Understanding SIP with Network Address Translation (NAT)
来源:互联网 发布:移动协同软件v2.3.0 编辑:程序博客网 时间:2024/04/24 10:29
The Network Address Translation (NAT) protocol enables multiple hosts in a private subnet to share a single public IP address to access the Internet. For outgoing traffic, NAT replaces the private IP address of the host in the private subnet with the public IP address. For incoming traffic, the public IP address is converted back into the private address, and the message is routed to the appropriate host in the private subnet.
Before You Begin
For background information, read
- Understanding the SIP ALG
- SIP ALG Request Methods Overview
Using NAT with the SIP service is more complicated because SIP messages contain IP addresses in the SIP headers as well as in the SIP body. When using NAT with the SIP service, the SIP headers contain information about the caller and the receiver, and the device translates this information to hide it from the outside network. The SIP body contains the Session Description Protocol (SDP) information, which includes IP addresses and port numbers for transmission of the media. The device translates SDP information for allocating resources to send and receive the media.
How IP addresses and port numbers in SIP messages are replaced depends on the direction of the message. For an outgoing message, the private IP address and port number of the client are replaced with the public IP address and port number of the Juniper Networks firewall. For an incoming message, the public address of the firewall is replaced with the private address of the client.
When an INVITE message is sent out across the firewall, the SIP ALG collects information from the message header into a call table, which it uses to forward subsequent messages to the correct endpoint. When a new message arrives, for example an ACK or 200 OK, the ALG compares the “ From:, To:, and “ Call-ID: fields against the call table to identify the call context of the message. If a new INVITE message arrives that matches the existing call, the ALG processes it as a REINVITE.
When a message containing SDP information arrives, the ALG allocates ports and creates a NAT mapping between them and the ports in the SDP. Because the SDP requires sequential ports for the Real-Time Protocol (RTP) and Real-Time Control Protocol (RTCP) channels, the ALG provides consecutive even-odd ports. If it is unable to find a pair of ports, it discards the SIP message.
This topic covers:
- Outgoing Calls
- Incoming Calls
- Forwarded Calls
- Call Termination
- Call Re-INVITE Messages
- Call Session Timers
- Call Cancellation
- Forking
- SIP Messages
- SIP Headers
- SIP Body
- SIP NAT Scenario
- Classes of SIP Responses
- Related Topics
Outgoing Calls
When a SIP call is initiated with a SIP request message from the internal to the external network, NAT replaces the IP addresses and port numbers in the SDP and binds the IP addresses and port numbers to the Juniper Networks firewall. Via, Contact, Route, and Record-Route SIP header fields, if present, are also bound to the firewall IP address. The ALG stores these mappings for use in retransmissions and for SIP response messages.
The SIP ALG then opens pinholes in the firewall to allow media through the device on the dynamically assigned ports negotiated based on information in the SDP and the Via, Contact, and Record-Route header fields. The pinholes also allow incoming packets to reach the Contact, Via, and Record-Route IP addresses and ports. When processing return traffic, the ALG inserts the original Contact, Via, Route, and Record-Route SIP fields back into the packets.
Incoming Calls
Incoming calls are initiated from the public network to public static NAT addresses or to interface IP addresses on the device. Static NATs are statically configured IP addresses that point to internal hosts; interface IP addresses are dynamically recorded by the ALG as it monitors REGISTER messages sent by internal hosts to the SIP registrar. When the device receives an incoming SIP packet, it sets up a session and forwards the payload of the packet to the SIP ALG.
The ALG examines the SIP request message (initially an INVITE) and, based on information in the SDP, opens gates for outgoing media. When a 200 OK response message arrives, the SIP ALG performs NAT on the IP addresses and ports and opens pinholes in the outbound direction. (The opened gates have a short time-to-live, and they time out if a 200 OK response message is not received quickly.)
When a 200 OK response arrives, the SIP proxy examines the SDP information and reads the IP addresses and port numbers for each media session. The SIP ALG on the device performs NAT on the addresses and port numbers, opens pinholes for outbound traffic, and refreshes the timeout for gates in the inbound direction.
When the ACK arrives for the 200 OK, it also passes through the SIP ALG. If the message contains SDP information, the SIP ALG ensures that the IP addresses and port numbers are not changed from the previous INVITE—if they are, the ALG deletes old pinholes and creates new pinholes to allow media to pass through. The ALG also monitors the Via, Contact, and Record-Route SIP fields and opens new pinholes if it determines that these fields have changed.
Forwarded Calls
A forwarded call is when, for example, user A outside the network calls user B inside the network, and user B forwards the call to user C outside the network. The SIP ALG processes the INVITE from user A as a normal incoming call. But when the ALG examines the forwarded call from B to C outside the network and notices that B and C are reached using the same interface, it does not open pinholes in the firewall, because media will flow directly between user A and user C.
