IntSIP2003 - Intertex Data AB
Intertex Data AB, Sweden
Firewall and NAT Traversal
Bringing SIP to the LAN
Prepared for:
International SIP 2003
By:
Karl Erik Ståhl
President Intertex Data AB
Chairman Ingate Systems AB
[email protected]
© 2003 Intertex Data AB
1
Is there a next big step in Internet usage?
Email
World Wide Web
Will there be Real Time Communication
Person-to-Person?
VoIP as we have seen it…
Remember how it started in 95?
[Diagram: two PCs connected over the Internet; one asks the other "Wanna talk to me?"]
Now it is coming back in a most useful form!
VoIP as we have seen it…
Then this service was offered to end users?
[Diagram: a gateway in STO and a gateway in LA connected over the Internet]
Nowadays long distance VoIP minutes are bought by the established telcos.
Your normal international calls often run over the public Internet!
VoIP as we have seen it…
[Diagram: a Europe gateway and a US gateway, each with its PSTN and IP side, connected by an IP VPN over the Internet]
VoIP between branch offices
- But NOT globally to others!
VoIP as we see it…
[Diagram: PSTN - softswitch - Internet - firewall (FW)]
MGCP often used to phones
Phones get locked to operator
Hmm, didn’t we pass this stage…
[Diagram: Organization 1 with Email system 1 and Organization 2 with Email system 2; inside each, email goes to a printer and the paper is faxed over the PSTN to the other organization]
Paper was a very compatible medium - so is POTS today…
But we need to move beyond!
What about universal connectivity?
[Diagram: RJ11 - black phone - PSTN, next to RJ45 - LAN / Intranet / Internet - IP phone]
Wouldn’t that be fine?
Is black telephony all we want?
“We need QoS of PSTN…”
3 kHz bandwidth?
Video?
Presence?
draft-ietf-simple-presence-07.txt
Instant Messaging?
RFC3428, December 2002
And more…
Is the protocol part of the game?
SMTP Created Email
HTTP Created the Web
SIP Can Create IP Communication
Person-to-Person!
Microsoft is pushing – New RTC is SIP-based
• Windows Messenger 4.6 and later has SIP-mode
  - Presence & IM
  - Voice & Video (XP)
  - Dial to phone
• Rich SIP APIs
• .NET Server will include SIP server, with API (3Q2)
• Applications will arise
• Tens of millions of RTC (SIP) users within a year
Let SIP clients talk to each other!
[Diagram: SIP server, SIP/PSTN gateway and PIM on the Internet; XP clients and IP phones on a home LAN and a business LAN; an IAP; a PSTN phone (4255551212) reached through the gateway]
Connect to PSTN when required!
But there is a problem…
Status until recently: SIP is the Protocol for IP Communication Person-to-Person, BUT IT DOES NOT REACH THE EDGE!
[Diagram: the same network as on the previous slide (SIP server, SIP/PSTN gateway, PIM, XP clients, IP phones on home and business LANs, IAP, operator network with NAT over DSL / cable / MTU), now with a Firewall/NAT at every edge: Firewall/NAT problems!]
What is the difference?
Typical Internet protocol (SMTP, HTTP…): SERVER - Internet - HOST
SIP (and H.323…) connects person-to-person: PERSON - Internet - PERSON
Locate the person - Set up a session - Open real time media streams
SIP Firewall Problems
Firewall Problems:
• Sessions initiated from outside the firewall
  - OK, open port 5060, but…
• Media streams on dynamically allocated port numbers
  - Ooops… !
Even with public IP addresses inside
SIP NAT/PAT Problems
NAT & PAT Problems:
• Where is the device?
  - Registration/location function
• Private IP addresses and ports in SIP messages
  - Rewrite with globally routable addresses
• IP address and port of media stream has to be modified
  - NAT engine has to be dynamically controlled
Worse with private IP addresses inside
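Added illustration, not code from the slides or from an Intertex or Ingate product: a Python sketch of two of the NAT/PAT tasks listed above, rewriting the private address and port in the SIP headers and SDP, and deriving the RTP/RTCP pinholes the dynamic firewall engine has to open for the call. The addresses, port range and INVITE are constructed; a real SIP-aware firewall also has to undo the mapping on the reply and close the pinholes when the dialog ends.

```python
import re

# Constructed sample: an INVITE as a SIP phone on a private LAN would send it,
# carrying its private address in Via/Contact and in the SDP o=/c=/m= lines.
PRIVATE_IP = "192.168.1.10"  # assumed LAN address of the phone
PUBLIC_IP = "203.0.113.5"    # assumed public address of the firewall/NAT
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776\r\n"
    f"Contact: <sip:alice@{PRIVATE_IP}:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    f"o=alice 1 1 IN IP4 {PRIVATE_IP}\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)

def even_port_allocator(start=30000):
    """Hand out public-side RTP ports: RTP even, RTCP on the next odd port."""
    state = {"next": start}
    def allocate():
        port = state["next"]
        state["next"] += 2
        return port
    return allocate

def rewrite_for_nat(msg, private_ip, public_ip, allocate_port):
    """Rewrite a SIP message so it is usable from the public side of a NAT.

    Returns (rewritten_message, pinholes); each pinhole is
    (inside_ip, inside_port, outside_port), i.e. the RTP/RTCP mappings the
    dynamic firewall engine must open for this call and close afterwards.
    """
    head, sep, body = msg.partition("\r\n\r\n")
    # Signalling: Via and Contact must carry a globally routable address.
    head = head.replace(private_ip, public_ip)
    pinholes, new_body = [], []
    for line in body.split("\r\n"):
        m = re.match(r"m=(\w+) (\d+) (.*)", line)
        if m:  # media line: allocate an outside port and record the mapping
            inside, outside = int(m.group(2)), allocate_port()
            pinholes.append((private_ip, inside, outside))
            pinholes.append((private_ip, inside + 1, outside + 1))
            line = f"m={m.group(1)} {outside} {m.group(3)}"
        # SDP o= and c= lines carry the private address too: replace it.
        new_body.append(line.replace(private_ip, public_ip))
    return head + sep + "\r\n".join(new_body), pinholes
```

A message without SDP (a REGISTER, for instance) only gets its headers rewritten and yields no pinholes.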
Suggested Solutions
Dynamically controlled Firewall/NATs
• Midcom: By Firewall Control Proxy [Dynamicsoft…]
• UPnP: By the client (Windows) [Microsoft]
SIP aware Firewall/NATs (SIP Proxy + Registrar)
• [Intertex (SOHO), Ingate (enterprise), …]
SIP aware Firewall/NATs (SIP ALG)
• [Cisco,… TLS not possible]
Making SIP NAT friendly - Drafts in progress:
• draft-ietf-sipping-nat-scenarios-00.txt
• draft-ietf-midcom-stun-02.txt
• draft-ietf-sip-nat-02.txt
• draft-ietf-sip-symmetric-response-00.txt
Adding SIP Support to a Firewall
Important components:
• Firewall & NAT
• Dynamic Firewall Engine
• SIP Proxy Server, controlling the firewall
• SIP Registrar, user location information
• Communication between SIP Proxy and firewall (Firewall Control Protocol)
[Diagram: SIP Proxy with its User Location store, connected to the Firewall through the Firewall Control Protocol]
SIP Enabling the Private Networks
[Diagram: the same network (Internet, SIP server, PSTN, SIP/PSTN gateway, operator network with NAT over DSL / cable / MTU, IP phones, IAP), now with an Ingate SIParator in the DMZ and an Ingate Firewall in front of the enterprise LAN, and an Intertex IX66 firewall/NAT in front of the office or home LAN: SIP Firewall/NAT transparency instead of Firewall/NAT problems!]
Just Another Internet Service…
[Diagram: sites in Sweden, Helsinki and the USA (home LANs, a SOHO LAN, the Intertex Stockholm LAN, the Ingate Linköping LAN with Ingate Firewall, DMZ and SIParator, a SIP/PSTN gateway and the PSTN, an IAP) connected over the Internet through IX66 gates, with XP clients locating each other via DNS SRV records]
IP Communications Using IP Networks
[Diagram (WorldCom): SIP phones and a PBX with PSTN phones at the customer premises behind a firewall/router; intranet IP communications over an IP VPN and global IP communications over the public IP network; SIP routing, network gateway, enterprise gateway, managed services, OSS, IM, conferencing, voicemail and other servers; IN dialing plans and the PSTN]
Many call routing options:
• Private/Public IP address
• DNS and DNS SRV records
• SIP aware NAT/PAT servers
• Intranet IP VPN with IP communications
• Domestic and global IP communications
• PBX and PSTN – E.164 resolution
Henry Sinnreich 4/10/2002
IP Communications Using IP Networks
[Diagram: the same WorldCom picture as on the previous slide, annotated at the enterprise LAN and customer premises:]
• No IP PBX Needed!
• Enhanced Functionality
• SIP Capable Firewall: Ingate and Intertex, First through SIT
• Integration with existing phones
Product Examples – Ingate Systems AB
Enterprise Products
• Firewall 1400: A Complete Firewall
• SIParator 40: An add-on to an Existing Firewall, placed in the DMZ of the existing firewall
Components: Firewall & NAT/PAT, SIP Proxy, SIP Registrar
Product Examples – Intertex Data AB
SOHO Products
• IX66 Internet Gate, with or without ADSL modem built-in
• OEM as: Telia SurfinBird Gate, PowerBit SafeGate
Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
The Intertex IX66 Internet Gate
A closer look
[Photo: IX66 front panel with its configuration buttons and status LEDs]
• Firewall & NAT/PAT Router
• SIP Proxy and Registrar
• DHCP Server and Client
• WEB Server for configuration
• Smart Card Reader for security applications
• Optional 802.11b Wireless Lan
• SIP Appliance Control, LAC via expansion port
• Optional ADSL and Splitter Built-in
SIP-capable firewalls!
Intertex Data AB
www.intertex.se
Rissneleden 45
SE-174 44 Sundbyberg, Sweden
CEO (VD): Karl Erik Ståhl
[email protected]
Tel +46 8 6282828

Ingate Systems AB
www.ingate.com
Box 10013, Slakthusplan 4
SE-121 26 Stockholm, Sweden
CEO (VD): Olle Westerberg
[email protected]
Tel +46 8 6007750