NAT and Firewall Traversal. VoIP and MultiMedia 2011 emil.ivov@jitsi.org 1/77

Similar documents

OSSIR, November /45

NAT Traversal in SIP. Baruch Sterman, Ph.D. Chief Scientist David Schwartz Director, Telephony Research

NAT Traversal for VoIP. Ai-Chun Pang Graduate Institute of Networking and Multimedia Dept. of Comp. Sci. and Info. Engr. National Taiwan University

Media Gateway Controller RTP

VoIP and NAT/Firewalls: Issues, Traversal Techniques, and a Real-World Solution

Voice over IP & Other Multimedia Protocols. SIP: Session Initiation Protocol. IETF service vision. Advanced Networking

NAT and Firewall Traversal with STUN / TURN / ICE

SIP OVER NAT. Pavel Segeč. University of Žilina, Faculty of Management Science and Informatics, Slovak Republic

NTP VoIP Platform: A SIP VoIP Platform and Its Services

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

Voice over IP (SIP) Milan Milinković

Adding Multi-Homing and Dual-Stack Support to the Session Initiation Protocol

VoIP LAB. 陳懷恩博士助理教授兼所長國立宜蘭大學資訊工程研究所 TEL: # 255

Three-Way Calling using the Conferencing-URI

NAT and Firewall Traversal with STUN / TURN / ICE

Adaptation of TURN protocol to SIP protocol

Internet Working 15th lecture (last but one) Chair of Communication Systems Department of Applied Sciences University of Freiburg 2005

TECHNICAL SUPPORT NOTE. 3-Way Call Conferencing with Broadsoft - TA900 Series

SIP: Protocol Overview

Multimedia & Protocols in the Internet - Introduction to SIP

Network Convergence and the NAT/Firewall Problems

3.1 SESSION INITIATION PROTOCOL (SIP) OVERVIEW

Mobile P2PSIP. Peer-to-Peer SIP Communication in Mobile Communities

Internet Voice, Video and Telepresence Harvard University, CSCI E-139. Lecture #5

TECHNICAL CHALLENGES OF VoIP BYPASS

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

Multimedia Communication in the Internet. SIP: Advanced Topics. Dorgham Sisalem, Sven Ehlert Mobile Integrated Services FhG FOKUS

EE4607 Session Initiation Protocol

SIP: NAT and FIREWALL TRAVERSAL Amit Bir Singh Department of Electrical Engineering George Washington University

Internet Engineering Task Force (IETF) Request for Comments: 7088 Category: Informational February 2014 ISSN:

Mobicents 2.0 The Open Source Communication Platform. DERUELLE Jean JBoss, by Red Hat 138

SIP and ENUM. Overview DENIC. Introduction to SIP. Addresses and Address Resolution in SIP ENUM & SIP

Application Note. Onsight Connect Network Requirements V6.1

SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

Session Initiation Protocol (SIP)

Part II. Prof. Ai-Chun Pang Graduate Institute of Networking and Multimedia, Dept. of Comp. Sci. and Info. Engr., National Taiwan University

IP Office Technical Tip

SIP Basics. CSG VoIP Workshop. Dennis Baron January 5, Dennis Baron, January 5, 2005 Page 1. np119

internet technologies and standards

Technical Bulletin 25751

NAT TCP SIP ALG Support

Denial of Services on SIP VoIP infrastructures

Session Initiation Protocol

NTP VoIP Platform: A SIP VoIP Platform and Its Services 1

VoIP Security. Seminar: Cryptography and Security Michael Muncan

Overview of VoIP Systems

How to make free phone calls and influence people by the grugq

SIP Session Initiation Protocol Nicolas Montavont

This specification this document to get an official version of this User Network Interface Specification

WebSOCKET based Real time text (RTT) WebRTC gateway For WebRTC and SIP interop. Version 2.5a. Projet Sécuritas

A Comparative Study of Signalling Protocols Used In VoIP

Session Initiation Protocol (SIP) 陳懷恩博士助理教授兼計算機中心資訊網路組組長國立宜蘭大學資工系 TEL: # 340

VoIP. What s Voice over IP?

