Intertex Data AB, Sweden Firewall Traversal Bringing SIP to the LAN Prepared for: Session Initiation Protocol 2002 By: Karl Erik Ståhl President Intertex Data AB Chairman Ingate Systems AB [email protected] © 2002 Intertex Data AB 1
Intertex Data AB, Sweden
Firewall TraversalBringing SIP to the LAN
Prepared for: Session Initiation Protocol 2002 By: Karl Erik Ståhl
President Intertex Data ABChairman Ingate Systems [email protected]
© 2002 Intertex Data AB 1
© 2002 Intertex Data AB 2
VoIP as we have seen it…
InternetPC
PCWanna talkto me?
Do we want the PC as a phone?
Gateway
Internet
Gateway
STO
LA
Are cheaper phone bills all we want?
© 2002 Intertex Data AB 3
VoIP as we have seen it…
VoIP between branch offices
Gateway
PSTN
Europe
IP
InternetVPN VPN
USGateway
IP
- But NOT globally to others!
© 2002 Intertex Data AB 4
Hmm, didn’t we pass this stage…
Paper was a very compatible media - So is POTS today…
But we need to move beyond!
PSTN
printer
fax
Organization 1Email system 1
Organization 2Email system 2
fax faxfax
© 2002 Intertex Data AB 5
What about universal connectivity?
Wouldn’t that be fine?
Black Phone
RJ45
LAN Intranet Internet
IP Phone
PSTN
RJ11
IAP
Firewall/NAT problems! IP PhoneIP Phone
IP Phone
IP Phone
SIPServer PSTN
SIP/PSTNGateway
Internet
Home LANBusiness LAN
DSLCableMTU
VoIP and SIP Services Out to the Edge
Operator network with NAT
NATFirewall
NAT
XP
PIM
Status until now:SIP is the Protocol for IP Communication Person-to-Person,BUT IT DOES NOT REACH THE EDGE!
© 2002 Intertex Data AB 7
An extension to SIP in progress
See: http://www.jdrosen.net/papers/draft-rosenberg-impp-presence-00.txt
A single, extended standard instead of today's players
• ICQ• AOL Instant Messenger• Yahoo! Messenger• MSN Messenger• And more
Presence and Instant Messaging
Used in Windows XP
SIP
SIP
What Microsoft Has Done So Far
Progressed embedded End-to-end platform
Announced update PC-to-phone
provider choice & new UI
4255551212
Released Windows XP Windows Messenger
and rich APIs
10:s of miljons of RTC (SIP) users within a year
© 2002 Intertex Data AB 9
Windows XP: ECS (Exchange Conferencing Server)SIP based whiteboard, chat, video, audio, app
sharing…
© 2002 Intertex Data AB 10
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops… !Even with public IP addresses inside
© 2002 Intertex Data AB 11
SIP NAT/PAT Problems
NAT & PAT Problems:Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with privateIP addresses inside
© 2002 Intertex Data AB 12
Suggested Solutions
Dynamically controlled Firewall/NATs [Aravox, …]
Midcom: By Firewall Control Proxy [Dynamicsoft…]
uPnP: By the client (Windows) [Microsoft]
SIP aware Firewall/NATs (SIP Proxy + Registrar)
[Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG)
[Cisco,… TLS not possible]
Making SIP NAT friendly, Drafts in progress: • draft-rosenberg-sipping-nat-scenarios-00.txt• draft-rosenberg-midcom-stun-01.txt• draft-ietf-sip-nat-01.txt
© 2002 Intertex Data AB 13
Adding SIP Support to a Firewall
Important components:Firewall & NAT
Dynamic Firewall Engine
SIPProxy
SIP Proxy Server, controlling the firewall
UserLocation
SIP Registrar, user location information
FirewallControl
Protocol Communication between
SIP Proxy and firewall
© 2002 Intertex Data AB 14
NAT Friendly SIP
Mods to SIP, SDPSIGNALLING
Route new signalling through this open path
For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server
LANRTP
IP Phone
FirewallNAT
RTPProxy
NAT
IP Phone
LAN
SIPRegistrar
INTERNET
Use STUN to find out “looks” from outside
STUNServer
Keep registrar NAT path (TCP or UDP) always open by frequent registrations
RTP media streams always start from inside + symmetric
RTPSIP clientsneed upgrade
New servers on the net
Firewall/NAT problems!
