kccvoip.com basic voip training NAT/PAT extract 2008

Transcription:

As we have seen in the previous slides, SIP and H.323 both carry addressing inside their packets to relay information. Think of an envelope in which we place the telephone/device addresses and the call setup information we want to send to the other VoIP user.

[Diagram (addresses and ports as printed in the extract), contents of the envelope: TO: 555-7@1.2.44.11 FROM: 55-2222@18.22.7. use: G729 port: 188]

The envelope itself is addressed to the other user (TO: 1.2.44.11).

kccvoip.net basic voip training extract 2008

The return address is also on the envelope (FROM: 18.22.7.). An IP packet is constructed with the SIP or H.323 content in the same way, and is sent via the routing to the address on the envelope.

All works fine as long as the addresses on the envelope are the same as the addresses inside the envelope. Both telephones can route traffic to each other.

In more detail, in SIP for example the call setup uses port 5060 by default, so each end knows to open the 5060 envelope and read the contents to set up the audio stream. The caller sends the envelope to the remote end:

[Diagram: 18.22.7.:5060 to 1.2.44.11:5060, contents TO: 555-7 FROM: 55-222 USE: G729 PORT: 188]

(SIP sends the call setup using port 5060 by default; H.323 sends the call setup using port 1720 by default.)

The remote end responds to the caller with its own requirements in a 5060 envelope:

[Diagram: 1.2.44.11:5060 to 18.22.7.:5060, contents TO: 55-2222 FROM: 555-7 USE: G729 PORT: 1422]

Then the audio stream can begin and the conversation starts:

[Diagram: G729 audio in each direction between 18.22.7. and 1.2.44.11, using ports 188 and 1422]

Even for more complex calls with several addresses and options in the envelope, all works fine, because all the addresses are valid and routable.

[Diagram: 18.22.7.:5060 to 1.2.44.11:5060, contents TO: 555-124@1.2.44.11 FROM: 555-@18.22.7. TRANSFER: 555-212@18.2.11. USE: G729, G711 PORT: 144]

The addresses inside the SIP packets are real routable addresses, and the port numbers are real ports allocated by the telephone systems to carry the audio streams.

Now, in the real world, we have NAT and PAT. If we are not using IPv6, we have the problem of limited IPv4 address space, and of security, so NAT is used to translate between a public address and a private address:

[Diagram: 1.1.1. - NAT - 18...1 - 1.2.44.; inside the envelope TO: 555-4545@1.2.44. FROM: 555-@1.1.1. USE: G729 PORT: 1844; envelope 18...1:5060 to 1.2.44.:5060]

NOTICE that the address on the envelope no longer matches the address inside. NAT has changed the private 1.1.1. address into the outside public address 18...1 as it forwards the envelope to the remote site. The remote site cannot respond to this request because it does not know where 1.1.1. is. Call setup fails.

Simply put: the address on the envelope is the public address, but the address inside the envelope is the private address, and the private address has no meaning outside of the originating site.

When the envelope is opened at the remote end, the requested call setup addresses are private addresses; they cannot be routed and therefore cannot be used. Call setup fails.

To fix this there are various methods available, but all result in the public address from the outside of the envelope being copied into the packets inside the envelope.

[Diagram: 1.1.1. - NAT - 18...1 - 1.2.44.; before correction TO: 555-4545@1.2.44. FROM: 555-@1.1.1. USE: G729 PORT: 1844; ADDRESS CORRECTION DONE IN SOFTWARE; after correction TO: 555-4545@1.2.44. FROM: 555-@18...1 USE: G729 PORT: 1844; envelope 18...1:5060 to 1.2.44.:5060]

Software running in the router, SBC, proxy, gateway or end device uses STUN, ICE or TURN techniques to read the outside envelope address and re-write the internal packet contents, replacing the private address with the public address as the packet is sent out through NAT. This ensures the remote end receives the envelope with correctly addressed contents, and the call setup can then proceed to the correct addresses.

The same technique has to be applied to the audio stream addresses and port numbers (in each direction): a translation table is maintained so that the NAT public/private addresses are re-written in both the SIP and the RTP audio packets.

[Diagram: G729 audio SRC = 1.1.1.:1888 DST = 1.2.44.:1844; ADDRESS CORRECTION DONE IN SOFTWARE; G729 audio SRC = 18...1:1888 DST = 1.2.44.:1844]

NOW imagine NAT at both ends of the circuit: twice as many translations, but still an easy solution to the problems caused by these one-to-one NAT address translations. All is working again through the NAT translation.

But NAT on its own only provides a one-to-one mapping of public to private addressing, so we would still need a public address for every device inside our networks. Not scalable, not real-world.

Hence PAT (port address translation), which enables the enterprise to share one public address among the hundreds of privately addressed devices in the internal network. All the external packets carry the same public address but use a different port number to correlate them with their original private address and original port number.

PROBLEM for SIP/H.323 etc.: once again the address on the envelope will no longer match the address inside the envelope, but now it is a much more complex problem to fix. We now need to keep a database of the NAT and PAT translations and how they relate to each SIP/H.323 call, each voice stream and each control flow (and each video stream).

[Diagram: 1.1.1. - NAT & PAT - 18...1 - 1.2.44.; ADDRESS CORRECTION DONE IN SOFTWARE.
telephone1: SIP call setup 1.1.1.:5060 becomes 18...1:142; RTP audio stream 1.1.1.:188 becomes 18..1:1422; RTP audio control 1.1.1.:187 becomes 18..1:1421.
telephone2: SIP call setup 1.1.1.7:5060 becomes 18...1:142; RTP audio stream 1.1.1.7:1888 becomes 18...1:1424; RTP audio control 1.1.1.7:1887 becomes 18...1:1425.
CALL SETUP SEEN FROM 18...1:142 and 142; AUDIO SENT BACK TO 18...1:1422 and 1424; AUDIO CONTROL SENT ON 18...1:1421 and 1425]

The software has to keep track of which port belongs to which device and which audio stream was requested by which end device, and make all the necessary changes to the addresses and port numbers inside each envelope.

Not too bad, until you factor in the features required by modern telephony systems: transfer, hold, re-direct, conference, three-way calling etc. The software has to keep track of every stream in every flow. Quite complex. Not really; we are just beginning. Next, let us factor a firewall or two into the path.

One of the jobs of the firewall is to block traffic from the outside that was not originated from the inside. Here is another problem for our SIP or H.323 traffic. In this example our telephone requested the RTP audio stream to be sent to it on port 144, and the remote telephone requested port 1888.

[Diagram: audio stream SRC: 1.22.22.55:1888 DST: 188.22..:144; FIREWALL BLOCKS TRAFFIC AS IT DID NOT ORIGINATE INSIDE]

So call setup functioned correctly, but the audio stream failed because the firewall was not multimedia aware or configured for the audio streams. The firewall does its job and blocks that audio stream from the remote telephone, because the traffic to port 144 was initiated from the outside.

A dirty fix would be to allow the whole RTP port range through the firewall. This is an insecure solution, as it opens all the RTP ports to the outside world. A better solution is to have the intelligence in the firewall to look into the call setup packets and be SIP and/or H.323 aware; for example in SIP, using the SDP information to read the required audio ports and open the firewall to those ports only when the call is made.

Put these scenarios all together and you have a very basic understanding of the SIP/H.323 NAT/PAT and firewall handling problems you may encounter. Next we will review the call setup and packet structure of SIP and H.323 to understand the call flow for setup, redirect, transfer and other features, and see how NAT/PAT and firewalls can really screw you up.
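To make the envelope mismatch, the software address correction and the SDP-aware firewall from the slides above concrete, here is an added Python example; it is not from the kccvoip training material. It takes a constructed SIP INVITE with SDP, reports the inside addresses that no longer match the envelope after NAT, rewrites the headers and SDP from a hypothetical NAT/PAT binding table (an ALG-style simplification of what the router, SBC or proxy software does), and lists the RTP/RTCP pinholes a SIP-aware firewall would open from the SDP m= line. All addresses, ports and bindings are made up.

```python
import re
# Constructed SIP INVITE (not from the slides): the private address is inside the envelope.
INVITE = (
    "INVITE sip:555-4545@203.0.113.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.20:5060;branch=z9hG4bK-demo\r\n"
    "From: <sip:555-1000@10.1.1.20>;tag=1\r\n"
    "To: <sip:555-4545@203.0.113.10>\r\n"
    "Contact: <sip:555-1000@10.1.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n\r\n"
    "v=0\r\no=- 1 1 IN IP4 10.1.1.20\r\ns=-\r\nc=IN IP4 10.1.1.20\r\nt=0 0\r\n"
    "m=audio 18800 RTP/AVP 18\r\n"
)
# Hypothetical NAT/PAT bindings: signalling, RTP and RTCP (RTP port + 1) each get one.
PAT = {("10.1.1.20", 5060): ("198.51.100.1", 10420),
       ("10.1.1.20", 18800): ("198.51.100.1", 14220),
       ("10.1.1.20", 18801): ("198.51.100.1", 14221)}
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

def inside_addresses(msg):
    """IPs the sender wrote inside the envelope (its own headers and the SDP)."""
    return sorted({a for l in msg.split("\r\n")
                   if l.startswith(("Via:", "From:", "Contact:", "o=", "c="))
                   for a in re.findall(IPV4, l)})

def envelope_mismatch(msg, envelope_src):
    """The failure in the slides: inside addresses that differ from the outer source IP."""
    return [a for a in inside_addresses(msg) if a != envelope_src]

def _public(m, table, default_port=5060):
    # Map one "ip" or "ip:port" match to its public binding; unchanged if no binding.
    ip, port = m.group(1), int(m.group(2) or default_port)
    pub_ip, pub_port = table.get((ip, port), (ip, port))
    return "%s:%d" % (pub_ip, pub_port) if m.group(2) or pub_port != port else pub_ip

def rewrite_through_nat(msg, table):
    """ALG-style address correction: copy the public bindings into headers and SDP."""
    head, _, body = msg.partition("\r\n\r\n")
    hdrs = [re.sub(r"(%s)(?::(\d+))?" % IPV4, lambda m: _public(m, table), l)
            if l.startswith(("Via:", "From:", "Contact:")) else l for l in head.split("\r\n")]
    sdp = body.split("\r\n")
    conn = next(l.split()[-1] for l in sdp if l.startswith("c="))  # c=IN IP4 <ip>
    rtp_port = next(int(l.split()[1]) for l in sdp if l.startswith("m=audio"))
    pub_ip, pub_port = table.get((conn, rtp_port), (conn, rtp_port))
    sdp = [l.replace(conn, pub_ip) if l.startswith(("o=", "c=")) else l for l in sdp]
    sdp = [l.replace(str(rtp_port), str(pub_port), 1) if l.startswith("m=audio") else l for l in sdp]
    return "\r\n".join(hdrs) + "\r\n\r\n" + "\r\n".join(sdp)

def rtp_pinholes(msg):
    """What a SIP-aware firewall opens from the SDP: each RTP port plus its RTCP port."""
    lines = msg.partition("\r\n\r\n")[2].split("\r\n")
    conn = next(l.split()[-1] for l in lines if l.startswith("c="))
    return [(conn, int(l.split()[1]) + k) for l in lines if l.startswith("m=") for k in (0, 1)]
```

Without NAT (envelope source 10.1.1.20) the mismatch list is empty; once the envelope leaves NAT as 198.51.100.1 the private address shows up inside, and only after the rewrite do the envelope, the SDP and the firewall pinholes agree.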