Snom 4S User Manual

snom 4S NAT Filter Admin Manual

snom 4S

NAT Filter

Version 2.11

snom 4S NAT Filter Version 2.11

This document is supplied by snom technology AG for information purposes only to licensed users of the snom 4S NAT ﬁlter and is supplied on an “AS IS” basis, that is, without any warranties whatsoever, express or implied.

Information in this document is subject to change without notice and does not represent any commitment on the part of snom technology AG. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license agreement. It is against the law to copy or use this software except as speciﬁcally allowed in the license. No part of this document may be reproduced, republished or retransmitted in any form or by any means whatsoever, whether electronically or mechanically, including, but not limited to, by way of photocopying, recording, information recording or through retrieval systems, without the express written permission of snom technology AG.

snom® is a registered trademark in the United States of America, Germany and some other contries.

snom technology AG • 3

Table of Contents

1 Overview ..........................................................5

1.1 Applications ...................................................................... 6

1.2 Features ........................................................................... 6

2 Architecture .....................................................9

2.1 The NAT Filter and SIP ........................................................ 9

2.2 NAT ............................................................................... 10

2.2.1 How does NAT work?

..............................................................................................................................................

2.2.2 Symmetrical RTP

............................................................................................................................................................

2.2.3 Signalling SIP

.......................................................................................................................................................................

2.2.4 Media RTP

...................................................................................................................................................................................

2.2.5 Classiﬁcation of User Agents

....................................................................................................................

2.2.6 Probing Media Paths

.................................................................................................................................................

2.2.7 The Role of the NAT Filter

..............................................................................................................................

2.2.8 Optimizing the Media Path for Symmetrical NAT

..................................................

2.3 SBC Behaviour ................................................................ 15

2.3.1 Registering

................................................................................................................................................................................

2.3.3 RTP Relay

....................................................................................................................................................................................

2.4 Scaling and Redundancy ................................................... 18

2.5 Detecting the right NAT Filter ............................................ 19

2.6 Requirements on User Agents ............................................ 20

2.6.1 Non NAT-Aware User Agents

.....................................................................................................................

2.6.2 STUN/ICE-Aware User Agents

................................................................................................................

2.7 Deﬁning the Maximum Session Time .................................. 21

3 Installation .....................................................23

3.1 Windows ......................................................................... 23

3.2 Linux ............................................................................. 28

4 Conﬁguration ..................................................31

4.1 Logging In ...................................................................... 31

4.2 Port Binding .................................................................... 31

4.3 System Settings .............................................................. 33

4.3.1 Logging

...........................................................................................................................................................................................

4.3.2 Preparing Recovery

...................................................................................................................................................

4.3.3 General Outound Proxy

......................................................................................................................................

4 • Contents

[ S N O M 4 S N A T F I L T E R ]

4.3.4 Media Ports

..............................................................................................................................................................................

4.3.5 Port Budgets

........................................................................................................................................................................

4.3.6 Media Relay

.............................................................................................................................................................................

4.3.7 Controlling Routing

....................................................................................................................................................

4.3.8 Multiple 2xx Handling

............................................................................................................................................

4.3.9 Challenging

..............................................................................................................................................................................

4.3.10 Trusted Addresses

.......................................................................................................................................................

4.3.11 Maximum Packet Size

...........................................................................................................................................

4.3.12 Silence Suppression

.................................................................................................................................................

4.3.13 Connection Oriented Media

.........................................................................................................................

4.3.14 Removing Headers

......................................................................................................................................................

4.3.15 Codec Control

......................................................................................................................................................................

4.3.16 Web Server Integration

......................................................................................................................................

4.3.17 CLIR Addresses

.................................................................................................................................................................

4.4 Timeout Settings ............................................................. 40

4.4.1 Register Timeouts

........................................................................................................................................................

4.4.2 Call Timeouts

........................................................................................................................................................................

