Taken from SIP Illustrated – Advanced Topics Module
Preface: The home/office VoIP problem

Jeng is sitting at home in front of her PC. She has just installed a new (SIP-based) soft phone (Xten) on the PC. She can’t wait to use it to call her professor at school (on his soft phone) and tell him the good news. She locates the professor’s contact in her address book and clicks on it. Looks like this is going to work. Is that so?
[Figure: network diagram used throughout the example. Home: PC A (192.168.1.101) behind the NAT/Router (192.168.1.1/24 on the inside, 24.15.254.243 on the outside). Comcast: DNS server 68.87.66.196. School: SIP proxy 129.119.110.17 and phone B 129.119.110.19.]
Contents
• What NAT is
• Why we need ALG
• How ALG works
• ALG built in the phone – a detailed example
    Overview
    Step 1 - resolving the host name of the web server
    Step 2 - receiving the IP address of the web server
    Step 3 - asking the web server for the NAT address
    Step 4 - receiving the “NATted” IP address of the PC
    Step 5 - Sending an INVITE req. to the outbound SIP proxy
    Step 6 - Forwarding the INVITE to user B
    Step 7 - Stop (potential) retransmissions at A (100 Trying)
    Step 8 - user B’s phone is ringing
    Step 9 - user A’s phone plays a Ring Back Tone
    Step 10 - user B has picked up the phone
    Step 11 - user A’s phone receives an answer indication
    Step 12 - Completing the SIP signaling handshake (ACK)
    Step 13 - Forwarding the ACK to user B
    Step 14 - Conversation time (first RTP - “Hello”)
What NAT is

NAT stands for "Network Address Translator". It is a network-layer creature whose job in life is to "hide" hosts on a corporate or home private subnetwork by granting them on-the-fly "external" IP addresses when they send packets to the public IP world. The motivation behind this trick is to let private networks reuse scarce IPv4 addresses, which might be in "official" use by hosts on the public Internet or on other private networks. The NAT accomplishes the hiding by mapping the internal IP address (and port) of the host to a public, routable one. In figure 1 below the NAT server maps the private IP address of user-A (10.1.1.1) to a public one, 157.55.0.1. User-B therefore sees incoming IP packets (from A) with the source address 157.55.0.1, and sends IP packets back to A using the destination address 157.55.0.1. The NAT server, based on its internal mapping (binding), translates 157.55.0.1 back to the original private address, 10.1.1.1, and forwards the packet to user-A. A packet arriving from the outside for which no binding exists has no private destination to map to, and the NAT drops it.
Figure 1: A typical NAT server [diagram: private IP side, NAT server, public IP side]
Why we need ALG

Seemingly, so far so good… However, NAT and private IP domains introduce a serious traversal problem for SIP networks. A SIP endpoint that “hides” in the private domain behind a NAT would naturally populate the address-related fields of the SIP messages it generates with private IP address values (e.g. Contact: <sip:user-A@10.1.1.1:5060>), and likewise the address fields of the SDP body (e.g. c=IN IP4 10.1.1.1). These values are not routable from the outside: SIP messages and RTP packets sent back to them would never reach their destination. The figure below illustrates this problematic situation.
How ALG works

ALG (Application Layer Gateway) is one of the offered solutions to that problem. It is a piece of hardware and/or (application-layer) software that works together with the NAT. It replaces the private IP:port addresses in an outgoing SIP/SDP message with public ones, and then instructs the NAT to create the matching public-to-private mappings. Incoming SIP and RTP packets will thus carry public IP addresses and ports, which the NAT maps back to the original private IP addresses and ports of the SIP endpoint behind it. In the example below the private IP address of user-A, 10.1.1.1, is mapped to 157.55.0.1, and the private ports 5060 (SIP) and 49172 (RTP) are mapped to 2222 and 3333 respectively. Because the ALG has to read and modify the SIP headers and the SDP body, it can only do this for signaling it sees in the clear.

ALG and NAT can therefore be viewed as two components of the same solution. Normally they would be implemented by two applications sharing the same machine. The SIP signaling must always go through the ALG component; this ensures it gets the right translation. The RTP media does NOT have to go through the ALG component but can go directly through the NAT component, which, thanks to the bindings the ALG created, correctly maps incoming RTP packets back to the endpoint (user-A in our example). The same holds for incoming SIP packets.
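The NAT-plus-ALG pair described above, as an added example written for this transcript (it is not code from SIP Illustrated or from any NAT product). The addresses and ports are the ones used in the text (10.1.1.1, 157.55.0.1, 5060 to 2222, 49172 to 3333); the INVITE message, the user names and the domain example.net are constructed for the demo. The ALG rewrites Via, Contact and the SDP o=/c=/m= lines, fixes Content-Length, and pre-creates the NAT bindings, so B's first RTP packet to the public port is delivered even though A has not sent any media yet.

```python
import re


class Nat:
    """A NAT reduced to its binding table: (private ip, port) <-> (public ip, port)."""

    def __init__(self, public_ip: str, first_dynamic_port: int = 40000):
        self.public_ip = public_ip
        self._next = first_dynamic_port
        self.out = {}    # (priv_ip, priv_port) -> (pub_ip, pub_port)
        self.back = {}   # (pub_ip, pub_port)  -> (priv_ip, priv_port)

    def bind(self, priv_ip, priv_port, pub_port=None):
        """Create (or reuse) a binding; pub_port=None lets the NAT pick the port."""
        key = (priv_ip, priv_port)
        if key not in self.out:
            if pub_port is None:
                pub_port, self._next = self._next, self._next + 1
            self.out[key] = (self.public_ip, pub_port)
            self.back[(self.public_ip, pub_port)] = key
        return self.out[key]

    def outbound(self, src_ip, src_port):
        """Packet leaving the private side: translate its source, creating a binding."""
        return self.bind(src_ip, src_port)

    def inbound(self, dst_ip, dst_port):
        """Packet arriving from the Internet: map it back, or None (dropped) if unbound."""
        return self.back.get((dst_ip, dst_port))


def sip_alg_rewrite(msg: str, nat: Nat, sip_pub_port=None, rtp_pub_port=None) -> str:
    """The ALG: swap the private ip:port the endpoint advertised (Via, Contact,
    SDP o=/c=/m=) for public ones and tell the NAT to bind them."""
    head, sep, body = msg.partition("\r\n\r\n")
    via = re.search(r"^Via: SIP/2\.0/UDP (\d+\.\d+\.\d+\.\d+):(\d+)", head, re.M)
    priv_ip, sip_priv_port = via.group(1), int(via.group(2))
    pub_ip, sip_port = nat.bind(priv_ip, sip_priv_port, sip_pub_port)
    # Via and Contact carry the same private ip:port, so one replacement covers both.
    head = head.replace(f"{priv_ip}:{sip_priv_port}", f"{pub_ip}:{sip_port}")
    conn = re.search(r"^c=IN IP4 (\S+)", body, re.M)
    media = re.search(r"^m=audio (\d+) ", body, re.M)
    rtp_priv_port = int(media.group(1))
    _, rtp_port = nat.bind(conn.group(1), rtp_priv_port, rtp_pub_port)
    body = body.replace(f"IN IP4 {conn.group(1)}", f"IN IP4 {pub_ip}")   # o= and c=
    body = body.replace(f"m=audio {rtp_priv_port} ", f"m=audio {rtp_port} ")
    # The SDP changed length, so Content-Length has to be recomputed.
    head = re.sub(r"^Content-Length: \d+", f"Content-Length: {len(body)}", head, flags=re.M)
    return head + sep + body


# Constructed INVITE as user-A's phone would emit it from behind the NAT.
SDP_PRIVATE = (
    "v=0\r\n"
    "o=userA 1 1 IN IP4 10.1.1.1\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.1.1\r\n"
    "t=0 0\r\n"
    "m=audio 49172 RTP/AVP 0\r\n"
)
INVITE_PRIVATE = (
    "INVITE sip:userB@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:userA@example.net>;tag=a1\r\n"
    "To: <sip:userB@example.net>\r\n"
    "Call-ID: c1@example.net\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:userA@10.1.1.1:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SDP_PRIVATE)}\r\n"
    "\r\n" + SDP_PRIVATE
)


def demo():
    """Rewrite the INVITE, then show the NAT alone mapping B's first RTP packet back."""
    nat = Nat("157.55.0.1")
    public_invite = sip_alg_rewrite(INVITE_PRIVATE, nat, sip_pub_port=2222, rtp_pub_port=3333)
    # RTP to 157.55.0.1:3333 is delivered because the ALG pre-created the binding;
    # RTP to a port nobody bound is dropped (None).
    return public_invite, nat.inbound("157.55.0.1", 3333), nat.inbound("157.55.0.1", 4444)


if __name__ == "__main__":
    invite, rtp_back, unknown = demo()
    print(invite)
    print("RTP to :3333 ->", rtp_back, "| RTP to :4444 ->", unknown)
```

The replacement of `IN IP4 10.1.1.1` also touches the SDP o= line, which carries no routing information but would otherwise leak the private address to the far end.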
Figure 4: A typical NAT server + ALG [diagram: SIP passes through the ALG component, RTP passes directly through the NAT component; private IP side, public IP side]
ALG built in the phone – a detailed example

Overview

An ALG may also be built into a ‘smart’ SIP phone. In that case the SIP phone can learn by various means that it is located behind a NAT, and what the NAT’s public address is. These means include running the STUN protocol or other proprietary solutions (e.g. obtaining the public IP address of the NAT from a ‘special’ web server). What follows is a detailed example of a SIP call initiated by such a smart phone. The ‘smart’ phone, A, is used by a student (Jeng) at home to call her professor, who uses his SIP phone, B, at school. As can be seen in the diagram, Jeng’s home is connected to the Internet via a cable modem. Her home router acts as a NAT (the IP addresses of the home devices are allocated locally by it). She uses the Xten soft phone (Xten is now known as CounterPath) on her PC. The call signaling goes via a SIP proxy located in the school’s domain. Note that the phone can only fix up its own addresses this way; it still depends on the NAT forwarding whatever arrives at the public address and ports it advertised.
Step 1 - resolving the host name of the web server

Step 1: SIP phone A is configured with the host name of an HTTP (web) server on the Internet (brands.xten.net). Via DHCP it received the IP address of the DNS server (along with its own IP address). It sends the DNS server a query to resolve the host name of the web server to an IP address. (Note: the packet below was captured by a sniffer on the LAN of the DNS server, which is why the source IP address is the public address of the NAT.)

Captured packet (DNS query, A -> DNS server):
IP:  Src addr: 24.15.254.243  Dst addr: 68.87.66.196
UDP: Src port: 1026  Dst port: 53
DNS: query (brands.xten.net; IP address = ?)
Step 2 - receiving the IP address of the web server

Step 2: The DNS server responds with the IP address of the web server. (Note: the DNS server saw the source address 24.15.254.243, i.e. the public IP address of the home NAT, so it sends its response there. It neither knows nor cares that the source of the query sits behind a NAT. The NAT forwards the IP packet that encapsulates the DNS response back to the PC, based on the mapping it created between the PC’s address (192.168.1.101) and the DNS server’s address (68.87.66.196) when the query went out.)

Captured packet (DNS response, DNS server -> A):
IP:  Src addr: 68.87.66.196  Dst addr: 24.15.254.243
UDP: Src port: 53  Dst port: 1026
DNS: (IP address is: 64.69.76.10)
Step 3 - asking the web server for the NAT address

Step 3: SIP client A establishes a TCP connection with the web server (64.69.76.10) and sends an HTTP GET request over it. (Note: this is a non-standard trick used by Xten to implement the STUN idea: the server simply reports the source address it sees, which is the NAT’s public address. The exchange runs over plain HTTP on port 80, so the phone trusts whatever address the server returns.)

Captured packet (HTTP GET, A -> web server):
IP:  Src addr: 24.15.254.243  Dst addr: 64.69.76.10
TCP: Src port: 1082  Dst port: 80
Step 4 - receiving the “NATted” IP address of the PC

Step 4: The web server responds with the IP address of the NAT. (Note: the PC will next use this information to set up correctly the address-related fields in the SIP INVITE and its SDP payload, and by doing so it practically implements the ALG functionality itself.)

Captured packet (HTTP response, web server -> A):
IP:  Src addr: 64.69.76.10  Dst addr: 24.15.254.243
TCP: Src port: 80  Dst port: 1082
HTTP: (NAT IP address is: 24.15.254.243)
Step 5 – Sending an INVITE req. to the outbound SIP proxy

Step 5: The Xten SIP client sends an INVITE request to the SIP proxy. (Note: the Xten client on the PC is configured with the IP address of the SIP proxy, located at the school. Every outgoing SIP request is therefore sent to the proxy on the well-known SIP port, 5060. The address-related fields of the INVITE carry the NAT’s public address learned in step 4, not 192.168.1.101; compare the Via header echoed back in the 200 OK of step 11.)

Captured packet (INVITE, A -> proxy):
IP:  Src addr: 24.15.254.243  Dst addr: 129.119.110.17
Step 6 – Forwarding the INVITE to user B

Step 6: The SIP proxy looks up user B in its registration (location) table and, based on that, forwards the INVITE to endpoint B. (Note: the school IP network is in the public domain, 129.119.x.x, so no translation is needed on that side.)

Captured packet (INVITE, proxy -> B):
IP:  Src addr: 129.119.110.17  Dst addr: 129.119.110.19
Step 7 – Stop (potential) retransmissions at A (100 Trying)

Step 7: The SIP proxy sends ‘100 Trying’ back to A, so A can advance its INVITE client transaction to the next state and halt potential retransmissions of the INVITE.

Captured packet (100 Trying, proxy -> A):
IP:  Src addr: 129.119.110.17  Dst addr: 24.15.254.243
Step 9 - user A’s phone plays a Ring Back Tone

Step 9: The SIP proxy forwards the ‘180 Ringing’ back to A; based on that, A knows it can now play a Ring Back Tone (RBT) to the user. (Note: the NAT doesn’t touch the UDP header; only the IP destination address is rewritten back to 192.168.1.101.)

Captured packet (180 Ringing, proxy -> A):
IP:  Src addr: 129.119.110.17  Dst addr: 24.15.254.243
Step 11 - user A’s phone receives an answer indication

Step 11: The SIP proxy forwards the ‘200 OK’ back to A; based on that, A knows it can display/sound an answer indication to the user. (Note: the NAT doesn’t touch the UDP header.) The Via header echoes the public address A put into the INVITE, the Record-Route header keeps the proxy in the path of all further requests, and the SDP tells A where to send its RTP: 129.119.110.19, port 8386.

Captured packet (200 OK, proxy -> A):
IP:  Src addr: 129.119.110.17  Dst addr: 24.15.254.243
UDP: Src port: 1039  Dst port: 5060
SIP: SIP/2.0 200 OK
  Via: SIP/2.0/UDP 24.15.254.243:5060
  Record-Route: <sip:129.119.110.17:5060>
  Contact: <sip:user-B@129.119.110.19>
  SDP: c=IN IP4 129.119.110.19; media port = 8386
Step 12 - Completing the SIP signaling handshake (ACK)

Step 12: The Xten SIP client sends an ACK request to the SIP proxy. (Note: the proxy has Record-Routed itself, so by definition every further request in this dialog must go via it, regardless of the initial configuration.)

Captured packet (ACK, A -> proxy):
IP:  Src addr: 24.15.254.243  Dst addr: 129.119.110.17
Step 14 - Conversation time (first RTP - “Hello”)

Step 14: User B says “hello”. SIP client B encapsulates the bits representing the user’s voice in G.711 over RTP and sends them directly to A, i.e. the proxy is not in the media path. (Note: check out the port numbers below and compare them with the ones advertised in the SDP payloads. The source port 8386 is the media port B advertised in its 200 OK, and the destination 24.15.254.243:8000 is the public address and port A advertised in its INVITE. The NAT can only deliver the packet to 192.168.1.101 because it holds a binding for that port.)

Captured packet (first RTP, B -> A):
IP:  Src addr: 129.119.110.19  Dst addr: 24.15.254.243
UDP: Src port: 8386  Dst port: 8000
RTP: “Hello”
“Please, do not confuse me with the facts…”

Taking the approach of “do not confuse me with the facts…” we cheated a little bit. In our lab experiment the first RTP packet was really sent by B right after step 12, i.e. before receiving the ACK. Commercial SIP clients have a tendency to do that. The idea is to reduce call setup time. This phenomenon is known as “early media”. The drawback is the possibility of running into an embarrassing case where the ‘200 OK’ gets lost: client A then has no way yet to send media (nor RTCP receiver reports) back to B, since the SDP that tells A where to send them is part of the ‘200 OK’. In general, however, things seem to work.
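The phone-side version of steps 4 to 14, plus the early-media situation described in the closing paragraph, as an added example written for this transcript (it is not Xten’s code and not part of SIP Illustrated). The addresses and ports are the ones in the captures above; the SIP user names (jeng, professor), the domain names and the format of the web server’s reply (assumed to be a plain `ip=a.b.c.d` body) are assumptions. The phone writes the discovered public address into its own INVITE, drives its state from the 100/180/200 responses, sends the ACK to the Record-Route hop, and checks the first RTP packet against the SDP it received.

```python
import re

# Addresses and ports are those in the page's captures. User names, domains
# and the web server's reply format are assumptions made for this example.
NAT_PUBLIC_IP = "24.15.254.243"


def public_address_from_reply(http_body: str) -> str:
    """Step 4: pull the NAT's public address out of the web server's reply
    (assumed 'ip=a.b.c.d' body; the real brands.xten.net format is not on the page)."""
    m = re.search(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b", http_body)
    if not m:
        raise ValueError("no IPv4 address in reply")
    return m.group(1)


def build_invite(public_ip: str, sip_port: int, rtp_port: int) -> str:
    """Step 5: the phone acts as its own ALG and writes the public address,
    never 192.168.1.101, into Via, Contact and the SDP o=/c= lines."""
    sdp = (f"v=0\r\no=jeng 1 1 IN IP4 {public_ip}\r\ns=-\r\n"
           f"c=IN IP4 {public_ip}\r\nt=0 0\r\n"
           f"m=audio {rtp_port} RTP/AVP 0\r\n")            # payload 0 = G.711 PCMU
    return ("INVITE sip:professor@school.example SIP/2.0\r\n"
            f"Via: SIP/2.0/UDP {public_ip}:{sip_port};branch=z9hG4bK-1\r\n"
            "From: <sip:jeng@home.example>;tag=a1\r\n"
            "To: <sip:professor@school.example>\r\n"
            "Call-ID: c1@home.example\r\nCSeq: 1 INVITE\r\n"
            f"Contact: <sip:jeng@{public_ip}:{sip_port}>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n" + sdp)


def parse_response(resp: str):
    """Return (status, record_route, contact_host, media); media is (ip, port)
    from the SDP c=/m= lines, or None when the response carries no SDP."""
    status = int(re.match(r"SIP/2\.0 (\d{3})", resp).group(1))
    rr = re.search(r"^Record-Route: <sip:([^>;]+)", resp, re.M)
    ct = re.search(r"^Contact: <sip:(?:[^@>]+@)?([^>;]+)", resp, re.M)
    c = re.search(r"^c=IN IP4 (\S+)", resp, re.M)
    m = re.search(r"^m=audio (\d+)", resp, re.M)
    media = (c.group(1), int(m.group(1))) if c and m else None
    return status, rr and rr.group(1), ct and ct.group(1), media


class Caller:
    """Phone A's reactions to the responses of steps 7, 9 and 11, the ACK of
    step 12, and the first RTP packet of step 14 (including early media)."""

    def __init__(self, rtp_port: int):
        self.rtp_port = rtp_port          # port A advertised in its SDP m= line
        self.retransmit_invite = True
        self.ringback = False
        self.media_target = None          # (ip, port) A must send RTP/RTCP to
        self.ack_next_hop = None

    def on_response(self, resp: str) -> str:
        status, record_route, contact, media = parse_response(resp)
        self.retransmit_invite = False    # any response ends INVITE retransmission
        if status == 100:
            return "stop INVITE retransmissions"
        if status == 180:
            self.ringback = True
            return "play ring back tone"
        if 200 <= status < 300:
            self.ringback = False
            self.media_target = media
            # Record-Route keeps the proxy in the path; without it ACK goes to Contact.
            self.ack_next_hop = record_route or contact
            return f"send ACK to {self.ack_next_hop}"
        return f"unhandled {status}"

    def on_rtp(self, src_ip: str, src_port: int, dst_port: int) -> str:
        if dst_port != self.rtp_port:
            return "drop: not the port A advertised"
        if self.media_target is None:
            return "early media: no answer SDP yet, cannot send RTP/RTCP back"
        if (src_ip, src_port) != self.media_target:
            return "warn: source differs from the SDP-advertised media address"
        return "ok: matches SDP"


# Responses constructed from the headers shown in the captures (steps 7, 9, 11).
_VIA = "Via: SIP/2.0/UDP 24.15.254.243:5060;branch=z9hG4bK-1\r\n"
_RR = "Record-Route: <sip:129.119.110.17:5060>\r\n"
TRYING = "SIP/2.0 100 Trying\r\n" + _VIA + "Content-Length: 0\r\n\r\n"
RINGING = "SIP/2.0 180 Ringing\r\n" + _VIA + _RR + "Content-Length: 0\r\n\r\n"
_OK_SDP = ("v=0\r\no=professor 1 1 IN IP4 129.119.110.19\r\ns=-\r\n"
           "c=IN IP4 129.119.110.19\r\nt=0 0\r\nm=audio 8386 RTP/AVP 0\r\n")
OK = ("SIP/2.0 200 OK\r\n" + _VIA + _RR +
      "Contact: <sip:professor@129.119.110.19>\r\n"
      "Content-Type: application/sdp\r\n"
      f"Content-Length: {len(_OK_SDP)}\r\n\r\n" + _OK_SDP)


def run_call():
    """Steps 4-14 from A's side: returns the INVITE, the caller state and the events."""
    public_ip = public_address_from_reply("ip=24.15.254.243\n")        # step 4
    invite = build_invite(public_ip, sip_port=5060, rtp_port=8000)      # step 5
    a = Caller(rtp_port=8000)
    events = [a.on_response(r) for r in (TRYING, RINGING, OK)]          # steps 7, 9, 11
    events.append(a.on_rtp("129.119.110.19", 8386, 8000))               # step 14
    return invite, a, events


if __name__ == "__main__":
    inv, caller, evs = run_call()
    print(inv, *evs, sep="\n")
```

Feeding `on_rtp` before the 200 OK has arrived reproduces the early-media case from the closing paragraph: the packet reaches A, but A has no SDP yet and so nowhere to send media or RTCP receiver reports.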