Realtime Multimedia in Presence of Firewalls and Network Address Translation


Knut Omang, Ifi/Oracle, 9 Oct, 2017

Overview
- Real-time multimedia and connectivity
  - Mobile users (roaming between devices) or mobile devices
  - Applications: unified communications
  - Common characteristics of unified communication demands
- Firewalls and NAT
  - Firewalls and NAT characterization
  - Why and how this is a problem for realtime multimedia
- Efforts to aid in discovery and traversal
  - STUN (Simple Traversal Utilities for NAT)
  - TURN (Traversal Using Relays around NAT)
  - ICE (Interactive Connectivity Establishment)
  - Other approaches
- Example session management and flow
  - SIP/SDP examples

Unified communications...

Unified communications
- Types of service: voice, video, chat/presence, application sharing
- Session layer protocols: SIP, H.323, XMPP (Jabber), MSNP, IPsec (tunnel mode), OSCAR (AIM), Skype
- Transport layer: IPsec (ESP/AH)
- Similar issues for all protocols and services!

Unified communications: characteristics
- Real-time properties needed
- Multiple media flows
- Not the usual client/server model
- Want the shortest/best path for media: delay, jitter, resource usage

A simple call example
Assuming (simplified):
- Per knows Ida's network location (IP+port)
- Only one type of communication needed
(Figure: user per and user ida communicating directly.)

A simple call example (continued)
Assuming:
- Per knows Ida's network location (IP+port)
- Only one type of communication needed
- But Ida is visiting a company network with an open policy
Result:
- Per can't reach Ida
- Ida can reach Per, and Per can respond (over the same connection)

A simple call example (continued)
Assuming:
- Per knows Ida's network location (IP+port)
- Only one type of communication needed
- Ida is visiting a company network... and so is Per...
Result:
- No communication possible by default
- A 3rd party is needed

A simple call example: Per and Ida get help from their registrar
- Per: 192.168.0.81:5060
- Ida: 192.168.20.10:4560
- Relay via 3rd party: expensive (latency and bandwidth!)
- Depending on the firewall: tricks to go directly anyway..?

A simple call example: Per's and Ida's firewalls perform NAT! This is a common case!
- Per: 100.20.30.40:34567 on the outside, 192.168.0.81 on the inside
- Ida: 120.30.40.50:62567 on the outside, 192.168.20.10 on the inside
- NAT devices alter the IP and TCP/UDP headers of packets
- What if the payload also contains addresses?

Firewalls
- Usually block all incoming traffic not on ESTABLISHED connections
  - All communication must be initiated from the inside!
- May block certain protocols
  - UDP considered dangerous
- May block a certain protocol with the exception of certain well protected ports
- May behave differently for different src/dst host/port combinations
- May block everything except services considered safe
  - Everything blocked except a local web proxy
  - The web proxy may require authentication, and only HTTPS may pass through...
- A user may be behind multiple firewall/NAT devices...
  - Each adding to the complexity..

Network Address Translation (NAT)
- Source NAT
  - Both sides require outbound traffic to create a NAT binding
  - Only the receiver can detect a sender's port
    - May vary between destination hosts!
    - We don't know the address/port allocation scheme.. (!)
- Destination NAT
  - Specific addr:port pairs on the outside are bound to addr:port on the inside
  - Used for public services, not the problem here
- Masquerade (often called "static NAT"): destination + source NAT
- The sender may not know its public address(es)/port(s)
- Different destination host:ports may see different sources for the same private address:port

Firewalls and connection tracking
- Connection tracking? Need to keep track of communication initiated from the inside
  - Also needed for NAT, to map public addr:port [+remote addr:[port]] to private addr:port
- TCP: follows the TCP states
- UDP is connectionless?
  - A UDP communication path is said to have been ESTABLISHED if it has been responded to
  - But short timeout (e.g. 30 seconds..) for security
    - To reduce the memory needed for connection tracking
- Implementations: memory usage has priority
  - NAT: a simple random port allocation scheme is easier than trying to maintain any coherence seen from the outside.. More on this later
- Timeouts mean: keepalive needed to keep the firewall open

Summary: The Connectivity Challenge
- Firewall/NAT devices interfere and often block communications
  - Can't send packets to a private address from the internet
  - Firewalls only accept outbound connections initiated from the inside
  - NAT: packets from the same port may be seen with different src by different hosts!
  - Firewall holes time out quickly!
- Users normally do not know the infrastructure between two points
- Most protocols for RT multimedia
  - Use multiple ports for a single application
  - Put address/port information in session setup packets: violated by NAT, blocked by firewall..
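The UDP timeout and keepalive point above, as an added example (not code from the slides): a constructed model of a stateful firewall's UDP tracking with the 30 second timeout the slides mention, replayed over a media session with and without keepalives from the inside. Per's and Ida's addresses are the ones on the slides; the event times are constructed.

```python
UDP_TIMEOUT = 30   # seconds; the slides' "short timeout (e.g. 30 seconds)"

class UdpConnTrack:
    """Constructed model of a stateful firewall's UDP tracking: a flow counts as
    ESTABLISHED once the inside has sent to it, and the hole closes UDP_TIMEOUT
    seconds after the last packet in either direction."""

    def __init__(self, timeout=UDP_TIMEOUT):
        self.timeout = timeout
        self.expiry = {}                 # (inside, outside) -> expiry time

    def outbound(self, inside, outside, now):
        self.expiry[(inside, outside)] = now + self.timeout   # open/refresh the hole
        return True

    def inbound(self, outside, inside, now):
        flow = (inside, outside)
        exp = self.expiry.get(flow)
        if exp is None or now > exp:
            self.expiry.pop(flow, None)  # stale: dropped until reopened from the inside
            return False
        self.expiry[flow] = now + self.timeout   # a reply refreshes the entry too
        return True

def media_session(inbound_times, keepalive_every=None, end=120):
    """Per (inside) sends at t=0 to Ida's public address; Ida's media arrives at
    inbound_times. With keepalive_every set, Per also sends a packet that often.
    Returns the arrival times the firewall let through."""
    fw = UdpConnTrack()
    per, ida = ("192.168.0.81", 5060), ("120.30.40.50", 62567)   # addresses from the slides
    events = [(0, 0)]                    # (time, 0=outbound 1=inbound); outbound sorts first
    if keepalive_every:
        events += [(t, 0) for t in range(keepalive_every, end + 1, keepalive_every)]
    events += [(t, 1) for t in inbound_times]
    passed = []
    for t, direction in sorted(events):
        if direction == 0:
            fw.outbound(per, ida, t)
        elif fw.inbound(ida, per, t):
            passed.append(t)
    return passed
```

Without keepalives the 45 second gap between Ida's second and third packet closes the hole and everything after it is dropped; a keepalive every 20 seconds keeps the entry alive.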

STUN (Session Traversal Utilities for NAT)
- Client/server based protocol
- Designed to allow detection of firewall/NAT properties:
  - Firewall characteristics
    - Can we use the desired protocol?
    - Can we communicate directly?
  - NAT: discover the public addresses assigned to address/ports on the private network
    - Discover if the public address seen by one destination host/port can be used by another

Some example coarse grained firewall classes:
- All TCP/UDP allowed + NAT
  - When initiated from the inside
  - When not on any dangerous ports
  - Source NAT
- All TCP allowed; UDP allowed, but only from the addr:port sent to; no NAT
- All TCP allowed from the inside, but all UDP blocked
- All UDP/TCP blocked except HTTPS initiated from the inside
- All direct access to the outside forbidden
  - Internet access only via a web proxy in the DMZ
  - All web proxy traffic authenticated in the proxy

NAT characterization (UDP focus)
Categorization of NAT devices into classes (RFC 4787, revised from earlier attempts):
- Endpoint independent mapping: a NAT mapping from one source addr:port to one destination addr:port can be reused by another destination addr:port
- Address dependent mapping: a NAT mapping from one source addr:port can be reused by other destination ports on the same destination host
- Address and port dependent mapping: each (source addr:port, destination addr:port) tuple receives a unique public addr:port in the NAT (no reuse across ports/addresses)
Note: nothing prevents a NAT device from behaving differently depending on the source or destination addresses or ports in question!
Example: STUN ports for UDP: endpoint independent; other ports just blocked for UDP

NAT detection using STUN
Per's and Ida's firewalls are behind NAT: can they talk directly?
(Figure: Per (192.168.0.81, behind NAT 100.20.30.40-50) and Ida (192.168.20.10, behind NAT 120.30.40.50) each probe two STUN servers.)
- STUN server 1 (130.1.2.1:3478) sees Per as 100.20.30.40:34567 and Ida as 120.30.40.50:62567
- STUN server 2 (130.1.2.2:3478) sees Per as 100.20.30.41:47875 and Ida as 120.30.40.50:62567
- Per then sends src: 100.20.40.42:34444, dst: 120.30.40.50:62567
- Ida's firewall seems to have endpoint independent mappings
- We are able to communicate directly if Per initiates, if we are lucky...
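The three RFC 4787 mapping behaviours and the two-server STUN test above, as an added example (not code from the slides): a constructed toy NAT whose bindings are keyed according to its behaviour, a classifier that reproduces the test from the mapped addresses the servers report, and the "can Per reach Ida's STUN-learned address directly" check. The STUN server addresses are the slides'; the third probe to server 1 on port 3479 and the port allocation scheme are assumptions.

```python
from itertools import count
# RFC 4787 mapping behaviours, as the slides classify them.
ENDPOINT_INDEPENDENT = "endpoint independent"
ADDRESS_DEPENDENT = "address dependent"
ADDRESS_PORT_DEPENDENT = "address and port dependent"

class ToyNAT:
    """Constructed source NAT: a binding is keyed on as much of the destination as
    the mapping behaviour demands, and inbound packets pass only if they match a
    binding (filtering follows mapping here; RFC 4787 treats the two separately)."""

    def __init__(self, public_ip, behaviour):
        self.public_ip = public_ip
        self.behaviour = behaviour
        self.ports = count(40000)      # constructed port allocation scheme
        self.bindings = {}             # key -> (public_ip, public_port)

    def _key(self, src, dst):
        if self.behaviour == ENDPOINT_INDEPENDENT:
            return (src,)
        if self.behaviour == ADDRESS_DEPENDENT:
            return (src, dst[0])       # destination IP only
        return (src, dst)              # full source/destination tuple

    def outbound(self, src, dst):
        """Translate an outbound packet; the binding is created on first use."""
        key = self._key(src, dst)
        if key not in self.bindings:
            self.bindings[key] = (self.public_ip, next(self.ports))
        return self.bindings[key]

    def inbound(self, public, remote):
        """Private endpoint reached by a packet from `remote` to `public`, or None."""
        for key, pub in self.bindings.items():
            if pub == public and key == self._key(key[0], remote):
                return key[0]
        return None

def stun_probe(nat, local, server):
    """STUN Binding request: the server reports the source it saw (XOR-MAPPED-ADDRESS)."""
    return nat.outbound(local, server)

def classify_mapping(nat, local, server1, server1_alt_port, server2):
    """The slide's two-server test plus a probe to server 1 on another port."""
    m1 = stun_probe(nat, local, server1)
    if stun_probe(nat, local, server2) == m1:
        return ENDPOINT_INDEPENDENT
    if stun_probe(nat, local, server1_alt_port) == m1:
        return ADDRESS_DEPENDENT
    return ADDRESS_PORT_DEPENDENT

def direct_reachable(peer_nat, peer_local, stun_server, my_public):
    """Can I reach the peer's STUN-learned address before the peer has sent to me?"""
    peer_public = stun_probe(peer_nat, peer_local, stun_server)
    return peer_nat.inbound(peer_public, my_public) == peer_local
```

Only the endpoint independent NAT lets Per's first packet through to Ida; with either dependent behaviour Ida must send towards Per's public address first, or both must fall back to a relay.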

NAT detection using STUN (continued)
Per's and Ida's firewalls are behind NAT: can they talk directly this time?
- STUN server 1 (130.1.2.1:3478) sees Per as 100.20.30.40:34567 and Ida as 120.30.40.50:63245
- STUN server 2 (130.1.2.2:3478) sees Per as 100.20.30.41:47875 and Ida as 120.30.40.50:62567
- Neither firewall has endpoint independent mappings
- We are able to communicate using UDP, but only using a relay

STUN Relay: TURN (Traversal Using Relays around NAT)
- Protocol to facilitate relaying
- Clients request a public port on a relay server
- The server forwards incoming and outgoing traffic between the two callers
- Clients may communicate with different relay servers
- Clients may use UDP, TCP or TLS as transport for TURN messages

What if STUN probes fail?
1. Per is behind a UDP blocked NAT
   - STUN requests to STUN server 1 (130.1.2.1:3478) and STUN server 2 (130.1.2.2:3478) are blocked: timeout, no STUN answer
   - Try with TCP
   - But use UDP here if possible. Why?
   - TCP and packet loss or reorder may distort sound/video! Not to mention Nagle's algorithm

Guaranteed delivery vs realtime, best effort
- Guaranteed delivery
  - Increased latency over inconsistency: packet loss/corruption/reorder not tolerated
  - Bandwidth over smooth flow
- Realtime, best effort
  - Rather lose something than get behind
  - Jitter/bursts are bad, smoothness needed!

Example flow: Media over TCP with overloaded switch (or a bad network...)
(Figure: sequence diagram between the sender's application, the sender's TCP stack, a loaded switch/router, the receiver's TCP stack and the receiver's application. RTP 1 and RTP 2 are carried in TCP seq 1 and 2 and handed up as their ACKs return. RTP 3-6 go out as TCP seq 3-6; the loaded switch has "too much to do" and throws a segment away, the sender waits for a TCP timeout and retransmits, and the receiver's application gets RTP 3-6 in one burst only after the retransmission: delay, jitter!)

Media quality
- UDP (usually) preferable over TCP
- As few hops as possible: a price and quality issue..
- If TCP must be used, use it over as short a stretch as possible (and UDP for the rest)
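The head-of-line effect in the figure above, as an added example (not code from the slides): a constructed model that delivers the same six RTP packets over best-effort UDP and over an in-order, reliable TCP-like channel when one segment is dropped at the switch, and reports the delay and jitter the receiver's application sees. The 20 ms packet interval, one-way delay and 200 ms retransmission timeout are constructed values.

```python
ONE_WAY_MS = 20      # constructed: one-way network delay
RTO_MS = 200         # constructed: sender's retransmission timeout

def udp_delivery(send_times, lost):
    """Best effort: each RTP packet arrives ONE_WAY_MS after it was sent, or never."""
    return {n: (None if n in lost else t + ONE_WAY_MS) for n, t in send_times.items()}

def tcp_delivery(send_times, lost):
    """Reliable, in order: a lost segment is resent after RTO_MS, and the receiver's
    TCP stack holds every later segment until the gap is filled (head-of-line blocking)."""
    arrival, blocked_until = {}, 0
    for n in sorted(send_times):
        t = send_times[n]
        at_receiver = t + (RTO_MS if n in lost else 0) + ONE_WAY_MS
        blocked_until = max(blocked_until, at_receiver)   # cannot hand up out of order
        arrival[n] = blocked_until
    return arrival

def playout_stats(send_times, arrival):
    """Delay per delivered packet, plus jitter as the spread between the extremes."""
    delays = [arrival[n] - send_times[n] for n in send_times if arrival[n] is not None]
    return {"delivered": len(delays), "max_delay": max(delays), "jitter": max(delays) - min(delays)}

def compare(lost=frozenset({3}), n_packets=6, interval_ms=20):
    """The slide's scenario: RTP 1..6 sent every 20 ms, one segment dropped at the switch."""
    send_times = {n: (n - 1) * interval_ms for n in range(1, n_packets + 1)}
    return {"udp": playout_stats(send_times, udp_delivery(send_times, lost)),
            "tcp": playout_stats(send_times, tcp_delivery(send_times, lost))}
```

UDP loses RTP 3 but keeps the other five on time with no jitter; TCP delivers all six, but RTP 3-6 arrive as a burst 160-220 ms late, which is exactly what a playout buffer cannot hide.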

(N)ICE (Interactive Connectivity Establishment)
1. Gather as many address/port pairs as possible: local, STUN, TURN, ...
2. Exchange the alternative lists
3. Peers verify the available candidates:
   - Define priorities of candidates
   - Probe candidates
   - Select the best verified candidate
- Defined for use with SIP/SDP; work to extend it to other protocols
- => ICE is a user of the underlying connectivity checks and relay methods: an end-to-end protocol between clients, servers not directly involved.

Paradial: RealTunnel
(Figure: deployment with a RealTunnel Server (Oslo), a RealTunnel Server (USA), a service provider/registrar (Germany), a RealTunnel Enterprise Proxy on a corporate LAN (USA), Client 1 (Oslo) and a 3rd party client with the bundled RealTunnel SDK; TCP/HTTPS between them and, if necessary, multiple connections.)
- The client on the local network detected network connectivity using STUN and some more...
- Call setup: worked together with the server to find available transport mechanisms towards the peer in a call
- Used ICE client-to-client to communicate alternatives
- Separate signalling and media servers for scalability
- Client software depending on application: bundled RealTunnel SDK, enterprise proxy, 3rd party client SDK
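The three ICE steps above, as an added example (not code from the slides or from Paradial): candidate gathering with the RFC 8445 priority formulas, pairing, and selection of the highest-priority pair whose probe succeeds. The host and server-reflexive addresses are the ones on the slides; the TURN relay addresses and the probe outcomes (which stand in for the real STUN connectivity checks) are constructed.

```python
from itertools import product

# RFC 8445 recommended type preferences: host > server reflexive (STUN) > relayed (TURN)
TYPE_PREF = {"host": 126, "srflx": 100, "relay": 0}

def candidate_priority(ctype, local_pref=65535, component=1):
    """RFC 8445 section 5.1.2.1."""
    return (2 ** 24) * TYPE_PREF[ctype] + (2 ** 8) * local_pref + (256 - component)

def pair_priority(g, d):
    """RFC 8445 section 6.1.2.3: G is the controlling agent's priority, D the controlled one's."""
    return (2 ** 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)

def gather(host, srflx=None, relay=None):
    """Step 1 of the slide: local, STUN-learned and TURN-allocated candidates."""
    cands = [("host", host)]
    if srflx:
        cands.append(("srflx", srflx))
    if relay:
        cands.append(("relay", relay))
    return [(ctype, addr, candidate_priority(ctype)) for ctype, addr in cands]

def select_pair(local, remote, check):
    """Step 3: pair every local with every remote candidate, probe in priority
    order and keep the first pair that answers (None if nothing does)."""
    pairs = sorted(product(local, remote),
                   key=lambda p: pair_priority(p[0][2], p[1][2]), reverse=True)
    for lc, rc in pairs:
        if check(lc, rc):
            return (lc[0], lc[1]), (rc[0], rc[1])
    return None

def probe_outcomes(working):
    """Constructed stand-in for the connectivity checks: `working` lists the
    (local type, remote type) combinations that get a response through the NATs."""
    return lambda lc, rc: (lc[0], rc[0]) in working

# Candidates from the slides; the TURN relay addresses are constructed.
PER = gather(("192.168.0.81", 5060), ("100.20.30.40", 34567), ("130.1.2.9", 50000))
IDA = gather(("192.168.20.10", 4560), ("120.30.40.50", 62567), ("130.1.2.9", 50001))
```

Because the pair priority is dominated by the lower of the two candidate priorities, every pair involving a relay sorts below every srflx-srflx pair, so the relay is used only when the direct probes fail, as on the second STUN detection slide.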

Testing against firewalls

Controlled firewalls
- Separate firewall control protocol
  - Client requests opening of ports in the firewall
  - SOCKS, UPnP
- Must trust all clients on the local network
  - UPnP: clients must trust any device replying to a broadcast

Application Level Gateways (ALG)
- Protocol aware server in connection with the firewall
  - Allowed in FW rules
  - Controls the firewall through a control protocol
  - Or built into the firewall
- Old protocol example: ftp
- Some VPN gateways
- Session Border Controller: SIP ALG
  - Terminates traffic in both directions
  - Masks the real source/destination at the session layer

Application Level Gateways (ALG): breaks the firewall principle
- Interferes at session/application level
- Requires care: string replace is not enough, must understand the protocol
- Encrypted data? (e.g. SIP/TLS, IPsec, ...)
- Hardware/firmware and rapidly evolving protocols?

Summary
- Unified communications demands good RT QoS
  - Can generate very complex initiation scenarios
  - Gets much more complicated due to firewalls and NAT
- Firewalls and NAT can to some extent be characterized
  - But there is an unlimited potential for issues and problems
- Discovery and traversal tools can aid in finding the best path
  - STUN (Simple Traversal Utilities for NAT)
  - TURN (Traversal Using Relays around NAT)
  - ICE (Interactive Connectivity Establishment)
  - And there is limited observability in the general case!
- RT multimedia gets into trouble quite easily because of
  - High demands for QoS
  - Often different desired paths for setup and media flow
  - Multiple connections needed, using different protocols
- Firewall modification might seem like a good idea
  - But it often complicates rather than simplifies (ALG)
  - And can also be a security risk (UPnP)