Running SIP behind NAT Dr. Christian Stredicke, snom technology AG, Voice Over Net, USA, April 2003

V1.0 2 Doing SIP without NAT was a little bit naïve… IPv4 32-bit are not enough –USA might have enough addresses, ROW does not –16 bit port address can be recycled into part of address (that’s called NAT) –Ethernet uses 48 bit which seems to be enough IPv6 –Solves the problems –Big migration headache –Who is using it? People ARE using Routers that do NAT –Increases Security –Reduce cost by sharing address

V1.0 3 Which information does a client has to set up for port forwarding in NAT equipment? Router needs information where to send packets in private network –Map port to private address and port –By default packets will be rejected or sent to DMZ Router needs hint for security checking –Accept packets from any destination –Accept packets only from associated host –Accept packets only from associated host and port Router Client

V1.0 4 How did other applications solve the problem? HTTP, telnet, … –Using TCP DNS, others –“Digging holes”: Set up association when client sends out packet from unmapped port for seconds –Security policy hardwired by vendor –Some offer a DNS proxy (application layer gateway) ftp –Does not work! –Inexperienced users use http instead –Some routers offer applications layer gateway Heterogeneous environment –Every vendor does it in a different way –“Digging holes” is common denominator

V1.0 5 Application layer gateways (ALG) solve the problem in the business area Business customers have different requirements than home users –Many phones –Want to run proxies, media servers, application servers behind their firewall –These applications probably will not have UPnP or STUN Therefore, firewalls will probably include SIP-aware ALG Commercial products e.g. from Cisco, Intertex, Ingate, Jasomi, …

V1.0 6 STUN uses the digging hole trick to set up port associations Initialization procedure checks environment –Goal: Check if STUN is needed –Type of NAT does actually not really matter because user is not interested in failure reason SIP port kept alive by sending packets every s RTP ports are allocated dynamically when starting a call –Otherwise keep-alive traffic would be double –RTCP port can not be allocated because next port allocation is unlikely –Long ringing and putting caller on hold is problematic (no port refresh during this time)

V1.0 7 TURN works in symmetrical NAT environment, but has too many problems Set up a “mirror” in the public Internet –Forward all packets to the “hole” Scalability –TURN server becomes “media server” –Every call generates about 50 packets per second Delay –Sending packets over media server increases transport delay significantly –E.g. local call in Tokyo when TURN server is in Frankfurt

V1.0 8 The “almost” problem: STUN works fine in 90 % of the cases Programmer: “I am almost finished” –Translation: “I solved the simple problems, and I don’t yet have a clue what the hard problems are” Some routers do not run STUN without user interaction –Stateful inspection –Trying to be smart –Users must set up DMZ 10 % support calls are intolerable STUN can only be „gap-filler“ –“Best Effort” –No support Need clear indication if VoIP will work –Clear technical specification under which circumstances customers can expect setup to work –UPnP is good candidate for this

V1.0 9 UPnP is the right approach. Generic protocol to allocate ports on router –Works with SIP, can be used with other applications as well –Can be integrated with firewalls –Not too hard to implement Microsoft Messenger uses UPnP –“De facto standard” –Many DSL router vendors offer UPnP now Problem: Old Equipment –Software Updates! –Use STUN –Maybe use TURN, even if call duration is terrible –Instruct customers to set up ports manually

V How does port forwarding in UPnP work? Find the Internet access device –Broadcast messages (no user setup required) –Download the description of the UPnP device via http Retrieve the public IP address from the router Set up port mapping explicitly –http requests using XML (SOAP) attachments Other commands also available –UPnP is much more than setting up port forwarding on routers

V With the increasing availability of UPnP, most home customers can be addressed UPnP STUN UPnP STUN Beginning of 2003End of 2003 Software Updates New Equipment

V Calling phones in the same network requires ancillary information* 1a) Phone A sends to public address of B 1b) Router will not forward packet, call will fail 2) A knows B is in the same NAT and sends packet to private address instead * If no ALG is involved

