Title: NAT/ALG
1 NAT/ALG
Taken from the SIP Illustrated Advanced Topics Module
2 Preface: The home/office VoIP problem
Jeng is sitting at home in front of her PC. She has just installed a new (SIP-based) soft phone (Xten) on the PC. She can't wait to use it to call her professor at school (on his soft phone) and tell him the good news. She locates the professor's contact in her address book and clicks on it... Looks like this is going to work. Is that so...?
[Network diagram: Home - PC A 192.168.1.101 behind a NAT/Router 192.168.1.1 (public side 24.15.254.243); Comcast - DNS 68.87.66.196; School - SIP Proxy 129.119.110.17, SIP phone B 129.119.110.19]
3 NAT/ALG - Contents
Intro ........................................................ 2-5
- What NAT is ................................................ 4
- Why we need ALG ............................................ 5
- How ALG works .............................................. 6-7
ALG built in the phone, a detailed example ................... 8
- Overview ................................................... 9
- Step 1 - Resolving the host name of the web server ......... 10
- Step 2 - Receiving the IP address of the web server ........ 11
- Step 3 - Asking the web server for the NAT address ......... 12
- Step 4 - Receiving the NATted IP address of the PC ......... 13
- Step 5 - Sending an INVITE request to the outbound SIP proxy 14
- Step 6 - Forwarding the INVITE to user B ................... 15
- Step 7 - Stop (potential) retransmissions at A (100 Trying)  16
- Step 8 - User B's phone is ringing ......................... 17
- Step 9 - User A's phone plays a ring-back tone ............. 18
- Step 10 - User B has picked up the phone ................... 19
- Step 11 - User A's phone receives an answer indication ..... 20
- Step 12 - Completing the SIP signaling handshake (ACK) ..... 21
- Step 13 - Forwarding the ACK to user B ..................... 22
- Step 14 - Conversation time (first RTP - Hello) ............ 23
4 Intro: What NAT is
- NAT stands for "Network Address Translator". It is a network layer creature whose job in life is to "hide" hosts on a corporate or home private sub-network by granting them on-the-fly "external" IP addresses when they send packets to the external IP world. The motivation behind this trick is to enable private networks to reuse expensive and rare IPv4 addresses, which might be in "official" use by hosts on the public Internet or on other private networks. The NAT accomplishes the hiding task by mapping the internal IP address (and port) of the host to a public/routable one. In figure 1 below the NAT server maps the private IP address of user-A (10.1.1.1) to a public one, 157.55.0.1. User-B will therefore see incoming IP packets (from A) with the source address 157.55.0.1. User-B will send IP packets back to A using the destination address 157.55.0.1. The NAT server (based on its internal mapping/binding) will translate the IP address 157.55.0.1 back to the original private address, 10.1.1.1, and will then forward the packet to user-A.
[Figure 1: A typical NAT server - private IP on the inside, public IP on the outside]
5 Why we need ALG
- Seemingly, so far so good. However, NAT and private IP domains introduce a serious traversal problem for SIP networks. For instance, a SIP endpoint hiding in the private domain behind a NAT would naturally populate the address-related fields in a SIP message it generates with private IP address values (e.g. Contact: <sip:user-A@10.1.1.1:5060>)! The same goes for the address fields in the SDP element (e.g. c=IN IP4 10.1.1.1). These values are not routable, meaning both SIP messages and RTP packets sent back to these addresses would not be able to reach their destinations. The message below illustrates this problematic situation.
    INVITE sip:User-B@there.edu SIP/2.0
    Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK1
    Max-Forwards: 70
    From: BigGuy <sip:10.1.1.1:5060>;tag=b66ks127ha
    To: LittleGuy
    Call-ID: 12345601@a.here.edu
    CSeq: 1 INVITE
    Contact: BigGuy <sip:user-A@10.1.1.1:5060>
    Content-Type: application/sdp
    Content-Length: 179

    v=0
    o=User-A 2890844526 2890844526 IN IP4 a.here.edu
    s=A simple SDP Session
    c=IN IP4 10.1.1.1
    m=audio 49172 RTP/AVP 0 98

Private IP address:port embedded in the SIP/SDP INVITE request.
6 How ALG works
- ALG (Application Layer Gateway) is one of the offered solutions to that problem. It is a piece of hardware and/or (application layer) software which works together with the NAT. It replaces the private IP:port addresses in an outgoing SIP/SDP message with public ones. It then instructs the NAT to create the public-private mapping accordingly. The incoming SIP and RTP packets will thus carry public IP addresses:ports, which get mapped back by the NAT to the original private IP addresses:ports of the SIP endpoint behind it. In the example below the private IP address of user-A, 10.1.1.1, is mapped to 157.55.0.1, and the private ports 5060 (SIP) and 49172 (RTP) are mapped to 2222 and 3333 respectively.
The private IP address:port embedded in the SIP/SDP INVITE request gets translated by the ALG to the NAT's public ones:
    INVITE sip:User-B@there.edu SIP/2.0
    Via: SIP/2.0/UDP 157.55.0.1:2222;branch=z9hG4bK1
    Max-Forwards: 70
    From: BigGuy <sip:157.55.0.1:2222>;tag=b66ks127ha
    To: LittleGuy
    Call-ID: 12345601@a.here.edu
    CSeq: 1 INVITE
    Contact: BigGuy <sip:user-A@157.55.0.1:2222>
    Content-Type: application/sdp
    Content-Length: 179

    v=0
    o=User-A 2890844526 2890844526 IN IP4 a.here.edu
    s=A simple SDP Session
    c=IN IP4 157.55.0.1
    m=audio 3333 RTP/AVP 0 98        (was 49172)
7 How ALG works - continued
- ALG and NAT can therefore be viewed as two components of the same solution. Normally they would be implemented by two applications sharing the same machine. The SIP signaling must always go through the ALG component; this ensures it gets the right translation. The RTP media does NOT have to go through the ALG component, but can go directly through the NAT component. The NAT will make sure it correctly redirects/maps incoming RTP packets back to the endpoint (e.g. user-A in our example). The same goes for incoming SIP packets.
[Figure 4: A typical NAT server with ALG - SIP signaling passes through the ALG, RTP passes only through the NAT; private IP on the inside, public IP on the outside]
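The translation described on slides 6 and 7, as an added example in Python (this is not code from the SIP Illustrated module). The class NatBindingTable and the function alg_rewrite are hypothetical names: the ALG rewrites the private IP:port in the Via, From and Contact headers and in the SDP c=/m= lines, creating a NAT binding for each private endpoint it touches; the NAT side then maps an inbound public port back to the private endpoint, which is what lets the reply SIP and RTP packets reach the phone. The INVITE is a constructed copy of the one on slide 5, and the port pool 2222, 3333 is fed in explicitly so the output matches the slide.

```python
import ipaddress
import re
from typing import Dict, Iterator, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)

# Constructed copy of the slide 5 INVITE, private addresses in Via/From/Contact and SDP.
_INVITE_HEAD = (
    "INVITE sip:User-B@there.edu SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.1.1:5060;branch=z9hG4bK1\r\n"
    "Max-Forwards: 70\r\n"
    "From: BigGuy <sip:10.1.1.1:5060>;tag=b66ks127ha\r\n"
    "To: LittleGuy <sip:User-B@there.edu>\r\n"
    "Call-ID: 12345601@a.here.edu\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: BigGuy <sip:user-A@10.1.1.1:5060>\r\n"
    "Content-Type: application/sdp\r\n"
)
_INVITE_BODY = (
    "v=0\r\n"
    "o=User-A 2890844526 2890844526 IN IP4 a.here.edu\r\n"
    "s=A simple SDP Session\r\n"
    "c=IN IP4 10.1.1.1\r\n"
    "m=audio 49172 RTP/AVP 0 98\r\n"
)
PRIVATE_INVITE = _INVITE_HEAD + f"Content-Length: {len(_INVITE_BODY.encode())}\r\n\r\n" + _INVITE_BODY


class NatBindingTable:
    """Binding table shared by the NAT and the ALG (hypothetical class, not a product API)."""

    def __init__(self, public_ip: str, port_pool: Iterator[int]) -> None:
        self.public_ip = public_ip
        self._pool = port_pool
        self.outbound: Dict[Endpoint, int] = {}  # (private ip, private port) -> public port
        self.inbound: Dict[int, Endpoint] = {}   # public port -> (private ip, private port)

    def map(self, private: Endpoint) -> Endpoint:
        """Return the public (ip, port) for a private endpoint, creating the binding on first use."""
        if private not in self.outbound:
            try:
                public_port = next(self._pool)
            except StopIteration:
                raise RuntimeError("NAT public port pool exhausted") from None
            self.outbound[private] = public_port
            self.inbound[public_port] = private
        return self.public_ip, self.outbound[private]

    def translate_inbound(self, public_port: int) -> Optional[Endpoint]:
        """NAT side: an inbound packet to public_port goes to this private endpoint (or is dropped)."""
        return self.inbound.get(public_port)


_ADDR_PORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
_REWRITTEN_HEADERS = {"via", "from", "contact"}


def _is_private(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_private
    except ValueError:
        return False


def alg_rewrite(message: str, nat: NatBindingTable) -> str:
    """ALG side: replace private ip:port values with NAT bindings and fix Content-Length."""
    head, sep, body = message.partition("\r\n\r\n")
    if not sep:
        raise ValueError("not a complete SIP message (no header/body separator)")

    def swap(match) -> str:
        ip, port = match.group(1), int(match.group(2))
        if not _is_private(ip):
            return match.group(0)  # already public: leave it alone
        pub_ip, pub_port = nat.map((ip, port))
        return f"{pub_ip}:{pub_port}"

    header_lines = []
    for line in head.split("\r\n"):
        name = line.partition(":")[0].strip().lower()
        if name in _REWRITTEN_HEADERS:
            line = _ADDR_PORT.sub(swap, line)
        header_lines.append(line)

    # SDP: the session-level c= line carries the IP, each m= line its own port.
    sdp_lines = body.split("\r\n")
    c_ip = next((l.split()[2] for l in sdp_lines if l.startswith("c=IN IP4 ")), None)
    if c_ip is not None and _is_private(c_ip):
        for i, line in enumerate(sdp_lines):
            if line.startswith("m="):
                fields = line.split()
                _, pub_port = nat.map((c_ip, int(fields[1])))
                fields[1] = str(pub_port)
                sdp_lines[i] = " ".join(fields)
            elif line.startswith("c=IN IP4 "):
                sdp_lines[i] = f"c=IN IP4 {nat.public_ip}"
    new_body = "\r\n".join(sdp_lines)

    # The body length changed, so Content-Length must be recomputed or the receiver truncates the SDP.
    header_lines = [
        f"Content-Length: {len(new_body.encode())}" if l.lower().startswith("content-length:") else l
        for l in header_lines
    ]
    return "\r\n".join(header_lines) + "\r\n\r\n" + new_body


if __name__ == "__main__":
    table = NatBindingTable("157.55.0.1", iter([2222, 3333]))
    print(alg_rewrite(PRIVATE_INVITE, table))
    print("inbound to :3333 ->", table.translate_inbound(3333))
```

Two points the slide's figure leaves implicit show up in the code: the same private endpoint (10.1.1.1:5060 in Via, From and Contact) must map to one binding, not three, and the Content-Length has to be rewritten along with the body, since the public address is a different length than the private one.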
8 ALG built in the phone, a detailed example
- An ALG may also be built into a smart SIP phone. The SIP phone in such a case can learn by various means that it is located behind a NAT. These means include running the STUN protocol or other proprietary solutions (e.g. obtaining the public IP address of the NAT from a special web server). What follows is a detailed example of a SIP call initiated by such a smart phone. The smart phone, A, is used by a student (Jeng) from her home to call her professor, who uses his SIP phone, B, at school. As can be seen below, Jeng's home is connected to the Internet via a cable modem. Her home router acts as a NAT (since the IP addresses of the home devices are allocated by it locally). She uses the Xten SIP soft phone (a.k.a. CounterPath) on her PC. The call (signaling) goes via a SIP proxy, which is located in the school domain.
[Network diagram: Home - PC A 192.168.1.101 behind a NAT/Router 192.168.1.1 (public side 24.15.254.243); Comcast - DNS 68.87.66.196; School - SIP Proxy 129.119.110.17, SIP phone B 129.119.110.19; Xten.com domain - Web server brands.xten.net 64.69.76.10]
9 ALG built in the phone, a detailed example - overview
- The example includes the following steps:
- Steps 1-4 - NAT discovery
- Steps 5-13 - Call setup (INVITE transaction utilizing the NAT info obtained in steps 1-4)
- Step 14 - Conversation (over RTP)
- Next is a detailed breakdown of each step.
[Network diagram as on slide 8]
10 Step 1 - Resolving the host name of the web server
- Step 1: SIP phone A is configured with the host name of an HTTP (web) server on the Internet (brands.xten.net). It received via DHCP the IP address of the DNS server (along with its own IP address). It sends the DNS server a query to resolve the host name of the web server to an IP address. (Note: the IP packet below was captured by a sniffer sitting on the LAN of the DNS server. That's why the source IP address is the IP address of the NAT.)
Captured packet:
    MAC
    IP   src 24.15.254.243  dst 68.87.66.196
    UDP  src port 1026      dst port 53
    DNS  query: brands.xten.net IP address?
[Network diagram as on slide 8]
11 Step 2 - Receiving the IP address of the web server
- Step 2: The DNS server responds with the IP address of the web server. (Note: the DNS server saw a source address of 24.15.254.243, i.e. the IP address of the home NAT, so it sends its response there. It neither knows nor cares that the source of the query sits behind a NAT. The NAT forwards the IP packet encapsulating the DNS response back to the PC, based on the mapping it created between the PC's IP address (192.168.1.101) and the IP address of the DNS server (68.87.66.196).)
Captured packet:
    MAC
    IP   src 68.87.66.196   dst 24.15.254.243
    UDP  src port 53        dst port 1026
    DNS  response: IP address is 64.69.76.10
[Network diagram as on slide 8]
12 Step 3 - Asking the web server for the NAT address
- Step 3: SIP client A establishes a TCP connection with the web server and sends an HTTP GET request over it. (Note: this is a non-standard trick used by Xten to implement the STUN idea.)
Captured packet:
    MAC
    IP   src 24.15.254.243  dst 64.69.76.10
    TCP  src port 1082      dst port 80
    HTTP GET (my NATted IP address?)
[Network diagram as on slide 8]
13 Step 4 - Receiving the NATted IP address of the PC
- Step 4: The web server responds with the IP address of the NAT. (Note: next, the PC will use this information to correctly set up the address-related fields in the SIP INVITE and its SDP payload, and by doing so it practically implements ALG functionality!)
Captured packet:
    MAC
    IP   src 64.69.76.10    dst 24.15.254.243
    TCP  src port 80        dst port 1082
    HTTP response: NAT IP address is 24.15.254.243
[Network diagram as on slide 8]
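Steps 1-4 are one procedure: the phone asks a public web server which source address it saw, and uses the answer as its "NATted" address. The following added example in Python reproduces that exchange end to end on loopback (it is not Xten's code, and the handler, the URL path and the JSON field name observed_ip are assumptions of this example): the server side answers GET with the peer address of the TCP connection, the phone side fetches it, validates it as an IPv4 address, and decides what to advertise in Via, Contact and c=. The home address 192.168.1.101 and NAT address 24.15.254.243 used in the second call are the slide's values.

```python
import ipaddress
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict


class ReflectAddressHandler(BaseHTTPRequestHandler):
    """Web-server side of step 4: answer GET with the source IP seen on the TCP connection.

    For a client behind a NAT that source IP is the NAT's public address, which is
    exactly the information the phone is after (hypothetical handler, not Xten's server).
    """

    def do_GET(self) -> None:
        body = json.dumps({"observed_ip": self.client_address[0]}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args) -> None:  # keep the example quiet
        pass


def start_reflector(host: str = "127.0.0.1", port: int = 0) -> HTTPServer:
    """Run the reflector in a background thread; port 0 lets the OS pick a free port."""
    server = HTTPServer((host, port), ReflectAddressHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def query_reflected_ip(url: str, timeout: float = 5.0) -> str:
    """Phone side of step 3: one HTTP GET, return the address the server observed.

    The reply comes from an unauthenticated server, so it is treated as untrusted
    input and must parse as an IPv4 address before it goes into any SIP header.
    """
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env vars
    with opener.open(url, timeout=timeout) as resp:
        observed = json.loads(resp.read().decode())["observed_ip"]
    return str(ipaddress.IPv4Address(observed))  # raises ValueError on anything else


def nat_discovery(local_ip: str, reflected_ip: str) -> Dict[str, object]:
    """Compare the interface address with the reflected one and pick the address to advertise."""
    behind_nat = local_ip != reflected_ip
    return {
        "local_ip": local_ip,
        "public_ip": reflected_ip,
        "behind_nat": behind_nat,
        # Address the phone puts into Via/Contact/c= so that replies and RTP are routable.
        "advertise_ip": reflected_ip if behind_nat else local_ip,
    }


if __name__ == "__main__":
    server = start_reflector()
    seen = query_reflected_ip(f"http://127.0.0.1:{server.server_address[1]}/")
    server.shutdown()
    print(nat_discovery("127.0.0.1", seen))
    print(nat_discovery("192.168.1.101", "24.15.254.243"))  # the slide's home PC and NAT
```

The reflection tells the phone only the NAT's IP, not which public port the NAT will pick for its SIP and RTP sockets. In the capture on the following slides that is enough because the home NAT keeps the source ports unchanged (5060 stays 5060, 8000 stays 8000); a NAT that rewrites ports would need a mechanism that also reports the mapped port, which is what STUN provides.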
14 Step 5 - Sending an INVITE request to the outbound SIP proxy
- Step 5: The Xten SIP client sends an INVITE request destined to the SIP proxy. (Note: the PC's Xten client is configured with the IP address of the SIP proxy (located at school). Every outgoing SIP request will therefore be sent to the proxy on the well-known port.)
Captured packet:
    MAC
    IP   src 24.15.254.243  dst 129.119.110.17
    UDP  src port 5060      dst port 5060
    SIP  INVITE (user B)
         Request-URI: sip:prof@129.119.110.17
         Via: SIP/2.0/UDP 24.15.254.243:5060
         Contact: ...
         SDP: c=IN IP4 24.15.254.243, media port 8000
[Network diagram as on slide 8]
15 Step 6 - Forwarding the INVITE to user B
- Step 6: The SIP proxy (looks up user B in its registry table and based on that) forwards the INVITE to endpoint B. (Note: the school IP network is in the public domain (129.119.x.x).)
Captured packet:
    MAC
    IP   src 129.119.110.17 dst 129.119.110.19
    UDP  src port 1039      dst port 5060
    SIP  INVITE (user B)
         Request-URI: sip:prof@129.119.110.19
         Via: SIP/2.0/UDP 129.119.110.17:5060
         Via: SIP/2.0/UDP 24.15.254.243:5060
         Record-Route: ...
         Contact: ...
         SDP: c=IN IP4 24.15.254.243, media port 8000
[Network diagram as on slide 8]
16 Step 7 - Stop (potential) retransmissions at A (100 Trying)
- Step 7: The SIP proxy sends 100 Trying back to A (so A can now advance its state machine to the next state and halt potential retransmissions of the INVITE).
Captured packet:
    MAC
    IP   src 129.119.110.17 dst 24.15.254.243
    UDP  src port 1039      dst port 5060
    SIP  SIP/2.0 100 Trying
         Via: SIP/2.0/UDP 24.15.254.243:5060
[Network diagram as on slide 8]
17 Step 8 - Letting user A know that user B's phone is ringing
- Step 8: B sends 180 Ringing back to the proxy (based on the topmost Via header) to indicate that it has alerted the user.
Captured packet:
    MAC
    IP   src 129.119.110.19 dst 129.119.110.17
    UDP  src port 5060      dst port 5060
    SIP  SIP/2.0 180 Ringing
         Via: SIP/2.0/UDP 129.119.110.17:5060
         Via: SIP/2.0/UDP 24.15.254.243:5060
         Record-Route: sip:129.119.110.17:5060
         Contact: ...
[Network diagram as on slide 8]
18 Step 9 - User A's phone plays a ring-back tone
- Step 9: The SIP proxy forwards the 180 Ringing back to A (so, based on that, A knows it can now play a ring-back tone (RBT) to the user). Note: the NAT doesn't touch the UDP header.
Captured packet:
    MAC
    IP   src 129.119.110.17 dst 24.15.254.243
    UDP  src port 1039      dst port 5060
    SIP  SIP/2.0 180 Ringing
         Via: SIP/2.0/UDP 24.15.254.243:5060
         Record-Route: sip:129.119.110.17:5060
         Contact: ...
[Network diagram as on slide 8]
19 Step 10 - User B has picked up the phone
- Step 10: B sends 200 OK back to the proxy (based on the topmost Via header) to indicate that the user has picked up the phone.
Captured packet:
    MAC
    IP   src 129.119.110.19 dst 129.119.110.17
    UDP  src port 5060      dst port 5060
    SIP  SIP/2.0 200 OK
         Via: SIP/2.0/UDP 129.119.110.17:5060
         Via: SIP/2.0/UDP 24.15.254.243:5060
         Record-Route: ...
         Contact: ...
         SDP: c=IN IP4 129.119.110.19, media port 8386
[Network diagram as on slide 8]
20 Step 11 - User A's phone receives an answer indication
- Step 11: The SIP proxy forwards the 200 OK back to A (so, based on that, A knows it can display/sound an answer indication to the user). Note: the NAT doesn't touch the UDP header.
Captured packet:
    MAC
    IP   src 129.119.110.17 dst 24.15.254.243
    UDP  src port 1039      dst port 5060
    SIP  SIP/2.0 200 OK
         Via: SIP/2.0/UDP 24.15.254.243:5060
         Record-Route: sip:129.119.110.17:5060
         Contact: ...
         SDP: c=IN IP4 129.119.110.19, media port 8386
[Network diagram as on slide 8]
21 Step 12 - Completing the SIP signaling handshake (ACK)
- Step 12: The Xten SIP client sends an ACK request destined to the SIP proxy. (Note: the proxy has Record-Routed itself, so now by definition every request has to go via it regardless of the initial configuration.)
Captured packet:
    MAC
    IP   src 24.15.254.243  dst 129.119.110.17
    UDP  src port 5060      dst port 5060
    SIP  ACK (user B)
         Request-URI: sip:prof@129.119.110.17
         Via: SIP/2.0/UDP 24.15.254.243:5060
         Contact: ...
         Route: sip:129.119.110.17, sip:prof@129.119.110.19
[Network diagram as on slide 8]
22 Step 13 - Forwarding the ACK to user B
- Step 13: The SIP proxy forwards the ACK to endpoint B. (Note: this can be done either based on the Route header or based on a registry table lookup.)
Captured packet:
    MAC
    IP   src 129.119.110.17 dst 129.119.110.19
    UDP  src port 1039      dst port 5060
    SIP  ACK (user B)
         Request-URI: sip:prof@129.119.110.19
         Via: SIP/2.0/UDP 129.119.110.17:5060
         Via: SIP/2.0/UDP 24.15.254.243:5060
         Route: ...
         Contact: <sip:...@24.15.254.243:5060>
[Network diagram as on slide 8]
23 Step 14 - Conversation time (first RTP - Hello)
- Step 14: User B says hello. SIP client B encapsulates the bits representing the user's voice in G.711 over RTP and sends them directly to A (i.e. the proxy is not in the media loop). (Note: check out the port numbers below. Compare them with the ones advertised in the SDP payloads!)
Captured packet:
    MAC
    IP   src 129.119.110.19 dst 24.15.254.243
    UDP  src port 8386      dst port 8000
    RTP  "Hello"
[Network diagram as on slide 8]
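The note on step 14 asks the reader to compare the RTP port numbers with the ones advertised in the SDP payloads. The following added example in Python (not part of the SIP Illustrated module) does that comparison mechanically: it extracts the media endpoint from the offer SDP (the INVITE of step 5) and the answer SDP (the 200 OK of step 10), derives the RTP and RTCP flows they imply, and classifies captured UDP packets against them. The SDP fragments and the packets are constructed from the slide's values; 203.0.113.7 is a documentation address standing in for a sender that was never signaled, and the function names are this example's own.

```python
from typing import Dict, List, Tuple

Endpoint = Tuple[str, int]
Flow = Tuple[Endpoint, Endpoint]        # (src, dst)
Packet = Tuple[str, int, str, int]      # (src_ip, src_port, dst_ip, dst_port)

# Constructed SDP fragments carrying the values from the step 5 INVITE and the step 10 200 OK.
OFFER_SDP = "v=0\r\nc=IN IP4 24.15.254.243\r\nm=audio 8000 RTP/AVP 0 98\r\n"
ANSWER_SDP = "v=0\r\nc=IN IP4 129.119.110.19\r\nm=audio 8386 RTP/AVP 0\r\n"

# Constructed UDP packets: three belong to the call, the last comes from an unsignaled source.
CAPTURE: List[Packet] = [
    ("129.119.110.19", 8386, "24.15.254.243", 8000),  # B -> A RTP, the "Hello" of step 14
    ("24.15.254.243", 8000, "129.119.110.19", 8386),  # A -> B RTP
    ("129.119.110.19", 8387, "24.15.254.243", 8001),  # B -> A RTCP (RTP port + 1)
    ("203.0.113.7", 40000, "24.15.254.243", 8000),    # not in any SDP, aimed at A's media port
]


def audio_endpoint(sdp: str) -> Endpoint:
    """Return (ip, port) of the audio stream from a session-level c= line and the m=audio line."""
    ip = None
    port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("SDP lacks a c=IN IP4 or an m=audio line")
    return ip, port


def signaled_flows(offer_sdp: str, answer_sdp: str) -> Dict[Flow, str]:
    """Every 4-tuple the two SDP bodies permit, labelled rtp or rtcp (RTCP uses RTP port + 1)."""
    a = audio_endpoint(offer_sdp)
    b = audio_endpoint(answer_sdp)
    flows: Dict[Flow, str] = {}
    for src, dst in ((a, b), (b, a)):
        flows[(src, dst)] = "rtp"
        flows[((src[0], src[1] + 1), (dst[0], dst[1] + 1))] = "rtcp"
    return flows


def classify_capture(packets: List[Packet], offer_sdp: str, answer_sdp: str) -> List[str]:
    """Label each packet rtp, rtcp, or unsignaled according to the SDP exchange."""
    flows = signaled_flows(offer_sdp, answer_sdp)
    verdicts = []
    for src_ip, src_port, dst_ip, dst_port in packets:
        verdicts.append(flows.get(((src_ip, src_port), (dst_ip, dst_port)), "unsignaled"))
    return verdicts


if __name__ == "__main__":
    for pkt, verdict in zip(CAPTURE, classify_capture(CAPTURE, OFFER_SDP, ANSWER_SDP)):
        print(f"{pkt[0]}:{pkt[1]} -> {pkt[2]}:{pkt[3]}  {verdict}")
```

The home NAT of the example only knows that 24.15.254.243:8000 belongs to the PC, so it would forward the fourth packet just like the first; restricting the pinhole to the peer named in the SDP is something a SIP-aware firewall or ALG can do because it has seen the signaling, and running a check like this over a capture is the quickest way to spot media that does not match it.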
24 Post mortem: a surprise!
- Taking the approach of "do not confuse me with the facts", we cheated a little bit.
- In our lab experiment the first RTP packet was really sent by B right after step 12, i.e. before receiving the ACK. Commercial SIP clients have a tendency to do that. The idea is to reduce call setup time. This phenomenon is known as "early media". The drawback is the possibility of running into an embarrassing case when the 200 OK gets lost, and client A has no way yet to send media back (nor RTCP receiver reports) to B (as the SDP is part of the 200 OK). However, in general things seem to work.
[Cartoon caption: "Please, do not confuse me with the facts"; network diagram as on slide 8]
25 Help/about
Edition 3.0, by sipknowledge.
Web: www.sipknowledge.com
Mail: contact@sipknowledge.com