How will the Migration from IPv4 to IPv6 Impact Voice and Visual Communication?

Identity based Authentication in Session Initiation. Session Initiation Protocol

IP-Telephony SIP & MEGACO

SIP ALG - Session Initiated Protocol Applications- Level Gateway

NAT Traversal for VoIP

Review: Lecture 1 - Internet History

White paper. SIP An introduction

Firewall Support for SIP

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

Vesselin Tzvetkov, Holger Zuleger {vesselin.tzvetkov, Arcor AG&Co KG, Alfred-Herrhausen-Allee 1, Eschborn, Germany

Security Issues of SIP

SIP Session Initiation Protocol

Session Initiation Protocol and Services

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

802.11: Mobility Within Same Subnet

Session Border Controller

Advanced Networking Voice over IP & Other Multimedia Protocols

VoIP with SIP. Session Initiation Protocol RFC-3261/RFC

Application Notes for Avaya IP Office 7.0 Integration with Skype Connect R2.0 Issue 1.0

Application Notes for IDT Net2Phone SIP Trunking Service with Avaya IP Office Issue 1.0

SIP Trunking and Voice over IP

SIP: Session Initiation Protocol. Copyright by Elliot Eichen. All rights reserved.

Lehrstuhl für Informatik 4 Kommunikation und verteilte Systeme

Skype characteristics

SIP A Technology Deep Dive

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Session Initiation Protocol (SIP)

Anat Bremler-Barr Ronit Halachmi-Bekel Jussi Kangasharju Interdisciplinary center Herzliya Darmstadt University of Technology

ARCHITECTURES TO SUPPORT PSTN SIP VOIP INTERCONNECTION

Configuring SIP Support for SRTP

Chapter 10 Session Initiation Protocol. Prof. Yuh-Shyan Chen Department of Computer Science and Information Engineering National Taipei University

ENUM: Migrating to VoIP. P2P Voice Applications

Telecommunication Services Engineering (TSE) Lab. Chapter V. SIP Technology For Value Added Services (VAS) in NGNs

Transparent weaknesses in VoIP

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

Dial91 iphone User Guide

Authentication and Authorisation for Integrated SIP Services in Heterogeneous Environments 1

An outline of the security threats that face SIP based VoIP and other real-time applications

End-2-End QoS Provisioning in UMTS networks

Request for Comments: August 2006

Creating your own service profile for SJphone

District of Columbia Courts Attachment 1 Video Conference Bridge Infrastructure Equipment Performance Specification

Unit 23. RTP, VoIP. Shyam Parekh

Transcription:

and Firewall Traversal VoIP and MultiMedia 2011 emil.ivov@jitsi.org 1/77

Introduction Does anyone remember why we started working on IPv6? ICAN says IPv4 addresses will run out by 2011 XXXX says the same YYYY also confirms Oh, and MIT alone have more addresses than entire China! VoIP and MultiMedia 2011 emil.ivov@jitsi.org 2/77

Introduction well ok but who cares about IPv4 addresses? we have s right? VoIP and MultiMedia 2011 emil.ivov@jitsi.org 3/77

Standard usage VoIP and MultiMedia 2011 emil.ivov@jitsi.org 4/77

Less standard usage: End to end services? VoIP and MultiMedia 2011 emil.ivov@jitsi.org 5/77

Introduction We need public IPs because of e2e services such as VoIP for example. Right, so do you know of any production IPv6 VoIP deployments? I don t! Through the rest of this presentation I ll try to explain why I think this is the case. VoIP and MultiMedia 2011 emil.ivov@jitsi.org 6/77

The basics of IP telephony A sample call network core (registrars, proxies, ) Bob Address: B Port: Pb Alice Address: A Port: Pa VoIP and MultiMedia 2011 emil.ivov@jitsi.org 7/77

The basics of IP telephony A sample call network core (registrars, proxies, ) Bob Address: B Port: Pb Alice Address: A Port: Pa VoIP and MultiMedia 2011 emil.ivov@jitsi.org 8/77

The basics of IP telephony. network core (registrars, proxies, ) MEDIA over (S)RTP Bob Address: B Port: Pb Alice Address: A Port: Pa VoIP and MultiMedia 2011 emil.ivov@jitsi.org 9/77

