diff options
Diffstat (limited to 'pjnath/docs/doc_nat.h')
-rw-r--r-- | pjnath/docs/doc_nat.h | 415 |
1 files changed, 415 insertions, 0 deletions
diff --git a/pjnath/docs/doc_nat.h b/pjnath/docs/doc_nat.h new file mode 100644 index 00000000..5440c14e --- /dev/null +++ b/pjnath/docs/doc_nat.h @@ -0,0 +1,415 @@ +/* $Id$ */ +/* + * Copyright (C) 2008-2009 Teluu Inc. (http://www.teluu.com) + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + + +/** + +@defgroup nat_intro Introduction to Network Address Translation (NAT) and NAT Traversal +@brief This page describes NAT and the problems caused by it and the solutions + + + +\section into Introduction to NAT + + +NAT (Network Address Translation) is a mechanism where a device performs +modifications to the TCP/IP address/port number of a packet and maps the +IP address from one realm to another (usually from private IP address to +public IP address and vice versa). This works by the NAT device allocating +a temporary port number on the public side of the NAT upon forwarding +outbound packet from the internal host towards the Internet, maintaining +this mapping for some predefined time, and forwarding the inbound packets +received from the Internet on this public port back to the internal host. + + +NAT devices are installed primarily to alleviate the exhaustion of IPv4 +address space by allowing multiple hosts to share a public/Internet address. +Also due to its mapping nature (i.e. a mapping can only be created by +a transmission from an internal host), NAT device is preferred to be +installed even when IPv4 address exhaustion is not a problem (for example +when there is only one host at home), to provide some sort of security/shield +for the internal hosts against threats from the Internet. + + +Despite the fact that NAT provides some shields for the internal network, +one must distinguish NAT solution from firewall solution. NAT is not +a firewall solution. A firewall is a security solution designed to enforce +the security policy of an organization, while NAT is a connectivity solution +to allow multiple hosts to use a single public IP address. Understandably +both functionalities are difficult to separate at times, since many +(typically consumer) products claims to do both with the same device and +simply label the device a “NAT box”. But we do want to make this distinction +rather clear, as PJNATH is a NAT traversal helper and not a firewall bypass +solution (yet). + + + +\section problems The NAT traversal problems + + +While NAT would work well for typical client server communications (such as +web and email), since it's always the client that initiates the conversation +and normally client doesn't need to maintain the connection for a long time, +installation of NAT would cause major problem for peer-to-peer communication, +such as (and especially) VoIP. These problems will be explained in more detail +below. + + +\subsection peer_addr Peer address problem + + +In VoIP, normally we want the media (audio, and video) to flow directly +between the clients, since relaying is costly (both in terms of bandwidth +cost for service provider, and additional latency introduced by relaying). +To do this, each client informs its media transport address to the other +client , by sending it via the VoIP signaling path, and the other side would +send its media to this transport address. + + +And there lies the problem. If the client software is not NAT aware, then +it would send its private IP address to the other client, and the other +client would not be able to send media to this address. + + +Traditionally this was solved by using STUN. With this mechanism, the client +first finds out its public IP address/port by querying a STUN server, then +send sthis public address instead of its private address to the other +client. When both sides are using this mechanism, they can then send media +packets to these addresses, thereby creating a mapping in the NAT (also +called opening a "hole", hence this mechanism is also popularly called +"hole punching") and both can then communicate with each other. + + +But this mechanism does not work in all cases, as will be explained below. + + + +\subsection hairpin Hairpinning behavior + + +Hairpin is a behavior where a NAT device forwards packets from a host in +internal network (lets call it host A) back to some other host (host B) in +the same internal network, when it detects that the (public IP address) +destination of the packet is actually a mapped IP address that was created +for the internal host (host B). This is a desirable behavior of a NAT, +but unfortunately not all NAT devices support this. + + +Lacking this behavior, two (internal) hosts behind the same NAT will not +be able to communicate