7 – Stop (potential) retransmissions at A (100 Trying)

Step 7: The SIP proxy sends ‘100 Trying’ back to A, (so A can now advance its state machine to the next state and halts potential retransmissions of the INVITE)


Home Comcast School

DNSA

B192.168.1.101

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 1039 Dst port: 5060 SIP: 100 Trying

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

SIP: SIP/2.0 100 TryingVia: SIP/2.0/UDP 24.15.254.243:5060

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Proxy129.119.110.17

step 8 – Letting user A know that user B’s phone is ringing

Step 8: B sends ‘180 Ringing’ back (to indicate that is has alerted the user) to the proxy (based on the top most Via header)


Home Comcast School

DNSA

B192.168.1.101

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 5060 Dst port: 5060 SIP: 180 Ringing

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

SIP: SIP/2.0 180 Ringing; Via: SIP/2.0/UDP 129.119.110.17:5060;Via: SIP/2.0/UDP 24.15.254.243:5060; Record-Route: <sip:129.119.110.17:5060>; Contact:<sip:[email protected]>

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Proxy129.119.110.17

step 9 - user A’s phone plays a Ring Back Tone (Sound alert!)

Step 9: The SIP proxy forwards the ‘180 Ringing’ back to A, (so based on that A knows it can play now a Ring Back Tone (RBT) to the user) Note: The NAT doesn’t touch the UDP header.


Home Comcast School

DNSA

B192.168.1.101

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 1039 Dst port: 5060 SIP: 180 Ringing

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

SIP: SIP/2.0 180 Ringing; Via: SIP/2.0/UDP 24.15.254.243:5060; Record-Route: <sip:129.119.110.17:5060>; Contact:<sip:[email protected]>

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Proxy129.119.110.17

step 10 - user B has picked up the phone

Step 10: B sends ‘200 OK’ back (to indicate that the user has picked up the phone) to the proxy (based on the top most Via header)


Home Comcast School

DNSA

B192.168.1.101

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 5060 Dst port: 5060 SIP: 200 OK

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

SIP: SIP/2.0 200 OK; Via: SIP/2.0/UDP 129.119.110.17:5060Via: SIP/2.0/UDP 24.15.254.243:5060; Record-Route: <sip:129.119.110.17:5060>; Contact:<sip:[email protected]>; SDP: c= IN IP4 129.119.110.19; media port =8386

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Proxy129.119.110.17

step 11 - user A’s phone receives an answer indication

Step 9: The SIP proxy forwards the ‘200 OK’ back to A, (so based on that A knows it can display/sound an answer indication to the user) Note: The NAT doesn’t touch the UDP header.


Home Comcast School

DNSA

B192.168.1.101

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 1039 Dst port: 5060 SIP: 200 OK

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

SIP: SIP/2.0 200 OK; Via: SIP/2.0/UDP 24.15.254.243:5060; Record-Route: <sip:129.119.110.17:5060>; Contact:<sip:[email protected]>; SDP: c= IN IP4 129.119.110.19; media port =8386

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



step 12 - Completing the SIP signaling handshake (ACK)

Step 12: The Xten SIP client sends an ACK request destined to the SIP proxy (Note: The proxy has Record Routed itself, so now by definition every request got to go via it regardless of the initial configuration)


Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 5060 Dst port: 5060 SIP: ACK (user B)

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

IP

SIP: Request-URI: sip:[email protected]; Via: SIP/2.0/UDP 24.15.254.243:5060Contact:<sip:[email protected]:5060>;Route: sip:129.119.110.17, sip:[email protected]



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Proxy129.119.110.17

step 13 – Forwarding the ACK to user B

Step 13: The SIP proxy forwards the ACK to endpoint B (Note: this can be done either based on the Route header or based on registry table lookup)


Home Comcast School

DNSA

B192.168.1.101

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 1039 Dst port: 5060 SIP: ACK (user B)

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

SIP: Request-URI: sip:[email protected]; Via: SIP/2.0/UDP 129.119.110.17:5060; Via: SIP/2.0/UDP 24.15.254.243:5060; Route: <sip:[email protected]> Contact:<sip:[email protected]:5060>;

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



step 14 - Conversation time (first RTP - “Hello”) (Sound alert!)

Step 14: User B says “hello”. SIP client B encapsulates the bits, which represent the user’s voice in G.711 over RTP, and sends it directly to A (i.e. the proxy is not in the media loop) (Note: check out the port numbers below. Compare them with the ones, which were advertised in the SDP payloads!)


Home Comcast School

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router


UDP: Src port: 8386 Dst port: 8000 RTP: “Hello”

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

IP



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Post mortem – a surprise!

Taking the approach of “do not confuse me with the facts…” we cheated a little bit…In our Lab experiment the first RTP packet was really sent by B right after step 12. i.e. before receiving the ACK. Commercial SIP clients have a tendency of doing that. The idea is to reduce call setup time. This phenomena is known as “early media”. The draw back is the possibility of running into an embarrassing case when the ‘200 OK’ gets lost, and client A has no way yet to send media back (nor RTCP receiver reports) to B (as the SDP is part of the ‘200 OK’). However in general things seem to work.

DNSA

BProxy192.168.1.101

129.119.110.17

129.119.110.19

192.168.1.1/24.15.254.243NAT/

Router

68.87.66.196 “brands.xten.net” 64.69.76.10

Web server

Xten.comdomain

IP

“Please, do not confuse me with the facts…”



©

Glossary Exit


U-r-here

Exit this NAT/ALG



Help/about

Next Page

Prev Page

Last Page

First Page

HELP (In case you haven’t noticed how you got here… :-))

Last Page Viewed

Edition: 3.0 ; By: sipknowledge.Web: www.sipknowledge.comMail: [email protected]

return to last page viewed

view the powerpoint tutorial here

Documents