Session initialization with SIP and XMPP INVITE sip:barbara@b.com SIP/2.0 Via: SIP/2.0/UDP 10.43.122.3;branch=1 From: sip:alice@a.com;tag=4ad340f To: sip:barbara@b.com Contact: <sip:alice@10.43.122.3> Call-ID: 1874630@10.43.122.3 Cseq: 12442 INVITE v=0 o=user 14341433 14341433 IP4 10.43.122.3 s=. t=0 0 c=in IP4 10.43.122.3 m=audio 13222 RTP/AVP 0 a=rtpmap:0 PCMU/8000 <iq from='juliet@capulet.lit/balcony' id='hs81w639' to='romeo@montague.lit/orchard' type='set'> <jingle xmlns='urn:xmpp:jingle:1' action='session-accept' initiator='romeo@montague.lit/orchard' responder='juliet@capulet.lit/balcony' sid='a73sjjvkla37jfea'> <content creator='initiator' name='voice'> <description xmlns='urn:xmpp:jingle:apps:rtp:1' media='audio'> <payload-type id='18' name='g729'/> </description> <transport xmlns='urn:xmpp:jingle:transports:raw-udp:1'> <candidate component='1' generation='0' id='z7sdjb01hf' ip='208.68.163.214' port='9876'/> <candidate component='2' generation='0' id='hg92lsn10b' ip='208.68.163.214' port='9877'/> </transport> </content> </jingle> </iq> VoIP and MultiMedia 2011 emil.ivov@jitsi.org 10/77

And then s were born Call: To: B Media: Ap Call: To: B Media: Ap ERROR Alice Private Address: Ap /Firewall Address: F Bob Address: B VoIP and MultiMedia 2011 emil.ivov@jitsi.org 11/77

Internal host:port How do s work port 192.168.0.12 : 2368 8632 MSG: Dst: 130.79.200.22 : 80 Src: 192.168.0.12 : 2368 MSG: Dst: 130.79.200.22 : 80 Src: 212.50.2.18 : 8632 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 12/77

Internal host:port How do s work port 192.168.0.12 : 2368 8632 MSG: Dst: 192.168.0.12 : 2368 Src: 130.79.200.22 : 80 MSG: Dst: 212.50.4.18 : 8632 Src: 130.79.200.22 : 80 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 13/77

Internal host:port How do s work port 192.168.0.12 : 2368 8632 Endpoint-Independent Mapping Endpoint-Independent Filtering Bob Address: 60.55.68.53 MSG: Dst: 192.168.0.12 : 2368 Src: 60.55.68.53 : 9595 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 14/77

Basic Firewall and Traversal STUN What are my address and port? Address: F Port: Pf STUN Server Alice Address: Ap Port: Pa Address: F Bob Address: B Call: To: B Media: F:Pf STUN Server Alice Address: Ap Port: Pa Answer: To: A Media: B Bob Address: B VoIP and MultiMedia 2011 emil.ivov@jitsi.org 15/77

STUN Demystified RFC 5389 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 0 STUN Message Type Message Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Magic Cookie +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Transaction ID (96 bits) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Stun Attributes... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+" Format of STUN Message Header " VoIP and MultiMedia 2011 emil.ivov@jitsi.org 16/77

STUN Binding Request 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 0 0x0001 Message Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Magic Cookie +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Transaction ID (96 bits) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Format of STUN Message Header " VoIP and MultiMedia 2011 emil.ivov@jitsi.org 17/77

STUN Attributes RFC 5389 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Type Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (variable)... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Format of STUN Attributes" VoIP and MultiMedia 2011 emil.ivov@jitsi.org 18/77

STUN Mapped Address 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0x0001 Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 0 0 0 0 0 0 0 Family Port +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Address (32 bits or 128 bits) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Format of MAPPED-ADDRESS Attribute" The address family can take on the following values: 0x01:IPv4 0x02:IPv6" VoIP and MultiMedia 2011 emil.ivov@jitsi.org 19/77

