SIP NAT / FW
NAT and Firewall: Basic Principles

First, how NAT behaves. Notation: {a:b} is a host's private address and port, {x:y} the public address and port the NAT maps it to, and {c:d} the address and port of a host on the public network.

Full Cone: When a host in the private network sends a packet to the public network from its local address and port {a:b}, the NAT converts the private address {a:b} to the public address {x:y} and binds the two: {a:b} <-> {x:y}. Any outside host can then reach {a:b} through {x:y}: the NAT converts every incoming packet addressed to {x:y} and forwards it to {a:b}.

Partial / Restricted Cone: When the host sends a packet from {a:b}, the NAT again converts {a:b} to {x:y} and binds them. Outside hosts can reach {a:b} through {x:y}, but the NAT only forwards packets from a destination the host has already sent to. It records {a:b} | {x:y} <-> {c:d}, where {c:d} is the address and port of the first outbound packet's destination, and only packets from {c:d} are passed to {a:b}. The difference between the two variants is what the binding checks: a Partial Cone (address-restricted) binds only the IP address of the outside host, so any port on that address is accepted, while a Restricted Cone (port-restricted) binds both the IP address and the port, exactly as described above.

Symmetric Cone: When the host at {a:b} sends a packet to an outside host {c:d}, the NAT converts {a:b} to {x:y} and binds the triple {a:b} | {x:y} <-> {c:d}; a packet to a different destination gets a different binding. The NAT accepts incoming packets only from {c:d} and forwards them to {a:b}. So a host in the private network must know the other party's public IP and port before it can send anything; if the other party is also in a private network, that public IP and port are hard to discover.

Of the four, Symmetric Cone is the most restrictive and Full Cone the least, with the Partial / Restricted cones in between.

Now the basic firewall policy:

- The firewall classifies every packet as coming from Inside or from Outside.
- In general, all packets from Inside are allowed.
- In general, packets from Outside are allowed in, but only on a connection that was initiated from Inside.
- In general, connections initiated from Outside are prohibited.
- In general, the firewall allows a few trusted Outside hosts to initiate connections and send packets in.

NAT and firewalls process and filter at the IP and transport layers, whereas the addresses that SIP carries live in the application layer (SIP headers and SDP bodies) and are never touched by NAT. The problem therefore has to be solved by other means, and different NAT types admit different solutions:

- UPnP
- External Query
- STUN
- ALG

With the first three, the SIP client (UA or Proxy) learns its public address and port by some means or protocol before sending INVITE and writes that address into the signalling itself. They require additional support in the SIP client and do not work with every NAT type. ALG (Application Layer Gateway) works with every NAT type and requires no additional support from the SIP client: it inspects and modifies the SIP signalling at the application layer, so the address conversion is transparent to the client. The ALG solution is described in detail below for one case.
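As an added example (not code from the page or from any NAT product), the following Python model implements the binding rules of the four NAT types above and shows the practical consequence for SIP: the public address a client learns by asking some server (the STUN / External Query idea) stays valid for a different peer behind a cone NAT but not behind a symmetric NAT. The NAT class, the address constants and the port allocator are constructed for the example; RFC 3489 names are used for the two restricted variants, with the page's "Partial" / "Restricted" labels noted in comments.

```python
"""Toy model of NAT binding behaviour: full cone, address-restricted cone
(the page's "Partial Cone"), port-restricted cone (the page's "Restricted
Cone") and symmetric NAT.  Addresses are (ip, port) tuples.  Public ports are
handed out from a counter so results are deterministic.  Example code, not a
real NAT implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]

FULL_CONE = "full_cone"
ADDRESS_RESTRICTED = "address_restricted"   # page: "Partial Cone"
PORT_RESTRICTED = "port_restricted"         # page: "Restricted Cone"
SYMMETRIC = "symmetric"                     # page: "Symmetric Cone"


@dataclass
class NAT:
    kind: str
    public_ip: str
    next_port: int = 40000
    # binding key -> public (ip, port); a symmetric NAT keys on (src, dst),
    # every cone NAT keys on src alone, so one public port serves all peers
    bindings: Dict[tuple, Addr] = field(default_factory=dict)
    # public port -> destinations the private host has already sent to
    peers: Dict[int, Set[Addr]] = field(default_factory=dict)
    # public port -> private (ip, port) the port belongs to
    reverse: Dict[int, Addr] = field(default_factory=dict)

    def outbound(self, src: Addr, dst: Addr) -> Addr:
        """Private host `src` sends to `dst`; return the public address the packet leaves with."""
        key = (src, dst) if self.kind == SYMMETRIC else (src,)
        if key not in self.bindings:
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.bindings[key] = pub
            self.reverse[pub[1]] = src
            self.peers[pub[1]] = set()
        pub = self.bindings[key]
        self.peers[pub[1]].add(dst)
        return pub

    def inbound(self, src: Addr, dst: Addr) -> Optional[Addr]:
        """Outside host `src` sends to public address `dst`; return the private
        address the packet is forwarded to, or None if the NAT drops it."""
        if dst[0] != self.public_ip or dst[1] not in self.reverse:
            return None                       # no binding at all for this port
        allowed = self.peers[dst[1]]
        if self.kind == FULL_CONE:
            ok = True                         # anyone may use the mapping
        elif self.kind == ADDRESS_RESTRICTED:
            ok = any(p[0] == src[0] for p in allowed)   # IP must match, any port
        else:                                 # port-restricted and symmetric: exact match
            ok = src in allowed
        return self.reverse[dst[1]] if ok else None


def stun_then_peer(kind: str) -> bool:
    """Does a public address learned from a STUN-style server (constructed
    addresses) stay valid when the same host then talks to a different peer?"""
    nat = NAT(kind, "203.0.113.1")
    host = ("192.168.1.10", 5060)             # Ada's private address from the page
    stun = ("198.51.100.5", 3478)             # assumed STUN server
    peer = ("198.51.100.9", 5060)             # assumed SIP peer
    learned = nat.outbound(host, stun)        # what the client would write into SIP/SDP
    used = nat.outbound(host, peer)           # what the NAT actually uses toward the peer
    return learned == used


if __name__ == "__main__":
    for kind in (FULL_CONE, ADDRESS_RESTRICTED, PORT_RESTRICTED, SYMMETRIC):
        print(f"{kind:20s} STUN-learned address usable toward peer: {stun_then_peer(kind)}")
```

The model is deliberately small: it does not expire bindings or model the firewall's "trusted outside host" rule, and it allocates ports sequentially, which a real NAT should not do. What it does show is why the client-side methods listed above cannot cover every NAT: with a symmetric NAT the mapping the client learns is tied to the server it asked, and a peer sending to that mapping is dropped.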
SIP ALG Solution

The ALG modifies the SIP addresses and ports in the SIP message and the RTP address and port in the SDP body. For the RTP address it requests a free public address and port from the RTP Proxy; the RTP Proxy allocates one from its own pool, records the mapping for this call and binds it to the call. Both parties therefore see the RTP Proxy as the media endpoint, and the RTP Proxy relays the media to the real destination.

Suppose two SIP clients, Ada and Bob, want to communicate, and each sits behind its own NAT server; both NAT servers are Symmetric Cone. The signalling proceeds as follows.

1. Ada initiates the signalling by sending INVITE to Bob.
   IP packet addresses: From 192.168.1.10:5060, To 128.97.41.56:5060 (the SIP ALG)
   SIP message addresses: From 192.168.1.10:5060, To 128.97.41.56:5060
   SDP body address for RTP: 192.168.1.10:10024

2. The packet passes through Ada's NAT server, which converts the private address to a public address {x:y} and binds them; because the NAT is in Symmetric Cone mode, the destination address is bound as well: {192.168.1.10:5060} | {x:y} <-> {128.97.41.56:5060}. Only the IP header is rewritten, so the SIP message and the SDP body still carry the private addresses:
   IP packet addresses: From {x:y}, To 128.97.41.56:5060
   SIP message addresses: From 192.168.1.10:5060, To 128.97.41.56:5060
   SDP body address for RTP: 192.168.1.10:10024

3. The SIP ALG receives the packet and rewrites the SIP-level IP addresses to its own. It also checks whether the body contains SDP; if it does and the SDP carries an RTP address, the SIP ALG requests a public RTP address from the RTP Proxy and replaces the original RTP address with it.
   IP packet addresses: From 128.97.41.56:5060, To 128.96.63.25:5566
   SIP message addresses: From 128.97.41.56:5060, To 128.96.63.25:5566 (next-hop address)
   SDP body address for RTP: 128.97.44.5:3000

4. Because Bob sent a REGISTER to the SIP ALG earlier, his NAT server keeps the binding it created for that request: {10.0.0.12:5060} | {128.96.63.25:5566} <-> {128.97.41.56:5060}. The INVITE forwarded by the SIP ALG comes from exactly the bound destination, so Bob receives it. Bob returns 200 OK, including SDP:
   IP packet addresses: From 10.0.0.12:5060, To 128.97.41.56:5060
   SIP message addresses: From 10.0.0.12:5060, To 128.97.41.56:5060 (next-hop address)
   SDP body address for RTP: 10.0.0.12:10002

5. Bob's NAT server rewrites the IP address of the packet and sends it on to the SIP ALG.
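As an added example (not code from the page, nor from any particular ALG or RTP proxy product), here is a minimal Python model of the rewrite the SIP ALG performs in step 3: the Via and Contact headers get the ALG's public signalling address, the SDP c= and m= lines get an address and port allocated by an RTP proxy, the Content-Length is recomputed, and the proxy remembers the public-to-private media mapping per Call-ID. The sample INVITE, its Call-ID and tags, and the RtpProxy and alg_rewrite names are constructed for the example; the addresses are the ones used in the flow above (Ada at 192.168.1.10, the ALG at 128.97.41.56:5060, the RTP proxy at 128.97.44.5).

```python
"""Minimal SIP ALG rewrite with an RTP-proxy allocator.  Example code that
models the page's step 3; it is not a complete SIP parser (no header folding,
no IPv6, no multiple media lines)."""
import re
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]
# first dotted-quad with optional :port in a header; enough for the sample Via/Contact
IPV4_PORT = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?")


class RtpProxy:
    """Hands out public RTP ports and remembers, per Call-ID, which private
    media address each public port relays to (constructed for the example)."""

    def __init__(self, public_ip: str, first_port: int = 30000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.sessions: Dict[str, Dict[Addr, Addr]] = {}   # call_id -> {public: private}

    def allocate(self, call_id: str, private: Addr) -> Addr:
        pub = (self.public_ip, self.next_port)
        self.next_port += 2           # RTP uses the even port, RTCP the odd one above it
        self.sessions.setdefault(call_id, {})[pub] = private
        return pub


def _header_value(lines, name: str) -> Optional[str]:
    for ln in lines:
        if ln.lower().startswith(name.lower() + ":"):
            return ln.split(":", 1)[1].strip()
    return None


def alg_rewrite(msg: str, public_sig: Addr, proxy: RtpProxy) -> str:
    """Rewrite one SIP message the way the ALG in the flow does: Via/Contact
    point at the ALG's public signalling address, and if an SDP body carries
    an RTP address it is replaced by one allocated from the RTP proxy.
    From/To carry logical URIs and are left alone; o= is an identifier, not a
    routing address, but note it still reveals the private IP."""
    head, sep, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    call_id = _header_value(lines, "Call-ID")
    if call_id is None:
        raise ValueError("SIP message without Call-ID")
    sig = f"{public_sig[0]}:{public_sig[1]}"
    out = []
    for ln in lines:
        name = ln.split(":", 1)[0].strip().lower()
        if name in ("via", "contact"):
            ln = IPV4_PORT.sub(sig, ln, count=1)
        out.append(ln)
    new_body = body
    c = re.search(r"^c=IN IP4 (\S+)\r?$", body, re.M)
    m = re.search(r"^m=audio (\d+) ", body, re.M)
    if c and m:
        rtp_pub = proxy.allocate(call_id, (c.group(1), int(m.group(1))))
        new_body = re.sub(r"^c=IN IP4 \S+", f"c=IN IP4 {rtp_pub[0]}", body, count=1, flags=re.M)
        new_body = re.sub(r"^m=audio \d+ ", f"m=audio {rtp_pub[1]} ", new_body, count=1, flags=re.M)
        # the body length changed, so Content-Length must be recomputed
        out = [f"Content-Length: {len(new_body.encode())}"
               if l.lower().startswith("content-length:") else l for l in out]
    return "\r\n".join(out) + sep + new_body


def sample_invite() -> str:
    """Constructed INVITE from Ada, with the addresses used in the flow above."""
    sdp = (
        "v=0\r\n"
        "o=ada 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
        "s=-\r\n"
        "c=IN IP4 192.168.1.10\r\n"
        "t=0 0\r\n"
        "m=audio 10024 RTP/AVP 0\r\n"
    )
    headers = (
        "INVITE sip:bob@128.97.41.56 SIP/2.0\r\n"
        "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bKada1\r\n"
        "From: <sip:ada@192.168.1.10>;tag=1928301774\r\n"
        "To: <sip:bob@128.97.41.56>\r\n"
        "Call-ID: a84b4c76e66710\r\n"
        "CSeq: 1 INVITE\r\n"
        "Contact: <sip:ada@192.168.1.10:5060>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(sdp)}\r\n"
    )
    return headers + "\r\n" + sdp


if __name__ == "__main__":
    proxy = RtpProxy("128.97.44.5", 3000)
    print(alg_rewrite(sample_invite(), ("128.97.41.56", 5060), proxy))
    print(proxy.sessions)
```

Two points a deployment has to add on top of this: the RTP proxy should only relay media that arrives from the peer it expects for that session (or latch on the first packet and then pin the source), otherwise the allocated public port is an open relay; and the mapping must be released when the dialog ends (BYE, or a timeout), since every rewritten INVITE consumes proxy ports.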