Conference Paper (PDF available)

Solving the firewall and NAT traversal issues for SIP-based VoIP


Abstract

Voice over the Internet Protocol (VoIP) - telephony over the Internet - is gaining popularity. VoIP is an evolving technology that still has several problems. Some of them are caused by network topology, such as the deployment of firewalls and network address translation (NAT). This is referred to as the "NAT and firewall problem". This paper discusses the problems of SIP-based VoIP. SIP is the most relevant signaling protocol for VoIP today. Unfortunately, a VoIP call cannot be established if one of the SIP softphones is situated behind a NAT gateway or behind a restrictive firewall. A VoIP call involves three random UDP ports for replies that must be allowed; opening them is problematic for security reasons. In this paper, we present a software suite that solves the aforementioned problems. This "SIP-RTP-Proxy" (SRP) works as a "session border controller" (SBC) by accepting and relaying SIP signaling data and RTP/RTCP media data. A special feature of this solution is the possibility to place the SRP inside a private network, whereas former solutions such as SBCs have to be installed directly on the NAT gateway or in the public Internet. One goal of this project was to develop a universal solution that solves the NAT problem for VoIP in small business and home environments. It can be used in combination with various operating systems and does not depend on modified clients or a modified "Internet Protocol Private Branch Exchange" (IP PBX).
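The abstract names the two jobs a relay of this kind has to do: work out which UDP ports the far end will answer on (the SIP reply port, the RTP port and the RTCP port) and, if those ports are not to be opened on the firewall, rewrite the signaling so that both SIP and media terminate at the relay instead. The following is an added illustration of that rewriting step, not code from the SRP suite described in the paper. The INVITE, the private address 192.168.1.20 and the relay address 203.0.113.5 are constructed sample data, and the B2BUA-style choices (stacking a relay Via, replacing Contact and the SDP c=/o=/m= lines) are assumptions about how such a relay is built, following RFC 3261, RFC 3581 and the RFC 3550 RTCP = RTP + 1 convention.

```python
"""SBC-style rewriting of a SIP INVITE so that a phone behind a NAT is reachable.

Added illustration, not the paper's SRP code. Sample message and addresses
are constructed; RELAY_* values are assumptions about the relay's public side.
"""
import re

RELAY_PUBLIC_IP = "203.0.113.5"   # assumption: relay's public-side address
RELAY_SIP_PORT = 5060             # assumption: relay's public SIP port


def split_message(msg: str):
    """Split a SIP message into (start line, header lines, body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def join_message(start, headers, body):
    """Reassemble a message, recomputing Content-Length for the (rewritten) body."""
    headers = [h for h in headers if not h.lower().startswith("content-length:")]
    headers.append(f"Content-Length: {len(body.encode())}")
    return start + "\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body


def reply_ports(msg: str):
    """The three UDP ports the far end will send to: SIP (Via sent-by),
    RTP (SDP m= line) and RTCP (a=rtcp if present, otherwise RTP + 1).
    Without a relay, each of them would have to be allowed through the NAT."""
    _, headers, body = split_message(msg)
    via = next(h for h in headers if h.lower().startswith("via:"))
    m = re.search(r"SIP/2\.0/UDP\s+[^:;\s]+:(\d+)", via)
    sip_port = int(m.group(1)) if m else 5060          # RFC 3261 default
    rtp_port = int(re.search(r"^m=audio (\d+) ", body, re.M).group(1))
    rtcp = re.search(r"^a=rtcp:(\d+)", body, re.M)
    rtcp_port = int(rtcp.group(1)) if rtcp else rtp_port + 1   # RFC 3550 convention
    return sip_port, rtp_port, rtcp_port


def rewrite_for_relay(msg, src_ip, src_port, relay_rtp_port):
    """Rewrite an INVITE received on the relay's private side so that signaling
    and media both go through the relay. Returns (new message, state the relay
    keeps so that responses and media can be mapped back to the phone)."""
    start, headers, body = split_message(msg)
    sip_port, rtp_port, rtcp_port = reply_ports(msg)
    state = {"inside": (src_ip, src_port, rtp_port, rtcp_port)}
    new_headers = []
    for h in headers:
        key = h.split(":", 1)[0].lower()
        if key == "via":
            # Record where the request really came from (RFC 3581 rport/received),
            # then put the relay's own Via on top so responses route back via it.
            h = re.sub(r";rport(?=;|$)", f";rport={src_port}", h) + f";received={src_ip}"
            new_headers.append(
                f"Via: SIP/2.0/UDP {RELAY_PUBLIC_IP}:{RELAY_SIP_PORT};branch=z9hG4bK-relay-1")
        elif key == "contact":
            # In-dialog requests from the far end must reach the relay, not the phone.
            h = re.sub(r"sip:([^@>]+)@[^>]+", rf"sip:\1@{RELAY_PUBLIC_IP}:{RELAY_SIP_PORT}", h)
        new_headers.append(h)
    # Point the media description at the relay's public address and port pair.
    body = re.sub(r"^(c=IN IP4 )\S+", rf"\g<1>{RELAY_PUBLIC_IP}", body, flags=re.M)
    body = re.sub(r"^(o=\S+ \S+ \S+ IN IP4 )\S+", rf"\g<1>{RELAY_PUBLIC_IP}", body, flags=re.M)
    body = re.sub(r"^m=audio \d+", f"m=audio {relay_rtp_port}", body, flags=re.M)
    body = re.sub(r"^a=rtcp:\d+", f"a=rtcp:{relay_rtp_port + 1}", body, flags=re.M)
    state["relay"] = (RELAY_PUBLIC_IP, relay_rtp_port, relay_rtp_port + 1)
    return join_message(start, new_headers, body), state


# Constructed sample INVITE as the relay sees it on its private-side socket.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 7078 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
SAMPLE_INVITE = join_message(
    "INVITE sip:bob@example.org SIP/2.0",
    ["Via: SIP/2.0/UDP 192.168.1.20:49152;branch=z9hG4bK776asdhds;rport",
     "From: <sip:alice@example.org>;tag=1928301774",
     "To: <sip:bob@example.org>",
     "Call-ID: a84b4c76e66710@192.168.1.20",
     "CSeq: 314159 INVITE",
     "Contact: <sip:alice@192.168.1.20:49152>",
     "Content-Type: application/sdp"],
    SAMPLE_SDP,
)

if __name__ == "__main__":
    print("ports the far end would need open:", reply_ports(SAMPLE_INVITE))
    out, st = rewrite_for_relay(SAMPLE_INVITE, "192.168.1.20", 49152, 20000)
    print(out)
    print(st)
```

The point of keeping `state` is that the relay, not the NAT, now owns the three-port problem: responses arrive on the relay's SIP socket and RTP/RTCP on the allocated pair, and the relay forwards them to the addresses it recorded. Note that the Call-ID still carries the private address; a production relay would normally rewrite that too, since it leaks internal topology to the far end.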
... On the contrary, out-of-band protocols like SIP and H.323 cannot easily tackle firewall and NAT traversal issues unless VoIP-aware security devices, proxies or protocols like STUN (Simple Traversal of UDP through NAT) are used, but at the cost of increased expense and/or perplexity (Goode, 2002; Yeryomin et al., 2008). Apart from being more flexible with security appliances, IAX is also more bandwidth efficient. ...
... By whitelisting the fire department's SocialNAT, these calls would go through without each user needing to specifically add the fire department to her personal policy. These domain policies go a long way in enhancing the Internet's ability to function similar to a public switched telephone network, something current NAT technology prevents [13]. The other feature-enhancement SocialNATs provide is the ability to define valid users within a domain. ...
Conference Paper
Full-text available
The rapid evolution of the Internet has forced the use of Network Address Translation (NAT) to help slow the decline of publicly available IPv4 address space. While NAT provides the requisite address space as well as privacy and security to its users, it also eliminates the ability to establish incoming connections to devices within a private network. To address this issue, we propose combining social network topologies with traditional NAT architecture to better integrate peer-to-peer communication through NATed networks. This socially enhanced NAT allows incoming connections from trusted parties, resolving one of the central criticisms of the NAT approach.
... The NAT permits outgoing connection requests produced by a host behind the NAT to pass into the outside network (like the Internet) [6]; however, it does not permit any connection request produced from the outside network (like the Internet) to reach any host behind the NAT [7]. This is because the translation table entry is created only when a client (behind the NAT) initiates a request to connect to a host on the outside network (Internet) [8], [9]. ...
Article
Full-text available
This paper presents a novel method that exploits the strengths of two streaming protocols (Real-time Transport Protocol (RTP) and Hypertext Transfer Protocol (HTTP)) to overcome the Network Address Translation (NAT) and firewall traversal problem. The proposed solution is able to pass RTP through all kinds of NATs (including symmetric NATs) by adding extra fields to the RTP/UDP packet at the transport layer on the sender side. The NAT and firewall will see these packets as TCP packets on the channel that initialized the connection. The receiver side then removes the extra fields and recovers the packets' original content. The proposed work involves adding two modules, one at the client and the other at the video streaming server. The proposed work also avoids any modification to the NAT or the RTP protocol itself.
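The citing text above makes the point that a NAT only creates a translation entry for traffic the inside host initiates, and the abstract that follows singles out symmetric NATs as the hard case. The model below, an added illustration that belongs to none of the papers listed on this page, shows why: it simulates the four NAT behaviours of the RFC 3489 classification (full cone, restricted cone, port restricted cone, symmetric), then runs three scenarios against each of them: an unsolicited inbound packet, STUN-style hole punching where the phone advertises a mapping learned from a STUN server, and a pure relay (an SBC or TURN-style server) that sends back from the same address the phone contacted. Timeouts, hairpinning and port preservation are left out; all addresses are constructed sample data.

```python
"""Toy NAT model: why unsolicited inbound VoIP packets are dropped and why
STUN-style hole punching fails on symmetric NATs while a relay always works.

Added illustration, not code from any of the papers listed here. Policy names
follow the RFC 3489 classification; addresses are constructed sample data.
"""

POLICIES = ("full_cone", "restricted", "port_restricted", "symmetric")


class Nat:
    def __init__(self, public_ip, policy, first_port=40000):
        assert policy in POLICIES
        self.public_ip = public_ip
        self.policy = policy
        self.next_port = first_port
        self.table = {}    # external port -> {"inside": (ip, port), "peers": set of (ip, port)}
        self.mapping = {}  # mapping key -> external port

    def _key(self, inside, dst):
        # A symmetric NAT allocates a new external port per (inside socket, destination);
        # the cone variants reuse one external port per inside socket.
        return (inside, dst) if self.policy == "symmetric" else inside

    def outbound(self, inside, dst):
        """Packet from inside=(ip, port) to dst=(ip, port); creates the table entry
        if needed (the only way an entry ever comes into existence). Returns the
        external (ip, port) the outside world sees."""
        key = self._key(inside, dst)
        if key not in self.mapping:
            ext_port = self.next_port
            self.next_port += 1
            self.mapping[key] = ext_port
            self.table[ext_port] = {"inside": inside, "peers": set()}
        ext_port = self.mapping[key]
        self.table[ext_port]["peers"].add(dst)
        return self.public_ip, ext_port

    def inbound(self, ext_port, src):
        """Packet from outside src=(ip, port) to our external port. Returns the
        inside (ip, port) it is forwarded to, or None if the NAT drops it."""
        entry = self.table.get(ext_port)
        if entry is None:
            return None                                   # no entry: nobody inside ever used it
        if self.policy == "full_cone":
            return entry["inside"]                        # anyone may send to the mapping
        if self.policy == "restricted":
            ok = any(p[0] == src[0] for p in entry["peers"])   # same IP contacted before
        else:
            ok = src in entry["peers"]                    # exact (ip, port) contacted before
        return entry["inside"] if ok else None


PHONE = ("192.168.1.20", 7078)      # softphone RTP socket behind the NAT
NAT_IP = "198.51.100.7"
STUN = ("192.0.2.10", 3478)
PEER = ("203.0.113.9", 9000)        # remote party's RTP socket
RELAY = ("203.0.113.5", 20000)      # SBC / TURN-style media relay


def unsolicited(policy):
    """Remote party sends RTP to a guessed port with no prior outbound traffic."""
    nat = Nat(NAT_IP, policy)
    return nat.inbound(40000, PEER)           # None on every policy


def stun_hole_punch(policy):
    """Phone learns its mapping from a STUN server, advertises it in SDP, and the
    peer sends RTP to it. Returns True if RTP reaches the phone at any point."""
    nat = Nat(NAT_IP, policy)
    mapped = nat.outbound(PHONE, STUN)        # STUN Binding request creates the entry
    if nat.inbound(mapped[1], PEER) == PHONE:
        return True                           # only a full cone forwards this
    nat.outbound(PHONE, PEER)                 # phone sends its own RTP towards the peer
    return nat.inbound(mapped[1], PEER) == PHONE   # symmetric NAT used a new port: still dropped


def via_relay(policy):
    """Phone sends to the relay first; the relay replies from the same (ip, port)."""
    nat = Nat(NAT_IP, policy)
    _, ext_port = nat.outbound(PHONE, RELAY)
    return nat.inbound(ext_port, RELAY) == PHONE


if __name__ == "__main__":
    for policy in POLICIES:
        print(f"{policy:16} unsolicited={unsolicited(policy)!s:5} "
              f"stun={stun_hole_punch(policy)!s:5} relay={via_relay(policy)}")
```

The relay wins in every row because the phone, not the outside party, creates the mapping, and the relay keeps using exactly the address pair the phone first contacted; this is the property the abstract's SRP relies on when it is placed inside the private network and opens its own outbound sessions.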
Conference Paper
The Session Initiation Protocol (SIP) is a signaling protocol widely used nowadays for controlling multimedia communication sessions. Thus, understanding and troubleshooting SIP behavior is of utmost importance to network designers and operators. However, SIP traffic traces are hard to come by due to privacy and confidentiality issues. SIP contains a lot of personal information spread within the various SIP messages - IP addresses, names, usernames and domains, e-mail addresses etc. The known IP-address anonymization methods are thus insufficient. We present SiAnTo, an extended anonymization technique that substitutes session-participant information with matching, but nondescript, labels. This allows for SIP traces to be publicly shared, while keeping interesting traffic-session properties intact. We further demonstrate its usefulness by studying the problem of SIP NAT traversal as recorded in the anonymized traces. We analyze properties of the so-called “registration storm” incident and measure the influence of the active NAT traversal techniques on SIP traffic pattern, both only possible thanks to the preservation of session relationships inside the anonymized traces. As further benefit to the research community, we set up a public data-store with both the anonymization module and the anonymized traces available and invite other parties to share further SIP data using these open tools.
Conference Paper
Voice-over-IP (VoIP) is currently one of the most commonly used communication options and Session Initiation Protocol (SIP) is most often used for VoIP deployment. However, there is not a lot of general knowledge about typical SIP traffic and research in this area largely works with various assumptions. To address this deficiency, we present a thorough study of traffic of a real, free and publicly open SIP server. The findings reveal, among others, a surprisingly high overhead of SIP due to connection maintenance through Network Address Translation (NAT) nodes, differences from typical Web server Zipf's-law patterns and various unexpected creative uses of SIP servers.
Conference Paper
The protocols of voice-over-IP (SIP, RTP and RTCP) have several issues, for example the NAT and the firewall problem. They lead to solutions such as "back-to-back user agents" (B2BUA), "session border controllers" and helper protocols such as "simple traversal of UDP through NATs" (STUN) and "traversal using relay NAT" (TURN). This paper focuses on a different challenge, a problem that arises when a user becomes mobile and his IP-enabled telephone is forced to change its network access technology due to network coverage issues ("perform a vertical handover"). We present a middleware-based solution that makes SIP-based VoIP handover-aware and effectively solves the NAT and firewall problem. This approach builds on the "roaming-enabled architecture" (REACH), a plugin-driven middleware that uses proxy servers. REACH offers relay plugins for multiple data capturing schemes required to provide an easy-to-use handover-aware solution, but VoIP was not supported yet. Here, we present a self-implemented "session border controller" for SIP and RTP that was divided into two relay plugins designed to be used within the infrastructure of REACH. This mechanism adds full support for VoIP to the REACH software suite, allowing telephony in combination with any kind of vertical handover such as hard, soft and softer handovers in IP-based networks of any kind.
Conference Paper
Full-text available
Modern mobile PCs have different kinds of network access technologies, such as wire-based interfaces (Ethernet) or wireless adapters (IEEE 802.11 WLAN, GPRS/GSM or UMTS). Ongoing research deals with the problem of performing a "vertical handover", which allows switching the currently used network access technology on-the-fly without interruption of the application sessions. The "Roaming-Enabled Architecture" (REACH) presented in this paper is a middleware-based approach that does not use IP mobility extensions and does not depend on modifications of the infrastructure. In fact, it is related to the already published mechanisms MSOCKS and the Universal Seamless Handoff Architecture (USHA). However, REACH is designed plugin-driven in order to support multiple coexistent schemes to perform vertical handovers on different layers of the Internet protocol suite. Each relay plugin is able to intercept data coming from the applications, which is necessary to route all data through the protection schemes in order to make the mobile nodes handover-aware. Hard and soft handovers are supported by REACH as well as softer handovers and channel bundling. A mobile node can connect to multiple proxy servers simultaneously in order to utilize different services, take care of some forms of performance degradation that are related to triangle routing, and to do load balancing.
Article
It may be a while before Internet telephony with VoIP (Voice over Internet Protocol) reaches critical mass, but there's already tremendous movement in that direction. A lot of organizations are not only attracted to VoIP's promise of cost savings, but its ability to move data, images, and voice traffic over the same connection. Think of it: a single Internet phone call can take information sharing to a whole new level. That's why many IT administrators and developers are actively looking to set up VoIP-based private telephone switching systems within the enterprise. The efficiency that network users can reach with it is almost mind-boggling. And cheap, if the system is built with open source software like Asterisk. There are commercial VoIP options out there, but many are expensive systems running old, complicated code on obsolete hardware. Asterisk runs on Linux and can interoperate with almost all standards-based telephony equipment. And you can program it to your liking.
Article
Network Address Translation is a method by which IP addresses are mapped from one realm to another, in an attempt to provide transparent routing to hosts. Traditionally, NAT devices are used to connect an isolated address realm with private unregistered addresses to an external realm with globally unique registered addresses. This document attempts to describe the operation of NAT devices and the associated considerations in general, and to define the terminology used to identify various flavors of NAT.
Conference Paper
Mobile PCs are equipped with a multitude of network access technologies, such as IEEE 802.11 WLAN, GPRS over GSM or wire-based Ethernet. If the user wants to access the Internet he has to choose one of the technologies and has to use it for the whole duration of the session. But this is problematic when the user wants to be mobile and has to change network access technologies. So far it has been quite problematic to start a session using Ethernet (laptop at work) and then perform a seamless vertical handover to WLAN when the user becomes mobile. The protocols used in the Internet were not designed with mobility in mind. Some proposals were made to circumvent these problems, for example by using enhancements like Mobile IP or IPv6, but a solution that could easily be applied to a multitude of different "real-world systems" has not been presented yet. We developed a method that implements a data transfer mechanism that is able to handle the problems caused by mobility and vertical handovers. Our first approach made use of the universal proxy protocol SOCKSv5 (RFC 1928) to relay all data to a central proxy server using a handover-capable transport mechanism. Here, "socksified" applications were needed, which was not feasible in all possible scenarios [Evers, 2004]. This paper presents our latest enhancement that makes use of a Virtual Private Network (VPN) in combination with our handover-capable transport mechanism.
Handover-aware SIP-based VoIP provided by a Roaming-Enabled Architecture (REACH)
  • F Evers
  • Y Yeryomin
  • J Seitz
F. Evers, Y. Yeryomin, and J. Seitz, "Handover-aware SIP-based VoIP provided by a Roaming-Enabled Architecture (REACH)," in IEEE Sarnoff Symposium 2008, Princeton, New Jersey, 2008, submitted.
NAT Traversal for VoIP and Internet Communications using STUN, TURN and ICE
"NAT Traversal for VoIP and Internet Communications using STUN, TURN and ICE," Eyeball Networks Inc., Tech. Rep., 2007.
Asterisk: The Future of Telephony
  • J V Meggelen
  • J Smith
  • L Madsen
J. V. Meggelen, J. Smith, and L. Madsen, Asterisk: The Future of Telephony. O'Reilly, Sept. 2005.
Universal Enterprise FMC Solution
  • Y Yeryomin
  • J Seitz
Y. Yeryomin and J. Seitz, "Universal Enterprise FMC Solution," in ICEIS Doctoral Consortium (DCEIS 2007), Funchal, Madeira, Portugal, 2007.