STUN XOR-MAPPED-ADDRESS 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0x0020 Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ x x x x x x x x Family X-Port +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ X-Address (Variable) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+" Format of XOR-MAPPED-ADDRESS Attribute " The address family can take on the following values: 0x01:IPv4 0x02:IPv6" VoIP and MultiMedia 2011 emil.ivov@jitsi.org 20/77

STUN User Name 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0x0006 Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Value (variable)... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Format of STUN User Name Attribute" VoIP and MultiMedia 2011 emil.ivov@jitsi.org 21/77

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) MSG: Dst: 130.79.200.22 : 80 Src: 192.168.0.12 : 2368 MSG: Dst: 130.79.200.22 : 80 Src: 212.50.2.18 : 8632 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 22/77

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) MSG: Dst: 192.168.0.12 : 2368 Src: 130.79.200.22 : 80 MSG: Dst: 212.50.4.18 : 8632 Src: 130.79.200.22 : 80 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 23/77

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) Endpoint-Independent Mapping Endpoint-Dependent Filtering Bob Address: 60.55.68.53 STOP Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 24/77

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) 60.55.68.53 (: 80) Bob Address: 60.55.68.53 MSG: Dst: 60.55.68.53 : 80 Src: 192.168.0.12 : 2368 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 25/77

How do s work Address (and port) dependent filtering Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) Endpoint-Independent Mapping Endpoint-Dependent Filtering 60.55.68.53 (: 80) Bob Address: 60.55.68.53 MSG: Dst: 192.168.0.12 : 2368 Src: 60.55.68.53 : 80 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 26/77

How do s work Endpoint dependent mapping Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) MSG: Dst: 130.79.200.22 : 80 Src: 192.168.0.12 : 2368 MSG: Dst: 130.79.200.22 : 80 Src: 212.50.2.18 : 8632 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 27/77

How do s work Endpoint dependent mapping Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) MSG: Dst: 192.168.0.12 : 2368 Src: 130.79.200.22 : 80 MSG: Dst: 212.50.4.18 : 8632 Src: 130.79.200.22 : 80 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 28/77

How do s work Endpoint dependent mapping Internal host:port port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) 192.168.0.12 : 2368 9391 60.55.68.53 (: 80) Bob Address: 60.55.68.53 MSG: Dst: 60.55.68.53 : 80 Src: 192.168.0.12 : 2368 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 29/77

Internal host:port How do s work Endpoint dependent mapping port Active connections host:port 192.168.0.12 : 2368 8632 130.79.200.22 (: 80) 192.168.0.12 : 2368 9391 60.55.68.53 (: 80) Endpoint-Dependent Mapping Endpoint-Dependent Filtering MSG: Dst: 192.168.0.12 : 2368 Src: 60.55.68.53 : 80 Bob Address: 60.55.68.53 Alice 192.168.0.12 Internal Address: 192.168.0.254 Public Address: 212.50.4.18 STUN Server Address: 130.79.200.22 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 30/77

Universal Plug and Play (UPnP) Designed for zero-configuration networking and to allow devices to: dynamically join a network and obtain an IP address announce its name advertise capabilities discover other devices and their capabilities Makes it easy to: www.upnp.org Learn the external (public) address of an internet gateway Enumerate existing port mappings Add and remove port mappings Assign lease times to mappings Standardized as a 73-part International Standard, ISO/IEC 29341, in December, 2008. VoIP and MultiMedia 2011 emil.ivov@jitsi.org 31/77

Relaying Media Symmetric /Firewall F1:P1 TURN Server Address: T Port: Pt Alice Address: Ap Port: Pa Call: To: B Media: T:Pt Symmetric /Firewall F1:p2 Bob Address: B VoIP and MultiMedia 2011 emil.ivov@jitsi.org 32/77

Relaying Media Symmetric /Firewall F1:P1 TURN Server Address: T Port: Pt Bob Address: B Alice Address: Ap Port: Pa Symmetric /Firewall F1:p2 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 33/77

TURN Allocate Request 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 0 0 0x0003 Message Length +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Magic Cookie +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Transaction ID (96 bits) +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ VoIP and MultiMedia 2011 emil.ivov@jitsi.org 34/77

