NAT Traversal for VoIP
Ai-Chun Pang
Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr.
National Taiwan University
What is NAT
NAT - Network Address Translation
RFC 3022 - Traditional IP Network Address Translator
RFC 1918 - Address Allocation for Private Internets (BCP 5)
RFC 2993 - Architectural Implications of NAT
RFC 3027 - Protocol Complications with the IP Network Address Translator
RFC 3235 - Network Address Translator (NAT)-Friendly Application Design Guidelines
Converts IP addresses (possibly with port multiplexing) between the private and public realms
Works at the network and transport layers
Transparent to the application
[Figure: NAT translation example. Private host 192.168.5.2 sends from port 8765 to server 39.39.88.9 port 80. The NAT (public address 54.38.54.49) rewrites the source address to 54.38.54.49:8765 and records the entry DA 39.39.88.9, DP 80, SA 192.168.5.2, SP 8765. The reply from 39.39.88.9:80 to 54.38.54.49:8765 is matched against that entry and its destination is rewritten back to 192.168.5.2:8765.]
Flavors of NAT [1/3]
Static NAT
Requires as many globally routable IP addresses as there are hosts in the private network
The mapping between internal and external addresses is configured manually
The mapping is intended to persist for a long period of time
Flavors of NAT [2/3]
Dynamic NAT
The public IP addresses are collected into an address pool
A host connecting to the outside network is allocated an external IP address from the pool managed by the NAT
Flavors of NAT [3/3]
NAPT (Network Address and Port Translation)
A special case of dynamic NAT
Uses port numbers as the basis for the address translation, so many private hosts can share one public address
Most commonly used
NAT Schematic
[Figure: NAT schematic. Computer A (192.168.0.5, port 80) and Computer B (192.168.0.8, port 80) sit behind a NAT whose public address is 140.113.131.89; the mapping table holds 192.168.0.5:80 <-> 10080 and 192.168.0.8:80 <-> 20080. Inside the NAT box: a DHCP server on the private NIC, a DHCP client on the public NIC, and the forwarding engine toward the public Internet.]
Types of NAT
Full Cone
Restricted Cone
Port Restricted Cone
Symmetric
Full Cone NAT
Client sends a packet to public address A.
NAT allocates a public port (12345) for private port (21) on the client.
Any incoming packet (from A or B) to public port 12345 is dispatched to private port 21 on the client.
[Figure: client 10.0.0.1:21 behind NAT 202.123.211.25, mapping table 10.0.0.1:21 <-> 12345; Computer A 222.111.99.1:20202 and Computer B 222.111.88.2:10101 can both reach port 12345.]
Restricted Cone NAT [1/2]
Client sends a packet to public address A.
NAT allocates a public port (12345) for private port (21) on the client.
Only incoming packets from A's IP address to public port 12345 are dispatched to private port 21 on the client; packets from B are dropped.
[Figure: client 10.0.0.1:21 behind NAT 202.123.211.25, mapping table 10.0.0.1:21 <-> 12345 (for A); Computer A 222.111.99.1:20202, Computer B 222.111.88.2:10101.]
Restricted Cone NAT [2/2]
Client sends another packet to public address B.
NAT reuses the allocated public port (12345) for private port (21) on the client.
Incoming packets from B to public port 12345 are now dispatched to private port 21 on the client as well.
[Figure: mapping table 10.0.0.1:21 <-> 12345 (for A) and 10.0.0.1:21 <-> 12345 (for B); Computer A 222.111.99.1:20202, Computer B 222.111.88.2:10101.]
Port Restricted Cone NAT
Client sends a packet to public address A at port 20202.
NAT allocates a public port (12345) for private port (21) on the client.
Only incoming packets from address A and port 20202 to public port 12345 are dispatched to private port 21 on the client; a packet from A's port 30303 is dropped until the client has also sent to that port.
[Figure: mapping table 10.0.0.1:21 <-> 12345 (for A : 20202) and 10.0.0.1:21 <-> 12345 (for A : 30303); Computer A 222.111.99.1 with ports 20202 and 30303.]
Symmetric NAT
NAT allocates a new public port each time the client sends a packet to a different public address and port
Only incoming packets from the originally mapped public address and port are dispatched to the private port on the client
[Figure: client 10.0.0.1:21 behind NAT 202.123.211.25; mapping table 10.0.0.1:21 <-> 12345 (for A : 20202) and 10.0.0.1:21 <-> 45678 (for B : 10101); Computer A 222.111.99.1:20202, Computer B 222.111.88.2:10101.]
VoIP Protocol and NAT
NAT translates IP addresses and port numbers at the network and transport layers
Problem 1:
SIP, H.323, Megaco and MGCP are application-layer protocols, but they carry IP address and port information inside their messages, and NAT does not translate it
Problem 2:
A private client must send an outgoing packet first (to create a mapping on the NAT) before it can receive incoming packets
Solutions for Problem I
Objectives
Discover the mapped public IP and port for a private IP and port
Use the mapped public IP and port in application-layer messages
Keep this mapping valid
Issues
The NAT automatically allocates a public port for a private address and port when needed
The NAT releases the mapping when the public port is "idle":
No TCP connection on the port
No UDP traffic on the port for some period
Keep-alive: hold a TCP connection open to the destination, or send a UDP packet to the destination at a fixed interval shorter than the NAT's idle timeout
NAT Solutions
IPv6 (Internet Protocol Version 6)
UPnP (Universal Plug-and-Play)
UPnP Forum - http://www.upnp.org/
Proprietary protocols of the NAT/Firewall
SIP ALG (Application Level Gateway)
SIP extensions for NAT traversal
RFC 3581
Works for SIP signalling only; cannot help RTP pass through the NAT
STUN (Simple Traversal of UDP Through Network Address Translators)
RFC 3489
Works except for symmetric NAT
TURN (Traversal Using Relay NAT)
Internet Draft
Designed for symmetric NAT
Two Distinct Cases – NAT Deployment [1/2]
Case I : SIP Provider is the IP Network Provider
Two Distinct Cases – NAT Deployment [2/2]
Case II : SIP Provider is NOT IP Network Provider
Solution for Case I – ALG [1/2]
Separate the application-layer NAT from the IP-layer NAT
SIP control traffic: Proxy Server/ALG
RTP: Firewall/NAT packet filter
Decomposed Firewall/NAT
Centralized (master/slave) architecture
Proxy Server/ALG: master
Firewall/NAT: slave
Advantages
Better scaling
Load balancing
Low cost
Solution for Case I – ALG [2/2]
[Figure: call flow among PC, Proxy and Firewall/NAT: INVITE from the PC; the proxy sends a BIND REQ to the firewall/NAT and receives a BINDING; the proxy forwards the INVITE; 200 OK comes back through the proxy; the proxy sends OPEN to the firewall/NAT; ACK is forwarded.]
A control protocol between application-layer NATs and IP-layer NATs
Main requirements
Binding Request: give a private address, obtain a public address
Binding Release
Open Hole (firewall)
Close Hole (firewall)
Proposed Solution for Case II
A much harder problem
No way to control the firewall or NAT
Cascading NATs
Variable firewall/NAT behaviors
Proposed Solution
Make SIP "NAT-friendly"
Minor extensions
Addresses the issues for SIP only, not RTP
Accepted by the IETF (RFC 3581)
Develop a protocol for traversal of UDP through NAT
Works for RTP
Also supports other applications
SIP Extension to NAT Friendly [1/2]
Client Behavior
Include an "rport" parameter in the topmost Via header field
This parameter MUST have no value
It serves as a flag
The client SHOULD retransmit its INVITE every 20 seconds if UDP is used for transport
To keep the NAT binding fresh
SIP Extension to NAT Friendly [2/2]
Server Behavior
Examine the topmost Via header field value of the request
If it contains an "rport" parameter, add to that Via:
A "received" parameter set to the source IP address the request arrived from
An "rport" parameter set to the source port the request arrived from
The response MUST be sent to the IP address listed in the "received" parameter and the port in the "rport" parameter
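The client and server behaviour above, as an added example that is not part of the original slides: a minimal Via parser, the client-side flag, and the server-side decision of where the response goes. It handles only the IPv4 "host:port" form of sent-by, and the no-rport branch follows the plain RFC 3261 rule (response to the sent-by port), which is exactly what breaks behind a NAPT; the header values and the public address 202.123.211.25:12345 are sample values taken from the slides.

```python
from typing import Dict, Optional, Tuple

def parse_via(via: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Via header field value into its sent-protocol/sent-by part and
    its parameters. A flag parameter such as a bare "rport" maps to None."""
    parts = [p.strip() for p in via.split(";")]
    params: Dict[str, Optional[str]] = {}
    for p in parts[1:]:
        name, sep, value = p.partition("=")
        params[name.lower()] = value if sep else None
    return parts[0], params

def build_via(sent_by: str, params: Dict[str, Optional[str]]) -> str:
    pieces = [sent_by]
    for name, value in params.items():
        pieces.append(name if value is None else f"{name}={value}")
    return ";".join(pieces)

def client_via(private_ip: str, private_port: int, branch: str) -> str:
    """Client behaviour: rport is present but carries no value (a flag)."""
    return build_via(f"SIP/2.0/UDP {private_ip}:{private_port}",
                     {"branch": branch, "rport": None})

def response_destination(request_via: str, source_ip: str, source_port: int):
    """Server behaviour: given the source IP:port the request actually arrived
    from (the NAT's public side), return (rewritten top Via, (ip, port) to
    send the response to). IPv4 "host:port" sent-by only."""
    sent_by, params = parse_via(request_via)
    host_port = sent_by.split(None, 1)[1]      # "SIP/2.0/UDP 10.0.0.1:5060" -> "10.0.0.1:5060"
    host, _, port = host_port.partition(":")
    if "rport" in params:
        # RFC 3581: record both the source address and the source port, and answer
        # to exactly that pair so the reply re-enters the mapping the request created.
        params["received"] = source_ip
        params["rport"] = str(source_port)
        return build_via(sent_by, params), (source_ip, source_port)
    # Without rport only the RFC 3261 rule applies: add "received" when the source
    # address differs from sent-by, but the port still comes from sent-by. Behind a
    # NAPT that port is normally not mapped, so the response never arrives.
    if host != source_ip:
        params["received"] = source_ip
    dest_port = int(port) if port else 5060
    return build_via(sent_by, params), (params.get("received", host), dest_port)
```

The branch value is an arbitrary constructed string; any RFC 3261 branch works. Note that the server trusts the datagram's source address for "received", which is correct by the RFC: it is the only address a reply can reach through the NAT.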
UPnP [1/2]
Universal Plug and Play
Pushed by Microsoft (used by Windows Messenger)
A UPnP-aware client can ask the UPnP-enabled NAT how it would map a particular IP:port
It does not work in the case of cascading NATs (the client can only control the NAT on its own link)
http://www.upnp.org/
UPnP [2/2]
[Figure: private network A containing a UPnP-aware device, a UPnP-enabled NAT, and host B on the public Internet. The UPnP-enabled NAT lets A learn its external IP, after which B and A can communicate with each other.]
UPnP Operation
Query the NAT's private IP address
Query the NAT's public IP address
Request the NAT to create a port mapping
External Query
A server sits listening for packets (a NAT probe)
When it receives a packet, it replies from the same port to the packet's source with the IP:port it sees
[Figure: client 10.0.0.1:8000 behind a NAT sends to the NAT probe on the public Internet; the probe sees 202.123.211.25:12345.]
STUN
Simple Traversal of UDP Through NAT
RFC 3489
Developed in the IETF MIDCOM working group
Simple protocol
Works with existing NATs
Main features
Allows a client to discover the presence of a NAT
Works in multi-NAT environments
Allows a client to discover the type of NAT
Allows a client to discover the binding lifetime
Stateless servers
STUN Server
Allows a client to discover whether it is behind a NAT, what type of NAT it is, and the public address and port the NAT will use
A simple protocol, easy to implement, little load
[Figure: client 10.0.0.1:5060 behind NAT 202.123.211.25; STUN server 222.111.99.1:20202 on the public Internet.]
The client wants to receive packets at port 5060
It sends a query to the STUN server from port 5060
The STUN server receives the packet from 202.123.211.25 port 12345
The STUN server sends a response to the client telling it that its public address is 202.123.211.25 port 12345
Binding Acquisition
The STUN server can be ANYWHERE on the public Internet
The call flow then proceeds normally
STUN Message Flow
STUN Message [1/3]
TLV (type-length-value) encoding
Starts with a STUN header, followed by a STUN payload (a series of STUN attributes depending on the message type)
Format
STUN Header | STUN Payload (zero or more attribute blocks)
STUN Message [2/3]
Header: Message Type (16 bits) | Message Length (16 bits) | Transaction ID (128 bits)
Message Types
0x0001: Binding Request
0x0101: Binding Response
0x0111: Binding Error Response
0x0002: Shared Secret Request
0x0102: Shared Secret Response
0x0112: Shared Secret Error Response
STUN Message [3/3]
Attribute: Attribute Type (16 bits) | Attribute Length (16 bits) | Attribute Value (variable length)
Attribute Types
0x0001: MAPPED-ADDRESS
0x0002: RESPONSE-ADDRESS
0x0003: CHANGE-REQUEST
0x0004: SOURCE-ADDRESS
0x0005: CHANGED-ADDRESS
0x0006: USERNAME
0x0007: PASSWORD
0x0008: MESSAGE-INTEGRITY
0x0009: ERROR-CODE
0x000a: UNKNOWN-ATTRIBUTES
0x000b: REFLECTED-FROM
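The header and attribute layout above, as an added example (not code from the slides or from any STUN implementation): an encoder and a parser for the RFC 3489 wire format, run through both sides of one Binding transaction. The parser enforces the checks a client needs before trusting a reported mapping: the length field must match the datagram, the 128-bit transaction ID must echo the request (an off-path host cannot guess it), and when a shared secret is in use a MESSAGE-INTEGRITY attribute (HMAC-SHA1 over the preceding bytes, zero-padded to a multiple of 64 as RFC 3489 specifies) is mandatory and verified. Only IPv4 MAPPED-ADDRESS is decoded; the address 202.123.211.25:12345 and the key string are sample values.

```python
import hashlib
import hmac
import os
import socket
import struct
from typing import Dict, List, Optional, Tuple

# RFC 3489 message and attribute types used here
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
MESSAGE_INTEGRITY = 0x0008

HEADER_LEN = 20   # 16-bit type, 16-bit length, 128-bit transaction ID
IPV4 = 0x01       # address family byte inside MAPPED-ADDRESS
HMAC_LEN = 20     # HMAC-SHA1 digest size

def new_transaction_id() -> bytes:
    # 128 random bits: a response is accepted only if it echoes this value, which
    # is what stops an off-path host from feeding the client a fake mapping.
    return os.urandom(16)

def encode_attribute(atype: int, value: bytes) -> bytes:
    return struct.pack("!HH", atype, len(value)) + value

def integrity(covered: bytes, key: bytes) -> bytes:
    # RFC 3489: HMAC-SHA1 over the message up to the attribute preceding
    # MESSAGE-INTEGRITY, zero-padded to a multiple of 64 bytes.
    covered += b"\x00" * ((-len(covered)) % 64)
    return hmac.new(key, covered, hashlib.sha1).digest()

def encode_message(msg_type: int, txid: bytes,
                   attrs: List[Tuple[int, bytes]], key: Optional[bytes] = None) -> bytes:
    body = b"".join(encode_attribute(t, v) for t, v in attrs)
    if key is None:
        return struct.pack("!HH", msg_type, len(body)) + txid + body
    # The length field counts the trailing MESSAGE-INTEGRITY attribute (4 + 20 bytes).
    head = struct.pack("!HH", msg_type, len(body) + 4 + HMAC_LEN) + txid
    return head + body + encode_attribute(MESSAGE_INTEGRITY, integrity(head + body, key))

def encode_mapped_address(ip: str, port: int) -> bytes:
    return struct.pack("!BBH4s", 0, IPV4, port, socket.inet_aton(ip))

def decode_mapped_address(value: bytes) -> Tuple[str, int]:
    _, family, port, addr = struct.unpack("!BBH4s", value)
    if family != IPV4:
        raise ValueError("only IPv4 MAPPED-ADDRESS is handled here")
    return socket.inet_ntoa(addr), port

def decode_message(data: bytes, expected_txid: Optional[bytes] = None,
                   key: Optional[bytes] = None) -> Tuple[int, bytes, Dict[int, bytes]]:
    """Parse a STUN datagram with length and transaction-ID checks; when a key
    is given, a valid MESSAGE-INTEGRITY attribute is mandatory."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated STUN header")
    msg_type, length = struct.unpack("!HH", data[:4])
    txid = data[4:HEADER_LEN]
    if length != len(data) - HEADER_LEN:
        raise ValueError("length field does not match datagram size")
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: stale or spoofed response")
    attrs: Dict[int, bytes] = {}
    offset, verified = HEADER_LEN, key is None
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[offset:offset + 4])
        value = data[offset + 4:offset + 4 + alen]
        if len(value) != alen:
            raise ValueError("attribute runs past end of message")
        if atype == MESSAGE_INTEGRITY:
            if key is not None:
                verified = hmac.compare_digest(integrity(data[:offset], key), value)
            break  # anything after MESSAGE-INTEGRITY is not covered by the HMAC
        attrs[atype] = value
        offset += 4 + alen
    if not verified:
        raise ValueError("MESSAGE-INTEGRITY missing or invalid")
    return msg_type, txid, attrs

def binding_exchange(public_ip: str, public_port: int, key: Optional[bytes] = None) -> Tuple[str, int]:
    """Both sides of one Binding transaction. public_ip:public_port is the source
    the server sees, i.e. the NAT's public side (sample values from the slides)."""
    txid = new_transaction_id()
    request = encode_message(BINDING_REQUEST, txid, [], key)                  # client -> server
    req_type, req_txid, _ = decode_message(request, key=key)                  # server parses
    if req_type != BINDING_REQUEST:
        raise ValueError("unexpected message type")
    response = encode_message(BINDING_RESPONSE, req_txid,                    # server -> client
                              [(MAPPED_ADDRESS, encode_mapped_address(public_ip, public_port))], key)
    resp_type, _, attrs = decode_message(response, expected_txid=txid, key=key)  # client parses
    if resp_type != BINDING_RESPONSE:
        raise ValueError("binding failed")
    return decode_mapped_address(attrs[MAPPED_ADDRESS])
```

Unknown attribute types are simply collected in the returned dictionary; a full client would additionally honour ERROR-CODE and UNKNOWN-ATTRIBUTES, and the Shared Secret exchange that supplies the key is not modelled here.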
Automatic Detection of NAT Environment [1/2]
[Figure: STUN client in its NAT environment; STUN server with two addresses (IP1, IP2) and two ports (Port1, Port2). Tests I, II and III are sent to IP1:Port1, with the reply coming from IP1:Port1, IP2:Port2 and IP1:Port2 respectively; Test IV repeats Test I toward IP2:Port2.]
Automatic Detection of NAT Environment [2/2]
Test I: response? No: UDP blocked. Yes: is the mapped IP and port the same as the original (local) one?
Same (no NAT): Test II: response? Yes: Open Internet. No: Symmetric UDP firewall.
Different (behind a NAT): Test II: response? Yes: Full Cone NAT.
No: Test IV: is the mapped IP and port the same as in Test I? No: Symmetric NAT.
Yes: Test III: response? Yes: Restricted NAT. No: Port Restricted NAT.
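The four NAT types from the "Types of NAT" slides and the detection tree above, as one added example (not code from the slides or from any STUN implementation): a toy NAPT that implements the mapping and filtering rules of each type, a STUN server with two addresses and two ports, and the RFC 3489 classification run against each NAT. The last function shows Problem 2 from the "VoIP Protocol and NAT" slide: whether a peer's RTP can reach the address the client learned from STUN, before and after the client sends to that peer, which is where the symmetric case fails. Server addresses 222.111.99.1/222.111.99.2 with ports 3478/3479 are constructed; the client and peer addresses are the slides' sample values. A "Symmetric UDP firewall" is not modelled.

```python
import itertools
from enum import Enum
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]

class NatType(Enum):
    FULL_CONE = "Full Cone"
    RESTRICTED_CONE = "Restricted Cone"
    PORT_RESTRICTED_CONE = "Port Restricted Cone"
    SYMMETRIC = "Symmetric"

class Nat:
    """Toy NAPT reproducing the four mapping/filtering behaviours of RFC 3489."""

    def __init__(self, kind: NatType, public_ip: str, first_port: int = 12345):
        self.kind, self.public_ip = kind, public_ip
        self._ports = itertools.count(first_port)
        self._mappings: Dict[tuple, int] = {}              # mapping key -> public port
        self._bindings: Dict[int, Tuple[Addr, Set]] = {}   # public port -> (private, allowed senders)

    def _mapping_key(self, private: Addr, dest: Addr) -> tuple:
        # Symmetric: a fresh public port per destination; cone types: one per private socket.
        return (private, dest) if self.kind is NatType.SYMMETRIC else (private,)

    def _filter_key(self, remote: Addr):
        if self.kind is NatType.FULL_CONE:
            return None          # anyone may send in
        if self.kind is NatType.RESTRICTED_CONE:
            return remote[0]     # any port of an IP the client has contacted
        return remote            # port restricted and symmetric: exact IP and port

    def outbound(self, private: Addr, dest: Addr) -> Addr:
        """Private host sends to dest; returns the public address the packet leaves with."""
        key = self._mapping_key(private, dest)
        port = self._mappings.get(key)
        if port is None:
            port = next(self._ports)
            self._mappings[key] = port
            self._bindings[port] = (private, set())
        self._bindings[port][1].add(self._filter_key(dest))
        return (self.public_ip, port)

    def inbound(self, src: Addr, public: Addr) -> Optional[Addr]:
        """Packet from src arrives at a public address; returns the private
        destination, or None if there is no mapping or the filter drops it."""
        if public[0] != self.public_ip or public[1] not in self._bindings:
            return None
        private, allowed = self._bindings[public[1]]
        return private if self._filter_key(src) in allowed else None

# STUN server with two addresses and two ports (constructed sample values)
IP1, IP2, PORT1, PORT2 = "222.111.99.1", "222.111.99.2", 3478, 3479

def stun_test(nat: Optional[Nat], client: Addr, to: Addr, reply_from: Addr) -> Optional[Addr]:
    """One STUN test: the client sends a Binding Request to `to`; the server answers
    from `reply_from` (selected by CHANGE-REQUEST). Returns the MAPPED-ADDRESS the
    client learns, or None if the reply does not get back through the NAT."""
    if nat is None:                                      # no NAT in the path
        return client
    mapped = nat.outbound(client, to)
    return mapped if nat.inbound(reply_from, mapped) == client else None

def classify(nat: Optional[Nat], client: Addr = ("10.0.0.1", 5060)) -> str:
    """The RFC 3489 decision tree of the flowchart above."""
    mapped = stun_test(nat, client, (IP1, PORT1), (IP1, PORT1))    # Test I
    if mapped is None:
        return "UDP blocked"
    test2 = stun_test(nat, client, (IP1, PORT1), (IP2, PORT2))     # Test II: change IP and port
    if mapped == client:
        return "Open Internet" if test2 else "Symmetric UDP firewall"
    if test2:
        return NatType.FULL_CONE.value
    mapped2 = stun_test(nat, client, (IP2, PORT2), (IP2, PORT2))   # Test IV: Test I toward IP2:Port2
    if mapped2 != mapped:
        return NatType.SYMMETRIC.value
    test3 = stun_test(nat, client, (IP1, PORT1), (IP1, PORT2))     # Test III: change port only
    return NatType.RESTRICTED_CONE.value if test3 else NatType.PORT_RESTRICTED_CONE.value

def peer_reaches_client(nat: Nat, client: Addr, peer: Addr, client_sends_first: bool) -> bool:
    """Problem 2: the client advertises the address learned from the STUN server;
    can a peer's RTP reach it, with or without an outgoing packet to the peer first?"""
    mapped = stun_test(nat, client, (IP1, PORT1), (IP1, PORT1))
    if mapped is None:
        return False
    if client_sends_first:
        nat.outbound(client, peer)   # opens the filter; a symmetric NAT uses a different public port
    return nat.inbound(peer, mapped) == client
```

The restricted and port-restricted cases show why Problem 2 is a sequencing issue (send first, then receive), while the symmetric case shows why STUN alone cannot fix it: the port the STUN server reported is never the port the peer's traffic would use.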
Binding Lifetime Determination
[Figure: STUN client with sockets X and Y, NAT, STUN server.]
The client sends a Binding Request from socket X; the NAT creates the binding (Pa, Pp)
The Binding Response carries MAPPED-ADDRESS (Pa, Pp); the client starts timer T
When T expires, the client sends another Binding Request from socket Y with RESPONSE-ADDRESS set to (Pa, Pp)
If the Binding Response arrives on socket X, the binding has not expired; repeating this with different values of T determines the binding lifetime
Binding Acquisition Procedure
[Figure: Client 1 behind a NAT, STUN server, and Client 2. Control path: SIP messages; media path: RTP. Client 1 exchanges a Shared Secret Request/Response with the STUN server, then a Binding Request/Response yielding (Pa, Pp), then a second Binding Request/Response yielding (Pa', Pp') with RESPONSE-ADDRESS set to (Pa, Pp).]
STUN - Pros and Cons
Benefits
No changes required in the NAT
No changes required in the proxy
Works through multi-NAT environments
Drawbacks
Does not allow VoIP to work through a symmetric NAT
Is STUN suitable for Symmetric NAT
Absolutely not
[Figure: Client A 10.0.0.1:21 behind NAT 202.123.211.25; mapping table 10.0.0.1:21 <-> 12345 (for 222.111.99.1 : 20202); STUN server 222.111.99.1:20202; Client B 222.111.88.2:10101.]
The public port 12345 reported by the STUN server is bound to the server's address and port only: when Client B sends to 202.123.211.25:12345 the NAT drops it, and when Client A sends to B the NAT allocates a different public port, so the address advertised in the SIP/SDP message is useless to B
Solutions for Symmetric NATs
Connection Oriented Media
RTP-Relay
Connection Oriented Media
The endpoint outside the NAT must wait until it receives a packet from the client before it knows where to reply
The client behind the NAT adds a line to its SDP message:
a=direction:active
The initiating client will "actively" set up the IP:port to which the endpoint should return RTP
The IP:port found in the SDP message should be ignored
Problems?
1) If the endpoint does not support the a=direction:active attribute
2) If both endpoints are behind symmetric NATs
RTP-Relay
For either of the cases on the previous slide, one solution is to place an RTP Relay in the middle of the RTP flow between the endpoints.
The RTP Relay acts as the second endpoint toward each of the actual endpoints that are attempting to communicate with each other.
Example
[Figure: call flow (steps 1-12) among a UA behind a NAT, a proxy, an RTP Relay and a voice gateway; the individual steps are not recoverable from the slide.]
The following is a typical call flow that might be instantiated between a User Agent behind a symmetric NAT and a voice gateway on the open Internet.
TURN
Traversal Using Relay NAT
draft-rosenberg-midcom-turn-06.txt
[Figure: TURN client in the private network, NAT, TURN server on the public Internet.]
Obtaining a One Time Password
1. The client generates and sends a Shared Secret Request (with no attributes)
2. The TURN server rejects it with a Shared Secret Error Response (code 401, containing NONCE and REALM)
3. The client generates a new Shared Secret Request (containing NONCE, REALM and USERNAME)
4. The TURN server returns a Shared Secret Response (containing USERNAME and PASSWORD)
Allocating a Binding
1. The client generates and sends an initial Allocate Request (containing BANDWIDTH, LIFETIME, USERNAME and MESSAGE-INTEGRITY)
2. The TURN server generates and sends an Allocate Response (containing MAPPED-ADDRESS, LIFETIME, BANDWIDTH and MESSAGE-INTEGRITY)
Refreshing a Binding
1. The client generates and sends a subsequent Allocate Request (containing LIFETIME, USERNAME and MESSAGE-INTEGRITY)
2. The TURN server generates and sends an Allocate Response (containing MAPPED-ADDRESS, LIFETIME, MESSAGE-INTEGRITY and MAGIC-COOKIE)
Sending Data
1. The TURN client generates and sends a Send Request (containing DESTINATION-ADDRESS and DATA)
2. The TURN server sets the default destination address to DESTINATION-ADDRESS and adds this address to the permission list; it then relays the data to the peer
3. The TURN server generates and sends a Send Response to the TURN client
Receiving Packet
1. The peer sends a packet to the mapped address of the TURN client
2. The TURN server checks whether the source IP address and port are listed among the permissions for the binding; if not, the packet is dropped
3. Otherwise the TURN server generates a Data Indication message to relay the packet to the TURN client
Tearing Down a Binding
1. The client generates and sends a subsequent Allocate Request with LIFETIME=0
2. The TURN server tears down the binding
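The allocate / send / receive / tear-down lifecycle above, as an added example that is not code from the slides or from the TURN draft: a toy TURN server that tracks one relayed address per client, enforces the permission list built by Send Requests, expires bindings by LIFETIME, and tears them down on LIFETIME=0. The one-time-password exchange and MESSAGE-INTEGRITY are assumed to have already been checked on each request and are not modelled; the 600-second LIFETIME cap, the relay address 222.111.99.1 and the starting port 49152 are assumptions, and the client and peer addresses are the slides' sample values. The clock is injectable so expiry can be exercised without waiting.

```python
import itertools
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

Addr = Tuple[str, int]

@dataclass
class Allocation:
    client: Addr                  # client's address as the server sees it (NAT public side)
    relay: Addr                   # MAPPED-ADDRESS returned in the Allocate Response
    expiry: float
    permissions: Set[Addr] = field(default_factory=set)
    default_dest: Optional[Addr] = None

class TurnServer:
    MAX_LIFETIME = 600.0          # assumed server policy: cap on the requested LIFETIME (seconds)

    def __init__(self, relay_ip: str, first_port: int = 49152,
                 clock: Callable[[], float] = time.monotonic):
        self.relay_ip, self.clock = relay_ip, clock
        self._ports = itertools.count(first_port)
        self.by_client: Dict[Addr, Allocation] = {}
        self.by_relay: Dict[Addr, Allocation] = {}
        self.to_peers: List[Tuple[Addr, Addr, bytes]] = []    # (from relay addr, to peer, data)
        self.to_clients: List[Tuple[Addr, Addr, bytes]] = []  # Data Indications: (client, peer, data)

    def _expire(self) -> None:
        now = self.clock()
        for alloc in [a for a in self.by_client.values() if a.expiry <= now]:
            self._drop(alloc)

    def _drop(self, alloc: Allocation) -> None:
        del self.by_client[alloc.client]
        del self.by_relay[alloc.relay]

    def allocate(self, client: Addr, lifetime: float) -> Optional[Tuple[Addr, float]]:
        """Initial or subsequent Allocate Request. Returns (MAPPED-ADDRESS, LIFETIME),
        or None when LIFETIME=0 tears the binding down."""
        self._expire()
        alloc = self.by_client.get(client)
        if lifetime <= 0:
            if alloc is not None:
                self._drop(alloc)
            return None
        lifetime = min(lifetime, self.MAX_LIFETIME)
        if alloc is None:
            alloc = Allocation(client, (self.relay_ip, next(self._ports)), 0.0)
            self.by_client[client] = self.by_relay[alloc.relay] = alloc
        alloc.expiry = self.clock() + lifetime
        return alloc.relay, lifetime

    def send(self, client: Addr, dest: Addr, data: bytes) -> bool:
        """Send Request: relay data to dest, make dest the default destination
        and add it to the permission list, as the slides describe."""
        self._expire()
        alloc = self.by_client.get(client)
        if alloc is None:
            return False
        alloc.permissions.add(dest)
        alloc.default_dest = dest
        self.to_peers.append((alloc.relay, dest, data))
        return True

    def receive(self, src: Addr, relay: Addr, data: bytes) -> bool:
        """Packet from a peer arrives at a relayed address. Only sources the client
        has already sent to are forwarded (as a Data Indication); anything else is
        dropped, so the relay cannot be used to push traffic at the client."""
        self._expire()
        alloc = self.by_relay.get(relay)
        if alloc is None or src not in alloc.permissions:
            return False
        self.to_clients.append((alloc.client, src, data))
        return True
```

Because the permission key is the full IP and port, a peer that changes its source port (or a different host) is dropped until the client sends to that exact address, which is the relay-side equivalent of the port-restricted filter described earlier in the slides.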
TURN – Pros and Cons
Pros
No change required in the NAT
Works through firewalls and all kinds of NAT
Cons
Long latency, since all media is relayed through the server