4.5 Security Settings ............................................................. 42

4.6 Outbound Proxy List ......................................................... 44

4.7 System Information ......................................................... 45

4.8 Server Log ...................................................................... 45

4.9 Trace .............................................................................. 46

4.10 Call History ..................................................................... 47

4.11 Current Ports .................................................................. 48

4.12 Currently Handled UA ....................................................... 49

4.13 Memory Statistics ............................................................ 49

5. Web Server Integration ..................................51

5.1 Interface to the Web Server .............................................. 52

5.2 Authentication ................................................................. 52

5.3 Registration .................................................................... 55

5.4 Call Initiation .................................................................. 56

5.5 Call Termination .............................................................. 58

6. SNMP ..............................................................61

6.1 Setup of the SBC ............................................................. 61

6.2 Setup of the Tools ............................................................ 61

6.3. Available OID .................................................................. 62

7 Checklist for Installation ................................65

6.1 Linux ............................................................................. 65

6.2 Windows ......................................................................... 65

snom technology AG • 5

1 Overview

Network address translation (NAT) is a reality today. There have been many discussions about the evil and the good of this network topology and the replacement by IP version 6. However, operators and business want to offer VoIP services today and therefore must address the problem.

The snom 4S NAT Filter is a SIP session border controller (SBC). It enables non-NAT aware devices to operate in private networks. It also allows operating the data center in a private network. It takes care about translation of SIP messages with private network identities into identities that can be addressed from the data center. When necessary or explicitly required, it forwards media and changes the SDP attachments in the SIP messages accordingly.

The SBC offers recording capabilities (depending on the licens

ing). Through a separate management interface, operators can deﬁne numbers and patterns that are silently recorded. Users may explicitly request the recording of a call by pressing a key on the phone; in this case the whole call will be recorded (even parts of the call before pressing the key). The ﬁlter records in a compressed format where only the voice part of the conversation is recorded in highly-compressed audio format (13.2 kBit/s). By using an appropriately conﬁgured web server, operators can manage very large numbers of calls and, for example, forward them per e-mail to users or authorities.

The SBC does not translate signaling, e.g., from SIP to H.323 or to MGCP. It is a semi-transparent SIP proxy that takes care only about known methods and leaves the rest unchanged. If all user agents are fully NAT-compliant or on public Internet, the ﬁlter can transparently be removed from the network without changing the call ﬂows or functional

ity. Also, the ﬁlter does not interfere with unknown applications. This is a advantage over back-to-back user agents (B2BUA) that operate on the application level.

6 • Overview

[ S N O M 4 S N A T F I L T E R ]

1.1 Applications

The ﬁlter can be used in the following scenarios:

• Corporations. Corporations which operate their infrastructure be

hind NAT and/or ﬁrewalls can talk to the public Internet through the ﬁlter.

• Operators. Operators offer the NAT traversal feature to their cus

tomers. Using the scalability feature of the ﬁlter, the operation of large networks becomes possible.

• Record speciﬁc calls for legal purposes. In many countries, opera

tors must provide the possibility to record certain calls on request. The ﬁlter can perform this task.

• Recording can be used for legal prooﬁng (brokers, etc). The ﬁlter is fully compliant with other SIP equipment and can, for example, put between a PSTN gateway and SIP phones.

1.2 Features

The ﬁlter offers powerful features based on modern VoIP technol-

ogy:

• The built-in RFC3261-compliant SIP proxy makes additional exter

nal SIP logic superﬂuous and simpliﬁes the system setup.

• A built-in RFC3489-compatible STUN server for single IP addresses allows clients to self-refresh their bindings

• Support for instant messaging, presence and all other SIP-compli

ant applications.

• Rich logging features allow easy maintenance.

• Recording functions based on number lists and expressions offer a ﬂexible way of ﬁltering out information.

• Recordings can be saved in WAV ﬁle format (the data rate is 6 MB per hour).

• Almost stateless operation allows the ﬁlter to be used in server farms. This offers a tremendous scalability and redundancy making the product suitable for large operators.

snom technology AG • 7

[ S N O M 4 S N A T F I L T E R ]

• Both http and https as web interface for simple access from anywhere on the Internet.

• The ﬁlter supports Interactive Connectivity Establishment (ICE). User agents that support this feature will optimize the media path for the shortest possible delay.

• Media relay is established using connection-oriented media. Useragents that are not NAT-aware inherently support this feature. This makes the operation of the NAT ﬁlter backward-compatible.