Relaying Media The SIP Way Latching /Firewall SIP Server Address: T Port: Pt Alice Address: Ap Port: Pa Bob Address: B VoIP and MultiMedia 2011 emil.ivov@jitsi.org 35/77

Relaying Media The SIP Way Latching /Firewall SIP Server Address: T Port: Pt Alice Address: Ap Port: Pa Bob Address: B VoIP and MultiMedia 2011 emil.ivov@jitsi.org 36/77

Relaying Media SIP clients behind a symmetric /firewall non-scalable expensive complex symmetric firewall Relay Server SIP clients behind a symmetric / firewall symmetric /firewall VoIP and MultiMedia 2011 emil.ivov@jitsi.org 37/77

Using P2P networks for Traversal p2p Custom P2P network p2p p2p symmetric firewall p2p p2p custom p2p relay clients p2p Skype among the first to implement the technique p2p P2PSIP set off to imitate Skype. No conclusive results after four years p2p symmetric firewall Jingle Nodes an interesting alternative that is worth keeping an eye on custom p2p clients VoIP and MultiMedia 2011 emil.ivov@jitsi.org 38/77

Could we please have IPv6 now? ok, it s probably high time we moved to IPv6 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 39/77

Could we please have IPv6 now? this should simplify VoIP shouldn t it? VoIP and MultiMedia 2011 emil.ivov@jitsi.org 40/77

VoIP and IPv6 demo version network core (registrars, proxies, ) Bob 2001:660::1 Alice 2001:660::2 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 41/77

VoIP and IPv6 demo version network core (registrars, proxies, ) Bob 2001:660::1 Alice 2001:660::2 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 42/77

VoIP and IPv6 demo version network core (registrars, proxies, ) MEDIA Bob 2001:660::1 Alice 2001:660::2 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 43/77

Reality check! Reality check! VoIP and MultiMedia 2011 emil.ivov@jitsi.org 44/77

Reality check! VPN Priv: 172.16.0.0 Pub: 64.233.187.99 Stun Relay Server 212.50.4.12 Alice 2001:660::2 192.168.0.6 130.79.12.64 SIP network Bob 216.109.112.135 Alice s list of addresses: 2001:660::2 192.168.0.6 172.16.0.9 130.79.12.64 64.233.187.99 VoIP 212.50.4.12 and MultiMedia 2011 emil.ivov@jitsi.org 45/77

How to avoid relaying? Interactive Connectivity Establishment (ICE) An IETF RFC brought to you by Skype s Jonathan Rosenberg VoIP and MultiMedia 2011 emil.ivov@jitsi.org 46/77

Address management with ICE VPN Priv: 172.16.0.0 Pub: 64.233.187.99 Stun Relay Server 212.50.4.12 Alice 192.168.0.6 130.79.12.64 SIP network Bob 216.109.112.135 Please try me on any of Alice s list of addresses: the following: 2001:660::2 2001:660::2 192.168.0.6 192.168.0.6 172.16.0.9 172.16.0.9 130.79.12.64 130.79.12.64 64.233.187.99 64.233.187.99 VoIP 212.50.4.12 and MultiMedia 2011 212.50.4.12 emil.ivov@jitsi.org 47/77

Address management with ICE ERROR ERROR VPN Priv: 172.16.0.0 Pub: 64.233.187.99 Stun Relay Server 212.50.4.12 172.16.0.9 Alice 192.168.0.6 130.79.12.64 SIP network Bob 216.109.112.135 ERROR Alice s list of addresses: 2001:660::2 192.168.0.6 ERROR 172.16.0.9 ERROR 130.79.12.64 64.233.187.99 2001:660::2 192.168.0.6 VoIP 212.50.4.12 and MultiMedia 2011 emil.ivov@jitsi.org 48/77

Make no assumptions on: Network topologies behaviors location or presence ICE Design Goals High reliability is essential 90% is not good enough Simple topologies yield simple flows and faster establishment, complex topologies yield complex flows and slower establishment Try to minimize length of the path between clients VoIP and MultiMedia 2011 emil.ivov@jitsi.org 49/77

