Intertex Data AB, Sweden
Talking NATs & Firewalls
Prepared for: Voice On the Net, Spring 2002
By: Karl Erik Ståhl
President Intertex Data AB
Chairman Ingate Systems AB
[email protected]
© 2002 Intertex Data AB
Moderator Scott Wharton 1
VoIP as we have seen it…
Do we want the PC as a phone?
[Figure: two PCs connected over the Internet, one asking "Wanna talk to me?"]
Are cheaper phone bills all we want?
[Figure: gateway (STO) – Internet – gateway (LA)]
VoIP as we have seen it…
[Figure: PSTN – Europe gateway – IP VPN over the Internet – US gateway – PSTN]
VoIP between branch offices
- But NOT globally to others!
Hmm, didn’t we pass this stage…
[Figure: Organization 1 (Email system 1) and Organization 2 (Email system 2), each with email and a printer, exchanging faxes over the PSTN]
Paper was a very compatible medium - So is POTS today…
But we need to move beyond!
VoIP and SIP Services Out to the Edge
Status until now:
SIP is the Protocol for IP Communication: Person-to-Person, PIM
BUT IT DOES NOT REACH THE EDGE!
[Figure: Internet with SIP Server and SIP/PSTN Gateway to the PSTN; IP Phones on a Home LAN, a Business LAN, an operator network with NAT (DSL, Cable), an MTU and XP, each behind a Firewall or NAT; IAP]
Firewall/NAT problems!
SIP Firewall Problems
Firewall Problems:
Sessions initiated from outside the firewall
- OK, open port 5060, but…
Media streams on dynamically allocated port numbers
- Ooops… !
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
Where is the device?
- Registration/location function
Private IP addresses and ports in SIP messages
- Rewrite with globally routable addresses
IP address and port of media stream has to be modified
- NAT engine has to be dynamically controlled
Worse with private IP addresses inside
Suggested Solutions
Dynamically controlled Firewall/NATs [Aravox, …]
Midcom: By Firewall Control Proxy [Dynamicsoft…]
UPnP: By the client (Windows) [Microsoft]
SIP aware Firewall/NATs (SIP Proxy + Registrar) [Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG) [Cisco,…: client location?, TLS not possible]
Modifying the SIP protocol, Drafts in progress:
• draft-rosenberg-sipping-nat-scenarios-00.txt
• draft-rosenberg-midcom-stun-01.txt
• draft-ietf-sip-nat-01.txt
Adding SIP Support to a Firewall
Important components:
Firewall & NAT
Dynamic Firewall Engine
SIP Proxy Server, controlling the firewall
SIP Registrar, user location information
Firewall Control Protocol: communication between SIP Proxy and firewall
[Figure: Firewall with Dynamic Firewall Engine; SIP Proxy with User Location beside it, linked to the firewall by the Firewall Control Protocol]
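To make the NAT/PAT problem list and the component list above concrete, here is an added example (not Intertex or Ingate code) that models the three components as one object: a registrar that records where the device is, a proxy that rewrites private addresses in Via, Contact and the SDP body to a globally routable one, and a dynamic firewall engine that opens one media pinhole per m= line and closes the call's pinholes on BYE. The public address 203.0.113.7, the media port range starting at 30000, the simplified RFC 1918 prefix test and the three SIP messages are all constructed for the example.

```python
import re

PUBLIC_IP = "203.0.113.7"                          # constructed: the firewall's public address
PRIVATE_PREFIXES = ("10.", "192.168.", "172.16.")  # simplified RFC 1918 test
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# Constructed sample traffic from a phone at 192.168.1.20 on the LAN.
REGISTER = (
    "REGISTER sip:example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bKnashds7\r\n"
    "To: <sip:alice@example.com>\r\n"
    "Call-ID: 843817637684230\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Length: 0\r\n\r\n"
)
INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 116\r\n\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
BYE = (
    "BYE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK9a8z\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "Content-Length: 0\r\n\r\n"
)


def is_private(ip):
    return ip.startswith(PRIVATE_PREFIXES)


def uri_of(header_value):
    """'<sip:alice@example.com>;tag=1' -> 'sip:alice@example.com'"""
    return header_value.split(";")[0].strip().strip("<>")


class SipAwareFirewall:
    """Hypothetical SIP proxy + registrar + dynamic firewall engine in one object."""

    def __init__(self, public_ip=PUBLIC_IP, first_media_port=30000):
        self.public_ip = public_ip
        self.next_media_port = first_media_port
        self.location = {}   # registrar: address-of-record -> private Contact URI
        self.pinholes = {}   # Call-ID -> [(external UDP port, inside IP, inside port)]

    def where_is(self, aor):
        """'Where is the device?' is answered from the registrar's location table."""
        return self.location.get(aor)

    @staticmethod
    def _header(headers, name):
        for h in headers:
            if h.lower().startswith(name.lower() + ":"):
                return h.split(":", 1)[1].strip()
        return None

    def _rewrite_headers(self, headers):
        fixed = []
        for h in headers:
            if h.split(":", 1)[0].strip().lower() in ("via", "contact"):
                # private signalling address -> the firewall's globally routable one
                h = IPV4_RE.sub(lambda m: self.public_ip if is_private(m.group()) else m.group(), h)
            fixed.append(h)
        return fixed

    def _rewrite_sdp(self, body, call_id):
        lines, inside_ip = body.split("\r\n"), None
        for i, line in enumerate(lines):
            parts = line.split()
            if line.startswith("o=") and is_private(parts[-1]):
                parts[-1] = self.public_ip
            elif line.startswith("c=IN IP4 "):
                inside_ip = parts[2]                 # where the phone wants its media
                if is_private(inside_ip):
                    parts[2] = self.public_ip
            elif line.startswith("m=") and inside_ip is not None:
                ext_port, self.next_media_port = self.next_media_port, self.next_media_port + 2
                # dynamic firewall engine: forward ext_port -> inside_ip:inside_port for this call
                self.pinholes.setdefault(call_id, []).append((ext_port, inside_ip, int(parts[1])))
                parts[1] = str(ext_port)
            else:
                continue
            lines[i] = " ".join(parts)
        return "\r\n".join(lines)

    def process_outbound(self, msg):
        """Rewrite one SIP request leaving the LAN; return what goes to the Internet."""
        head, sep, body = msg.partition("\r\n\r\n")
        lines = head.split("\r\n")
        request_line, headers = lines[0], lines[1:]
        method = request_line.split()[0]
        call_id = self._header(headers, "Call-ID")
        if method == "REGISTER":       # learn where the user's device really is
            self.location[uri_of(self._header(headers, "To"))] = uri_of(self._header(headers, "Contact"))
        elif method == "BYE":          # call over: close its media pinholes
            self.pinholes.pop(call_id, None)
        headers = self._rewrite_headers(headers)
        if body:
            body = self._rewrite_sdp(body, call_id)
            headers = [f"Content-Length: {len(body)}" if h.lower().startswith("content-length:") else h
                       for h in headers]
        return "\r\n".join([request_line] + headers) + sep + body
```

Because the rewrite has to read and modify the SDP body, it only works where the device sees the signalling in clear; that is the "TLS not possible" caveat listed for a pure SIP ALG, whereas a proxy that is itself the TLS endpoint still sees the body. Pinholes are tied to the Call-ID so they disappear with the call rather than staying open like a statically forwarded port range.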
NAT Friendly SIP Draft
[Figure: IP Phones on LANs behind Firewall/NATs; on the Internet a SIP Registrar, a STUN Server and an RTP Proxy; signalling path to the registrar, RTP paths between the LANs]
Mods to SIP, SDP, RTP
SIP clients need upgrade
New servers
Use STUN to find out how the client "looks" from outside on the net
Keep registrar NAT path (TCP or UDP) always open by frequent registrations
Route new signalling through this open path
RTP media streams always start from inside + symmetric
For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server
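The STUN step of the draft, as an added example that is not from the slides or from any of the drafts' own code: the client sends a Binding Request, the server answers with the source address and port it saw in a MAPPED-ADDRESS attribute, and comparing that with the local socket tells the client how it "looks" from outside. The message layout assumed is that of draft-rosenberg-midcom-stun / RFC 3489 (20-byte header of type, length and 16-byte transaction ID, then TLV attributes). The addresses, ports, transaction IDs and the fake NAT-side server are constructed.

```python
import os
import struct

BINDING_REQUEST = 0x0001     # STUN message types and attribute type (RFC 3489 values)
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001
FAMILY_IPV4 = 0x01
HEADER_LEN = 20              # type(2) + length(2) + transaction ID(16)


def build_binding_request(transaction_id=None):
    """Client -> STUN server: an empty Binding Request with a random transaction ID."""
    tid = transaction_id if transaction_id is not None else os.urandom(16)
    return struct.pack("!HH", BINDING_REQUEST, 0) + tid


def build_binding_response(transaction_id, mapped_ip, mapped_port):
    """STUN server -> client; constructed here so the example runs offline."""
    octets = [int(o) for o in mapped_ip.split(".")]
    value = struct.pack("!BBH4B", 0, FAMILY_IPV4, mapped_port, *octets)
    attr = struct.pack("!HH", MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HH", BINDING_RESPONSE, len(attr)) + transaction_id + attr


def parse_binding_response(data, expected_tid):
    """Return (ip, port) from MAPPED-ADDRESS, refusing anything malformed or not ours."""
    if len(data) < HEADER_LEN:
        raise ValueError("short STUN header")
    msg_type, length = struct.unpack("!HH", data[:4])
    if msg_type != BINDING_RESPONSE:
        raise ValueError(f"unexpected message type 0x{msg_type:04x}")
    if data[4:HEADER_LEN] != expected_tid:
        raise ValueError("transaction ID mismatch: not a reply to our request")
    body = data[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated STUN body")
    pos = 0
    while pos + 4 <= len(body):          # walk the TLV attributes
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        if len(value) != alen:
            raise ValueError("truncated STUN attribute")
        if atype == MAPPED_ADDRESS:
            if len(value) != 8:
                raise ValueError("only IPv4 MAPPED-ADDRESS handled")
            _, family, port = struct.unpack("!BBH", value[:4])
            if family != FAMILY_IPV4:
                raise ValueError("only IPv4 MAPPED-ADDRESS handled")
            return ".".join(str(b) for b in value[4:8]), port
        pos += 4 + alen
    raise ValueError("no MAPPED-ADDRESS in response")


def classify(local_ip, local_port, mapped):
    """Compare the inside view of the socket with the outside view the server reported."""
    mapped_ip, mapped_port = mapped
    if (mapped_ip, mapped_port) == (local_ip, local_port):
        return "no NAT"
    if mapped_port == local_port:
        return "NAT, port preserved"
    return "NAT/PAT, port translated"


def discover_public_mapping(local_ip, local_port, exchange):
    """One request/response round; `exchange(request_bytes) -> response_bytes` is the network."""
    tid = os.urandom(16)
    mapped = parse_binding_response(exchange(build_binding_request(tid)), tid)
    return mapped, classify(local_ip, local_port, mapped)


def fake_nat_server(request):
    """Constructed stand-in for 'NAT + STUN server': the NAT maps the phone to 203.0.113.7:31000."""
    return build_binding_response(request[4:HEADER_LEN], "203.0.113.7", 31000)


if __name__ == "__main__":
    print(discover_public_mapping("192.168.1.20", 5060, fake_nat_server))
```

The transaction-ID check is what lets the client ignore a stray or forged reply that would otherwise make it advertise a wrong address. The mapping learned this way is only valid while the NAT binding lives, which is why the draft keeps the registrar path open with frequent registrations and routes new signalling through it rather than expecting an unsolicited inbound INVITE to find its way in.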
SIP Enabling the Private Networks
[Figure: the same edge picture: Internet with SIP Server and SIP/PSTN Gateway to the PSTN; inGate SIParator in a DMZ and inGate Firewall in front of the Business LAN; Intertex IX66 NAT (front-panel labels) in front of the Home LAN; IP Phones on an operator network with NAT (DSL, Cable), an MTU and IAP]
Firewall/NAT problems! → SIP Firewall/NAT transparency!
IP Communications Using IP Networks
[Figure: Customer Premises (SIP Phone, Firewall/Router, Intranet IP Comm, PBX, PSTN Phone) – WorldCom Public IP Network (SIP Routing, Network GWY, IP VPN, Enterprise Gateway, Managed Services) – Global IP Comm (SIP Server, IM, Conf, Vmail, OSS, …other…) – WorldCom PSTN (PSTN Phone, IN Dialing Plans)]
Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers
• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution
Henry Sinnreich 4/10/2002
IP Communications Using IP Networks
[Figure: the same network picture, with a SIP Capable Firewall at the Enterprise LAN edge of the Customer Premises]
No IP PBX Needed!
Enhanced Functionality
SIP Capable Firewall
Ingate and Intertex
First through SIT
Integration with existing phones
Product Examples – Ingate Systems AB
Enterprise Products
A Complete Firewall: Firewall 1400
An add-on to an Existing Firewall (placed in its DMZ): SIParator 40
- Firewall & NAT/PAT
- SIP Proxy
- SIP Registrar
Product Examples – Intertex Data AB
SOHO Products
IX66 Internet Gate, with or without ADSL modem built-in
OEM as:
- Telia SurfinBird Gate
- PowerBit SafeGate
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
See Intertex and inGate!
Booth #400
SIP Capable Firewalls!
Intertex Data AB
www.intertex.se
Rissneleden 45
SE-174 44 Sundbyberg, Sweden
President Karl Erik Ståhl
[email protected]
Tel +46 8 6282828
Ingate Systems AB
www.ingate.com
Box 10013, Slakthusplan 4
SE-121 26 Stockholm, Sweden
CEO Olle Westerberg
[email protected]
Tel +46 8 6007750