• Call-alive polling. During calls, the ﬁlter checks if the call is still alive and terminates the call if this should not be the case. With this fea

ture, charging users for broken calls can be avoided.

• Reliable and unreliable transport layers. The ﬁlter supports both UDP and TCP transport layers. Full TLS support will be added soon.

• To and From headers may be changed for calls. The ﬁlter talks to a web application server to get this information.

• Application Server Integration. The web application server can also change the request-URI. This makes simple routing possible, which can be used for least cost routing, for example.

• Call Duration Limit. The web application server can deﬁne the du

ration of the call. This makes it possible to implement prepaid services.

• HTTP Registrar. The SBC may convert SIP register requests into HTTP requests and send the response back via SIP. This makes it possible to use the web server as registrar.

• Authentication. The SBC may authenticate incoming requests. It keeps a authentication cache updated by the web server. Trust rela

tionships deﬁned by IP address deﬁne exceptions.

• CLIR support. When a request leaves the data center, the SBC can change the From-header of the outgoing request and make it anon

ymous. This way, the caller ID can be hidden.

Usually, the ﬁlter acts as stateless proxy. That means, by default

it just forwards the packets and does not change the content of the at

tachments or the headers themselves. That means that the ﬁlter will not interfere with applications (instant messaging, presence, weather report, etc).

There are three exceptions to this rule:

8 • Overview

[ S N O M 4 S N A T F I L T E R ]

• The ﬁrst exception is a REGISTER request. When a user agent tries to register and needs the support of the ﬁlter, the ﬁlter will set up a local data structure representing the user agents. It will make sure that the connection to the user agents stays alive. It will also make sure that requests destined to the user agents will be forwarded properly.

• The second exception is an SDP attachment. The ﬁlter checks if the user agent needs support (or must be recorded) and will in that case add a local contact to the SDP that can be used for media relay.

• The third exception occurs when the ﬁlter queries a web server for routing information. In this case, it will send a provisional response to stop the UAC from repeating messages.

These three exceptions make sure that all user agents will work behind NAT, no matter what NAT-type or how many NAT-levels are being used. If user agents support ICE, they will automatically ﬁnd the shortest media path to the other party (peer-to-peer).

snom technology AG • 9

2 Architecture

2.1 The NAT Filter and SIP

In the SIP architecture, the SBC acts as the ﬁrst proxy that is contacted by user agents. There are two ways to make sure that the relevant trafﬁc gets routed trough the ﬁlter:

• User agents can be set up to use the ﬁlter as outbound proxy. When

using this method, all SIP trafﬁc will ﬂow through the SBC, whether it is destined to the operator or not. That means that service for calls outside of the operator’s domain may also be serviced by the SBC. However, by redirecting all outgoing trafﬁc of the SBC to a proxy the operator can make sure that the authentication, authorization and accounting (AAA) requirements for requiring the service are fulﬁlled. Alternatively, you can use the application server interface to do the job on the SBC itself.

• User agents resolve the SBC though the RFC3263 DNS resolving

process. That means that only the trafﬁc that is destined to the operator’s domain will use the service of the NAT Filter. However, users might be annoyed if they place a call to a domain that does not properly support NAT services. In this case, the SBC can also redirect the trafﬁc to another proxy.

We recommend using the ﬁrst alternative and to only choose the second alternative if it is too difﬁcult to provision user agents with the outbound proxy or when there are concerns about providing service for foreign operators.

Usually, the SBC acts as stateless proxy. This means, that it just forwards the packets by default and that it does not change the content of the attachments or the headers themselves. The SBC will not interfere with applications (instant messaging, presence, weather report, etc).

There are three exceptions to this rule:

• The ﬁrst exception is a REGISTER request. When a user agent tries

10 • Architecture

[ S N O M 4 S N A T F I L T E R ]

to register and needs the support of the SBC, the SBC will set up a local data structure representing the user agents. It will make sure that the connection to the user agents stays alive. It will also make sure that requests destined to the user agents will be forwarded properly.

