Page 1

Intertex Data AB, Sweden

Firewall Traversal: Bringing SIP to the LAN

Prepared for: Session Initiation Protocol 2002
By: Karl Erik Ståhl, President Intertex Data AB, Chairman Ingate Systems AB, [email protected]

© 2002 Intertex Data AB

Page 2

VoIP as we have seen it…

[Diagram: two PCs talking over the Internet, "Wanna talk to me?"]
Do we want the PC as a phone?

[Diagram: gateway to gateway over the Internet, STO to LA]
Are cheaper phone bills all we want?

Page 3

VoIP as we have seen it…

VoIP between branch offices
[Diagram: gateways in Europe and the US, each with PSTN on one side and IP on the other, joined by a VPN over the Internet]
- But NOT globally to others!

Page 4

Hmm, didn't we pass this stage…

Paper was a very compatible media - So is POTS today…

But we need to move beyond!

[Diagram: Organization 1 (Email system 1) and Organization 2 (Email system 2) reaching each other by email, printer and fax over the PSTN]

Page 5

What about universal connectivity?

Wouldn't that be fine?

[Diagram: Black Phone on RJ11 to the PSTN; IP Phone on RJ45 to LAN / Intranet / Internet]

Page 6

VoIP and SIP Services Out to the Edge

[Diagram: SIP Server and SIP/PSTN Gateway to the PSTN on the Internet; Home LAN and Business LAN behind DSL/cable/MTU access with NAT/firewalls; operator network with NAT; IP phones, XP and PIM clients, IAP. Callout: Firewall/NAT problems!]

Status until now: SIP is the Protocol for IP Communication Person-to-Person, BUT IT DOES NOT REACH THE EDGE!

Page 7

Presence and Instant Messaging

An extension to SIP in progress
See: http://www.jdrosen.net/papers/draft-rosenberg-impp-presence-00.txt

A single, extended standard instead of today's players:
• ICQ
• AOL Instant Messenger
• Yahoo! Messenger
• MSN Messenger
• And more

Used in Windows XP

Page 8

What Microsoft Has Done So Far

Progressed embedded end-to-end platform

Announced update: PC-to-phone, provider choice & new UI

Released Windows XP, Windows Messenger and rich APIs

Tens of millions of RTC (SIP) users within a year

Page 9

Windows XP: ECS (Exchange Conferencing Server)
SIP based whiteboard, chat, video, audio, app sharing…

Page 10

SIP Firewall Problems

Firewall Problems:

Sessions initiated from outside the firewall
- OK, open port 5060, but…

Media streams on dynamically allocated port numbers
- Ooops…! Even with public IP addresses inside

Page 11

SIP NAT/PAT Problems

NAT & PAT Problems:

Where is the device?
- Registration/location function

Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses

IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled

Worse with private IP addresses inside

Page 12

Suggested Solutions

Dynamically controlled Firewall/NATs [Aravox, …]

Midcom: By Firewall Control Proxy [Dynamicsoft, …]

uPnP: By the client (Windows) [Microsoft]

SIP aware Firewall/NATs (SIP Proxy + Registrar) [Intertex (SOHO), Ingate (enterprise), …]

SIP aware Firewall/NATs (SIP ALG) [Cisco, … TLS not possible]

Making SIP NAT friendly, Drafts in progress:
• draft-rosenberg-sipping-nat-scenarios-00.txt
• draft-rosenberg-midcom-stun-01.txt
• draft-ietf-sip-nat-01.txt

Page 13

Adding SIP Support to a Firewall

Important components:
Firewall & NAT: Dynamic Firewall Engine
SIP Proxy: SIP Proxy Server, controlling the firewall
User Location: SIP Registrar, user location information
Firewall Control Protocol: Communication between SIP Proxy and firewall
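The rewriting that page 11 asks of a SIP aware firewall/NAT (private addresses and ports in the SIP headers and in the SDP media lines replaced by globally routable ones) and the division of labour from page 13 (SIP proxy, NAT/PAT engine, dynamic firewall engine), as an added Python example; this is not code from the presentation or from Ingate/Intertex. The LAN prefix, the public address, the port range and the INVITE are constructed, and the pinhole tuple stands in for whatever firewall control protocol the proxy would use.

```python
import ipaddress
import re
LAN = ipaddress.ip_network("192.168.1.0/24")  # constructed: the private LAN behind the firewall
PUBLIC_IP = "203.0.113.10"                    # constructed: the firewall's globally routable address
INVITE = (  # constructed sample: INVITE from an IP phone on the LAN (From/To headers omitted)
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "v=0\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

class SipAwareNat:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings = {}  # (private_ip, private_port) -> public port

    def map_port(self, ip, port):
        # One PAT mapping per inside endpoint; step by 2 so RTP stays even and RTCP odd.
        if (ip, port) not in self.mappings:
            self.mappings[(ip, port)] = self.next_port
            self.next_port += 2
        return self.mappings[(ip, port)]

    def rewrite(self, msg):
        """Rewrite LAN ip:port in Via/Contact and in SDP c=/m=. Returns (message, pinholes); each
        pinhole (public_ip, public_port, private_ip, private_port) is the UDP rule to open."""
        pinholes = []
        head, sep, sdp = msg.partition("\r\n\r\n")
        def fix_sig(m):  # signalling: Via and Contact carry the phone's private ip:port
            ip, port = m.group(2), int(m.group(3))
            if ipaddress.ip_address(ip) not in LAN: return m.group(0)  # not ours: leave alone
            return "%s%s:%d" % (m.group(1), self.public_ip, self.map_port(ip, port))
        head = re.sub(r"^(Via: SIP/2\.0/UDP |Contact: <sip:[^@>]*@)(\d+\.\d+\.\d+\.\d+):(\d+)", fix_sig, head, flags=re.M)
        c = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
        if c and ipaddress.ip_address(c.group(1)) in LAN:
            private_ip = c.group(1)
            def fix_media(m):  # media: the m= line carries the dynamically allocated RTP port
                port = int(m.group(2))
                pub = self.map_port(private_ip, port)
                pinholes.append((self.public_ip, pub, private_ip, port))
                return "%s%d%s" % (m.group(1), pub, m.group(3))
            sdp = re.sub(r"^(m=audio )(\d+)( RTP/AVP.*)$", fix_media, sdp, flags=re.M)
            sdp = re.sub(r"^c=IN IP4 \S+", "c=IN IP4 " + self.public_ip, sdp, flags=re.M)
        head = re.sub(r"^Content-Length: \d+", "Content-Length: %d" % len(sdp), head, flags=re.M)  # body changed
        return head + sep + sdp, pinholes
```

The pinhole list is what the dynamic firewall engine must open, and only for the duration of the call; the reverse rewrite on the answering 200 OK and the closing of the pinholes on BYE are left out here.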

Page 14

NAT Friendly SIP

Mods to SIP, SDP

SIGNALLING: Route new signalling through this open path

For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server

[Diagram: IP phones on LANs behind Firewall/NATs; SIP Registrar, STUN Server and RTP Proxy on the Internet]

Use STUN to find out how the client "looks" from outside

Keep registrar NAT path (TCP or UDP) always open by frequent registrations

RTP: media streams always start from inside + symmetric

SIP clients need upgrade

New servers on the net

Page 15

SIP Enabling the Private Networks

[Diagram: the page 6 topology (SIP Server, SIP/PSTN Gateway and PSTN, Internet, operator network with NAT, Home LAN and Business LAN on DSL/cable/MTU, IP phones, IAP) with an inGate Firewall, an inGate SIParator in the DMZ and an Intertex IX66; callouts "Firewall/NAT problems!" and "Firewall/NAT SIP transparency!"]

Page 16

Just Another Internet Service…

[Diagram: Home User in the USA; in Sweden a Home LAN, a SOHO LAN and an Enterprise LAN with IX66 gates, an inGate Firewall and a DMZ inGate SIParator, XP clients and IAP; Helsinki PSTN via a SIP/PSTN Gateway; DNS SRV; Ingate Linköping LAN and Intertex Stockholm LAN; all connected over the Internet]

Page 17

IP Communications Using IP Networks

• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution

[Diagram: Customer Premises (PBX, PSTN Phone, Router, SIP Phone, Enterprise Gateway, Firewall, SIP Server) connected to the WorldCom Public IP Network and WorldCom PSTN; Managed Services (Vmail, OSS, Dialing Plans, Network GWY, Conf, IM, IN); SIP Routing to IP VPN, Global IP Comm, Intranet IP Comm, …other…]

Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers

Henry Sinnreich 4/10/2002

Page 18

IP Communications Using IP Networks

[Diagram: same as page 17, with a SIP Capable Firewall (Ingate and Intertex, first through SIT) on the Enterprise LAN at the Customer Premises]

Integration with existing phones

No IP PBX Needed!

Enhanced Functionality

Page 19

Product Examples – Ingate Systems AB

Enterprise Products

A Complete Firewall: Firewall 1400 (Firewall & NAT/PAT, SIP Proxy, SIP Registrar)

An add-on to an Existing Firewall: SIParator 40 (placed in the DMZ)

Page 20

The Ingate SIParator

[Diagram: IP phones on the LAN behind an Existing Firewall, the inGate SIParator in the DMZ, out to the Internet]

Page 21

The Ingate SIParator

[Diagram: LAN with private IP addresses, Existing Firewall, Internet; SIP traffic (5060 UDP/TCP) and RTP traffic (UDP port interval) are passed to the SIParator in the DMZ]

SIParator: SIP Proxy, SIP Registrar, RTP Proxy, NAT/PAT Engine

Page 22

Product Examples – Intertex Data AB

SOHO Products

IX66 Internet Gate, with or without ADSL modem built-in

OEM as: Telia SurfinBird Gate, PowerBit SafeGate
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp

Page 23

The Intertex IX66 Internet Gate

A closer look
• Firewall & NAT/PAT
• SIP Proxy and Registrar
• DHCP Server and Client
• WEB Server for configuration
• Smart Card Reader for security applications
• SIP Appliance Control, LAC via expansion port
• Optional ADSL and Splitter Built-in

[Photo: IX66 front panel with smart card slot, USB, ET1/ET2 and WAN ports and status LEDs]

Page 24

Internet Appliances Control

http://www.research.telcordia.com/iapp/index.shtml

Page 25

SIP Capable Firewalls!

Ingate Systems AB
www.ingate.com
Box 10013, Slakthusplan 4, SE-121 26 Stockholm, Sweden
CEO Olle [email protected], Tel +46 8 6007750

Intertex Data AB
www.intertex.se
Rissneleden 45, SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl, [email protected], Tel +46 8 6282828