Copyright Viagénie 2008

NAT and Firewall Traversal with STUN / TURN / ICE

Simon Perreault
Viagénie
mailto:sip:Simon.Perreault@viagenie.ca
http://www.viagenie.ca
Credentials

Consultant in IP networking and VoIP at Viagénie.
Developed Numb, a STUN / TURN server.
Ported FreeSWITCH to IPv6.
Co-ported Asterisk to IPv6.
Developed many custom VoIP applications.


Plan

The problem of NAT and firewalls in VoIP
How STUN, TURN, and ICE solve it
Wireshark traces
The Problem of NAT and Firewalls in VoIP

Network address translators (NATs) are common devices that “hide” private networks behind public IP addresses.
Connections can be initiated from the private network to the Internet, but not the other way around.
The situation is made worse by the fact that SIP controls separate media streams and thus transports addresses.
The Problem of NAT and Firewalls in VoIP

Many firewalls only allow connections to be initiated from the private network, thus having the same effect as NATs.
Moreover, firewalls commonly deny access to port numbers associated with VoIP.
Some even inspect the packet contents to identify and reject VoIP traffic.
Result: VoIP users behind NATs and firewalls do not benefit from the end-to-end connectivity necessary for VoIP.
Server-Reflexive Address

A NAT device works by associating a public address and port with a private destination address and port.
  Public 206.123.31.67:55123 <-> Private 192.168.1.2:5060
The public address and port together are known as the server-reflexive address.
This mapping is created when a TCP SYN packet is sent from inside the NAT or when a first UDP packet is sent.
It is maintained for as long as the TCP connection or UDP flow is “alive.” Flow timeout is implementation-dependent.
Server-Reflexive Address

For the majority of NAT devices (mostly home routers), any device on the Internet may contact the NATed party by sending packets to the server-reflexive address, even if it is not the receiver of the connection-initiating packet.
A means of discovering the server-reflexive address and communicating it to the other party is therefore needed.
STUN

Session Traversal Utilities for NAT (STUN) is a simple protocol for discovering the server-reflexive address.
A STUN server is located in the public Internet or in an ISP's network when offered as a service.
The NATed peer initiates a connection to the STUN server, thus creating a binding in the NAT device.
The STUN server receives the query and inspects the sender address, which is the server-reflexive address.
It sends back a reply containing the server-reflexive address in its payload.
The client thus learns its server-reflexive address.


STUN Flow Diagram

[Figure: STUN client 192.168.201.128, NAT 192.168.201.2 / 206.123.31.67, STUN server 64.251.14.14.]
STUN Binding Request, source: 192.168.201.128:45897 (client to NAT)
STUN Binding Request, source: 206.123.31.67:56785 (NAT to STUN server)
STUN Binding Response, destination: 206.123.31.67:56785, payload: 206.123.31.67:56785 (STUN server to NAT)
STUN Binding Response, destination: 192.168.201.128:45897, payload: 206.123.31.67:56785 (NAT to client)
STUN

It turns out that some NAT devices try to be clever by inspecting the payloads and changing all references to the server-reflexive address into the private address.
To address that issue, the new version of STUN (known as STUN 2, still an IETF draft) obfuscates the address by XORing it with a known value.
TCP and UDP are supported over IPv4 and IPv6.
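To make the XOR obfuscation concrete, here is an added Python example (not code from the slides or from Numb) that builds a Binding Request and decodes a Binding Response in the STUN 2 / rfc3489bis wire format; the magic cookie 0x2112A442 and the XOR-MAPPED-ADDRESS attribute are taken from that specification, not from the slides, and the response is constructed locally rather than captured.

```python
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value carried by every STUN 2 message
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
ATTR_XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(transaction_id=None):
    """Attribute-less Binding Request: the 20-byte header only. Returns (bytes, tid)."""
    tid = transaction_id if transaction_id is not None else os.urandom(12)
    return struct.pack("!HHI12s", BINDING_REQUEST, 0, MAGIC_COOKIE, tid), tid

def xor_mapped_address(ip, port, tid):
    """Encode XOR-MAPPED-ADDRESS: port XOR top 16 bits of the cookie, address
    XOR cookie (IPv4) or cookie||transaction id (IPv6)."""
    family = 0x02 if ":" in ip else 0x01
    raw = socket.inet_pton(socket.AF_INET6 if family == 0x02 else socket.AF_INET, ip)
    key = struct.pack("!I", MAGIC_COOKIE) + tid
    xaddr = bytes(a ^ b for a, b in zip(raw, key))   # zip stops at 4 or 16 bytes
    return struct.pack("!BBH", 0, family, port ^ (MAGIC_COOKIE >> 16)) + xaddr

def build_binding_response(ip, port, tid):
    """What the STUN server sends back: header plus one XOR-MAPPED-ADDRESS."""
    value = xor_mapped_address(ip, port, tid)
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI12s", BINDING_SUCCESS, len(attr), MAGIC_COOKIE, tid) + attr

def parse_server_reflexive(response, expected_tid):
    """Client side: check the header, walk the attributes, undo the XOR. Returns
    (ip, port) or None when the message is not the reply we are waiting for."""
    if len(response) < 20:
        return None
    msg_type, length, cookie, tid = struct.unpack("!HHI12s", response[:20])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or tid != expected_tid:
        return None
    body, pos = response[20:20 + length], 0
    key = struct.pack("!I", MAGIC_COOKIE) + tid
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + alen + (-alen % 4)                  # attributes are 32-bit aligned
        if atype != ATTR_XOR_MAPPED_ADDRESS:
            continue                                   # skip e.g. SOFTWARE, FINGERPRINT
        _, family, xport = struct.unpack("!BBH", value[:4])
        raw = bytes(a ^ b for a, b in zip(value[4:], key))
        af = socket.AF_INET6 if family == 0x02 else socket.AF_INET
        return socket.inet_ntop(af, raw), xport ^ (MAGIC_COOKIE >> 16)
    return None
```

Because the bytes on the wire never contain the public address in clear, a NAT that rewrites payload occurrences of its own public address has nothing to match, which is the whole point of the XOR.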


Server-Reflexive Address

A client who knows its server-reflexive address may use it in place of its private address in the SIP headers.
The same process must be carried out for the RTP ports in the SDP, each one having its own NAT binding and needing a separate STUN request.
Symmetric NATs

Some NAT devices only allow packets from the remote peer to reach the NATed peer.
Thus a STUN request is useless because only the STUN server could reach the NATed peer through the server-reflexive address.
These NAT devices are called symmetric NATs.
They are often “enterprise” NATs that hide more devices on average.
Thus, their presence is significant and must be worked around.
TURN

To be reachable, a device behind a symmetric NAT needs to initiate and maintain a connection to a relay.
Traversal Using Relays around NAT (TURN) is a protocol for communicating with the relay.
Built on top of STUN.
The TURN server is located outside the NAT, either on the public Internet or in an ISP's network when offered as a service by the ISP.
A NATed TURN client asks the server to allocate a public address and port and relay packets to and from that address.
TURN Flow Diagram

[Figure: TURN client 192.168.201.128, NAT, TURN server 64.251.14.14, SIP peer.]
TURN Allocate (client to NAT, NAT to TURN server); the TURN server allocates a port
Allocate Response, relayed address: 64.251.14.14:51292 (TURN server to NAT, NAT to client)
Keep-alive
SIP Invite, SDP c= line: 64.251.14.14:51292 (client to NAT, NAT to SIP peer)
RTP packet (SIP peer to TURN server)
TURN Data Indication + RTP packet (TURN server to NAT, NAT to client)
Relayed Address

The address allocated by the TURN server is called the relayed address.
The TURN server communicates that address to the TURN client.
The TURN client may use it in the SIP headers.
Separate allocations must be made for each RTP port, and the relayed addresses may be used in the SDP.
TURN guarantees communication in all NAT cases unless there is an explicit firewall policy to prohibit its use.
Disadvantages of TURN

TURN server is in the forwarding path.
  Requires a lot of bandwidth.
  Server must remain available for the whole duration of the allocation.
  Triangle routing results in a longer path.
Encapsulation.
  Lowers MTU (not so much a problem for VoIP packets).
  Additional headers consume a bit more bandwidth.
  Firewall must inspect payload to discover the real sender.
Allocation must be kept alive.


Disadvantages of TURN

ICMP not relayed.
  No path MTU discovery.
  TTL not properly decremented.
  Possibility of loops.
DiffServ (DS) field not relayed.
As of now only IPv4 and UDP.


Mitigating Mechanisms

Availability and scalability provided by anycast.
  Only used for discovery; the server must remain up for the duration of the allocation.
Channel mechanism for minimizing header size.
  4 bytes only.
Permission mechanism enforced by the TURN server.
  Only peers previously contacted by the client may send data to the relayed address.
  Firewall may “trust” the TURN server, no payload inspection.
Keep the TURN server close to the NAT device.
  Offered as a service by ISPs.
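The permission mechanism in action, as an added toy model written for this page (not Numb's code): a relay that hands out relayed addresses, records which peer IPs the client has sent to, and forwards inbound data as a Data Indication only from those peers. Addresses are constructed, and the per-IP scope of a permission follows the TURN draft rather than anything stated on the slide.

```python
import ipaddress
from dataclasses import dataclass, field

# Toy model of a TURN relay's permission check; constructed for this page, not Numb's code.

@dataclass
class Allocation:
    client: tuple                     # (ip, port) of the NATed client as the server sees it
    relayed: tuple                    # relayed address returned in the Allocate Response
    permissions: set = field(default_factory=set)  # peer IPs the client has already sent to
    dropped: list = field(default_factory=list)    # audit trail of rejected inbound packets

class TurnRelay:
    def __init__(self, public_ip, first_port=51292):
        self.public_ip, self.next_port = public_ip, first_port
        self.by_relayed = {}          # relayed (ip, port) -> Allocation

    def allocate(self, client):
        """TURN Allocate: hand the client a public relayed address."""
        relayed = (self.public_ip, self.next_port)
        self.next_port += 1
        self.by_relayed[relayed] = Allocation(client, relayed)
        return relayed

    def send_to_peer(self, relayed, peer, payload):
        """Client -> peer through the relay. Contacting a peer installs a permission
        for that peer's IP address (the permission is per IP, not per port)."""
        alloc = self.by_relayed[relayed]
        alloc.permissions.add(ipaddress.ip_address(peer[0]))
        return ("relayed-to", peer, payload)

    def receive_from_peer(self, relayed, peer, payload):
        """Peer -> relayed address. Forwarded to the client as a Data Indication
        only if the client contacted that peer first; otherwise silently dropped."""
        alloc = self.by_relayed.get(relayed)
        if alloc is None:
            return None               # nothing allocated on that port
        if ipaddress.ip_address(peer[0]) not in alloc.permissions:
            alloc.dropped.append((peer, len(payload)))
            return None
        return ("data-indication", alloc.client, peer, payload)
```

This is what lets a firewall “trust” the relay: unsolicited traffic aimed at a relayed port never reaches the NATed client, so the firewall need not look inside the TURN payload to decide.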


IPv4 and IPv6 Interoperability

TURN will also be used to relay packets between IPv4 and IPv6.
Alleviates load from the B2BUA.
Designed for relaying performance.
Anycast ensures scalability and reliability.
TURNv6 draft still in progress.


Numb

Numb is a STUN and TURN server developed by Viagénie.
Supports IPv4 and IPv6 in mixed scenarios.
Supports anycast.
Free access at http://numb.viagenie.ca
To install it in your own network, contact us: info@viagenie.ca
Connectivity Establishment

Many addresses may be available:
  Host addresses.
  Server-reflexive address.
  Relayed address.
  Each in IPv4 and IPv6 flavour!
  Each in UDP and TCP flavour!
Which one to choose?
Need for an automatic connectivity establishment mechanism.
Interactive Connectivity Establishment (ICE)

Conceptually simple.
  Gather all candidates (using STUN/TURN).
  Order them by priority.
  Communicate them to the callee in the SDP.
  Do connectivity checks.
  Stop when connectivity is established.
Gnarly details:
  Keep candidates alive.
  Agree on priority.
  Reduce delays and limit packets.


Peer-Reflexive Address

Server-reflexive address useless with symmetric NAT.
Address as seen from the peer (instead of the STUN server) is the peer-reflexive address and does work even with symmetric NAT.
During ICE connectivity checks, peer-reflexive candidates are gathered and prepended to the check list.
TURN relay still necessary when both peers are behind symmetric NATs.
STUN requests need to be multiplexed with RTP.
Information reuse between ICE instances.
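An added Python example (not from the slides or from any ICE stack) that works through the candidate gathering, priority ordering and peer-reflexive prepending described on the two ICE slides above. The type-preference values and the two priority formulas are the ones from the ICE specification (RFC 5245), which the slides do not spell out; the candidates and addresses are constructed.

```python
# Type preferences and both priority formulas come from the ICE spec (RFC 5245);
# candidates and addresses below are constructed for illustration.
TYPE_PREFERENCE = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}

def candidate_priority(ctype, local_pref, component_id=1):
    """2^24 * type preference + 2^8 * local preference + (256 - component id)."""
    return (TYPE_PREFERENCE[ctype] << 24) + (local_pref << 8) + (256 - component_id)

def pair_priority(g, d):
    """g = controlling agent's candidate priority, d = controlled agent's. Both sides
    compute the same number for a pair, which is how they agree on the order."""
    return (min(g, d) << 32) + (max(g, d) << 1) + (1 if g > d else 0)

def gather(addresses, local_pref=65535):
    """addresses: {ctype: (ip, port)} as learned from the host, STUN and TURN."""
    return [{"type": t, "addr": a, "priority": candidate_priority(t, local_pref)}
            for t, a in addresses.items()]

def build_check_list(local, remote, controlling=True):
    """Pair every local candidate with every remote one, highest priority first."""
    pairs = []
    for l in local:
        for r in remote:
            g, d = (l["priority"], r["priority"]) if controlling else (r["priority"], l["priority"])
            pairs.append({"local": l, "remote": r, "priority": pair_priority(g, d)})
    return sorted(pairs, key=lambda p: p["priority"], reverse=True)

def add_peer_reflexive(check_list, remote, mapped_addr, controlling=True):
    """A check response carried a mapped address we did not know: a peer-reflexive
    candidate. Its pair is prepended so it is checked before anything else."""
    prflx = {"type": "prflx", "addr": mapped_addr,
             "priority": candidate_priority("prflx", 65535)}
    g, d = (prflx["priority"], remote["priority"]) if controlling else (remote["priority"], prflx["priority"])
    return [{"local": prflx, "remote": remote, "priority": pair_priority(g, d)}] + check_list
```

The host candidate with local preference 65535 and component 1 evaluates to 2130706431, the server-reflexive one to 1694498815 and the relayed one to 16777215, which is why relayed pairs sit at the bottom of the list and are only tried when everything direct has failed.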


E8am"les
STUN server
.F%9>;%;F%;F
.F%9>;%99%;F@
9:.%;9<%<;%.=
9.9:$:$9<:$':::$.=
;@9%;.A%9:;%9
;@9%;.A%9:;%;9A
NAT K )NS server
)NS server
9:.%;9<%<;%9
9.9:$:$9<:$A:::$9
SIP registrar
9:.%;9<%<;%@A
9.9:$:$9<:$':::$@A
)e"lo0ment

ISPs are de"lo0ing STUN / TURN servers within their


networ(%

TURN a "art o1 the IPv. migration%

SIP 'lient vendors are im"lementing ICE%

E9EUAs also should im"lement ICE%


Conclusion

Discussed
  The problem of NAT and firewalls in VoIP
  How STUN, TURN, and ICE solve it
    Obtaining a server-reflexive address via STUN
    Obtaining a relayed address via TURN
    Telling the other party about these addresses via ICE
    Making connectivity checks
    Obtaining peer-reflexive addresses
STUN / TURN / ICE stack too thick? Use IPv6!


Questions?

Simon.Perreault@viagenie.ca
This presentation: http://www.viagenie.ca/publications/
STUN / TURN server: http://numb.viagenie.ca

References:
STUNv1 RFC: http://tools.ietf.org/html/rfc3489
STUNv2 draft: http://tools.ietf.org/html/draft-ietf-behave-rfc3489bis
TURN draft: http://tools.ietf.org/html/draft-ietf-behave-turn
ICE draft: http://tools.ietf.org/html/draft-ietf-mmusic-ice
