
- Filtering software, blocks many types of traffic
- Increasingly used in home networks and even PCs
- Most common: incoming traffic only allowed if the session was initiated by a device in the private domain
  Figure: Client A initiates an outgoing session to Client Y; the firewall allows the returned media from Client Y.
  Client Z attempts to initiate an unsolicited incoming session to Client B; the firewall blocks the incoming stream.
NAT and the SIP Protocol
NAT:
a) connects several private IP addresses using a single public IP address (breaks e2e connectivity)
b) responses are routed through the IP addresses in the Via header
c) NAT bindings time out
d) cascaded NATs

Firewall:
- blocks inbound traffic (calls, RTP data with varying port)
- easy to configure a firewall for SIP messages (well-known port)
- media is harder (RTP port varies)
Figure (NAT types): reuse of IP,Port possible; reuse of IP,Port possible; reuse not possible.
Update SIP/SDP messages to external IP & port
STUN: Session Traversal Utilities for NAT
STUN server:
- in the public address space (Internet)
- client dynamically learns:
  . external IP addr & port for communication
  . type of NAT implementation (full-cone, restricted, ...)
- two STUN servers (IP1 and IP2), can respond from port 1 or 2
– limits transactions to client-originated ones
– no reuse of IP & Port allowed
(SPOF)
1) gather transport candidates
   - host client
   - NAT public IP (STUN)
   - TURN server
2) caller and callee exchange list of candidates
3) connectivity checks (STUN msgs) for all pairs of candidates
4) media is sent through the chosen candidate pair
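Added example, not from the slides: a minimal STUN Binding Request builder and Binding Response parser in Python, following the RFC 5389 wire format that both the "client dynamically learns its external IP & port" step and the ICE connectivity checks rely on. The server reply is constructed inline; the public address 203.0.113.5:40000 and the transaction id are made-up sample values.

```python
import os
import socket
import struct

# STUN (RFC 5389) wire format: 20-byte header = type, length, magic cookie, 12-byte transaction id.
MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
XOR_MAPPED_ADDRESS = 0x0020

def build_binding_request(tid=None):
    """Binding Request with no attributes: type, length=0, magic cookie, transaction id."""
    tid = tid or os.urandom(12)
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + tid

def encode_xor_mapped_address(ip, port):
    """Encode an IPv4 XOR-MAPPED-ADDRESS attribute (used here only to build the sample reply)."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xip = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    value = struct.pack("!BBHI", 0, 0x01, xport, xip)  # reserved, family=IPv4, x-port, x-address
    return struct.pack("!HH", XOR_MAPPED_ADDRESS, len(value)) + value

def parse_binding_response(data, expected_tid):
    """Return (public_ip, public_port) as seen by the STUN server, or None if the reply is not ours."""
    if len(data) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or data[8:20] != expected_tid:
        return None  # wrong type, not STUN, or a reply to a transaction this client never sent
    body, off = data[20:20 + length], 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == XOR_MAPPED_ADDRESS and len(value) == 8 and value[1] == 0x01:
            xport, xip = struct.unpack("!HI", value[2:8])
            return socket.inet_ntoa(struct.pack("!I", xip ^ MAGIC_COOKIE)), xport ^ (MAGIC_COOKIE >> 16)
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to a 4-byte boundary
    return None

def behind_nat(local_addr, reflexive_addr):
    """The client sits behind a NAT when the server-observed address differs from its own socket address."""
    return local_addr != reflexive_addr

# Constructed sample: a success response echoing our transaction id, mapped address 203.0.113.5:40000.
SAMPLE_TID = bytes(range(12))
_attr = encode_xor_mapped_address("203.0.113.5", 40000)
SAMPLE_RESPONSE = struct.pack("!HHI", BINDING_SUCCESS, len(_attr), MAGIC_COOKIE) + SAMPLE_TID + _attr
```

Send `build_binding_request()` over the same UDP socket the media will use, so that the mapped address the server reports is the binding the NAT created for that socket; a reply whose transaction id does not match is discarded rather than trusted.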
No modification on the client
Figure: wrap / unwrap
(Extensible Messaging and Presence Protocol)

NAT Traversal: Google Talk

Candidates:
- Local IP (c1)
- NAT IP (c2) from STUN Server
- Relay Server IP (c3)
NAT Traversal in SKYPE
- Ordinary nodes: skype client only
- Supernodes:
  - skype client + other functions
  - public IP address
  - selected according to memory, bandwidth, uptime
- Relay nodes:
  - outside the client network
  - dedicated
  - relay media and signaling info only
The “SuperNode” can act as a relay

Techniques for connecting ordinary nodes under firewall or NAT:
a) Native firewall NAT traversal
   - hole punching / STUN
   - least delay
   - requires, among other things:
     - port preservation
     - same external IP for all sessions of an internal IP
     - large number of connections
b) SOCKS5/HTTPS proxy server
   - relays traffic from the inside network to the Internet
   - SOCKS5 supports UDP
c) TCP/UDP relays
   - TURN-like
   - most delay
   - almost always work
