Technical White Paper for NAT Traversal


V300R002 Technical White Paper for NAT Traversal
Issue 01
Date 2016-01-15
HUAWEI TECHNOLOGIES CO., LTD.

2016. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

(Huawei logo) and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com

About This Document

Author
Prepared by: Song Xin, Date: 2013-11-30
Reviewed by:
Granted by:

Change History
Date        Version  Description                   Author
2015-03-31  1.00     Completed the initial draft.  Song Xin

Contents

About This Document
Overview
  Origin of NAT Traversal
  NAT Type
Addressing NAT Traversal Problems by the Proxy Mechanism
  Proxy Mechanism Overview
  Location of the SE2900 on the Network
  Signaling NAT Traversal
    Registration Process
    Signaling NAT Keepalive
  Media NAT Traversal
Comparison Between Traversal Technologies
  ALG Technology
  STUN Technology
  MIDCOM Technology
  Protocol Modification
  Traversal Technology Comparison

SE2900 V300R002

Keywords: NAT

Abstract:

Abbreviations:
ALG   Application Level Gateway
NAT   Network Address Translation
STUN  Simple Traversal of UDP through NAT

Overview

Origin of NAT Traversal

NAT technology was developed to alleviate IPv4 address exhaustion. The early IPv4 system aimed to give each IP network element a globally reachable IP address, so that all network elements could communicate with each other using IP addresses. As IP networks keep expanding, the available IP addresses become exhausted. NAT technology can mitigate this problem during the transition to IPv6, which provides a larger address space.

Unlike traditional gateways that connect various networks, NAT devices can be regarded as special gateways that connect private and public IP networks by translating IP addresses. The source IP address contained in an IP packet from a private network is a private address. After the IP packet passes through a NAT device, its source IP address is translated into a routable public address. In addition, the NAT device creates an address binding covering the private source address, public source address, and public destination address. In this way, the response packet from the public network can be routed to the source element on the private network.

Although NAT technology can mitigate IP address exhaustion, it brings about the following problems:

- Most of the existing protocols are incompatible with NAT technology. IP addresses can be translated by NAT devices at the network and transport layers but cannot be translated at the application layer. As a result, IP addresses contained in the application-layer protocol are still private addresses, and response packets sent to these IP addresses cannot be routed to the source network elements.
- NAT devices bind the private source address, public source address, and public destination address together only for IP packets sent from a private network to a public network. Public network entities cannot proactively connect to private network entities before the binding is created.
- Each address mapping entry generated on a NAT device has a lifecycle. If no packets matching an entry are received before the lifecycle expires, the NAT device deletes the entry. After that, public network entities can no longer reach the intended private network entities.

NAT traversal includes four modes: static NAT, STUN, ALG, and proxy. For details about the differences between these NAT traversal modes, see the chapter "Comparison Between Traversal Technologies." This document describes NAT traversal in proxy mode based on the SE2900.

NAT Type

NAT is classified into the following types based on the address mapping behavior of NAT devices:

- Full cone NAT
- Restricted cone NAT
- Port restricted cone NAT
- Symmetric NAT

The sample addresses used in the following NAT type descriptions are:

- Private address: 192.168.0.37:6060
- Public address translated by the NAT device: 202.96.0.1:5060
- Public address of the remote entity: 203.1.1.1:7060

Full cone NAT: After a NAT mapping is established between 192.168.0.37:6060 and 202.96.0.1:5060, the NAT device forwards all public network IP packets destined for 202.96.0.1:5060 to 192.168.0.37:6060. All static NAT mappings configured on the NAT device are full cone NAT mappings.

Restricted cone NAT: The NAT device sends IP packets with the source address 203.1.1.1 and destination address 202.96.0.1:5060 to the network element at 192.168.0.37:6060 only if the NAT device has set up a dynamic NAT mapping between 192.168.0.37:6060 and 202.96.0.1:5060 and the private network entity at 192.168.0.37:6060 has sent packets to the public network entity at 203.1.1.1:7060 through the NAT device. During the lifecycle of a NAT mapping, IP packets with the same private source address use the same NAT mapping when passing through the NAT device. Therefore, the source address of all IP packets from 192.168.0.37:6060 is translated into 202.96.0.1:5060, regardless of their destination addresses.

Port restricted cone NAT: This NAT type is similar to restricted cone NAT but also restricts the port number. Only IP packets from 203.1.1.1:7060 match the NAT mapping.

Symmetric NAT: The public port selected for a NAT mapping varies with the destination address of the IP packets. If IP packets from 192.168.0.37:6060 are sent to different destination addresses, the NAT device sets up a different mapping for each destination. Like port restricted cone NAT, symmetric NAT requires that the private address proactively send IP packets to a public address before packets from that public address match the NAT mapping.

Currently, most NAT devices support port restricted cone NAT.
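The four behaviours above can be checked against each other with a small model. The following is an added example, not part of the white paper and not Huawei code: it models one NAT device of a chosen type using the sample addresses from the text, plus a constructed "stranger" host (198.51.100.9) that the inside host never contacted, and shows which inbound packets each type lets through and when a symmetric NAT allocates a second public port.

```python
"""NAT mapping and filtering model for the four NAT types described above.

Added example, not part of the white paper. It models a single NAT device
using the sample addresses from the text; packets are represented as
(source, destination) address tuples and no real sockets are used.
"""
from dataclasses import dataclass, field
from itertools import count

# Sample addresses from the NAT Type section; the "stranger" host below is constructed.
PRIVATE = ("192.168.0.37", 6060)
NAT_PUBLIC_IP = "202.96.0.1"
PEER = ("203.1.1.1", 7060)
NAT_TYPES = ("full_cone", "restricted_cone", "port_restricted_cone", "symmetric")


@dataclass
class Mapping:
    private: tuple                           # inside host (ip, port)
    public: tuple                            # (ip, port) the NAT allocated for it
    peers: set = field(default_factory=set)  # public destinations contacted via this mapping


class Nat:
    """Minimal model of one NAT device with a chosen mapping/filtering behaviour."""

    def __init__(self, kind, public_ip=NAT_PUBLIC_IP, first_port=5060):
        if kind not in NAT_TYPES:
            raise ValueError(f"unknown NAT type {kind!r}")
        self.kind = kind
        self.public_ip = public_ip
        self._ports = count(first_port)      # next free public port
        self.mappings = []

    def outbound(self, src, dst):
        """Inside host `src` sends to public `dst`; returns the translated public source."""
        for m in self.mappings:
            if m.private != src:
                continue
            # Symmetric NAT allocates a fresh public port for every new destination;
            # the cone types reuse one mapping for all destinations.
            if self.kind == "symmetric" and dst not in m.peers:
                continue
            m.peers.add(dst)
            return m.public
        m = Mapping(src, (self.public_ip, next(self._ports)), {dst})
        self.mappings.append(m)
        return m.public

    def inbound(self, src, dst):
        """Public host `src` sends to public `dst`; returns the private destination or None if filtered."""
        for m in self.mappings:
            if m.public != dst:
                continue
            if self.kind == "full_cone":
                return m.private                       # anyone may use the mapping
            if self.kind == "restricted_cone":
                if any(peer[0] == src[0] for peer in m.peers):
                    return m.private                   # same IP, any port
                continue
            if src in m.peers:                         # port restricted cone and symmetric:
                return m.private                       # exact ip:port must have been contacted
        return None                                    # no usable mapping: packet dropped


def demo(kind):
    """Run the same probes against a NAT of type `kind` and collect the outcomes."""
    nat = Nat(kind)
    public = nat.outbound(PRIVATE, PEER)
    same_host_other_port = (PEER[0], PEER[1] + 1)
    stranger = ("198.51.100.9", 7060)      # constructed host the inside host never contacted
    return {
        "public": public,
        "from_peer": nat.inbound(PEER, public),
        "from_other_port": nat.inbound(same_host_other_port, public),
        "from_stranger": nat.inbound(stranger, public),
        "second_destination_public": nat.outbound(PRIVATE, stranger),
    }


if __name__ == "__main__":
    for kind in NAT_TYPES:
        print(kind, demo(kind))
```

Running the script prints one result line per NAT type; the `from_stranger` probe is the one that separates full cone from the other three, and `second_destination_public` is the one that separates symmetric NAT (a new port, 5061) from the cone types (the same port, 5060).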

Addressing NAT Traversal Problems by the Proxy Mechanism

Proxy Mechanism Overview

An SE2900 functions as a proxy to address NAT traversal problems. It directionally transmits signaling or media streams in proxy mode, which places no specific requirements on NAT devices, so carriers do not need to replace the NAT devices on the live network. The SE2900 re-specifies a destination address and port for a signaling or RTP stream from a private or public address to achieve address translation between network domains, including between private and public networks. This ensures that signaling and media streams can traverse NAT devices.

The SE2900 is a logical function entity and provides two functions: SIP signaling proxy and media proxy.

- SIP signaling proxy: For users, the SE2900 can be regarded as part of an IMS or NGN network. Registration and call messages from IMS or NGN users are sent to the SE2900, which processes them and forwards them to the core CSCF or softswitch. For the core CSCF and softswitch, the SE2900 can be regarded as a user: the core CSCF or softswitch sends call requests to the SE2900, which processes them and forwards them to callees. The SE2900 analyzes the signaling to obtain address change and bandwidth requirement information about calls and determines, based on network resource usage, whether the media streams pass through the SE2900. This helps to protect networks, prevent bandwidth theft, and achieve NAT traversal.
- Media proxy: All RTP media streams pass through the SE2900, which processes and forwards them to enable communication between internal and external users. The SE2900 checks whether the packets are valid and specifies a forwarding policy for the media streams based on the signaling processing results. The forwarding policy covers packet filtering, QoS, and address translation. The SE2900 specifies the IP addresses and ports on which internal and external users receive RTP media streams, so that it can forward the media streams correctly and ensure QoS and security.

Location of the SE2900 on the Network

Figure 1-1 Location of the SE2900 on an IMS network (figure: the core network, the SE2900 carrying signaling and media, and a NAT/firewall in front of each access network)

The SE2900 that serves as a proxy is deployed at the edge or aggregation layer of an IP network and acts as a signaling and media aggregation point.

Signaling NAT Traversal

Enabling an INVITE request to reach the intended user behind a NAT device is the major problem to be resolved in signaling NAT traversal. The problem is resolved by completing the registration process, which sets up an address mapping on the NAT device through which messages can be sent. The SE2900 or the user then keeps the NAT channel alive by sending packets periodically.

Registration Process

Figure 1-2 Registration process when the SE2900 acts as a proxy

The registration process is as follows:

1. A UE sends a REGISTER request to the NAT device. The source IP address contained in the REGISTER packet header and the contact address contained in the payload are both the private address/port (Aa) of the UE.
2. The NAT device executes the following operations:
   - Allocates a public address/port (Nn) to the UE.
   - Generates a mapping between Aa and Nn.
   - Translates Aa in the packet header into Nn.
   - Forwards the REGISTER request to the SE2900.
3. The SE2900 receives the REGISTER request and executes the following operations:
   - Allocates a public signaling address/port (Dd).
   - Translates the address contained in the REGISTER packet header and payload.
   - Records the mapping between Nn/Cc and Dd/Ee.
   - Sends the REGISTER request to the P-CSCF or softswitch to which the UE belongs.
4. The P-CSCF or softswitch authenticates the UE and sends a response packet to the SE2900.
5. The SE2900 receives the response packet and executes the following operations:
   - Modifies the address contained in the packet header and payload according to the address mapping.
   - Forwards the response packet to the NAT device.
6. The NAT device translates the IP address contained in the response packet into Aa and forwards the packet to the UE.

Signaling NAT Keepalive

After the registration process, a signaling channel between the SE2900 and the UE is formed. The address mapping established on the NAT device, however, has an aging period: it is deleted if the NAT device does not receive packets from the UE or the SE2900 before the aging period expires. Therefore, the SE2900 or the UE must send keepalive packets through the NAT device to refresh the NAT entries and prevent the address mapping from aging out. The SE2900 can send the following packets to keep the address mapping alive:

- Hello packets: The SE2900 periodically sends a Hello packet (a UDP packet) to the UE. The format of the Hello packets can be customized.
- SIP Re-REGISTER packets: After the SE2900 receives a response packet from the core network, it changes the Expires header or parameter so that the UE quickly sends another REGISTER request to refresh the address mapping entry.
- STUN packets: If a NAT device is deployed between the SE2900 and the UE, the UE periodically sends STUN requests to the NAT device to keep the corresponding address mapping entries on the NAT device alive. SIP keepalive using STUN requests applies to SIP over UDP in the A-SBC scenario.
- PING/PONG packets: PING and PONG messages are exchanged between the UE and the SE2900 to keep a TCP connection alive. If a NAT device is deployed between the SE2900 and the UE, the PING/PONG exchange also keeps the corresponding address mapping entries on the NAT device alive. SIP keepalive using PING/PONG packets applies to SIP over TCP in the A-SBC scenario.

Table 1-1 shows the differences between the four types of packets.

Table 1-1 Differences between sending the four types of packets

Category | Sending Hello packets | Sending SIP Re-REGISTER packets | Sending STUN packets | Sending PING/PONG packets | Remarks
Flexibility | Flexible | Not flexible | Flexible | Flexible | The format of the Hello packets can be customized.
Impact on SE2900 performance | Lightly impacted | Greatly impacted | Lightly impacted | Lightly impacted | The SE2900 needs to transcode the SIP Re-REGISTER packets, which affects SE2900 performance.
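The registration steps above and the "SIP Re-REGISTER" keepalive can be shown together in one small model. The following is an added example, not part of the white paper and not SE2900 software: a proxy that rewrites the UE's contact address on the REGISTER towards the core, restores it on the response, and shortens `Expires` so the UE re-registers before the NAT binding ages. Aa and Nn are the sample addresses from the NAT Type section; the access-side address Dd (203.0.113.10:5060), the core-side address Ee (10.10.3.5:5060), the 120-second NAT aging period and the "half the aging period" policy are all assumptions, as are the constructed SIP messages.

```python
"""SIP REGISTER proxying and keepalive via Expires shortening.

Added example, not part of the white paper or the SE2900 software. It models
steps 2 to 6 of the registration process plus the SIP Re-REGISTER keepalive.
Aa and Nn are the sample addresses from the NAT Type section; Dd, Ee and the
NAT aging period are assumed values.
"""
import re

AA = ("192.168.0.37", 6060)    # UE private address/port (Aa)
NN = ("202.96.0.1", 5060)      # public address/port the NAT allocated (Nn), seen as the UDP source
DD = ("203.0.113.10", 5060)    # assumed SE2900 access-side signaling address (Dd)
EE = ("10.10.3.5", 5060)       # assumed SE2900 core-side address (Ee)
HOSTPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Constructed REGISTER as it leaves the UE: Via and Contact both carry Aa.
REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.37:6060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: c1@192.168.0.37\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@192.168.0.37:6060>\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_sip(raw):
    """Split a SIP message into (start line, [(name, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(part.strip() for part in line.split(":", 1)) for line in lines[1:]]
    return lines[0], headers, body


def build_sip(start, headers, body=""):
    return start + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


class SignalingProxy:
    def __init__(self, access=DD, core=EE, nat_aging=120):
        self.access, self.core, self.nat_aging = access, core, nat_aging
        self.bindings = {}   # Call-ID -> {"nn": NAT public addr, "aa": UE private addr}

    def _clamp(self, seconds):
        # Assumed policy: make the UE re-register at half the NAT aging period.
        return min(int(seconds), self.nat_aging // 2)

    def from_access(self, raw, nat_source):
        """REGISTER arriving from the NAT: learn Nn, rewrite the contact, return the message for the core."""
        start, headers, body = parse_sip(raw)
        fields = dict(headers)
        m = HOSTPORT.search(fields["Contact"])
        aa = (m.group(1), int(m.group(2)))
        self.bindings[fields["Call-ID"]] = {"nn": nat_source, "aa": aa}
        core = f"{self.core[0]}:{self.core[1]}"
        # The core must reach the UE through the proxy, so Contact now points at the core-side address.
        out = [(n, HOSTPORT.sub(core, v) if n == "Contact" else v) for n, v in headers]
        # The proxy's own Via goes on top so the core's response comes back here first.
        out.insert(0, ("Via", f"SIP/2.0/UDP {core};branch=z9hG4bK-se2900"))
        return build_sip(start, out, body)

    def from_core(self, raw):
        """Response from the core: undo the rewrite, shorten Expires, return (message, Nn to send it to)."""
        start, headers, body = parse_sip(raw)
        binding = self.bindings[dict(headers)["Call-ID"]]
        aa = f"{binding['aa'][0]}:{binding['aa'][1]}"
        out = []
        for name, value in headers:
            if name == "Via" and "z9hG4bK-se2900" in value:
                continue                                  # strip the Via this proxy inserted
            if name == "Contact":
                value = HOSTPORT.sub(aa, value)           # give the UE back its own contact
                value = re.sub(r"expires=(\d+)", lambda mm: f"expires={self._clamp(mm.group(1))}", value)
            elif name == "Expires":
                value = str(self._clamp(value))
            out.append((name, value))
        return build_sip(start, out, body), binding["nn"]


# Constructed 200 OK as the P-CSCF returns it to the proxy.
OK_FROM_CORE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 10.10.3.5:5060;branch=z9hG4bK-se2900\r\n"
    "Via: SIP/2.0/UDP 192.168.0.37:6060;branch=z9hG4bK776\r\n"
    "From: <sip:alice@example.com>;tag=1\r\n"
    "To: <sip:alice@example.com>;tag=9\r\n"
    "Call-ID: c1@192.168.0.37\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:alice@10.10.3.5:5060>;expires=3600\r\n"
    "Expires: 3600\r\n"
    "Content-Length: 0\r\n\r\n"
)


def demo():
    proxy = SignalingProxy()
    to_core = proxy.from_access(REGISTER, NN)       # step 3: rewrite and forward towards the P-CSCF
    to_ue, send_to = proxy.from_core(OK_FROM_CORE)  # step 5: restore addresses, send to Nn via the NAT
    return to_core, to_ue, send_to
```

The response is sent to Nn, the UDP source the REGISTER arrived from, rather than to any address inside the message, since only Nn has a binding on the NAT. The shortened `Expires` (60 s here) is what makes the UE's next REGISTER arrive before the 120 s binding ages; the Hello, STUN and PING/PONG options in Table 1-1 achieve the same refresh without touching SIP headers.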

Media NAT Traversal

Media streams are transmitted over an IMS or NGN network using RTP, which is carried over UDP. The IP addresses and ports used for the RTP media streams are negotiated using the signaling messages sent to establish calls. The following signaling protocols can be used to establish calls: SIP, H.323, H.248, and MGCP. These protocols use the SDP information of the caller and callee to negotiate the media addresses and ports for both sides. When signaling carrying SDP information passes through the NAT device, the NAT device translates only the IP, TCP, and UDP packet headers, not the IP address and port carried in the SDP payload. The media address obtained by the callee is therefore the private address and port of the caller, and the callee cannot use this private address to reach the caller on the private network.

Deploying a media proxy on the network is an effective way to implement media NAT traversal. The media proxy translates private media addresses and ports into public addresses and ports during end-to-end media negotiation. The SE2900 provides the media proxy function to support media NAT traversal without the need to upgrade the NAT devices on the live network.

SE2900-based media NAT traversal can be divided into two stages: signaling negotiation and media latching.

Signaling negotiation stage, at which media address mappings are set up by SDP negotiation

Before a caller and callee make a call, they must exchange signaling packets to negotiate a channel for transmitting media streams. The SE2900 executes the following operations at the signaling negotiation stage:

1. Obtains the IP address and port on which the caller and callee receive media streams from the SDP information contained in the signaling packets.
2. Allocates the access- and core-side media addresses and ports for the caller and callee.
3. Creates the address mapping entry (192.168.1.2:2008, 20.1.3.8:7003)<->(10.10.3.5:5007, 20.1.5.9:9000) for the media session.

All media streams pass through the SE2900, but only the media streams matching media session entries on the SE2900 are forwarded.

Media transmission stage, at which the IP addresses for media packets are learned and translated

The media transmission stage can be further divided into three sub-stages: pre-media-latching, media latching, and post-media-latching.

Pre-media-latching sub-stage

Because UE1, with the IP address 192.168.1.2, has not yet sent media packets to the SE2900, the media address mapping between UE1 and the SE2900 has not been generated on the NAT device. As a result, the NAT device discards all media packets destined for UE1.

Media latching sub-stage

UE1 sends the first media packet to the SE2900. When the first media packet passes through the NAT device, the NAT device creates an address mapping between 192.168.1.2:3008 and 20.1.2.3:8028. The SE2900 receives the media packet processed by the NAT device and executes the following operations:

1. Learns the transport-layer address and port (20.1.2.3:8028) contained in the media packet.
2. Updates the address mapping entry for the media session to (20.1.2.3:8028, 20.1.3.8:7003)<->(10.10.3.5:5007, 20.1.5.9:9000).

Post-media-latching sub-stage

When the SE2900 receives media packets destined for UE1, it queries the updated address mapping entry (20.1.2.3:8028, 20.1.3.8:7003)<->(10.10.3.5:5007, 20.1.5.9:9000) and forwards the media packets to 20.1.2.3:8028. The NAT device queries its address mapping entry (192.168.1.2:3008)<->(20.1.2.3:8028) and forwards the media packets to UE1.

The disadvantage of the preceding media NAT traversal solution is that, in some cases, the UE receives but does not send media packets, so no packet arrives from which the SE2900 can latch the UE's public address. For example, if the stream mode in the SDP information contained in the signaling packets from the caller is sendonly, the stream mode negotiated for the callee can only be recvonly. To prevent this problem, the SE2900 changes the stream mode for the caller to sendrecv before it forwards the caller's SDP information to the callee. In this way, the stream mode negotiated for the callee can be sendrecv or sendonly.
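The signaling negotiation stage, the three media-transmission sub-stages and the sendonly-to-sendrecv change can be exercised end to end in a single model. The following is an added example, not part of the white paper and not SE2900 software: it parses a constructed caller SDP offer, rewrites it towards the callee, creates the session entry with the addresses from the text, and then shows a callee packet before latching (forwarded towards the unreachable private address, which the NAT would drop), the latch on the first caller packet, the post-latching forward to the learned public address, and the filtering of a constructed unrelated source (198.51.100.7:4000). No sockets are involved; a media packet is its (source, destination) address pair.

```python
"""Media proxy with media latching and SDP direction rewriting.

Added example, not part of the white paper or the SE2900 software. It models
the signaling negotiation stage (SDP parsing and rewriting), the three
media-transmission sub-stages, and the sendonly-to-sendrecv change, using
the addresses from the text. A media packet is just its (source, destination)
address pair.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed caller offer; the media address is the private one from the text.
CALLER_SDP = (
    "v=0\r\n"
    "o=ue1 1 1 IN IP4 192.168.1.2\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.2\r\n"
    "t=0 0\r\n"
    "m=audio 2008 RTP/AVP 0\r\n"
    "a=sendonly\r\n"
)


def sdp_media_addr(sdp):
    """Address/port the offerer says it receives RTP on (c= and m= lines)."""
    ip = re.search(r"^c=IN IP4 (\S+)", sdp, re.M).group(1)
    port = int(re.search(r"^m=audio (\d+)", sdp, re.M).group(1))
    return ip, port


def rewrite_sdp(sdp, ip, port, force_sendrecv=True):
    """Point the offer at the proxy's address and, as the text describes, turn sendonly into sendrecv."""
    sdp = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {ip}", sdp, flags=re.M)
    sdp = re.sub(r"^m=audio \d+", f"m=audio {port}", sdp, flags=re.M)
    if force_sendrecv:
        sdp = re.sub(r"^a=sendonly\b", "a=sendrecv", sdp, flags=re.M)
    return sdp


@dataclass
class MediaSession:
    caller_sdp_addr: tuple                 # 192.168.1.2:2008 as signalled (unreachable behind the NAT)
    proxy_access_addr: tuple               # 20.1.3.8:7003 allocated on the access side
    proxy_core_addr: tuple                 # 10.10.3.5:5007 allocated on the core side
    callee_addr: tuple                     # 20.1.5.9:9000 from the callee's SDP
    latched_addr: Optional[tuple] = None   # caller's NAT public address once learned


class MediaProxy:
    def __init__(self):
        self.by_access = {}   # proxy access address -> session
        self.by_core = {}     # proxy core address -> session

    def negotiate(self, caller_sdp, access_addr, core_addr, callee_addr):
        """Signaling negotiation stage: create the session entry and the SDP sent on to the callee."""
        session = MediaSession(sdp_media_addr(caller_sdp), access_addr, core_addr, callee_addr)
        self.by_access[access_addr] = session
        self.by_core[core_addr] = session
        return session, rewrite_sdp(caller_sdp, core_addr[0], core_addr[1])

    def forward(self, src, dst):
        """Return (new source, new destination) for a media packet, or None if it is not forwarded."""
        if dst in self.by_access:                      # packet from the caller side, through the NAT
            s = self.by_access[dst]
            if s.latched_addr is None:
                s.latched_addr = src                   # media latching: learn the NAT's public address
            elif src != s.latched_addr:
                return None                            # does not match the latched source: drop
            return s.proxy_core_addr, s.callee_addr
        if dst in self.by_core:                        # packet from the callee side
            s = self.by_core[dst]
            if src != s.callee_addr:
                return None
            # Pre-latching, only the private SDP address is known; the NAT will drop packets sent there.
            return s.proxy_access_addr, s.latched_addr or s.caller_sdp_addr
        return None                                    # no media session entry: drop


def demo():
    proxy = MediaProxy()
    access, core = ("20.1.3.8", 7003), ("10.10.3.5", 5007)
    callee = ("20.1.5.9", 9000)
    nat_public = ("20.1.2.3", 8028)                    # how the NAT presents the caller's RTP
    _, sdp_to_callee = proxy.negotiate(CALLER_SDP, access, core, callee)
    pre_latch = proxy.forward(callee, core)            # callee sends first: goes towards 192.168.1.2
    latch = proxy.forward(nat_public, access)          # first caller packet arrives, address learned
    post_latch = proxy.forward(callee, core)           # now forwarded to the learned public address
    stray = proxy.forward(("198.51.100.7", 4000), access)  # constructed unrelated source: filtered
    return sdp_to_callee, pre_latch, latch, post_latch, stray
```

The latch is taken from the first packet that hits the allocated access-side port, which is why the proxy must also filter every later packet against the latched source: without that check, anything that reaches the port would be relayed into the core. Forcing `sendrecv` in the rewritten SDP is what guarantees that a first packet exists to latch on.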

Comparison Between Traversal Technologies

At present, the following traversal technologies are available: ALG, STUN, MIDCOM, protocol modification, and proxy.

ALG Technology

NAT and NAPT apply only to IP addresses in IP packet headers and port information in TCP/UDP packet headers. The data part of packets carrying certain protocols may contain IP address or port information that the NAT device cannot translate, which causes problems. For example, an FTP server using a private address may need to send its IP address to a PC on the public network to establish a session between them. The private address is in the data part of the IP packet and is not translated by the NAT device. Once the PC receives and uses this private address, the FTP server becomes unreachable for the PC.

ALG technology can be used to resolve such problems. The ALG is a proxy that translates IP addresses contained in packets of a given application protocol. It interacts with the NAT device to establish state, uses the NAT state information to modify the application data encapsulated in the data part of IP packets, and performs the other work needed to make the application protocol operate across the different address realms.

Take an ICMP destination unreachable packet as an example. The data part of this packet contains the header of packet A, the packet that caused the error. Before the NAT device forwarded packet A, it translated the IP address contained in packet A, so the source address contained in packet A is not the real IP address of the PC on the private network. If the ICMP ALG function is enabled, the ALG interworks with the NAT device before the NAT device forwards the ICMP packet. The ALG opens the ICMP packet and translates the address in packet A's header in the data part back to the real address of the PC on the private network. The NAT device forwards the ICMP packet after the ALG completes the other necessary work.

The H.323 ALG, SIP ALG, MGCP ALG, and H.248 ALG functions must be implemented for the H.323, SIP, MGCP, and H.248 protocols respectively.

Figure 1-3 shows a typical networking scenario in which ALG technology is applied.

Figure 1-3 Typical NAT ALG networking diagram (figure: a softswitch in the provider network exchanging Register Request/Register Response with a SoftPhone and an IAD on two corporate L2 intranets, each behind a firewall/NAT with the ALG function)

STUN Technology

STUN consists of two parts: the STUN client deployed on the private network and the STUN server deployed on the public network. The UE must support the STUN client function. The STUN server can be integrated into a component of the corresponding application device, such as a softswitch on the NGN, or function as an independent device.

Figure 1-4 shows a typical networking scenario in which STUN technology is applied.

Figure 1-4 Typical STUN networking diagram (figure: a softswitch and a STUN server in the provider network; STUN clients in a SoftPhone and an IAD on two corporate L2 intranets, each behind a firewall/NAT, exchanging Binding Request/Binding Response with the STUN server and Register Request/Register Response with the softswitch)

STUN stands for Simple Traversal of UDP through NAT. The STUN client uses UDP to send a STUN request to the STUN server. After the STUN server receives the request, it generates a response message that carries the source address and port of the request as the server saw them, that is, the public address and port of the STUN client on the NAT device. The NAT device forwards the response message back to the STUN client. The STUN client learns its public address on the NAT device from the response, places this public address in the UDP payload of the subsequent call protocol, and thereby tells the remote end that the local RTP receiving address and port are those on the public side of the NAT device. Because the NAT mapping entry for the media streams has already been created on the NAT device by the STUN exchange, the media streams can traverse the NAT device.

The STUN protocol supports NAT traversal without changing the existing NAT devices or firewalls on the live network. A large number of NAT devices and firewalls on the live network do not support VoIP services. To resolve this problem using MIDCOM or NAT ALG technology, the NAT devices and firewalls must be replaced, which is difficult to do for all of them. STUN technology resolves the problem without replacing the existing NAT devices and firewalls. In addition, STUN technology can be used on a network where multiple NAT devices are connected in series, whereas MIDCOM technology cannot effectively control multi-level NAT devices. For details, see the section "MIDCOM Technology."

The disadvantage of STUN technology is that the NGN UE must support the STUN client function. STUN technology does not support H.323 or the traversal of TCP connections. In addition, STUN technology does not support firewall traversal for NGN services or symmetric NAT traversal.
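The Binding Request/Binding Response exchange described above, with both sides' messages, as an added example that is not part of the white paper. It builds and parses STUN messages in the RFC 5389 wire format (20-byte header with the magic cookie, XOR-MAPPED-ADDRESS attribute); no sockets are used, so the NAT's translation is simulated by telling the "server" which source address it observed. The observed address defaults to the sample NAT public address from the NAT Type section; the second address in the test is constructed.

```python
"""STUN Binding exchange: client request, server response, client parse.

Added example, not part of the white paper. RFC 5389 wire format; the server
side is handed the source address it "observed", standing in for the
NAT-translated source of the request.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020
HEADER = struct.Struct("!HHI12s")            # type, length, magic cookie, transaction id


def build_binding_request(transaction_id):
    """Client side: a Binding Request with no attributes."""
    if len(transaction_id) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return HEADER.pack(BINDING_REQUEST, 0, MAGIC_COOKIE, transaction_id)


def build_binding_response(request, observed_ip, observed_port):
    """Server side: echo the transaction id and report the request's source as the server saw it."""
    msg_type, _, cookie, tid = HEADER.unpack(request[:HEADER.size])
    if msg_type != BINDING_REQUEST or cookie != MAGIC_COOKIE:
        raise ValueError("not a STUN Binding Request")
    # XOR-MAPPED-ADDRESS: port XORed with the top 16 bits of the cookie, IPv4 address
    # with the whole cookie, so that an ALG on the path does not rewrite the literal address.
    xport = observed_port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(observed_ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return HEADER.pack(BINDING_SUCCESS, len(attr), MAGIC_COOKIE, tid) + attr


def parse_mapped_address(response, expected_tid):
    """Client side: recover (ip, port) of the reflexive address from a Binding Success response."""
    msg_type, length, cookie, tid = HEADER.unpack(response[:HEADER.size])
    if cookie != MAGIC_COOKIE or tid != expected_tid:
        raise ValueError("response does not belong to our request")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{msg_type:04x}")
    body = response[HEADER.size:HEADER.size + length]
    offset = 0
    while offset + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[offset:offset + 4])
        value = body[offset + 4:offset + 4 + alen]
        offset += 4 + (alen + 3) // 4 * 4          # attribute values are padded to 4 bytes
        if atype == XOR_MAPPED_ADDRESS:
            family, xport, xaddr = struct.unpack("!xBHI", value[:8])
            if family != 0x01:
                continue                            # only IPv4 handled here
            port = xport ^ (MAGIC_COOKIE >> 16)
            ip = socket.inet_ntoa(struct.pack("!I", xaddr ^ MAGIC_COOKIE))
            return ip, port
    return None


def stun_exchange(nat_public_ip="202.96.0.1", nat_public_port=5060):
    """Whole exchange; the NAT's translation is simulated by what the server is told it observed."""
    tid = os.urandom(12)
    request = build_binding_request(tid)         # leaves the client from its private address
    response = build_binding_response(request, nat_public_ip, nat_public_port)
    return parse_mapped_address(response, tid)   # the client now knows its public address on the NAT
```

The transaction id check in `parse_mapped_address` is what ties a response to the request the client actually sent. The address learned this way is only guaranteed valid for the destination the request went to: on a symmetric NAT, which allocates a different public port per destination, the port reported by the STUN server is not the one the remote RTP peer will see, which is the symmetric NAT limitation the text lists.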
On an enterprise network that requires high security, symmetric NAT is usually deployed at the egress node.

MIDCOM Technology

MIDCOM technology includes two parts: the MIDCOM agent and the Middlebox. The MIDCOM agent instructs the Middlebox to establish NAT mapping entries. Generally, the Middlebox is integrated into a NAT device or firewall. A softswitch, proxy server, or UE can act as the MIDCOM agent.

Figure 1-5 shows a typical networking scenario in which MIDCOM technology is applied.

Figure 1-5 Typical MIDCOM networking diagram (figure: a softswitch acting as MIDCOM agent in the provider network, controlling the Firewall/NAT/MIDBOX in front of each corporate L2 intranet, with a SoftPhone and an IAD on the intranets)

The MIDCOM agent, not the Middlebox, identifies application services. In the MIDCOM architecture, more services can be supported by upgrading the MIDCOM agent without modifying the basic Middlebox features. This is where MIDCOM technology outperforms NAT ALG technology. In NGN service applications, the Middlebox function can be implemented on a NAT device or firewall. The softswitch, acting as the MIDCOM agent, identifies the IP voice and video protocols such as H.323, SIP, MGCP, and H.248, and controls the NAT device and firewall. MIDCOM can therefore be a solution for NGN services to traverse the NAT device and firewall. MIDCOM technology supports control packet and media stream encryption and is secure.

Protocol Modification

Current multimedia application protocols cannot traverse a NAT device or firewall. Modifying the protocols can address this problem. Protocols such as H.323, SIP, MGCP, and H.248, however, cannot yet be modified for traversal because the technology for tackling this issue is still being developed. It is not described in this document.

Traversal Technology Comparison

Table 1-2 Traversal technology comparison

Technology Type | ALG | STUN | MIDCOM | Protocol Modification | Proxy
Location | Edge of a private or public network | Any location | Any location | Any location | Any location
Requirements for the existing NAT devices and firewalls | The existing NAT devices and firewalls must be replaced or upgraded to support ALG technology. | Symmetric NAT is not supported. | The existing NAT devices and firewalls must be replaced or upgraded to support the Middlebox function. | Changing the existing NAT devices and firewalls is not required. | Changing the existing NAT devices and firewalls is not required.
Multi-level NAT | The NAT device at each level must support ALG technology. | No NAT device at any level may be a symmetric NAT device. | The Middlebox or ALG function must be supported. | Supported | Supported
Impact on the live network | Routes need to be added. | No impact | Routes need to be added. | No impact | No impact
Requirements for UEs | No specific requirements | UEs must support the STUN client function. | No specific requirements (the MIDCOM agent function can be implemented on the server). | Protocol modification | A UE uses the same port to send and receive streams.
Requirements for the server | No specific requirements | No specific requirements | The server must support the MIDCOM agent function. | Protocols must be modified. | No specific requirements

- Deployment location: If proxy technology is used, a proxy device can be deployed at the edge or aggregation layer of the IP network in overlay network mode. If ALG technology is used, the device implementing ALG technology must be deployed at the private network's egress to the public network. If STUN, MIDCOM, or protocol modification technology is used, the device implementing the technology can be deployed at any location on the IP network.
- Requirements for the existing NAT devices and firewalls: If proxy or protocol modification technology is used, the existing NAT devices and firewalls do not need to be modified or upgraded. If ALG, STUN, or MIDCOM technology is used, the existing NAT devices and firewalls must support the technology; if they do not, they must be upgraded.
- Multi-level NAT: If proxy technology is used, multi-level NAT is supported and none of the NAT devices need to be upgraded or modified. If ALG, STUN, or MIDCOM technology is used, the NAT devices and firewalls at all levels must support the ALG, STUN, or MIDCOM function, and any NAT device that does not must be upgraded. If protocol modification technology is used, the server and UE must support the corresponding functions and multi-level NAT.
- Impact on the live network: If proxy, STUN, or protocol modification technology is used, the live network is not affected, and the live network topology and routes remain unchanged. If ALG or MIDCOM technology is used, routes must be added.
- Requirements for UEs: Proxy, ALG, and MIDCOM technologies have no requirements for UEs. STUN and protocol modification technologies require UEs to provide specific functions; UEs that do not must be upgraded.
- Requirements for the server: Proxy, ALG, and STUN technologies have no requirements for the server. MIDCOM and protocol modification technologies require the server to support specific functions.