The ICE 9-Step Program to Recovery Step 1: Allocation Step 2: Prioritization Step 3: Initiation Step 4: Allocation Step 5: Information Step 6: Verification Step 7: Coordination Step 8: Communication Step 9: Confirmation VoIP and MultiMedia 2011 emil.ivov@jitsi.org 50/77

ICE Step 1: Allocation Before initiating the session, the Client Gathers Candidates Relay Relayed candidates reside on a host acting as a relay towards the agent Each candidate is a potential address for receiving traffic Three different types of candidates Host Candidates Server Reflexive Candidates Relayed Candidates Host Candidates reside on the agent itself Server Reflexive candidates are addresses residing on a VoIP and MultiMedia 2011 emil.ivov@jitsi.org 51/77

Using TURN to Obtain Candidates Server reflexive and relayed candidates are learned jointly by talking to a TURN server Client sends query to TURN server TURN Server 12.13.14.15:8200 Query passes through, creates bindings TURN server allocates a relayed address and also reports back source address of request to client This will be the server reflexive address Allocate Request Allocate Response reflexive=1.2.3.4:1000 relayed=12.13.14.15:8200 1.2.3.4:1000 10.0.1.1:500 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 52/77

Pacing of Allocations If a client has Multiple interfaces Multiple IP address versions Multiple STUN servers Multiple media streams Multiple components This can produce a lot of allocation traffic Overload has been reported in the wild s fail to maintain bindings when created too fast For this reason, ICE paces allocations Tries to align with media rate Two problems Network congestion Overload VoIP and MultiMedia 2011 emil.ivov@jitsi.org 53/77

ICE Step 2: Prioritization priority = (2^24)*(type preference) +(2^8)*(local preference) +(2^0)*(256 - component ID) Type Preference Local Preference Component ID 32 bits Type-Preference: Preference for type (host, server reflexive, relayed) Usually 0 for relayed, 126 for host Local Preference: Amongst candidates of same type, preference for them If host is multihomed, preference by interface If host has multiple STUN or TURN servers, preference for that server Component ID for grouping candidates that all must work as an atomic unit This algorithm is only SHOULD strength VoIP and MultiMedia 2011 emil.ivov@jitsi.org 54/77

Visualization: Priority Space 65535 Interface 1 Component 1 Component 2 Host Candidates Interface 2 Server Reflexive Candidates VoIP and MultiMedia 2011 emil.ivov@jitsi.org 55/77

ICE Step 3: Initiation Originator sends an offer message to recipient through rendezvous server i.e., SDP offer in SIP INVITE Offer contains, for each candidate: IP address and port Component ID Foundation Transport Protocol Priority Type Related Address Username fragment and Password Offer RVz Srvr VoIP and MultiMedia 2011 emil.ivov@jitsi.org 56/77

v=0 o=user 14341433 14341433 IP4 10.43.122.3 s=. t=0 0 c=in IP4 10.43.122.3 m=audio 13222 RTP/AVP 0 a=rtpmap:0 PCMU/8000 M=video 13224 RTP/AVP 99 a=rtpmap:99 H264/90000 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 57/77