with each other if they exchange their public +addresses (resolved by STUN above) to each other. + + + +\subsection symmetric Symmetric behavior + + +NAT devices don't behave uniformly and people have been trying to classify +their behavior into different classes. Traditionally NAT devices are +classified into Full Cone, Restricted Cone, Port Restricted Cone, and +Symmetric types, according to <A HREF="http://www.ietf.org/rfc/rfc3489.txt">RFC 3489</A> +section 5. A more recent method of classification, as explained by +<A HREF="http://www.ietf.org/rfc/rfc4787.txt">RFC 4787</A>, divides +the NAT behavioral types into two attributes: the mapping behavior +attribute and the filtering behavior attribute. Each attribute can be +one of three types: <i>Endpoint-Independent</i>, <i>Address-Dependent</i>, +or <i>Address and Port-Dependent</i>. With this new classification method, +a Symmetric NAT actually is an Address and Port-Dependent mapping NAT. + + +Among these types, the Symmetric type is the hardest one to work with. +The problem is because the NAT allocates different mapping (of the same +internal host) for the communication to the STUN server and the +communication to the other (external) hosts, so the IP address/port that +is informed by one host to the other is meaningless for the recipient +since this is not the actual IP address/port mapping that the NAT device +creates. The result is when the recipient host tries to send a packet to +this address, the NAT device would drop the packet since it does not +recognize the sender of the packet as the "authorized" hosts to send +to this address. + + +There are two solutions for this. The first, we could make the client +smarter by switching transmission of the media to the source address of +the media packets. This would work since normally clients uses a well +known trick called symmetric RTP, where they use one socket for both +transmitting and receiving RTP/media packets. We also use this +mechanism in PJMEDIA media transport. But this solution only works +if a client behind a symmetric NAT is not communicating with other +client behind either symmetric NAT or port-restricted NAT. + + +The second solution is to use media relay, but as have been mentioned +above, relaying is costly, both in terms of bandwidth cost for service +provider and additional latency introduced by relaying. + + + +\subsection binding_timeout Binding timeout + +When a NAT device creates a binding (a public-private IP address +mapping), it will associate a timer with it. The timer is used to +destroy the binding once there is no activity/traffic associated with +the binding. Because of this, a NAT aware application that wishes to +keep the binding open must periodically send outbound packets, +a mechanism known as keep-alive, or otherwise it will ultimately +loose the binding and unable to receive incoming packets from Internet. + + +\section solutions The NAT traversal solutions + + +\subsection stun Old STUN (RFC 3489) + +The original STUN (Simple Traversal of User Datagram Protocol (UDP) +Through Network Address Translators (NATs)) as defined by +<A HREF="http://www.ietf.org/rfc/rfc3489.txt">RFC 3489</A> +(published in 2003, but the work was started as early as 2001) was +meant to be a standalone, standard-based solution for the NAT +connectivity problems above. It is equipped with NAT type detection +algoritm and methods to hole-punch the NAT in order to let traffic +to get through and has been proven to be quite successful in +traversing many types of NATs, hence it has gained a lot of popularity + as a simple and effective NAT traversal solution. + +But since then the smart people at IETF has realized that STUN alone +is not going to be enough. Besides its nature that STUN solution cannot +solve the symmetric-to-symmetric or port-restricted connection, +people have also discovered that NAT behavior can change for different +traffic (or for the same traffic overtime) hence it was concluded that +NAT type detection could produce unreliable results hence one should not +rely too much on it. + +Because of this, STUN has since moved its efforts to different strategy. +Instead of attempting to provide a standalone solution, it's now providing +a part solution and framework to build other (STUN based) protocols +on top of it, such as TURN and ICE. + + +\subsection stunbis STUN/STUNbis (RFC 5389) + +The Session Traversal Utilities for NAT (STUN) is the further development +of the old STUN. While it still provides a mechanism for a client to +query its public/mapped address to a STUN server, it has deprecated +the use of NAT type detection, and now it serves as a framework to build +other protocols on top of it (such as TURN and ICE). + + +\subsection midcom_turn