• The second exception is an SDP attachment. The SBC checks if the user agent needs support (or must be recorded) and, in that case, will add a local contact to the SDP that can be used for media re

lay.

• The third exception occurs when the SBC queries a web server for routing information. In this case, it will send a provisional response to stop the UAC from repeating messages.

2.2 NAT

Network Address Translation (NAT) is a reality in today’s networks. Many operators save IP addresses by providing only one IP address for a number of devices, sometimes companies. Firewall manufacturers make NAT a feature by performing inspection of packets that go though NAT. Even for IPv6 networks, the fundamental problem will remain as there will also be a need for ﬁrewalls and private networks.

The Session Initiation Protocol (SIP) has neglected this problem in the beginning. However, in some recent RFC there have been useful proposals on how to deal with the problem. This document shows how the snom 4S NAT Filter can be used to solve the problems.

Although snom also makes user agents, the snom 4S NAT Filter works with most SIP user agents from other companies. The require

ments on these user agents are described below.

If you want to use the SBC just for recording purposes, you don’t need to bother about NAT. The SBC also works when no NAT is present.

snom technology AG • 11

[ S N O M 4 S N A T F I L T E R ]

2.2.1 How does NAT work?

NAT is essentially a translation table that maps public IP address

and ports combinations to private IP address and port combinations.

The translation table is implicitly set up when a packet is sent from the private network to the public network. The association is kept alive for a certain time and is refreshed every time a new packet is sent from the same origin. This fact is used by STUN (RFC3489) to set up an association between a public IP address and a private IP address.

In symmetrical NAT, the router stores the address where the packet was sent. Only packets coming from this address are forwarded to the private address. This algorithm increases the security as it is harder to guess the source IP and port for attackers. Full cone NAT does not per

form this check.

There are some mixed variants between full cone NAT and sym

metrical NAT. Restricted port NAT works similar to symmetrical NAT, but uses only one port association.

Hairpinning is the ability of the NAT to route packets coming from the private network and addressed towards a public IP address binding back to the private network. Not all routers support this feature.

2.2.2 Symmetrical RTP

Real time protocol (RTP) is used to transport media. Symmetrical RTP is a trick to extend the number of cases when communication can be established. A SIP user agent supporting symmetrical RTP waits for the ﬁrst RTP packet coming in and then sends its media stream back to the IP address from which it received that packet. Symmetrical RTP always works when the user agent doing symmetrical RTP is on a globally routable address. However, this algorithm can easily be cheated (port spraying) and therefore implies a certain security risk.

2.2.3 Signalling SIP

SIP trafﬁc is relatively unproblematic because SIP typically is not as time critical as media. Usually, it is ok to route SIP packets through a longer path than media.

12 • Architecture

[ S N O M 4 S N A T F I L T E R ]

In SIP it is legal to send from a different port than the receiving port. When this is being done, there is no way of supporting these devices behind NAT. However, some phones offer an option that disables this mechanism so that the sending port is the same as the receiving port.

Typically, the SIP proxy will run on a public IP address where it is possible to deal with all kinds of NAT. Keep-Alive messages may keep the NAT binding open (for example, short registration periods or non-SIP messages).

2.2.4 Media RTP

Media is much more problematic than SIP because users are sensitive to delay in a voice conversation. When the delay is too long, the speakers need to be disciplined not to interrupt the other person when starting to speak. Also, the ear is much more sensitive to echo when the media delay becomes too long. The effect is known from intercontinental calls where the speed of light increases the delay for voice transmission.

SIP was designed for peer-to-peer communication. That means the user agents (telephones) send the media directly to the other user agent. This approach is the best way to minimize the delay; however, it becomes a problem when NAT is involved.

2.2.5 Classiﬁcation of User Agents

From a SBC point of view, available user agents can be classiﬁed into the following categories:

• Public IP devices. These devices operate on public IP addresses and

don’t need any speciﬁc support regarding NAT. The true location of these devices may be in a private network, as they might have al

located a public identity using mechanisms like UPnP™ [3]. These devices are most welcome as they don’t cause any additional requirements.

• STUN devices. Phones that operate behind full cone NAT and allo

cate public IP addresses themselves fall into this category. The only support that the proxy needs to give is a STUN server. Apart from that they act like public IP devices.

