kccvop.com basic voip training NAT/PAT extract 28

As we have seen in the previous slides, SIP and H323 both use addressing inside their packets to relay information. Think of an envelope in which we place the addresses of the telephone/device and the call setup information we want to send to the other VoIP user:

TO: 555-7@1.2.44.11 FROM: 55-2222@18.22.7. use: G729 port: 188

The envelope is addressed to the other user (TO: 1.2.44.11).

kccvop.net basic voip training extract 28
[Figure: Cisco IP phone icons (softkeys: services, directories, settings)]

The return address is on the envelope (FROM: 18.22.7.) and the envelope is sent via the routing to the address written on it. An IP packet carrying SIP or H323 content is constructed the same way: 18.22.7. to 1.2.44.11. All works fine as long as the addresses on the envelope are the same as the addresses inside the envelope. Both telephones can route traffic to each other.

In more detail, for example in SIP the call setup would use port 5060 (by default), so each end knows to open the port 5060 envelope and read the contents to set up the audio stream. The caller sends the envelope to the remote end:

[Diagram: 18.22.7. to 1.2.44.11; envelope TO 555-7 FROM: 55-222 USE: G729 PORT: 188; sent from 18.22.7.:5060 to 1.2.44.11:5060]
[Figure: Cisco IP phone icons (softkeys: messages, services, directories, settings)]

(SIP would send the call setup using port 5060 by default; H323 would send the call setup using port 1720 by default.)

The remote end responds to the caller with its requirements in a port 5060 envelope:

[Diagram: 18.22.7. to 1.2.44.11; envelope TO 55-2222 FROM: 555-7 USE: G729 PORT: 1422; sent from 1.2.44.11:5060 to 18.22.7.:5060]

Then the audio stream can begin and the conversation start:

[Diagram: G729 audio in each direction between 18.22.7.:188 and 1.2.44.11:1422]
[Figure: Cisco IP phone icons (softkeys: messages, directories, services, settings)]

Even for more complex calls with several addresses and options in the envelope, all works fine, because all the addresses are valid and routable.

[Diagram: 18.22.7. to 1.2.44.11; envelope TO: 555-124@1.2.44.11 FROM: 555-@18.22.7. TRANSFER: 555-212@18.2.11. USE: G729, G711 PORT: 144; exchanged between 18.22.7.:5060 and 1.2.44.11:5060]

The addresses inside the SIP packets are real routable addresses and real port numbers allocated by the telephone systems to carry the audio streams.

Now, in the real world, we have NAT and PAT. If we are not using IPv6, we have the problem of limited IPv4 address space and security, so NAT is used to translate a public address into a private address:

[Diagram: 1.1.1. (inside) - NAT - 18...1 (outside) to 1.2.44.; envelope TO: 555-4545@1.2.44. FROM: 555-@1.1.1. USE: G729 PORT: 1844; sent from 18...1:5060 to 1.2.44.:5060]

NOTICE that the address on the envelope no longer matches the address inside. NAT has changed the private 1.1.1. address into the outside public address 18...1 as it forwards the envelope to the remote site. The remote site cannot respond to this request because it does not know where 1.1.1. is. Call setup fails.

Simply put: the address on the envelope is the public address, but the address inside the envelope is the private address. The private address has no meaning outside of the originating site.
[Figure: Cisco IP phone icons (softkeys: messages, directories, services, settings)]

When the envelope is opened at the remote end, the requested call setup addresses are private addresses; they cannot be routed and therefore cannot be used. Call setup fails.

To fix this there are various methods available, but all result in the public address from the outside of the envelope being copied into the packets inside the envelope:

[Diagram: 1.1.1. - NAT - 18...1 to 1.2.44.; envelope TO: 555-4545@1.2.44. FROM: 555-@1.1.1. USE: G729 PORT: 1844; ADDRESS CORRECTION DONE IN SOFTWARE; envelope leaves as TO: 555-4545@1.2.44. FROM: 555-@18...1 USE: G729 PORT: 1844; sent from 18...1:5060 to 1.2.44.:5060]

Software running in the router, SBC, proxy, gateway or end device uses STUN, ICE or TURN techniques to read the outside envelope address and re-write the internal packet contents, replacing the private address with the public address as it is sent out through NAT. This ensures the remote end receives the envelope with the correctly addressed contents, and the call setup can then proceed to the correct addresses.

The same technique has to be applied to the audio stream addresses and port numbers (in each direction), maintaining a translation table to ensure the NAT public-to-private addresses are re-written in the SIP and RTP audio packets:

[Diagram: G729 audio SRC = 1.1.1.:1888 DST = 1.2.44.:1844; ADDRESS CORRECTION DONE IN SOFTWARE; leaves NAT as SRC = 18...1:1888 DST = 1.2.44.:1844]
[Figure: Cisco IP phone icons (softkeys: messages, directories, services, settings)]

NOW imagine NAT at both ends of the circuit: twice as many translations, but still an easy solution to handle the problems caused by these one-to-one NAT address translations. All is working again through the NAT translation, but NAT on its own only provides a one-to-one mapping of public to private addressing, so we would still need a public address for every device inside our networks: not scalable, not real-world.

Hence PAT (port address translation) enables the enterprise to share one public address among the hundreds of privately addressed devices in the internal network. All the external packets carry the same public address but use a different port number to correlate them with their original private address and original port number.

PROBLEM for SIP/H323 etc.: once again the address on the envelope will no longer match the address inside the envelope, but now it is a much more complex problem to fix. We now need to keep a database of the NAT and PAT translations and how they relate to each SIP/H323 call, each voice stream and each control flow (and each video stream).

[Diagram: 1.1.1. - NAT & PAT - 18...1 to 1.2.44.; ADDRESS CORRECTION DONE IN SOFTWARE
telephone1: SIP call setup 1.1.1.:5060 becomes 18...1:142; RTP audio stream 1.1.1.:188 becomes 18..1:1422; RTP audio control 1.1.1.:187 becomes 18..1:1421
telephone2: SIP call setup 1.1.1.7:5060 becomes 18...1:142; RTP audio stream 1.1.1.7:1888 becomes 18...1:1424; RTP audio control 1.1.1.7:1887 becomes 18...1:1425
CALL SETUP SEEN FROM 18...1:142 and 142; AUDIO SENT BACK TO 18...1:1422 and 1424; AUDIO CONTROL SENT ON 18...1:1421 and 1425]

The software has to keep track of which port belongs to which device and which audio stream was requested by which end device, and make all the necessary changes to the addresses and port numbers inside each envelope.
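Added worked example (not from the kccvoip slides): a toy SIP/SDP address rewriter that performs the "address correction done in software" described above for the NAT and PAT case. It binds each private ip:port it meets to a port on one shared public address, keeps the reverse table so returning audio can be delivered to the right inside phone, rewrites the Via/Contact headers and the SDP c=/m= lines, and recomputes Content-Length (a rewrite that forgets this produces a malformed message). The INVITE text, the private address 10.1.1.10, the public address 198.51.100.1 and all port numbers are constructed values; PatTable, rewrite_sip and the other names are this example's own, not any vendor's API.

```python
import re

# RFC 1918 ranges: addresses that have no meaning outside the originating site
PRIVATE_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")
HOSTPORT_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::(\d+))?")


def is_private(ip):
    return bool(PRIVATE_RE.match(ip))


class PatTable:
    """NAT/PAT bindings: (private ip, private port) <-> public port on one public address.

    A real NAT picks the public ports itself; a counter is used here (assumption)
    so the result is deterministic. The reverse map is what lets inbound audio on
    a public port be handed to the right inside phone.
    """

    def __init__(self, public_ip, first_port=10420):
        self.public_ip = public_ip
        self._next = first_port
        self.out = {}   # (priv_ip, priv_port) -> public port
        self.back = {}  # public port -> (priv_ip, priv_port)

    def bind(self, ip, port):
        key = (ip, port)
        if key not in self.out:
            self.out[key] = self._next
            self.back[self._next] = key
            self._next += 1
        return self.out[key]

    def lookup_inbound(self, public_port):
        return self.back.get(public_port)


def rewrite_sip(msg, table):
    """Copy the public address from the outside of the envelope into the SIP
    headers and SDP body, binding every private ip:port it meets on the way."""
    head, body = msg.split("\r\n\r\n", 1)

    def fix_hostport(m):
        ip, port = m.group(1), m.group(2)
        if not is_private(ip):
            return m.group(0)
        if port is None:
            return table.public_ip
        return f"{table.public_ip}:{table.bind(ip, int(port))}"

    lines = []
    for line in head.split("\r\n"):
        # Via and Contact are where the far end routes responses and later
        # requests; Call-ID and From/To are left alone so the dialog still matches.
        if line.startswith(("Via:", "Contact:")):
            line = HOSTPORT_RE.sub(fix_hostport, line)
        lines.append(line)

    # SDP: c= carries the media address, m= the RTP port; RTCP sits on RTP + 1 (RFC 3550)
    c = re.search(r"^c=IN IP4 (\d+\.\d+\.\d+\.\d+)", body, re.M)
    if c and is_private(c.group(1)):
        priv_ip = c.group(1)

        def fix_media(m):
            rtp = int(m.group(2))
            pub_rtp = table.bind(priv_ip, rtp)
            table.bind(priv_ip, rtp + 1)          # audio control (RTCP) binding
            return f"{m.group(1)}{pub_rtp}{m.group(3)}"

        body = re.sub(r"^(m=\w+ )(\d+)(.*)$", fix_media, body, flags=re.M)
        body = body.replace(f"IN IP4 {priv_ip}", f"IN IP4 {table.public_ip}")

    # The body got longer, so Content-Length must be rewritten as well
    lines = [f"Content-Length: {len(body.encode())}" if ln.startswith("Content-Length:") else ln
             for ln in lines]
    return "\r\n".join(lines) + "\r\n\r\n" + body


def content_length_ok(msg):
    """True when the declared Content-Length matches the actual body size."""
    head, body = msg.split("\r\n\r\n", 1)
    declared = int(re.search(r"^Content-Length: (\d+)", head, re.M).group(1))
    return declared == len(body.encode())


def build_invite():
    """Constructed INVITE from inside phone 10.1.1.10 offering G.729 (payload type 18) on port 10800."""
    sdp = ("v=0\r\no=phone1 1 1 IN IP4 10.1.1.10\r\ns=-\r\n"
           "c=IN IP4 10.1.1.10\r\nt=0 0\r\nm=audio 10800 RTP/AVP 18\r\n")
    return ("INVITE sip:5554545@203.0.113.20 SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 10.1.1.10:5060;branch=z9hG4bK77\r\n"
            "From: <sip:5550001@example.net>;tag=1\r\n"
            "To: <sip:5554545@example.net>\r\n"
            "Call-ID: c1@phone1\r\n"
            "CSeq: 1 INVITE\r\n"
            "Contact: <sip:5550001@10.1.1.10:5060>\r\n"
            "Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n" + sdp)


def demo():
    """Push the constructed INVITE through a NAT whose public address is 198.51.100.1."""
    table = PatTable("198.51.100.1")
    return rewrite_sip(build_invite(), table), table


if __name__ == "__main__":
    outside, tbl = demo()
    print(outside)
    print("inbound on public port 10421 goes to", tbl.lookup_inbound(10421))
```

Running it shows the signalling socket 10.1.1.10:5060 bound once to 198.51.100.1:10420 (shared by Via and Contact), the RTP port 10800 bound to 10421 and its RTCP partner 10801 to 10422, which is exactly the per-device, per-stream table the slide says the software must keep.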
Not too bad, until you factor in the features required by modern telephony systems: transfer, hold, re-direct, conference, three-way calling and so on. The software has to keep track of every stream in every flow. Quite complex? Not really; we are just beginning.

Next, let us factor into the path a firewall or two.
[Figure: Cisco IP phone icon (softkeys: messages, services, directories, settings)]

One of the jobs of the firewall is to block traffic from the outside that was not originated from the inside. Here is another problem for our SIP or H323 traffic. In this example our telephone requested the RTP audio stream to be sent to it on port 144; the remote telephone requested port 1888.

[Diagram: audio stream SRC: 1.22.22.55:1888 DST: 188.22..:144; FIREWALL BLOCKS TRAFFIC AS IT DID NOT ORIGINATE INSIDE]

So call setup functioned correctly, but the audio stream failed because the firewall was not multimedia aware or configured for the audio streams. The firewall does its job and blocks that audio stream from the remote telephone, because the flow to port 144 was initiated from the outside.

A dirty fix would be to allow the whole RTP port range through the firewall. This would be an insecure solution, as it opens all the RTP ports to the outside world. A better solution is to have the intelligence in the firewall to look into the call setup packets and be SIP and/or H323 aware; for example in SIP, using the SDP information to read the required audio ports and open the firewall to those ports only when the call is made.

Put these scenarios together and you have a very basic understanding of the SIP/H323 NAT/PAT and firewall handling problems you may encounter. Next we will review the call setup and packet structure of SIP and H323 to understand call flow setup, redirect, transfer and other features, and see how NAT/PAT and firewalls can really screw you up.
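Added worked example (not from the kccvoip slides) of the two firewall policies contrasted above: a blanket rule that opens the whole RTP range, beside a SIP-aware firewall that reads the c= and m= lines of the outbound SDP offer and the inbound SDP answer, opens a pinhole only for that remote ip:port to that local ip:port (plus RTCP on port + 1), and closes it again at BYE. The addresses 198.51.100.7, 203.0.113.55 and 203.0.113.99, the ports 14400 and 18880 and the SDP fragments are constructed; MediaAwareFirewall and blanket_rtp_rule are this example's own names, not any product's interface.

```python
import re

SDP_C_RE = re.compile(r"^c=IN IP4 (\d+\.\d+\.\d+\.\d+)", re.M)
SDP_M_RE = re.compile(r"^m=audio (\d+) RTP/AVP", re.M)


def media_endpoint(sdp):
    """(ip, rtp_port) announced by an SDP offer or answer, or None if either line is missing."""
    c, m = SDP_C_RE.search(sdp), SDP_M_RE.search(sdp)
    return (c.group(1), int(m.group(1))) if c and m else None


class MediaAwareFirewall:
    """Stateful firewall that opens UDP pinholes only for the media SIP negotiated.

    The outbound INVITE's SDP says which inside ip:port expects audio; the
    inbound 200 OK's SDP says which outside ip:port will send it. Only that
    pair (and RTCP on port + 1, RFC 3550) is let in, and only until BYE.
    """

    def __init__(self):
        self.offers = {}    # call_id -> (inside ip, inside rtp port)
        self.pinholes = {}  # call_id -> {(src_ip, src_port, dst_ip, dst_port)}

    def outbound_offer(self, call_id, sdp):
        ep = media_endpoint(sdp)
        if ep:
            self.offers[call_id] = ep
        return ep is not None

    def inbound_answer(self, call_id, sdp):
        local, remote = self.offers.get(call_id), media_endpoint(sdp)
        if not (local and remote):
            return False
        (lip, lport), (rip, rport) = local, remote
        self.pinholes[call_id] = {(rip, rport + i, lip, lport + i) for i in (0, 1)}
        return True

    def bye(self, call_id):
        """Call ended: close its pinholes so the ports do not stay open."""
        self.pinholes.pop(call_id, None)
        self.offers.pop(call_id, None)

    def allow(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        return any(key in holes for holes in self.pinholes.values())


def blanket_rtp_rule(dst_port, low=10000, high=20000):
    """The 'dirty fix': any outside host may send to any port in the RTP range."""
    return low <= dst_port <= high


def demo():
    """Walk one constructed call through both policies and report each decision."""
    fw = MediaAwareFirewall()
    us, them, stranger = "198.51.100.7", "203.0.113.55", "203.0.113.99"
    offer = f"v=0\r\nc=IN IP4 {us}\r\nm=audio 14400 RTP/AVP 18\r\n"     # our INVITE
    answer = f"v=0\r\nc=IN IP4 {them}\r\nm=audio 18880 RTP/AVP 18\r\n"  # their 200 OK

    r = {}
    r["before_answer"] = fw.allow(them, 18880, us, 14400)         # nothing negotiated yet
    fw.outbound_offer("call-1", offer)
    fw.inbound_answer("call-1", answer)
    r["rtp_after_answer"] = fw.allow(them, 18880, us, 14400)      # the negotiated stream
    r["rtcp_after_answer"] = fw.allow(them, 18881, us, 14401)     # its control flow
    r["stranger_pinhole"] = fw.allow(stranger, 40000, us, 15000)  # unrelated outside host
    r["stranger_blanket"] = blanket_rtp_rule(15000)               # same packet, range rule
    fw.bye("call-1")
    r["after_bye"] = fw.allow(them, 18880, us, 14400)             # hole closed with the call
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:18} {'ALLOW' if decision else 'BLOCK'}")
```

The stranger_blanket line is the point of the slide: with the range rule, any outside host can reach any phone on any RTP port whether or not a call exists, while the SDP-driven pinhole admits only the one flow the signalling asked for and removes it when the call ends.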