Old TURN (draft-rosenberg-midcom-turn) + +Traversal Using Relay NAT (TURN), a standard-based effort started as early +as in November 2001, was meant to be the complementary method for the +(old) STUN to complete the solution. The original idea was the host to use +STUN to detect the NAT type, and when it has found that the NAT type is +symmetric it would use TURN to relay the traffic. But as stated above, +this approach was deemed to be unreliable, and now the prefered way to use +TURN (and it's a new TURN specification as well) is to combine it with ICE. + + +\subsection turn TURN (draft-ietf-behave-turn) + +Traversal Using Relays around NAT (TURN) is the latest development of TURN. +While the protocol details have changed a lot, the objective is still +the same, that is to provide relaying control for the application. +As mentioned above, preferably TURN should be used with ICE since relaying +is costly in terms of both bandwidth and latency, hence it should be used +as the last resort. + + +\subsection b2bua B2BUA approach + +A SIP Back to Back User Agents (B2BUA) is a SIP entity that sits in the +middle of SIP traffic and acts as SIP user agents on both call legs. +The primary motivations to have a B2BUA are to be able to provision +the call (e.g. billing, enforcing policy) and to help with NAT traversal +for the clients. Normally a B2BUA would be equipped with media relaying +or otherwise it wouldn't be very useful. + +Products that fall into this category include SIP Session Border +Controllers (SBC), and PBXs such as Asterisk are technically a B2BUA +as well. + +The benefit of B2BUA with regard to helping NAT traversal is it does not +require any modifications to the client to make it go through NATs. +And since basically it is a relay, it should be able to traverse +symmetric NAT successfully. + +However, since it is a relay, the usual relaying drawbacks apply, +namely the bandwidth and latency issue. More over, since a B2BUA acts +as user agent in either call-legs (i.e. it terminates the SIP +signaling/call on one leg, albeit it creates another call on the other +leg), it may also introduce serious issues with end-to-end SIP signaling. + + +\subsection alg ALG approach + +Nowdays many NAT devices (such as consumer ADSL routers) are equipped +with intelligence to inspect and fix VoIP traffic in its effort to help +it with the NAT traversal. This feature is called Application Layer +Gateway (ALG) intelligence. The idea is since the NAT device knows about +the mapping, it might as well try to fix the application traffic so that +the traffic could better traverse the NAT. Some tricks that are +performed include for example replacing the private IP addresses/ports +in the SIP/SDP packet with the mapped public address/port of the host +that sends the packet. + +Despite many claims about its usefullness, in reality this has given us +more problems than the fix. Too many devices such as these break the +SIP signaling, and in more advanced case, ICE negotiation. Some +examples of bad situations that we have encountered in the past: + + - NAT device alters the Via address/port fields in the SIP response + message, making the response fail to pass SIP response verification + as defined by SIP RFC. + - In other case, the modifications in the Via headers of the SIP + response hides the important information from the SIP server, + nameny the actual IP address/port of the client as seen by the SIP + server. + - Modifications in the Contact URI of REGISTER request/response makes + the client unable to detect it's registered binding. + - Modifications in the IP addresses/ports in SDP causes ICE + negotiation to fail with ice-mismatch status. + - The complexity of the ALG processing in itself seems to have caused + the device to behave erraticly with managing the address bindings + (e.g. it creates a new binding for the second packet sent by the + client, even when the previous packet was sent just second ago, or + it just sends inbound packet to the wrong host). + + +Many man-months efforts have been spent just to troubleshoot issues +caused by these ALG (mal)functioning, and as it adds complexity to +the problem rather than solving it, in general we do not like this +approach at all and would prefer it to go away. + + +\subsection upnp UPnP + +The Universal Plug and Play (UPnP) is a set of protocol specifications +to control network appliances and one of its specification is to +control NAT device. With this protocol, a client can instruct the +NAT device to open a port in the NAT's public side and use this port +for its communication. UPnP has gained popularity due to its +simplicity, and one can expect it to be available on majority of +NAT devices. + +The drawback of UPnP is since it uses