• Non NAT-aware devices. These devices don’t attempt to check the NAT type or to allocate a public IP address. Often, they are “legacy”

snom technology AG • 13

[ S N O M 4 S N A T F I L T E R ]

devices that have been designed without having NAT in mind. These devices can register only for a short period of time, so that the REGISTER messages keep the port association open (the SIP messages are used to keep the port association). Also, these devices need a NAT-aware media server or other device that forward the RTP packets of these devices.

• Symmetrical NAT devices. These devices may be NAT-aware; how

ever, because they operate behind symmetrical NAT, there is little that they can do. They essentially behave like non NAT-aware SIP devices and hope for the support of the proxy.

2.2.6 Probing Media Paths

ICE is a method that has been proposed recently in the IETF [4]. The algorithm is simple: A user agent that supports ICE lists the possible addresses where it could possibly be reached. These addresses may include the private address, an address allocated via STUN, one or more addresses allocated with the TURN protocol or an address allocated with UPnP. Because in practice it is hard to predict which of these addresses are visible to the other user agent, all of the possible addresses are proposed to the other user agent.

The other user agent sends test packets to the possible address

es. Picking the ﬁrst reply on the test packet will establish a working media path and it will also probably be the fastest connection. STUN is being used for these test packets.

2.2.7 The Role of the NAT Filter

When a user agent is not able to allocate a globally routable address or it is not sure if it found enough possible addresses, the NAT Filter can help out.

Again, the way the NAT Filter works is simple. For the signalling, the NAT Filter keeps the NAT alive with bogus messages (which can be SIP messages or other non-SIP message). It patches the messages in such a way that other user agents will address the NAT Filter instead of the user agent when they want to deliver a message. The NAT Filter then forwards the message to the user agent using the connection which is kept open with the keep-alive messages.

14 • Architecture

[ S N O M 4 S N A T F I L T E R ]

When the NAT Filter sees a message that contains information about sending media (session description protocol, SDP), it opens a local globally routable port on behalf of the user agent and patches these messages in a way that the destination will send media via this port. The NAT Filter will relay the media to the user agent like it relays SIP messages. Using symmetrical RTP, it can detect the user agent’s public media identity and reroute the packets to this destination.

While this approach has the huge advantage that it works with all kinds of NAT, it has the disadvantage that it increases the media path signiﬁcantly. For example, when a user A in Tokyo is registered with an operator in New York and wants to call his colleague B (who is registered with a service provider in Sydney and sitting in the same ofﬁce in a private network), the media would have to ﬂow ﬁrst from Tokyo to New York, then to Sydney and then back to Tokyo. The delay would at least be around one second even though the user agents are located in the same network.

Unfortunately, it is not trivial to make the media path shorter. There have been some attempts to reduce the problem, but it is much easier to address the problem starting at the user agent. If the user agent uses ICE, it will try all addresses listed in the SDP attachment, including the port allocated by the NAT Filter. If there is a shorter path, it will switch to this shorter path. If there is no other way or if the other side does not support ICE, it will fall back to the NAT Filter-allocated port which will work in all cases.

2.2.8 Optimizing the Media Path for Symmetrical

NAT

In the cases where both user agents are behind symmetrical NAT, the NAT Filter approach will ensure that media will ﬂow between the user agents. However, the Tokyo example shows that this might result in intolerable media delay.

To address this problem, TURN [5] comes into play. The idea be

hind this approach is to allocate identities on several places in the Internet and to propose all of the allocated ports to the other user agent. If the ports are allocated on all continents, the other user agent will automatically pick the TURN server with the shortest delay. In the Tokyo example, a TURN server located in Japan will reduce the delay to a tolerable level (even when there is no direct path between the user agents).

snom technology AG • 15

[ S N O M 4 S N A T F I L T E R ]

2.3 SBC Behaviour

2.3.1 Registering

When a user agent registers, it puts its IP address in the top Via. If the user agent is on public Internet or properly supports NAT, this Via will match the perceived IP address. In this case the SBC does not interfere with the registering process and just forwards this packet to the registrar.

