NATs and Firewalls
Network Address Translation (NAT) devices change IP addresses, and often port numbers as well, as packets pass through them. Because addresses and port numbers are also carried inside SIP messages (for example in the Via and Contact headers) and inside the SDP body (the c= and m= lines), a user agent behind a NAT writes its private address and port into the signalling, and those values are unreachable from the far side of the NAT. Hence there is a problem!
Fredrik Thernelius looked at this in detail in his M.Sc. thesis “SIP, NAT, and Firewalls” [Thernelius 2000]. See also the other documents at http://www.cs.columbia.edu/sip/drafts_firewall.html
Note: CNAMEs in RTCP (the SDES canonical name, typically of the form user@host) may need to be rewritten by the Network Address Translation (NAT) device so that private network addresses are not leaked to the outside.
Two mechanisms developed to help deal with NATs:
- Simple Traversal of User Datagram Protocol Through Network Address Translators (STUN): a UA sends a request to a server outside the NAT and learns the address and port its traffic appears to come from, then places that pair in its SDP rather than its private address. (The protocol was later revised and renamed Session Traversal Utilities for NAT [RFC 5389].)
- Globally Routable User Agent URI (GRUU) [RFC 5627]: a SIP URI which can be used by anyone on the Internet to route a request to a specific UA instance.
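The STUN exchange described above, worked through end to end, as an added example that is not part of the original slide and not code from Thernelius's thesis. It assumes the RFC 5389 wire format (20-byte header with the 0x2112A442 magic cookie, TLV attributes padded to 32 bits, and the XOR-MAPPED-ADDRESS attribute); the private address 192.168.1.10:49170 and the mapping 203.0.113.7:61042 are constructed sample values, and the server reply is built locally so the code runs offline instead of sending UDP to a real STUN server.

```python
import ipaddress
import os
import re
import struct

# Message types, attribute types and constants from RFC 5389 (assumed format).
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_SUCCESS = 0x0101
STUN_MAGIC_COOKIE = 0x2112A442
ATTR_MAPPED_ADDRESS = 0x0001        # classic STUN (RFC 3489) form
ATTR_XOR_MAPPED_ADDRESS = 0x0020    # RFC 5389 form: address XORed with the cookie
FAMILY_IPV4 = 0x01

# Constructed sample SDP as a UA behind a NAT would generate it: the c= and m=
# lines carry the UA's private address and the local RTP port.
PRIVATE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def build_binding_request(txid=None):
    """Return (datagram, txid) for a STUN Binding Request with no attributes."""
    txid = txid if txid is not None else os.urandom(12)
    return struct.pack("!HHI12s", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE, txid), txid


def build_binding_response(txid, mapped_ip, mapped_port):
    """Constructed server reply carrying XOR-MAPPED-ADDRESS (stands in for a real server)."""
    xport = mapped_port ^ (STUN_MAGIC_COOKIE >> 16)
    xaddr = int(ipaddress.IPv4Address(mapped_ip)) ^ STUN_MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, FAMILY_IPV4, xport, xaddr)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", STUN_BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE, txid) + attr


def parse_binding_response(data, expected_txid):
    """Return (ip, port) learned from a Binding Response, or raise ValueError.

    Validates type, cookie, transaction ID and length before trusting any
    attribute, so a stray or spoofed datagram cannot plant an address in our SDP.
    """
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, mlen, cookie, txid = struct.unpack("!HHI12s", data[:20])
    if mtype != STUN_BINDING_SUCCESS or cookie != STUN_MAGIC_COOKIE:
        raise ValueError("not a STUN Binding success response")
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch")
    if len(data) != 20 + mlen:
        raise ValueError("length field disagrees with datagram size")
    pos = 20
    while pos + 4 <= len(data):
        atype, alen = struct.unpack("!HH", data[pos:pos + 4])
        value = data[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated attribute")
        pos += 4 + ((alen + 3) & ~3)   # attributes are padded to 32-bit boundaries
        if atype in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS) and alen == 8:
            _, family, port, addr = struct.unpack("!BBHI", value)
            if family != FAMILY_IPV4:
                continue
            if atype == ATTR_XOR_MAPPED_ADDRESS:
                port ^= STUN_MAGIC_COOKIE >> 16
                addr ^= STUN_MAGIC_COOKIE
            return str(ipaddress.IPv4Address(addr)), port
    raise ValueError("no mapped address in response")


def rewrite_sdp(sdp, public_ip, public_port):
    """Replace the c= address and the audio m= port with the STUN-learned pair."""
    sdp = re.sub(r"^(c=IN IP4 )\S+", lambda m: m.group(1) + public_ip, sdp, flags=re.M)
    return re.sub(r"^(m=audio )\d+", lambda m: m.group(1) + str(public_port), sdp, flags=re.M)


def demo(local_ip="192.168.1.10", local_port=49170):
    """Full flow: request, (constructed) reply, parse, fix up the SDP."""
    _req, txid = build_binding_request()
    # A real client sends _req from its RTP socket to the STUN server and reads
    # the reply from the same socket; here the NAT is assumed to have mapped
    # 192.168.1.10:49170 to 203.0.113.7:61042 (constructed values).
    resp = build_binding_response(txid, "203.0.113.7", 61042)
    ip, port = parse_binding_response(resp, txid)
    if (ip, port) == (local_ip, local_port):
        return PRIVATE_SDP          # no NAT in the path: nothing to rewrite
    return rewrite_sdp(PRIVATE_SDP, ip, port)
```

The request must be sent from the very socket that will carry the RTP, since the NAT binding is per local address and port. As the transcript notes, this is still not enough for every NAT: one whose mapping depends on the destination address (an address-dependent or "symmetric" NAT) will hand the peer a different external port than the one the STUN server saw, so the address written into the SDP is wrong for that peer.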
Slide Notes
Fredrik Thernelius, “SIP, NAT, and Firewalls”, M.Sc. Thesis, Royal Institute of Technology (KTH), Department of Teleinformatics, Stockholm, Sweden, May 2000, https://urn.kb.se/resolve?urn=urn%3Anbn%3Ase%3Akth%3Adiva-93546
J. Rosenberg, Obtaining and Using Globally Routable User Agent URIs (GRUUs) in the Session Initiation Protocol (SIP), Internet Request for Comments, ISSN 2070-1721, RFC 5627, RFC Editor, October 2009, http://www.rfc-editor.org/rfc/rfc5627.txt
Transcript
[slide367] Now, all of you are familiar with network address translation devices, right? They got introduced because of the problems with shortage of IPv4 addresses. Personally, I think they're one of the worst things that ever happened. Because the problem is, it let the problem persist, it didn't solve the problem, and we have a difficulty in VoIP. Why? Think about what the content of the SDP has in it. It has IP addresses and port numbers. But those are the IP addresses and port numbers as seen by the clients and servers, right? The two parties or the several parties are communicating. What happens to their address on the other side of the NAT? It's a different address, right? And potentially a different port number. So the problem is, NAT basically horribly destroys SIP-based communications. Well, Fredrik Thernelius in a thesis called "SIP, NAT, and Firewalls" came up with the first approach of how you could actually manage to have VoIP sessions go past NATs. Now, one of the outcomes has been the use of a protocol called STUN, the Simple Traversal of User Datagram Protocol through Network Address Translators. And basically the idea here is, you have a party outside the NAT, you send traffic to them, and you learn what your address is on the other side of the NAT. Now you put in your SDP your external address, and when you send it off, you know the address that it looks like you're really using. Does that work in all cases? No, it turns out, because there are a variety of NATs; depending on who you're sending the packet to, you might have both different addresses and different port numbers. So it gets much more complex than one might think. There's also, we talked about yesterday, this Globally Routable User Agent Universal Resource Indicator, the GRUU, to talk to a specific user agent.