Firewall/NAT SIP transparency! IP PhoneIP Phone
IP Phone
IP Phone
SIPServer PSTN
SIP/PSTNGateway
Operator network with NAT
Internet
Home LAN
NATFirewall
NAT
Business LAN
DSLCableMTU
DMZinGateSIParator
SIP Enabling the Private Networks
inGateFirewall
IP Phone IP Phone
IP Phone
SELECT
SET ALT CFG E T 1
A I
R
U S B
E T 2
W A N
T X D
R X D
ADR CFG DHP RST LQ
TX RX
SC IX66
IAP
IX66
Home User
USASweden
Internet
Just Another Internet Service…
IX66
IAP
Home LAN
Enterprise LAN
XP
inGateFirewall
SOHO LAN
IX66
XP
Helsinki PSTNSIP/PSTNGateway
DNSSRV
DMZinGateSIParator
XP
Ingate Linköping LAN
IX66
Intertex Stockholm LAN
Sweden
17
IP Communications Using IP NetworksIP Communications Using IP Networks
• Intranet IP VPN with IP communications• Domestic and global IP communications• PBX and PSTN – E.164 resolution
Customer Customer PremisesPremises
PBX PSTN Phone
ManagedServices
Router
Vmail OSS
SIP Phone
WorldComPSTN
DialingPlans
Network GWY
Conf
PSTN Phone
IM
IN
EnterpriseGateway
SIP Routing
Firewall
SIP Server
IP VPN
Global IP Comm
Intranet IP Comm
…other…
Many call routing options:• Private/Public IP address• DNS and DNS SRV records• SIP aware NAT/PAT servers
Henry Sinnreich 4/10/2002
WorldComPublic
IP Network
18
IP Communications Using IP NetworksIP Communications Using IP Networks
PBX PSTN Phone
ManagedServices
Router
Vmail OSS
SIP Phone
WorldComPSTN
DialingPlans
Network GWY
Conf
PSTN Phone
IM
IN
EnterpriseGateway
SIP Routing
Firewall
SIP Server
IP VPN
Global IP Comm
Intranet IP Comm
…other…
Integration with existing phones
SIP Capable FirewallIngate and IntertexFirst through SIT
Customer Customer PremisesPremises
No IP PBX Needed!
Enhanced Functionality
Enterprise LAN
WorldComPublic
IP Network
© 2002 Intertex Data AB 19
Product Examples – Ingate Systems AB
A Complete Firewall An add-on to an Existing Firewall
DMZ
Existing Firewall
Firewall & NAT/PAT SIP Proxy SIP Registrar
Enterprise Products
Firewall 1400 SIParator 40
© 2002 Intertex Data AB 20
Internet
IP Phone
DMZinGateSIParator
IP Phone
Existing Firewall
The Ingate SIParator
© 2002 Intertex Data AB 21
The Ingate SIParator
Existing Firewall InternetLANPrivate IP Addresses
SIP traffic(5060 UDP/TCP)
RTP traffic(UDP port interval)
SIParator
RTP ProxyNAT/PATEngine
SIP Proxy
DMZ
SIP Registrar
© 2002 Intertex Data AB 22
Product Examples – Intertex Data AB
IX66 Internet Gate with or withoutADSL modem built-in
OEM as: Telia SurfinBird Gate PowerBit SafeGateReview at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
SOHO Products
© 2002 Intertex Data AB 23
The Intertex IX66 Internet Gate
A closer look
Firewall & NAT/PAT SIP Proxy and Registrar DHCP Server and Client WEB Server for configuration Smart Card Reader for security applications SIP Appliance Control, LAC via expansion port
SELECT
SET ALT CFG E T 1
A I
R
U S B
E T 2
W A N
T X D
R X D
ADR CFG DHP RST LQ
TX RX
SC
Optional ADSLand Splitter Built-in
Internet Appliances Control
http://www. research.telcordia.com/iapp/index.shtml
© 2002 Intertex Data AB 25
SIP Capable Firewalls!
Ingate Systems ABwww.ingate.comBox 10013, Slakthusplan 4 SE-121 26 Stockholm, SwedenCEO Olle [email protected] Tel +46 8 6007750
Intertex Data ABwww.intertex.seRissneleden 45 SE-174 44 Sundbyberg, SwedenPresident Karl Erik Stå[email protected] Tel +46 8 6282828