Intertex Data AB, Sweden
Firewall Traversal
Bringing SIP to the LAN
Prepared for: Session Initiation Protocol 2002
By:
Karl Erik Ståhl
President Intertex Data AB
Chairman Ingate Systems AB
[email protected]
© 2002 Intertex Data AB
1
VoIP as we have seen it…
Do we want the PC as a phone?
[Diagram: two PCs talking to each other across the Internet (“Wanna talk to me?”)]
Are cheaper phone bills all we want?
[Diagram: a gateway in STO and a gateway in LA connected across the Internet]
VoIP as we have seen it…
[Diagram: Europe and US offices, each with an IP gateway to the PSTN, connected through an IP VPN across the Internet]
VoIP between branch offices
- But NOT globally to others!
Hmm, didn’t we pass this stage…
[Diagram: Organization 1 with Email system 1 and Organization 2 with Email system 2; e-mail flows inside each organization, while between them documents go by fax over the PSTN or printer and paper]
Paper was a very compatible media - So is POTS today…
But we need to move beyond!
What about universal connectivity?
[Diagram: Black Phone – RJ11 – PSTN, beside IP Phone – RJ45 – LAN / Intranet / Internet]
Wouldn’t that be fine?
VoIP and SIP Services Out to the Edge
Status until now:
SIP is the Protocol for IP Communication
- Person-to-Person, PIM
BUT IT DOES NOT REACH THE EDGE!
Firewall/NAT problems!
[Diagram: SIP Server and SIP/PSTN Gateway on the Internet/PSTN side; IP Phones and XP clients on a Home LAN, a Business LAN, an IAP and an Operator network with NAT, each sitting behind a Firewall/NAT over DSL, Cable or MTU access]
Presence and Instant Messaging
An extension to SIP in progress
Used in Windows XP
See: http://www.jdrosen.net/papers/draftrosenberg-impp-presence-00.txt
A single, extended standard instead of today's players:
• ICQ
• AOL Instant Messenger → SIP
• Yahoo! Messenger
• MSN Messenger → SIP
• And more
What Microsoft Has Done So Far
• Released Windows XP
• Windows Messenger and rich APIs
• Progressed embedded
• End-to-end platform
• Announced update
• PC-to-phone provider choice & new UI
• Tens of millions of RTC (SIP) users within a year
[Screenshot: Windows Messenger dialing a phone number]
Windows XP: ECS (Exchange Conferencing Server)
SIP based whiteboard, chat, video, audio, app sharing…
SIP Firewall Problems
Firewall Problems:
• Sessions initiated from outside the firewall
- OK, open port 5060, but…
• Media streams on dynamically allocated port numbers
- Ooops…!
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
• Where is the device?
- Registration/location function
• Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
• IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside
Suggested Solutions
Dynamically controlled Firewall/NATs [Aravox, …]
Midcom: By Firewall Control Proxy [Dynamicsoft…]
UPnP: By the client (Windows) [Microsoft]
SIP aware Firewall/NATs (SIP Proxy + Registrar) [Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG) [Cisco,… TLS not possible]
Making SIP NAT friendly, Drafts in progress:
• draft-rosenberg-sipping-nat-scenarios-00.txt
• draft-rosenberg-midcom-stun-01.txt
• draft-ietf-sip-nat-01.txt
Adding SIP Support to a Firewall
Important components:
• Firewall & NAT
• Dynamic Firewall Engine
• SIP Proxy Server, controlling the firewall
• SIP Registrar, user location information
• Communication between SIP Proxy and firewall (Firewall Control Protocol)
[Diagram: SIP Proxy with its User Location database beside the Firewall, the two linked by the Firewall Control Protocol]
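To make the component list concrete, here is an added Python model of a SIP proxy driving a NAT/PAT engine, covering the “SIP NAT/PAT Problems” slide (rewrite private addresses and ports, control the NAT engine per media stream) and the component list above. It is example code written for this transcript, not Intertex or Ingate software; the LAN and public addresses, the ports, the Call-ID and the INVITE/BYE messages are all constructed, and the Firewall Control Protocol is reduced to direct method calls on the engine.

```python
"""Toy SIP-aware firewall/NAT: rewrite private addresses in SIP/SDP and open media pinholes.
Added example, not Intertex/Ingate code; addresses, ports and the dialog are constructed."""
import re

PRIVATE_IP = "192.168.1.20"   # constructed: IP phone on the LAN
PUBLIC_IP = "203.0.113.10"    # constructed: public side of the firewall (TEST-NET-3)

def parse_sip(raw):
    """Split a SIP message into (start line, header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body

class SipAwareNat:
    """SIP proxy + NAT/PAT engine: the proxy reads the signalling and drives the pinholes."""

    def __init__(self, public_ip, first_port=50000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}   # (private ip, private port) -> public port
        self.pinholes = {}   # Call-ID -> public UDP ports opened for media

    def map_port(self, priv_ip, priv_port):
        """Allocate (or reuse) a public port; step by 2 so RTP stays even and RTCP = RTP + 1."""
        key = (priv_ip, priv_port)
        if key not in self.bindings:
            self.bindings[key] = self.next_port
            self.next_port += 2
        return self.bindings[key]

    def rewrite_outbound(self, raw, priv_ip):
        """Rewrite a LAN -> Internet request; open pinholes on INVITE, close them on BYE."""
        start, headers, body = parse_sip(raw)
        method = start.split()[0]
        call_id = re.search(r"(?im)^call-id:\s*(\S+)", raw).group(1)
        if method == "BYE":
            self.pinholes.pop(call_id, None)   # dialog ends: media ports are closed again

        def to_public(m):
            return f"{self.public_ip}:{self.map_port(priv_ip, int(m.group(1)))}"

        # Via and Contact carry the phone's private address, which is unroutable outside.
        out_headers = []
        for h in headers:
            if h.split(":", 1)[0].strip().lower() in ("via", "contact"):
                h = re.sub(re.escape(priv_ip) + r":(\d+)", to_public, h)
            out_headers.append(h)

        sdp = []
        for line in body.split("\r\n"):
            if line.startswith(("c=", "o=")):
                line = line.replace(priv_ip, self.public_ip)
            m = re.match(r"m=(\w+) (\d+) (.*)", line)
            if m and method == "INVITE":
                # The media port is picked by the phone per call; only the proxy can learn it.
                rtp = self.map_port(priv_ip, int(m.group(2)))
                self.pinholes.setdefault(call_id, set()).update({rtp, rtp + 1})
                line = f"m={m.group(1)} {rtp} {m.group(3)}"
            sdp.append(line)
        new_body = "\r\n".join(sdp)

        # Rewriting can change the SDP length, so Content-Length is recomputed.
        out_headers = [f"Content-Length: {len(new_body.encode())}"
                       if h.lower().startswith("content-length:") else h
                       for h in out_headers]
        return "\r\n".join([start] + out_headers) + "\r\n\r\n" + new_body

SDP = (f"v=0\r\no=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}\r\ns=-\r\n"
       f"c=IN IP4 {PRIVATE_IP}\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
CALL_ID = "a84b4c76e66710@lan"   # constructed
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds\r\n"
          "From: <sip:alice@example.net>;tag=1928301774\r\nTo: <sip:bob@example.com>\r\n"
          f"Call-ID: {CALL_ID}\r\nCSeq: 314159 INVITE\r\n"
          f"Contact: <sip:alice@{PRIVATE_IP}:5060>\r\nContent-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)
BYE = (f"BYE sip:bob@example.com SIP/2.0\r\nVia: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776bye\r\n"
       f"Call-ID: {CALL_ID}\r\nCSeq: 314160 BYE\r\nContent-Length: 0\r\n\r\n")

def demo():
    """INVITE then BYE: returns (rewritten INVITE, ports opened, ports still open after BYE)."""
    nat = SipAwareNat(PUBLIC_IP)
    out = nat.rewrite_outbound(INVITE, PRIVATE_IP)
    opened = sorted(nat.pinholes[CALL_ID])
    nat.rewrite_outbound(BYE, PRIVATE_IP)
    return out, opened, sorted(nat.pinholes.get(CALL_ID, ()))

if __name__ == "__main__":
    rewritten, opened, left = demo()
    print(rewritten)
    print("pinholes opened:", opened, "still open after BYE:", left)
```

Running the file prints the INVITE as it leaves the firewall (Via, Contact, o= and c= now carry the public address, m= the NAT-allocated RTP port) and shows that exactly two UDP ports were opened for the call and closed again at the BYE; this is the difference from a static “open port 5060” rule, which cannot know the media ports at all. A real proxy would also add its own Via and would time out pinholes for dialogs that never end cleanly.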
NAT Friendly SIP
[Diagram: IP Phone behind a NAT on the LAN; SIP Registrar, STUN Server and RTP Proxy out on the INTERNET; the SIGNALLING path runs from the phone through the NAT to the registrar]
Mods to SIP, SDP, RTP
SIP clients need upgrade
New servers
• Use STUN to find out how the client “looks” from outside on the net
• Keep registrar NAT path (TCP or UDP) always open by frequent registrations
• Route new signalling through this open path
[Diagram: IP Phone behind Firewall/NAT on the LAN, RTP flowing out to the Internet]
• RTP media streams always start from inside + symmetric
• For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server
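The client-side rules on this slide (STUN discovery, keeping the registration path open, RTP started from inside, and the relay case for NATs that allocate a new mapping per destination) can be exercised in a small added simulation. This is example code written for this transcript, not part of the presentation or of any product; the NAT model is a toy with idle-timeout bindings, and every address and port in it is constructed from the TEST-NET ranges.

```python
"""Toy NAT model for the “NAT friendly SIP” rules (added example, not from the talk).
A port-restricted NAT keeps one mapping per inside socket; a symmetric NAT keeps one per
inside socket *and* destination. Bindings expire after `timeout` idle seconds."""

STUN_SERVER = ("198.51.100.5", 3478)   # constructed
REGISTRAR = ("198.51.100.10", 5060)    # constructed
PEER = ("198.51.100.20", 6000)         # constructed: remote phone's media socket
RELAY = ("198.51.100.30", 7000)        # constructed: RTP proxy on the Internet
PHONE = ("192.168.1.20", 49170)        # constructed: inside socket of our phone
NAT_IP = "203.0.113.10"                # constructed: public address of the NAT

class ToyNat:
    """Outbound packets create or refresh a binding; inbound packets are let in only from a
    destination the inside socket already sent to, and only while the binding is alive."""

    def __init__(self, public_ip, symmetric=False, timeout=30, first_port=40000):
        self.public_ip = public_ip
        self.symmetric = symmetric
        self.timeout = timeout
        self.next_port = first_port
        self.bindings = {}   # key -> [public port, time of last use, set of outside peers]

    def _key(self, src, dst):
        # A symmetric NAT picks a fresh mapping per destination, so the port a STUN
        # server reports is not the port the NAT will use toward the call's peer.
        return (src, dst) if self.symmetric else src

    def outbound(self, src, dst, now):
        """Inside socket `src` sends to `dst` at time `now`; returns the public (ip, port)."""
        key = self._key(src, dst)
        b = self.bindings.get(key)
        if b is None:
            b = self.bindings[key] = [self.next_port, now, set()]
            self.next_port += 1
        b[1] = now
        b[2].add(dst)
        return (self.public_ip, b[0])

    def inbound(self, public_port, src, now):
        """Packet from outside `src` to `public_port`: True if delivered inside, else dropped."""
        for key, (port, last, peers) in list(self.bindings.items()):
            if now - last > self.timeout:
                del self.bindings[key]   # idle binding expired
            elif port == public_port and src in peers:
                return True
        return False

def reflexive_address(nat, phone, now=0):
    """STUN-style discovery: the server simply reports the source address it saw."""
    return nat.outbound(phone, STUN_SERVER, now)

def registrar_can_reach(nat, phone, interval, call_at):
    """Register at t=0 and every `interval` seconds (None = only once); can an INVITE
    sent by the registrar at time `call_at` still get through the NAT to the phone?"""
    t, public_port = 0, None
    while t <= call_at:
        _, public_port = nat.outbound(phone, REGISTRAR, t)
        if interval is None:
            break
        t += interval
    return nat.inbound(public_port, REGISTRAR, call_at)

def direct_media_works(symmetric):
    """Phone puts the STUN-learned address in its SDP and sends RTP first (symmetric RTP);
    can the peer's RTP, sent to that learned address, get in?"""
    nat = ToyNat(NAT_IP, symmetric=symmetric)
    _, learned_port = reflexive_address(nat, PHONE)
    nat.outbound(PHONE, PEER, now=1)        # first RTP packet goes out from inside
    return nat.inbound(learned_port, PEER, now=2)

def relayed_media_works(symmetric):
    """Both parties send to an RTP relay first; the relay then forwards the peer's media back."""
    nat = ToyNat(NAT_IP, symmetric=symmetric)
    _, public_port = nat.outbound(PHONE, RELAY, now=1)
    return nat.inbound(public_port, RELAY, now=2)

if __name__ == "__main__":
    print("reflexive address:", reflexive_address(ToyNat(NAT_IP), PHONE))
    print("register once, call at 60 s:", registrar_can_reach(ToyNat(NAT_IP), PHONE, None, 60))
    print("register every 20 s, call at 60 s:", registrar_can_reach(ToyNat(NAT_IP), PHONE, 20, 60))
    for sym in (False, True):
        print(f"symmetric={sym}: direct", direct_media_works(sym), "relayed", relayed_media_works(sym))
```

The run shows the three points in order: a single registration leaves the phone unreachable once the binding idles out, while re-registering inside the timeout keeps the path open; the STUN-learned address works for direct media as long as the phone sends the first packet; and behind a symmetric NAT that learned address is useless for the peer, which is the case where the slide says RTP must bounce through a server.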
SIP Enabling the Private Networks
[Diagram: the “VoIP and SIP Services Out to the Edge” picture again (Internet, SIP Server, PSTN, SIP/PSTN Gateway, DSL/Cable/MTU access, Operator network with NAT, Home LAN, Business LAN, IAP, IP Phones), now with an inGate SIParator in the DMZ and an inGate Firewall/NAT at the Business LAN and an IX66 NAT (front panel pictured) at the Home LAN; callouts read “SIP Firewall/NAT transparency!” and “Firewall/NAT problems!”]
Just Another Internet Service…
[Diagram: the Internet connecting IX66 units (Home LAN in Helsinki; SOHO LAN / Home User; Intertex Stockholm LAN; IAP), an inGate SIParator and inGate Firewall with DMZ (Enterprise LAN; Ingate Linköping LAN) with XP clients, SIP/PSTN Gateways in the USA and Sweden to the PSTN, and DNS SRV lookup]
IP Communications Using IP Networks
Henry Sinnreich 4/10/2002
[Diagram: Global IP Comm SIP Server (IM, Conf, Vmail, OSS, …other…) on the WorldCom Public IP Network; Customer Premises with SIP Phone, Firewall/Router, Intranet IP Comm SIP Routing, IP VPN, Enterprise Gateway and PBX; Network GWY and Managed Services; WorldCom PSTN with PSTN Phones; IN Dialing Plans]
Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers
• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution
IP Communications Using IP Networks
[Diagram: the same WorldCom picture with annotations: “No IP PBX Needed!”, “Enhanced Functionality”, “SIP Capable Firewall – Ingate and Intertex – First through SIT” at the Enterprise LAN Firewall/Router, and “Integration with existing phones” at the PBX]
Product Examples – Ingate Systems AB
Enterprise Products
• A Complete Firewall: Firewall 1400
• An add-on to an Existing Firewall (placed in its DMZ): SIParator 40
• Firewall & NAT/PAT
• SIP Proxy
• SIP Registrar
The Ingate SIParator
[Diagram: Internet – Existing Firewall – IP Phones, with the inGate SIParator on the firewall’s DMZ]
The Ingate SIParator
[Diagram: LAN with Private IP Addresses – Existing Firewall – Internet; the SIParator sits in the DMZ and contains the RTP Proxy, NAT/PAT Engine, SIP Proxy and SIP Registrar. Through the existing firewall pass SIP traffic (5060 UDP/TCP) and RTP traffic (a UDP port interval)]
Product Examples – Intertex Data AB
SOHO Products
IX66 Internet Gate, with or without ADSL modem built-in
OEM as:
• Telia SurfinBird Gate
• PowerBit SafeGate
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
The Intertex IX66 Internet Gate
A closer look
[Photo: IX66 front panel with its button and indicator labels]
• Firewall & NAT/PAT
• Optional ADSL and Splitter
• SIP Proxy and Registrar Built-in
• DHCP Server and Client
• WEB Server for configuration
• Smart Card Reader for security applications
• SIP Appliance Control, LAC via expansion port
Internet Appliances Control
http://www.research.telcordia.com/iapp/index.shtml
SIP Capable Firewalls!

Intertex Data AB
www.intertex.se
Rissneleden 45
SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl
[email protected]
Tel +46 8 6282828

Ingate Systems AB
www.ingate.com
Box 10013, Slakthusplan 4
SE-121 26 Stockholm, Sweden
CEO Olle Westerberg
[email protected]
Tel +46 8 6007750