NAT Traversal for VoIP

NAT Traversal for VoIPJonathan RosenbergCisco Fellow# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_ID# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_ID1 2005, Cisco Systems, Inc. All rights reserved.Presentation_ID.scrWhat is NAT?Network Address Translation (NAT)Creates address binding between internal private and external public addressModifies IP Addresses/Ports in PacketsBenefitsAvoids network renumbering on change of providerAllows multiplexing of multiple private addresses into a single public address ($$ savings)Maintains privacy of internal addressesClientNATNATS: 1.2.3.4:8877D: 67.22.3.1:80Binding Table

Internal External10.0.1.1:6554 -> 1.2.3.4:8877S: 10.0.1.1:6554D: 67.22.3.1:80IP PktIP Pkt# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_ID2 2005, Cisco Systems, Inc. All rights reserved.Presentation_ID.scrWhy is this bad for SIP?Client will generate SIP INVITE and 200 OK responses with private addresses In the SDP as the target for receipt of media In the Contact of a REGISTER as the target for incoming INVITEIn the Via of a request as the target for the responseRecipient will not be able to send packets to this private address Media is discarded Incoming calls are not delivered Responses are not receivedClientNATINVITE

Send media to10.0.1.1:8228# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDWhy is this bad for SIP?Client will generate SIP INVITE and 200 OK responses with private addresses In the SDP as the target for receipt of media In the Contact of a REGISTER as the target for incoming INVITEIn the Via of a request as the target for the responseRecipient will not be able to send packets to this private address Media is discarded Incoming calls are not delivered Responses are not receivedClientNATINVITE

Send media to10.0.1.1:8228Hardest problem,solved by ICESolved by SIPOutboundSolved by rport(RFC 3581)# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDSolution SpaceApplication Layer Gateways (ALGs)Session Border Controllers (SBC)Simple Traversal of UDP Through NAT (STUN)Traversal Using Relay NAT (TURN)Universal Plug N Play (UPnP)Interactive Connectivity Establishment (ICE)# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDALG: The obvious solution?The NAT rewrites source IP of SIP packet, but not contentsWhy not have NAT rewrite the contents of the SIP packet also (Application Layer Gateway (ALG))?Numerous big problems Requires SIP security mechanisms to be disabled Hard to diagnose problems Requires network upgrade in all NAT Frequent implementation problems Incentives mismatched Anathema to the concept of the InternetClientNATINVITE

Send media to1.2.3.4:6290INVITE

Send media to10.0.1.1:8228S: 10.0.1.1:6554D: 67.22.3.1:80S: 1.2.3.4:8877D: 67.22.3.1:80Binding Table

Internal External10.0.1.1:6554 -> 1.2.3.4:887710.0.1.1:8228 -> 1.2.3.4:6290# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDSession Border Controllers (SBC)Close cousin of the ALGClient pointed to SBC as its outbound proxySBC forwards requests to actual SIP proxyWhen receiving an INVITE from client, SBC rewrites SDP to point to itself

SIPProxyINVITESBCINVITE

Send media to10.0.1.1:8228INVITE

Send media to1.2.3.4:800NAT# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDSession Border Controllers (SBC)When 200 OK is received by SBC, it rewrites SDP to point to itself again Different port than used in offer

SIPProxy200 OKSBC200 OK

Send media to1.2.3.4:802200 OK

Send media to12.13.14.15:100NAT# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDSession Border Controllers (SBC)End result is that each agent will send RTP packets towards the SBCThis creates a binding in intervening NATSBC remembers source IP of RTP packets from each sideSBC relays packets back towards each source

SIPProxySBCNATRTPPackets# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDClassic STUNClient discovers presence and type of NAT at startupIf NAT is a good NAT, it can use STUNAt call setup time, gathers a server reflexive candidate from STUN server and includes it in m/c-line of INVITEProblems Doesnt work with bad NAT Doesnt work if both behind same NAT NAT type classification known to be inaccurateSTUN RequestSTUNResponse1.2.3.4:8866INVITE1.2.3.4:8866200 OKACKRTP

NATSTUNServerSIPProxy# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDTURNAt call setup time, agent gathers a relayed candidate from STUN relay server and includes it in m/c-line of INVITECall flow much like STUN caseMedia always relayed through STUN relaySTUN RequestSTUNResponse9.7.6.5:8866INVITE9.7.6.5:8866200 OKACKRTP

NATSTUNServerSIPProxy# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDUPnPUniversal Plug N PlaySimilar to STUN, in that client learns its IP and port on the public side of NATHowever, client talks to the NAT, not through it No separate STUN serverNAT discovered via multicastUPnP RequestUPnPResponse9.7.6.5:8866INVITE9.7.6.5:8866200 OKACKRTP

NATSIPProxy# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 1: AllocationBefore Making a Call, the Client Gathers CandidatesEach candidate is a potential address for receiving mediaThree different types of candidates Host Candidates Server Reflexive Candidates Relayed Candidates

RelayHostCandidates resideon the agent itselfServer Reflexive candidatesare addresses residing on a NATNATNATRelayed candidates reside on a host actingas a relay towards theagent# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDUsing STUN to Obtain CandidatesServer reflexive and relayed candidates are learned by talking to a STUN server using the Relay UsageClient sends query to STUN relay serverQuery passes through NAT, creates bindingsSTUN relay server allocates a relayed address and also reports back source address of request to client This will be the server reflexive address