Call Termination
The BYE message terminates a call. When the device receives a BYE message, it translates the header fields just as it does for any other message. But because a BYE message must be acknowledged by the receiver with a 200 OK, the ALG delays call teardown for five seconds to allow time for transmission of the 200 OK.
Call Re-INVITE Messages
Re-INVITE messages are used to add new media sessions to a call, and to remove existing media sessions. When new media sessions are added to a call, new pinholes are opened in the firewall and new address bindings created. The process is identical to the original call setup. When one or more media sessions are removed from a call, pinholes are closed and bindings released just as with a BYE message.
Call Session Timers
The SIP ALG uses the Session-Expires value to time out a session if a Re-INVITE or UPDATE message is not received. The ALG gets the Session-Expires value, if present, from the 200 OK response to the INVITE and uses this value for signaling timeout. If the ALG receives another INVITE before the session times out, it resets all timeout values to this new INVITE or to default values, and the process is repeated.
As a precautionary measure, the SIP ALG uses hard timeout values to set the maximum amount of time a call can exist. This ensures that the device is protected should one of the following events occur:
- End systems crash during a call and a BYE message is not received.
- Malicious users never send a BYE in an attempt to attack a SIP ALG.
- Poor implementations of SIP proxy fail to process Record-Route and never send a BYE message.
- Network failures prevent a BYE message from being received.
Call Cancellation
Either party can cancel a call by sending a CANCEL message. Upon receiving a CANCEL message, the SIP ALG closes pinholes through the firewall—if any have been opened—and releases address bindings. Before releasing the resources, the ALG delays the control channel age-out for approximately five seconds to allow time for the final 200 OK to pass through. The call is terminated when the five second timeout expires, regardless of whether a 487 or non-200 response arrives.
Forking
Forking enables a SIP proxy to send a single INVITE message to multiple destinations simultaneously. When the multiple 200 OK response messages arrive for the single call, the SIP ALG parses but updates call information with the first 200 OK message it receives.
SIP Messages
The SIP message format consists of a SIP header section and the SIP body. In request messages, the first line of the header section is the request line, which includes the method type, request-URI, and protocol version. In response messages, the first line is the status line, which contains a status code. SIP headers contain IP addresses and port numbers used for signaling. The SIP body, separated from the header section by a blank line, is reserved for session description information, which is optional. J Series devices currently support the Session Description Protocol (SDP) only. The SIP body contains IP addresses and port numbers used to transport the media.
SIP Headers
In the following sample SIP request message, NAT replaces the IP addresses in the header fields—shown in bold font—to hide them from the outside network.
- INVITE bob@10.150.20.5 SIP/2.0
- Via: SIP/2.0/UDP 10.150.20.3:5434
- From: alice@10.150.20.3
- To: bob@10.150.20.5
- Call-ID: a12abcde@10.150.20.3
- Contact: alice@10.150.20.3:5434
- Route: <sip:netscreen@10.150.20.3:5060>
- Record-Route: <sip:netscreen@10.150.20.3:5060>
How IP address translation is performed depends on the type and direction of the message. A message can be any of the following:
- Inbound request
- Outbound response
- Outbound request
- Inbound response
Table 38 shows how NAT is performed in each of these cases. Note that for several of the header fields the ALG must know more than just whether the messages comes from inside or outside the network. It must also know what client initiated the call, and whether the message is a request or response.
Table 38: Requesting Messages with NAT Table continued on next page
Inbound Request
(from public to private)
To:
Replace domain with local address
From:
None
Call-ID:
None
Via:
None
Request-URI:
Replace ALG address with local address
Contact:
None
Record-Route:
None
Route:
None
Outbound Response
(from private to public)
To:
Replace ALG address with local address
From:
None
Call-ID:
None
Via:
None
Request-URI:
N/A
Contact:
Replace local address with ALG address
Record-Route:
Replace local address with ALG address
Route:
None
Outbound Request
(from private to public)
To:
None
From:
Replace local address with ALG address
Call-ID:
Replace local address with ALG address
Via:
Replace local address with ALG address
Request-URI:
None
Contact:
Replace local address with ALG address
Record-Route:
Replace local address with ALG address
Route:
Replace ALG address with local address
Outbound Response
(from public to private)
To:
None
From:
Replace ALG address with local address
Call-ID:
Replace ALG address with local address
Via:
Replace ALG address with local address
Request-URI:
N/A
Contact:
None
Record-Route:
Replace ALG address with local address
Route:
Replace ALG address with local address
SIP Body
The SDP information in the SIP body includes IP addresses the ALG uses to create channels for the media stream. Translation of the SDP section also allocates resources, that is, port numbers to send and receive the media.