If the top Via does not contain the perceived address, the SBC will take care of the request. It will replace the provided contact with a locally generated contact and forward the request to the registrar (see below).

REGISTER sip:snomag.de SIP/2.0 Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bKabx3au3mxb01;rport From: <sip:denny@snomag.de>;tag=k9p6fmeg7h To: <sip:denny@snomag.de> Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113 CSeq: 14 REGISTER Max-Forwards: 70 Contact: <sip:denny@203.145.183.113:12975;line=lhynyb3y>;q=1.0 Supported: gruu Expires: 86400 Content-Length: 0

REGISTER sip:snomag.de SIP/2.0 Via: SIP/2.0/UDP 217.115.141.99:5082;branch=z9hG4bK-e8d1feb8138c3d85 0637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440 Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bKabx3au3mxb01;rport=17401 From: <sip:denny@snomag.de>;tag=k9p6fmeg7h To: <sip:denny@snomag.de> Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113 CSeq: 14 REGISTER Max-Forwards: 69 Contact: <sip:217.115.141.99:5082;ua=c9b140ab59829bb491e9c3aaca440> Supported: gruu Expires: 86400 Content-Length: 0

SIP/2.0 200 Ok Via: SIP/2.0/UDP 217.115.141.99:5082;branch=z9hG4bK-e8d1feb8138c3d85

16 • Architecture

[ S N O M 4 S N A T F I L T E R ]

0637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440 Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bKabx3au3mxb01;rport=17401 From: <sip:denny@snomag.de>;tag=k9p6fmeg7h To: <sip:denny@snomag.de>;tag=epuy85kzm5 Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113 CSeq: 14 REGISTER Contact: <sip:217.115.141.99:5082;ua=c9b140ab598290e5bb491e9c3aaca44 0>;expires=3600;gruu=”sip:denny@snomag.de;gruu=hobiv52b” Date: Wed, 26 May 2004 16:03:33 GMT Content-Length: 0

SIP/2.0 200 Ok Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bKabx3au3mxb01;rport=17401 From: “denny” <sip:denny@snomag.de>;tag=k9p6fmeg7h To: “denny” <sip:denny@snomag.de>;tag=epuy85kzm5 Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113 CSeq: 14 REGISTER Contact: <sip:denny@203.145.183.113:12975;line=lhynyb3y>;expires=360 0;gruu=”sip:denny@snomag.de;gruu=hobiv52b” Date: Wed, 26 May 2004 16:03:33 GMT Content-Length: 0

The SBC will make the registration short enough to keep the connection alive. The UA will reregister shortly after. However, because the registration binding time in the registrar is longer, the SBC will not forward the request to the registrar and answer it locally.

2.3.3 RTP Relay

When initiating a call, user agents usually include a Session Description Protocol (SDP) attachment that describes where they expect media. If the user agent operates on a public Internet address, there is no need to interfere in this process. In this case the SBC will just forward the request.

Operators should encourage customers to use equipment that operates on a public Internet address or properly allocates a globally routable Internet address. Because media relay is an expensive opera

tion, it reduces the overall load on the network and at the same time increases the quality of the service.

However, when a user agent is behind NAT, it might not be able

to receive media directly. In some cases this is because the user agent is

snom technology AG • 17

[ S N O M 4 S N A T F I L T E R ]

simply not programmed to allocate an address properly or because it is behind symmetrical NAT, which makes it impossible to properly allocate this address. In this case, the help of the media SBC will make sure that media will always be delivered properly.

The media ﬁlter supports the “interactive connectivity establish

ment” (ICE) method that has been published recently in the IETF. Using this method, user agents may probe several addresses and decide which address they use for communication. In this case, the SBC will just add another contact to the ICE list.

Table 1 shows the cases when the SBC needs to interfere if STUN and ICE support are available from the user agents. The support of the SBC is necessary only in cases when both sides have symmetrical NAT and in the case when talking from symmetrical NAT to restricted NAT. If the user agents don’t support STUN and ICE, the number of cases goes up signiﬁcantly.