multicast in its communication, +it will only allow client to control one NAT device that is in the +same multicast domain. While this normally is not a problem in +household installations (where people normally only have one NAT +router), it will not work if the client is behind cascaded routers +installation. More over uPnP has serious issues with security due to +its lack of authentication, it's probably not the prefered solution +for organizations. + +\subsection other Other solutions + +Other solutions to NAT traversal includes: + + - SOCKS, which supports UDP protocol since SOCKS5. + + + +\section ice ICE Solution - The Protocol that Works Harder + +A new protocol is being standardized (it's in Work Group Last Call/WGLC +stage at the time this article was written) by the IETF, called +Interactive Connectivity Establishment (ICE). ICE is the ultimate +weapon a client can have in its NAT traversal solution arsenals, +as it promises that if there is indeed one path for two clients +to communicate, then ICE will find this path. And if there are +more than one paths which the clients can communicate, ICE will +use the best/most efficient one. + +ICE works by combining several protocols (such as STUN and TURN) +altogether and offering several candidate paths for the communication, +thereby maximising the chance of success, but at the same time also +has the capability to prioritize the candidates, so that the more +expensive alternative (namely relay) will only be used as the last +resort when else fails. ICE negotiation process involves several +stages: + + - candidate gathering, where the client finds out all the possible + addresses that it can use for the communication. It may find + three types of candidates: host candidate to represent its + physical NICs, server reflexive candidate for the address that + has been resolved from STUN, and relay candidate for the address + that the client has allocated from a TURN relay. + - prioritizing these candidates. Typically the relay candidate will + have the lowest priority to use since it's the most expensive. + - encoding these candidates, sending it to remote peer, and + negotiating it with offer-answer. + - pairing the candidates, where it pairs every local candidates + with every remote candidates that it receives from the remote peer. + - checking the connectivity for each candidate pairs. + - concluding the result. Since every possible path combinations are + checked, if there is a path to communicate ICE will find it. + + +There are many benetifs of ICE: + + - it's standard based. + - it works where STUN works (and more) + - unlike standalone STUN solution, it solves the hairpinning issue, + since it also offers host candidates. + - just as relaying solutions, it works with symmetric NATs. But unlike + plain relaying, relay is only used as the last resort, thereby + minimizing the bandwidth and latency issue of relaying. + - it offers a generic framework for offering and checking address + candidates. While the ICE core standard only talks about using STUN + and TURN, implementors can add more types of candidates in the ICE + offer, for example UDP over TCP or HTTP relays, or even uPnP + candidates, and this could be done transparently for the remote + peer hence it's compatible and usable even when the remote peer + does not support these. + - it also adds some kind of security particularly against DoS attacks, + since media address must be acknowledged before it can be used. + + +Having said that, ICE is a complex protocol to implement, making +interoperability an issue, and at this time of writing we don't see +many implementations of it yet. Fortunately, PJNATH has been one of +the first hence more mature ICE implementation, being first released +on mid-2007, and we have been testing our implementation at +<A HREF="http://www.sipit.net">SIP Interoperability Test (SIPit)</A> +events regularly, so hopefully we are one of the most stable as well. + + +\section pjnath PJNATH - The building blocks for effective NAT traversal solution + +PJSIP NAT Helper (PJNATH) is a library which contains the implementation +of standard based NAT traversal solutions. PJNATH can be used as a +stand-alone library for your software, or you may use PJSUA-LIB library, +a very high level library integrating PJSIP, PJMEDIA, and PJNATH into +simple to use APIs. + +PJNATH has the following features: + + - STUNbis implementation, providing both ready to use STUN-aware socket + and framework to implement higher level STUN based protocols such as + TURN and ICE. + - NAT type detection, useful for troubleshooting purposes. + - TURN implementation. + - ICE implementation. + + +More protocols will be implemented in the future. + +Go back to \ref index. + + */ |