STUNServer1.2.3.4:1000NATNAT12.13.14.15:820010.0.1.1:500AllocateRequestAllocateResponsereflexive=1.2.3.4:1000relayed=12.13.14.15:8200# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 2: PrioritizationType-Preference: Preference for type (host, server reflexive, relayed)Usually 0 for relayed, 126 for hostLocal Preference: Amongst candidates of same type, preference for themIf host is multihomed, preference by interfaceIf host has multiple STUN servers, preference for that serverComponent ID as described previouslyThis algorithm is only SHOULD strengthpriority = (2^24)*(type preference) +(2^8)*(local preference) +(2^0)*(256 - component ID) Local PreferenceComponent IDType Preference32 bits# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDEncoding the OfferEach candidate is placed into an a=candidate attribute of the offerEach candidate line hasIP address and portComponent IDFoundationTransport ProtocolPriorityTypeRelated Address

v=0 o=jdoe 2890844526 2890842807 IN IP4 10.0.1.1 s= c=IN IP4 192.0.2.3 t=0 0 a=ice-pwd:asd88fgpdd777uzjYhagZg a=ice-ufrag:8hhY m=audio 45664 RTP/AVP 0 a=rtpmap:0 PCMU/8000 a=candidate:1 1 UDP 2130706178 10.0.1.1 8998 typ local a=candidate:2 1 UDP 1694498562 192.0.2.3 45664 typ srflx raddr 10.0.1.1 rport 8998 # 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 3: InitiationCaller sends a SIP INVITE as normalNo ICE processing by proxiesSIP itself traverses NAT using SIP outbound and rport

SIPProxyINVITE# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 4: AllocationCalled party does exactly same processing as caller and obtains its candidatesRecommended to not yet ring the phone!

STUNServerNATNATAllocateRequestAllocateResponse# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 5: InformationCaller sends a provisional response containing its SDP with candidates and prioritiesCan also happen in 2xx, but this flow is bestProvisional response is periodically retransmittedAs with INVITE, no processing by proxiesPhone has still not rung yet

SIPProxy1xx# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 6: VerificationEach agent pairs up its candidates (local) with its peers (remote) to form candidate pairsEach agent sends a connectivity check every 20ms, in pair priority order Binding Request from the local candidate to the remote candidateUpon receipt of the request the peer agent generates a response Contains a mapped address indicating the source IP and port seen in the requestIf the response is received the check has succeededSTUNServerNATNAT

STUNServerNATNAT

12345# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDPeer Reflexive CandidatesConnectivity checks can produce additional candidatesPeer reflexive candidatesTypically happens when there is a symmetric NAT between usersPeer reflexive candidate will be discovered by both usersFor user A, from the ResponseFor user B, from the RequestAllows direct media even in the presence of symmetric NAT!

SymNATNAT allocates new binding towards BSTUN RequestSTUN ResponseABB informs A of new bindingA learns a new local candidate towards B!# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 7: Coordination ICE needs to finalize on a candidate pair for each component of each media streamMore than one may workEach agent needs to conclude on the same set of pairsFinalization takes place without SIP signaling all through STUN One agent acts as the controlling agent Controlling agent includes a flag in its STUN request indicating completion

# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 8: CommunicationMedia can flow in each direction once pairs have been selected by the controlling agent for each componentAllows early media in both directionsSTUNServerNATNAT

STUNServerNATNAT

# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDICE Step 9: Confirmation200 OK and ACK work as normal200 mirrors SDP from provisionalIf m/c-line in original INVITE didnt match candidate pairs selected by ICE, controlling agent does a re-INVITE to place them in m/c-lineRe-INVITE ensures that middleboxes have the correct media address QoS installation (i.e., IMS or Packetcable) Diagnostic tools Monitoring applications Firewalls

OffererAnswererRe-INVITE200 OK200 OKACKACK# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDComparison: MetricsRequires client changes?Requires proxy changes?Requires addition of new box?Requires NAT support?Reduces or eliminates usage of relays?Good security?Works through broad range of NAT and firewalls?Works for other applications besides SIP?Fast call setup?Operator cost?

# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDComparison TableCriteriaALGSBCSTUNTURNUPnPICEClient Changes?NNYYYYProxy Changes?NY (SBC)NNNNNAT Changes?YNNNYNNew Box?NYYYNYMinimize Relays?MostlyNoYes when it worksNoMostlyYesSecurityAwfulNot greatGoodGoodAwfulExcellentWorks broadly?No (has to be there)Mostly no TCP storyNoYesNo (has to be there)YesNon-SIP?YesNoYesYesYesYesFast call setup?No increaseNo increaseSlight increaseSlight increaseSlight increaseModerate increaseOperator CostN/AVery highModerateHighN/AMinimal possibleAreas of ICE strengths# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_IDMarket Adoption of NAT TechnologiesEnterprises SIP support needed primarily for Centrex Mostly provided by ALG Some SBC support Beginning interests in ICE through MSFTFacilities-Based Service Providers Almost entirely SBCs Cable now formally adopting ICE in Packetcable 2.0 Being added as optional in IMS R7 though some challenges remain in wireless applicability

Application Service Providers Mix of SBCs, STUN and ICE ICE is attractive here due to cost minimization# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_ID

# 2005 Cisco Systems, Inc. All rights reserved.Session NumberPresentation_ID28 2005, Cisco Systems, Inc. All rights reserved.Presentation_ID.scr