
Network Address Translation


Typically, hole punching will fail due to a combination of address or port mapping and address or port dependent filtering, such as that shown in Figure 10.14. When hole punching fails, a media relay must be used that is in the public Internet and reachable by both hosts. TURN is a protocol used by a UA to acquire a media relay transport address to use as a fallback when hole punching fails.

10.14 TURN: Traversal Using Relays Around NAT

TURN is a protocol extension of STUN used for acquiring and configuring a remote relay. TURN has been in development in the IETF for many years. Earlier versions were quite different, and even had a different title: traversal using relay NAT. The current version is [16] and will soon be published as an RFC.

A server operating as a TURN relay uses significant resources on the server. For one thing, each media stream relayed uses up double the bandwidth of the stream (incoming bandwidth + outgoing bandwidth). Also, the relay must process and forward each packet. Media relays also introduce delay (latency) and add extra IP routing hops, which increase the chance of packet loss. As a result, the use of TURN should be minimized for an efficient Internet communication or VoIP system.

Figure 10.14 Hole punching example.


SIP: Understanding the Session Initiation Protocol

10.15 ICE: Interactive Connectivity Establishment

Interactive connectivity establishment (ICE) is the solution to the problem of when to use hole punching and when to use a media relay. ICE is an IETF protocol that standardizes hole punching and is an optimal methodology. Users of ICE gather as many transport addresses as they can (the private and public address pairs in the previous section on hole punching are only a minimum). The addresses are listed in order, so that the most preferred are tested first. A media relay (TURN) address is included as the lowest priority address. After the candidate addresses are exchanged using a SIP offer/answer exchange, both sides begin hole punching, noting successes and failures at the end. Both sides choose the highest priority working transport pairs. In the worst case, this might be the media relay address if the NATs in the path make hole punching fail. The basic call flow is shown in Figure 10.15.

The following is an example set of address candidates in SDP. You can see the two candidate addresses used by Host A in the previous hole punching examples.

v=0
o=hosta 2890844526 2890842807 IN IP4 192.168.0.1
s=-
c=IN IP4 23.3.2.9
t=0 0
a=ice-pwd:a8fgdfpdd777uzjYhagZg
a=ice-ufrag:88fgdhhY
m=audio 4219 RTP/AVP 0
a=rtpmap:0 PCMU/8000
a=candidate:1 1 UDP 13d0706431 192.168.0.1 1234 typ host
a=candidate:2 1 UDP 69d4498152 23.3.2.9 4219 typ srflx raddr 192.168.0.1 rport 1234

Figure 10.15 ICE call flow.

Besides NAT traversal, ICE has other benefits. For example, address candidates can include both IPv4 and IPv6 addresses for dual stack UAs. As such, ICE can help in the transition between IPv4 and IPv6. ICE also includes keepalives to ensure that UDP mappings through NATs do not expire. ICE also provides a level of media authorization. When both UAs use ICE, media will only flow after a successful ICE check exchange. This ensures that both UAs are willing to send and receive media. Compare this to the case without ICE, where a UA will start sending media to the address listed in the SDP without any check or verification. For example, a denial of service packet flood could be introduced by sending a high definition video server an INVITE that includes the address of the target. The target will then receive the video stream without the ability to stop or understand it.
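The following added example (not from the book) parses a=candidate lines, orders them by the RFC 5245 priority formula, and releases media only to a candidate whose connectivity check succeeded, never to the unverified c= address. It ranks remote candidates only rather than full candidate pairs; the relay address 198.51.100.7, the function names, and the check results passed in are assumptions.

```python
# Added illustration; OFFER and the check results passed in are constructed.
import re

# Type preferences recommended by RFC 5245 (higher is more preferred).
TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}

def priority(typ, component=1, local_pref=65535):
    """Candidate priority formula from RFC 5245, section 4.1.2.1."""
    return (TYPE_PREF[typ] << 24) + (local_pref << 8) + (256 - component)

# Host A's offer with well-formed priorities plus a constructed relay candidate.
OFFER = """v=0
o=hosta 2890844526 2890842807 IN IP4 192.168.0.1
s=-
c=IN IP4 23.3.2.9
t=0 0
m=audio 4219 RTP/AVP 0
a=candidate:3 1 UDP {r} 198.51.100.7 50000 typ relay raddr 23.3.2.9 rport 4219
a=candidate:2 1 UDP {s} 23.3.2.9 4219 typ srflx raddr 192.168.0.1 rport 1234
a=candidate:1 1 UDP {h} 192.168.0.1 1234 typ host
""".format(h=priority("host"), s=priority("srflx"), r=priority("relay"))

# foundation, component, transport, priority, address, port, type
CAND = re.compile(r"^a=candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)")

def parse_candidates(sdp):
    """Return the candidates in an SDP body, most preferred first."""
    found = []
    for line in sdp.splitlines():
        m = CAND.match(line.strip())
        if m:
            found.append({"addr": (m[5], int(m[6])), "typ": m[7],
                          "priority": int(m[4])})
    return sorted(found, key=lambda c: c["priority"], reverse=True)

def select_media_target(sdp, passed_checks):
    """Return the highest-priority candidate address whose connectivity check
    succeeded, or None. None means send no media: the address in the c= line
    is never used as an unverified fallback."""
    for cand in parse_candidates(sdp):
        if cand["addr"] in passed_checks:
            return cand["addr"]
    return None
```

With an empty set of passed checks the function returns None, which is the media authorization property described above: an address merely named in the SDP receives nothing.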

10.16 Conclusion

This chapter has looked at the history, justification, and operation of Network Address Translation. The effect of NAT on SIP and RTP has also been discussed. Various approaches to the traversal of SIP and RTP through NAT have been covered, including hole punching, relays, STUN, TURN, and ICE. These are summarized in Table 10.4. For more examples of SIP NAT traversal, see the Best Current Practices for SIP NAT Traversal document [17].

Table 10.4 Summary of SIP and RTP NAT Traversal

SIP Symmetric Routing (rport)
Symmetric RTP
Outbound
STUN
ICE
TURN
RTCP port attribute


10.17 Questions

Q10.1 In a few paragraphs, explain how NATs came to be and why they are popular today.

Q10.2 Explain the operation of an address and port dependent mapping NAT that has two IP addresses (19.34.2.1 and 19.34.2.2) assigned to it. Use three examples of UDP packets sent from 192.168.1.101 port 42194 to 204.32.44.21 port 413, 31.32.56.5 port 443, and 204.32.44.21 port 9753. Use port parity preservation in your examples.

Q10.3 Is an endpoint independent mapping NAT or an address dependent mapping NAT more friendly to Internet communications? Why?

Q10.4 Deduce as many properties of the NAT below as you can based on the information in the following tables.

X = 10.0.100.1
X1 = 73.42.4.1
X2 = 73.42.4.8
Y1 = 118.3.4.2
Y2 = 65.65.4.3

Active NAT Mapping Table

10.0.100.1:8080   maps to   73.42.4.1:3420
10.0.100.1:4343   maps to   73.42.4.1:7433
10.0.100.1:8080   maps to   73.42.4.8:3212

Filtering Table

73.42.4.8:3212   118.3.4.2:*
73.42.4.8:7433   118.3.4.2:*
73.42.4.1:3420   65.65.4.3:*

Q10.5 Explain the advantages and disadvantages of a SIP user agent supporting ICE.

Q10.6 For the packets of Question Q10.2, assume that each UDP packet contains a SIP OPTIONS request. Show the Via header field in each of the three 200 OK responses, assuming that the user agent has implemented appropriate SIP NAT traversal extensions.

Q10.7 Consider the hole punching scenario shown next.