V Ancillary information must be placed in contact URI and in SDP INVITE SIP/2.0 Via: SIP/2.0/UDP :5060;branch=z9hG4bK-6rms4e9tmtsz Max-Forwards: 70 From: ;tag=16z5zw9lqt To: Call-ID: CSeq: 1 INVITE Contact: Content-Type: application/sdp Content-Length: 311 v=0 o=root IN IP s=SIP Call c=IN IP t=0 0 m=audio RTP/AVP a=rtpmap:0 pcmu/8000 a=rtpmap:101 telephone-event/8000 a=fmtp: a=srcadr: : :10004

V Alternatively, we could use a “no router” as additional path element REGISTER sip:bla.com SIP/2.0 Path: Contact:... When it receives a message this could look like this: INVITE sip: :54456;nr=1 SIP/2.0 Route:... SIP/ Wonderful Record-Route: Contact:

V NAT2NAT3 NAT1 Multi-tier NAT with STUN requires a STUN server between the tiers and in the public Internet A has three identities: : : :5678 B has three identities: : : :5679 STUN Phone APhone B When using STUN, a STUN server is required between the layers

V NAT2 NAT1 Multi-tier NAT with UPnP would require a access to all involved UPnP routers Phone A Normal UPnP Access and Detection Somehow we have to bypass the first router

V How should a phone boot up? Try UPnP Use UPnP Try to Register Use STUNUse Given Identity UPnP available No response (5 seconds) or not available No problem: either public address, ALG or total private environment Registrar complains about private address This step can be done even without STUN, as the registrar returns the response quick

V Is UPnP secure? A possible man-in-the-middle attack scenario… 1. A opens RTP forwarding port Phone BPhone A 2. B retrieves forwarding table 3. B rearranges port forwarding 4. B receives all RTP from the IAD and forwards it to A (after recording it) Same attack can be done with signaling Can be solved with TLS and SRTP

V Security is ok for home networks, but for business networks some enhancements are needed How much security needs a home? –Son listens to call of daughter –Son listens to call of father doing telephone banking –Son using Ethereal, son is listening on the door STUN is also not secure –ARP attacks can also redirect the packet flow (however that’s not so easy) Attacks from the outside –Orphan bindings may give access to private devices –Devices should be able to deal with this anyway Security enhancements in UPnP Version 2 Businesses should use ALG which takes care about it

V To make UPnP more reliable, clients need to allocate bandwidth Don’t allocate bandwidth “just in case” –Allocating ports at startup is easy and can set scheduling priorities –But when too many VoIP calls are done, all of them suffer Ask for bandwidth before a call starts –Sending busy is better than having stuttering calls –Phone needs to know when bandwidth is available again so that call completion can be indicated –Notification when bandwidth is available Could be added to current allocation requests –Bandwidth indication –Insufficient bandwidth as denial reason

V Some words about the current UPnP V2 specification process “Lessons Learned” clearly on the agenda –Moderated discussion –Results be expected not before end of this year QoS scope too narrow for VoIP –QoS only within the UPnP network –Focus on delivering video at home –UPnP edge devices must serve as QoS gateways –No improvement for VoIP calls outside the home network Security profile still tuned at home requirements –Seems to be still no option for business

V Conclusion: Tell the customer what he should do about NAT If you can, use an ALG –Works will all SIP-compliant equipment –Most expensive solution, but complete functionality Else if you can, use UPnP –Works with all SIP- and UPnP-compliant equipment –“MS Messenger” solution, routers for 65 $ available –Problems making calls within the private network Else if you dare, use STUN –Works with all SIP- and STUN-compliant equipment if the routers are not inspecting packets –Could become support-headache –Also problems in the private network If you also want to support the rest, think about TURN –Works with all SIP-, STUN/TURN-compliant equipment and the 99% of the NAT routers

© 2003 snom technology Aktiengesellschaft Written by: Dr. Christian Stredicke Version: 1.0 The author has made his best effort to prepare this document. The content is based upon latest information whenever possible. The author makes no representation or warranties of any kind with regard to the completeness or accuracy of the contents herein and accept no liability of any kind including but not limited to performance, merchantability, fitness for any particular purpose, or any losses or damages of any kind caused or alleged to be caused directly or indirectly from this document. For more information, mail Pascalstr. 10E, Berlin, Germany.

V In cases when NAT is symmetrical, TURN could be a solution Router Client STUN/TURN Server Allocate Request/Response 2. Activate Request/Response 3. SIP/Media