Summary of the content on page 1

snom 4S NAT Filter
Admin Manual
snom 4S
NAT Filter
Version 2.11
                    
Summary of the content on page 2

snom 4S NAT Filter Version 2.11
© 2004-2005 snom technology Aktiengesellschaft. All Rights Reserved.
This document is supplied by snom technology AG for information purposes only to licensed users of the snom 4S NAT filter and is supplied on an “AS IS” basis, that is, without any warranties whatsoever, express or implied. Information in this document is subject to change without notice and does not represent any commitment on the part of snom technology AG. The software described in this docum
                    
Summary of the content on page 3

Table of Contents
1 Overview 5
1.1 Applications 6
1.2 Features 6
2 Architecture 9
2.1 The NAT Filter and SIP 9
2.2 NAT
                    
Summary of the content on page 4

[ S N O M 4 S N A T F I L T E R ]
4.3.4 Media Ports 35
4.3.5 Port Budgets 35
                    
Summary of the content on page 5

1 Overview
Network address translation (NAT) is a reality today. There have been many discussions about the evil and the good of this network topology and the replacement by IP version 6. However, operators and businesses want to offer VoIP services today and therefore must address the problem.
The snom 4S NAT Filter is a SIP session border controller (SBC). It enables non-NAT aware devices to operate in private networks. It also allows operating the data center in a private network. It ta
                    
Summary of the content on page 6

1.1 Applications
The filter can be used in the following scenarios:
• Corporations. Corporations which operate their infrastructure behind NAT and/or firewalls can talk to the public Internet through the filter.
• Operators. Operators offer the NAT traversal feature to their customers. Using the scalability feature of the filter, the operation of large networks becomes possible.
• Record specific calls for legal purposes. In many countries, operators must pro
                    
Summary of the content on page 7

• Both http and https as web interface for simple access from anywhere on the Internet.
• The filter supports Interactive Connectivity Establishment (ICE). User agents that support this feature will optimize the media path for the shortest possible delay.
• Media relay is established using connection-oriented media. User agents that are not NAT-aware inherently support this feature. This makes the operation of the NAT filter backward-compatible.
• Call-alive
                    
Summary of the content on page 8

• The first exception is a REGISTER request. When a user agent tries to register and needs the support of the filter, the filter will set up a local data structure representing the user agent. It will make sure that the connection to the user agent stays alive. It will also make sure that requests destined to the user agent will be forwarded properly.
• The second exception is an SDP attachment. The filter checks if the user agent needs support (or must be
                    
Summary of the content on page 9

2 Architecture
2.1 The NAT Filter and SIP
In the SIP architecture, the SBC acts as the first proxy that is contacted by user agents. There are two ways to make sure that the relevant traffic gets routed through the filter:
• User agents can be set up to use the filter as outbound proxy. When using this method, all SIP traffic will flow through the SBC, whether it is destined to the operator or not. That means that calls outside of the operator’s domain may also be serviced by the SBC.
                    
Summary of the content on page 10

to register and needs the support of the SBC, the SBC will set up a local data structure representing the user agent. It will make sure that the connection to the user agent stays alive. It will also make sure that requests destined to the user agent will be forwarded properly.
• The second exception is an SDP attachment. The SBC checks if the user agent needs support (or must be recorded) and, in that case, will add a local contact to the SDP that can
                    
Summary of the content on page 11

2.2.1 How does NAT work?
NAT is essentially a translation table that maps public IP address and port combinations to private IP address and port combinations. The translation table is implicitly set up when a packet is sent from the private network to the public network. The association is kept alive for a certain time and is refreshed every time a new packet is sent from the same origin. This fact is used by STUN (RFC 3489) to set up an association betwee
                    
Summary of the content on page 12

In SIP it is legal to send from a different port than the receiving port. When this is being done, there is no way of supporting these devices behind NAT. However, some phones offer an option that disables this mechanism so that the sending port is the same as the receiving port.
Typically, the SIP proxy will run on a public IP address where it is possible to deal with all kinds of NAT. Keep-Alive messages may keep the NAT binding open (for example, short
                    
Summary of the content on page 13

devices that have been designed without having NAT in mind. These devices can register only for a short period of time, so that the REGISTER messages keep the port association open (the SIP messages are used to keep the port association). Also, these devices need a NAT-aware media server or other device that forwards the RTP packets of these devices.
• Symmetrical NAT devices. These devices may be NAT-aware; however, because they operate behind symmetric
                    
Summary of the content on page 14

When the NAT Filter sees a message that contains information about sending media (session description protocol, SDP), it opens a local globally routable port on behalf of the user agent and patches these messages in a way that the destination will send media via this port. The NAT Filter will relay the media to the user agent like it relays SIP messages. Using symmetrical RTP, it can detect the user agent’s public media identity and reroute the packets t
                    
Summary of the content on page 15

2.3 SBC Behaviour
2.3.1 Registering
When a user agent registers, it puts its IP address in the top Via. If the user agent is on the public Internet or properly supports NAT, this Via will match the perceived IP address. In this case the SBC does not interfere with the registering process and just forwards this packet to the registrar. If the top Via does not contain the perceived address, the SBC will take care of the request. It will replace the provided conta
                    
Summary of the content on page 16

  0637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440
  Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01;rport=17401
  From: ;tag=k9p6fmeg7h
  To: ;tag=epuy85kzm5
  Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
  CSeq: 14 REGISTER
  Contact: ;expires=3600;gruu="sip:denny@snomag.de;gruu=hobiv52b"
  Date: Wed, 26 May 2004 16:03:33 GMT
  Content-Le
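The Via check from section 2.3.1, as an added example that is not code from the snom manual: the top Via of a REGISTER is compared with the address and port the packet was actually received from, and the SBC only steps in when they differ. The message is a constructed minimal REGISTER that reuses the Via shown above; the perceived source address is supplied by the caller.

```python
# Added example, not snom's implementation: decide whether a REGISTER needs
# the SBC's NAT handling by comparing the top Via with the perceived source.
import re
from dataclasses import dataclass

# Constructed sample: only the headers relevant to the check. The Via is the
# one from the manual's example; its rport value differs from the Via port,
# which is what a NAT that rewrote the source port looks like to the SBC.
SAMPLE_REGISTER = (
    "REGISTER sip:snomag.de SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-abx3au3mxb01;rport=17401\r\n"
    "Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113\r\n"
    "CSeq: 14 REGISTER\r\n"
    "Content-Length: 0\r\n\r\n"
)


@dataclass
class ViaCheck:
    via_host: str
    via_port: int
    perceived_host: str
    perceived_port: int

    @property
    def needs_sbc(self) -> bool:
        # Host or port differing from the perceived source means a NAT (or a
        # non-NAT-aware phone) put an unreachable address into the Via.
        return (self.via_host, self.via_port) != (self.perceived_host, self.perceived_port)


def parse_top_via(message: str):
    """Return (host, port) of the first Via header; the SIP default port is 5060."""
    m = re.search(r"^Via:\s*SIP/2\.0/UDP\s+([^\s;:]+)(?::(\d+))?", message, re.M | re.I)
    if not m:
        raise ValueError("no Via header in request")
    return m.group(1), int(m.group(2) or 5060)


def check_register(message: str, perceived_host: str, perceived_port: int) -> ViaCheck:
    """perceived_host/port is the UDP source the SBC saw the packet arrive from."""
    host, port = parse_top_via(message)
    return ViaCheck(host, port, perceived_host, perceived_port)
```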
                    
Summary of the content on page 17

simply not programmed to allocate an address properly or because it is behind symmetrical NAT, which makes it impossible to properly allocate this address. In this case, the help of the media SBC will make sure that media will always be delivered properly.
The media filter supports the “interactive connectivity establishment” (ICE) method that has been published recently in the IETF. Using this method, user agents may probe several addresses and decide whic
                    
Summary of the content on page 18

  a=rtpmap:0 pcmu/8000
  a=rtpmap:8 pcma/8000
  a=rtpmap:3 gsm/8000
  a=rtpmap:18 g729/8000
  a=rtpmap:2 g726-32/8000
  a=rtpmap:101 telephone-event/8000
  a=fmtp:101 0-15
  a=sendrecv
  a=silenceSupp:off - - - -
The NAT Filter changes the private address to a globally routable address and inserts the local port. It also inserts a hint that tells the other user agent that it should not do silence suppression. This reduces the risk that the connection is closed during a
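The SDP patch described above, as an added example that is not the filter's own code: the connection address is replaced by the relay's globally routable address, the audio port by the relay port, and the silence-suppression hint is appended. The offer is a constructed one from a phone on a private address, and the relay address and port are assumed values standing in for the port the filter would allocate.

```python
# Added example, not snom's implementation: patch an SDP offer so the far end
# sends media to the relay, and add the no-silence-suppression hint.

# Constructed offer from a phone on a private network (192.168.0.10:62000).
PRIVATE_OFFER = "\r\n".join([
    "v=0",
    "o=phone 1234 1234 IN IP4 192.168.0.10",
    "s=call",
    "c=IN IP4 192.168.0.10",
    "t=0 0",
    "m=audio 62000 RTP/AVP 0 8 3 18 2 101",
    "a=rtpmap:0 pcmu/8000",
    "a=rtpmap:8 pcma/8000",
    "a=rtpmap:101 telephone-event/8000",
    "a=fmtp:101 0-15",
    "a=sendrecv",
]) + "\r\n"

SILENCE_HINT = "a=silenceSupp:off - - - -"


def patch_sdp(sdp: str, relay_ip: str, relay_port: int):
    """Rewrite c= and the audio m= port to the relay and append the hint.

    Returns (patched_sdp, (private_ip, private_port)): the address the user
    agent claimed, which the relay keeps until symmetric RTP reveals the real
    public media identity. The o= line is left untouched here (assumption).
    """
    private_ip = private_port = None
    out = []
    for line in sdp.rstrip("\r\n").split("\r\n"):
        if line.startswith("c=IN IP4 "):
            private_ip = line.split()[2]
            line = f"c=IN IP4 {relay_ip}"
        elif line.startswith("m=audio "):
            parts = line.split()
            private_port = int(parts[1])
            parts[1] = str(relay_port)
            line = " ".join(parts)
        elif line.startswith("a=silenceSupp:"):
            continue  # drop any existing setting so the hint is not duplicated
        out.append(line)
    out.append(SILENCE_HINT)
    return "\r\n".join(out) + "\r\n", (private_ip, private_port)
```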
                    
Summary of the content on page 19

The distribution of user agents to a server is performed using DNS SRV (RFC 2782). This means that you need to list the available servers on DNS level; the user agents must perform DNS SRV look-ups and pick one of the servers (possibly using the detection algorithms described below). The following table shows an example configuration for Linux named(8):
  _sip._udp       IN SRV  3 5 5082 frankfurt1
  _sip._udp       IN SRV  3 5 5082 newyork1
  _sip._udp       I
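Server selection from those SRV records, as an added example that is not part of the manual: the records are parsed from the named(8) syntax shown above and a server is chosen the way RFC 2782 prescribes (lowest priority first, weighted random among equal priorities), which is what a user agent does when it picks one of the listed filters. The third record is a constructed lower-preference entry; the manual's list is cut off at that point.

```python
# Added example, not snom's or a resolver library's code: RFC 2782 selection
# over SRV records written in the zone-file form the manual shows.
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Two records from the manual plus one constructed backup at a worse priority.
ZONE = """\
_sip._udp       IN SRV  3 5 5082 frankfurt1
_sip._udp       IN SRV  3 5 5082 newyork1
_sip._udp       IN SRV  10 0 5082 backup1
"""


def parse_srv_zone(text: str):
    """Parse '<name> IN SRV <priority> <weight> <port> <target>' lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[1:3] != ["IN", "SRV"]:
            continue
        priority, weight, port = map(int, fields[3:6])
        records.append(SrvRecord(priority, weight, port, fields[6]))
    return records


def select_srv(records, rnd: float):
    """Pick one record; rnd is a number in [0, 1), injected for determinism."""
    if not records:
        return None
    best = min(r.priority for r in records)          # lower value = preferred
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:                                   # all weights 0: uniform
        return candidates[int(rnd * len(candidates))]
    threshold, running = rnd * total, 0
    for r in candidates:                             # weighted choice
        running += r.weight
        if threshold < running:
            return r
    return candidates[-1]


def ordered_targets(records, rng=None):
    """Fail-over order: select and remove until the list is exhausted."""
    rng = rng or random.Random()
    remaining, order = list(records), []
    while remaining:
        chosen = select_srv(remaining, rng.random())
        order.append(chosen.target)
        remaining.remove(chosen)
    return order
```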
                    
Summary of the content on page 20

The snom 4S NAT Filter includes a STUN server that operates on the SIP UDP port. User agents should send their test packets to the SIP port.
2.6 Requirements on User Agents
Generally, there are two categories of user agents: the non NAT-aware user agents and the STUN/ICE capable user agents.
2.6.1 Non NAT-Aware User Agents
Non-NAT aware user agents must have at least the following features:
1. Must send SIP UDP packets from the port where they receive SIP