A Sample ICE Offer v=0 o=ice4j.org 0 0 IN IP4 88.165.90.188 s=c=in IP4 88.165.90.188 t=0 0 a=ice-pwd:3mic8j25sf8m7e583kcr15d860 a=ice-ufrag:34d7g m=audio 1029 RTP/AVP 0 a=candidate:4 1 udp 2113939711 2a01:e35:8a55:abc0:21e:c2ff:fe1b:2fe 2020 typ host a=candidate:2 1 udp 2113937151 fe80:0:0:0:21e:52ff:fec6:c65c 2020 typ host a=candidate:5 1 udp 2113937151 fe80:0:0:0:21e:c2ff:fe1b:2fe 2020 typ host a=candidate:1 1 udp 2113932031 78.251.128.2 2020 typ host a=candidate:3 1 udp 2113932031 192.168.0.54 2020 typ host a=candidate:6 1 udp 1677724415 88.165.90.188 1029 typ srflx raddr 192.168.0.54 rport 2020 a=candidate:4 2 udp 2113939710 2a01:e35:8a55:abc0:21e:c2ff:fe1b:2fe 2021 typ host a=candidate:2 2 udp 2113937150 fe80:0:0:0:21e:52ff:fec6:c65c 2021 typ host a=candidate:5 2 udp 2113937150 fe80:0:0:0:21e:c2ff:fe1b:2fe 2021 typ host a=candidate:1 2 udp 2113932030 78.251.128.2 2021 typ host a=candidate:3 2 udp 2113932030 192.168.0.54 2021 typ host a=candidate:6 2 udp 1677724414 88.165.90.188 1030 typ srflx raddr 192.168.0.54 rport 2021 m=video 1031 RTP/AVP 0 a=candidate:4 1 udp 2113939711 2a01:e35:8a55:abc0:21e:c2ff:fe1b:2fe 2022 typ host a=candidate:2 1 udp 2113937151 fe80:0:0:0:21e:52ff:fec6:c65c 2022 typ host a=candidate:5 1 udp 2113937151 fe80:0:0:0:21e:c2ff:fe1b:2fe 2022 typ host a=candidate:1 1 udp 2113932031 78.251.128.2 2022 typ host a=candidate:3 1 udp 2113932031 192.168.0.54 2022 typ host a=candidate:6 1 udp 1677724415 88.165.90.188 1031 typ srflx raddr 192.168.0.54 rport 2022 a=candidate:4 2 udp 2113939710 2a01:e35:8a55:abc0:21e:c2ff:fe1b:2fe 2023 typ host a=candidate:2 2 udp 2113937150 fe80:0:0:0:21e:52ff:fec6:c65c 2023 typ host a=candidate:5 2 udp 2113937150 fe80:0:0:0:21e:c2ff:fe1b:2fe 2023 typ host a=candidate:1 2 udp 2113932030 78.251.128.2 2023 typ host a=candidate:3 2 udp 2113932030 192.168.0.54 2023 typ host VoIP and MultiMedia 2011 emil.ivov@jitsi.org 58/77 a=candidate:6 2 udp 1677724414 88.165.90.188 1032 typ srflx raddr 192.168.0.54 rport 2023

ICE Step 4: Allocation Recipient party does exactly same processing as originator and obtains its candidates Recommended to not yet ring the phone (for SIP)! Allocate Request TURN Server Allocate Response VoIP and MultiMedia 2011 emil.ivov@jitsi.org 59/77

ICE Step 5: Information Recipient sends response containing an answer Answer contains same information as offer did Rvz Srvr answer VoIP and MultiMedia 2011 emil.ivov@jitsi.org 60/77

ICE Step 6: Verification Each agent pairs up its candidates (local) with its peers (remote) to form candidate pairs Each agent sends a connectivity check at media pacing, in pair priority order Binding Request from the local candidate to the remote candidate TURN Server 5 TURN Server 4 Upon receipt of the request the peer agent generates a response 2 Contains a mapped address indicating the source IP and port seen in the request 3 If the response is received the check has succeeded 1 VoIP and MultiMedia 2011 emil.ivov@jitsi.org 61/77

Authenticating STUN STUN Connectivity checks are authenticated and integrity protected Authentication is based on a username and password Offer Ufrag: AUF Password:APASS Rvz Srvr Answer Ufrag: BUF Password:BPASS Username is constructed by combining username fragments exchanged in offer and answer separated by colon Password is exchanged in offer/ answer Username and password are same for all candidates in a media stream Username: BUF:AUF Password: BPASS Stun requests Username: AUF:BUF Password: APASS VoIP and MultiMedia 2011 emil.ivov@jitsi.org 62/77

Pairing up Candidates O-P: Offerers Priority A-P: Answerers Priority pair priority = 2^32*MIN(O-P,A-P) + 2*MAX(O-P,A-P) + (O-P>A-P?1:0) Minimum Priority Maximum Priority 64 bits Pairs are sorted in order of decreasing pair priority Each agent will end up with the same list Last term serves as a tie breaker Min/Max results in highest priority for pair with two host RTP candidates, lowest for pair with two relayed RTCP VoIP and MultiMedia 2011 emil.ivov@jitsi.org 63/77