The following excerpt from a sample SDP section shows the fields that are translated for resource allocation.
- o=user 2344234 55234434 IN IP4 10.150.20.3
- c=IN IP4 10.150.20.3
- m=audio 43249 RTP/AVP 0
SIP messages can contain more than one media stream. The concept is similar to attaching multiple files to an e-mail message. For example, an INVITE message sent from a SIP client to a SIP server might have the following fields:
- c=IN IP4 10.123.33.4
- m=audio 33445 RTP/AVP 0
- c=IN IP4 10.123.33.4
- m=audio 33447 RTP/AVP 0
- c=IN IP4 10.123.33.4
- m=audio 33449 RTP/AVP 0
J Series devices support up to 6 SDP channels negotiated for each direction, for a total of 12 channels per call. For more information, see SDP Session Descriptions.
SIP NAT Scenario
Figure 23 and Figure 24 show a SIP call INVITE and 200 OK. In Figure 23, ph1 sends a SIP INVITE message to ph2. Note how the IP addresses in the header fields—shown in bold font—are translated by the device.
The SDP section of the INVITE message indicates where the caller is willing to receive media. Note that the Media Pinhole contains two port numbers, 52002 and 52003, for RTCP and RTP. The Via/Contact Pinhole provides port number 5060 for SIP signaling.
Observe how, in the 200 OK response message in Figure 24, the translations performed in the INVITE message are reversed. The IP addresses in this message, being public, are not translated, but gates are opened to allow the media stream access to the private network.
Figure 23: SIP NAT Scenario 1
Figure 24: SIP NAT Scenario 2
Classes of SIP Responses
SIP responses provide status information about SIP transactions and include a response code and a reason phrase. SIP responses are grouped into the following classes:
- Informational (100 to 199)—Request received, continuing to process the request.
- Success (200 to 299)—Action successfully received, understood, and accepted.
- Redirection (300 to 399)—Further action required to complete the request.
- Client Error (400 to 499)—Request contains bad syntax or cannot be fulfilled at this server.
- Server Error (500 to 599)—Server failed to fulfill an apparently valid request.
- Global Failure (600 to 699)—Request cannot be fulfilled at any server.
Table 39 provides a complete list of current SIP responses.
Table 39: SIP Responses
Informational
100 Trying
180 Ringing
181 Call is being forwarded
182 Queued
183 Session progress
Success
200 OK
202 Accepted
Redirection
300 Multiple choices
301 Moved permanently
302 Moved temporarily
305 Use proxy
380 Alternative service
Client Error
400 Bad request
401 Unauthorized
402 Payment required
403 Forbidden
404 Not found
405 Method not allowed
406 Not acceptable
407 Proxy authentication required
408 Request time-out
409 Conflict
410 Gone
411 Length required
413 Request entity too large
414 Request-URL too large
415 Unsupported media type
420 Bad extension
480 Temporarily not available
481 Call leg/transaction does not exist
482 Loop detected
483 Too many hops
484 Address incomplete
485 Ambiguous
486 Busy here
487 Request canceled
488 Not acceptable here
Server Error
500 Server internal error
501 Not implemented
502 Bad gateway
502 Service unavailable
504 Gateway time-out
505 SIP version not supported
Global Failure
600 Busy everywhere
603 Decline
604 Does not exist anywhere
606 Not acceptable
Related Topics
- Configuring Host Inbound Traffic
- Understanding Security Zones
- Understanding SIP with Network Address Translation (NAT)
- NAT Network Address Translation
- NAT Network Address Translation
- NAT (Network Address Translation)
- NAT(Network Address Translation)
- Chapter 5. Network Address Translation (NAT)
- 网络地址转换(NAT,Network Address Translation)
- 网络地址转换(NAT,Network Address Translation)
- 网络地址转换(NAT,Network Address Translation)
- NAT(Network Address Translation,网络地址转换)
- NAT(Network Address Translation)介绍
- NAT(Network Address Translation,网络地址转换)
- Introduction to Network Address Translation (NAT) and NAT Traversal
- NAT(network address translation) tcp udp 打洞
- NAT (Net Address Translation)
- Network Address Translation
- How Network Address Translation Works
- "JSTUN" - Java Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translation (NAT)
- gdb 和core dump
- android 同步监听输入框,以及电话号码正则表达式!
- FFMpeg视频播放器
- 经典计算机书籍
- Struts学习笔记之ActionServlet
- Understanding SIP with Network Address Translation (NAT)
- 各种开源协议的比较
- 欢迎大家过劳看看
- 第一阶段:Java初级 ------- API
- 2011-05-13 19:07:10
- Struts 学习笔记之五种Action
- Ubuntu Linux:Apache安装设置
- Struts 学习笔记之ActionForm
- struts 学习笔记之MVC模式