Frozen Algorithm ICE provides an optimization called the Frozen algorithm Applicable when checks need to be done for multiple components or sessions Main idea is to use the results of a previous check to predict the likelihood of a future one working Basic algorithm First, check the candidate pairs for first component of the first session Once one succeeds, then check the other components for the first session that are similar Once those are done, check all other components for all other media streams that are similar Candidates are similar when they are of the same type and obtained from the same interface and STUN or TURN server Same foundation VoIP and MultiMedia 2011 emil.ivov@jitsi.org 64/77

Visualizing Frozen Algorithm 9999 Host Candidates Interface 1 Component 1 Component 2 Interface 2 8999 Server Reflexive Candidates Pairs containing the red candidate pairs Will be Waiting, all others Frozen VoIP and MultiMedia 2011 emil.ivov@jitsi.org 65/77

Visualizing Frozen Algorithm 9999 Host Candidates Interface 1 Component 1 Component 2 Interface 2 8999 Server Reflexive Candidates Check on interface succeeds (in Green). Component 2 for same foundation is now Waiting to go and will be done next VoIP and MultiMedia 2011 emil.ivov@jitsi.org 66/77

Peer Reflexive Candidates Connectivity checks can produce additional candidates Peer reflexive candidates Typically happens when there is a symmetric between users Peer reflexive candidate will be discovered by both users For user A, from the Response For user B, from the Request Allows direct media even in the presence of symmetric! allocates new binding towards B A STUN Request A learns a new local candidate towards B! Sym STUN Response B informs A of new binding B VoIP and MultiMedia 2011 emil.ivov@jitsi.org 67/77

ICE Step 7: Coordination ICE needs to finalize on a candidate pair for each component of each media stream More than one may work Each agent needs to conclude on the same set of pairs Finalization takes place without signaling through rendezvous server all through STUN VoIP and MultiMedia 2011 emil.ivov@jitsi.org 68/77

Agent Roles One agent acts as the controlling agent, the other as the controlled agent Controlling agent is normally the offerer, unless offerer signals it is an ICE lite implementation Controlling agent responsible for Deciding when STUN checks should finish Deciding which pairs to use once it is finished VoIP and MultiMedia 2011 emil.ivov@jitsi.org 69/77

Why not just use the first pair? ICE checks proceed in priority order So why not just stop once the first check succeeds, and use that? Several reasons Packet loss on a higher priority check may delay it from finishing giving checks more time may produce better results An agent may have other criteria for choosing pairs (for example RTT estimates!) VoIP and MultiMedia 2011 emil.ivov@jitsi.org 70/77

Signaling Completion When controlling agent is done, it inserts a flag into a STUN check If controlled agent had successfully completed a check in reverse direction, it stops checks for that component of that stream Both agents use the pair generated by the check that included the flag STUN Request STUN Response STUN Request+ flag STUN Response done Controlling Controlled VoIP and MultiMedia 2011 emil.ivov@jitsi.org 71/77

ICE Lite ICE Supports an implementation level called ICE lite Used for endpoints that always have public IP PSTN gateways Media servers Conference servers These endpoints need to run ICE for ICE to be used, but don t themselves have a problem An agent signals its lite in offer or answer If both agents are lite no checks or state machinery is used A lite agent has a single v4 candidate (host only) and only needs to Receive a STUN check and send a response Process offers and answers Use the candidate pair based on done flag in STUN VoIP and MultiMedia 2011 emil.ivov@jitsi.org 72/77

ICE Step 8: Communication Media can flow in each direction once pairs have been selected by the controlling agent for each component Allows early media in both directions STUN Server STUN Server VoIP and MultiMedia 2011 emil.ivov@jitsi.org 73/77

ICE Step 9: SIP-specific fix-up If m/c-line in original INVITE didn t match candidate pairs selected by ICE, controlling agent does a re-invite to place them in m/c-line Re-INVITE ensures that middleboxes have the correct media address QoS installation (i.e., IMS or Packetcable) Diagnostic tools Monitoring applications Firewalls Re-INVITE 200 OK ACK Offerer Answerer VoIP and MultiMedia 2011 emil.ivov@jitsi.org 74/77

and Firewall Traversal VoIP and MultiMedia 2011 emil.ivov@jitsi.org 75/77