If the user agent operates without NAT support, it will send a SDP like the one below:n

v=0 o=root 19387 19387 IN IP4 192.168.1.10 s=call c=IN IP4 192.168.1.10 t=0 0 m=audio 58146 RTP/AVP 0 8 3 18 2 101 a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 a=rtpmap:3 gsm/8000 a=rtpmap:18 g729/8000 a=rtpmap:2 g726-32/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=sendrecv

The NAT Filter will detect that the user agents needs help and allocates local ports for relaying media. It will forward the request with changed SDP:

v=0 o=root 19387 19387 IN IP4 217.115.141.99 s=call c=IN IP4 217.115.141.99 t=0 0 m=audio 49170 RTP/AVP 0 8 3 18 2 101

18 • Architecture

[ S N O M 4 S N A T F I L T E R ]

a=rtpmap:0 pcmu/8000 a=rtpmap:8 pcma/8000 a=rtpmap:3 gsm/8000 a=rtpmap:18 g729/8000 a=rtpmap:2 g726-32/8000 a=rtpmap:101 telephone-event/8000 a=fmtp:101 0-15 a=sendrecv a=silenceSupp:off - - - -

The NAT Filter changes the private address to a globally routable address and inserts the local port. It also inserts a hint that tells the other user agent that it should not do silence suppression. This reduces the risk that the connection is closed during a talk spurt of one of the parties.

2.4 Scaling and Redundancy

The NAT Filter product was designed to support distributed server farms. That means that the servers act stateless in principle; user agents may randomly pick a server in a server farm. This feature allows operators to set up very large and robust networks.

Table 1: NAT conbimations

To/From Public IP Full Cone

NAT

Restricted NAT

Symmetrical NAT

Public IP Always When

STUN support is available

When STUN and ICE are available

Full Cone NAT When

STUN is available

When STUN and ICE are available

Restricted NAT

When STUN and ICE are available

When STUN and ICE are available and no port checking

Symmetrical NAT

Needs ﬁlter

snom technology AG • 19

[ S N O M 4 S N A T F I L T E R ]

The distribution of user agents to a server is performed using DNS SRV (RFC 2782). This means that you need to list the available servers on DNS level; the user agents must perform DNS SRV look ups and pick one of the servers (possible using the detection algorithms described below).

The following table shows an example conﬁguration for Linux named(8):

_sip._udp IN SRV 3 5 5082 frankfurt1 _sip._udp IN SRV 3 5 5082 newyork1 _sip._udp IN SRV 3 5 5082 newyork2 _sip._udp IN SRV 3 5 5082 newyork3 _sip._udp IN SRV 3 5 5082 tokyo2 _sip._udp IN SRV 3 5 5082 tokyo1

If one of the servers should become unavailable, the SRV algorithm will make sure that the other servers will be contacted. The user agents that are refreshed by that particular server will become unreachable until the user agents initiate a new REGISTER request. Therefore, you should make sure that your servers have a high uptime probability and that the registration period is not too long. We think that registration periods of thirty minutes up to one hour are a good balance between service failure time and performance.

2.5 Detecting the right NAT Filter

User agents must detect which server in the server farm is nearest to the user agent. This is an important feature for a company or operator that has user agents scattered around the globe. Example: A company has ofﬁces in Berlin, Tokyo and Dallas and locally operates NAT Filter servers. When a user agent is located in Tokyo, it should use the Tokyo server. This could be set up manually; howeve, it is also possible to automatically pick the best server.

To detect the nearest server, the user agent sends STUN packets to all possible servers (the servers with the lowest priority in the SRV list). The user agent picks the server that responds ﬁrst. Alternatively, the user agent could send more test packets and take the mean response time for making the decision.

20 • Architecture

[ S N O M 4 S N A T F I L T E R ]

The snom 4S NAT Filter includes a STUN server that operates on the SIP UDP port. User agents should send their test packets to the SIP port.

2.6 Requirements on User Agents

Generally, there are two categories of user agents: The non NAT aware user agents and the STUN/ICE capable user agents.

2.6.1 Non NAT-Aware User Agents

Non-NAT aware user agents must have at least the following features:

1. Must send SIP UDP packets from the port where they receive SIP

trafﬁc

2. Must start sending media immediately after receiving SDP

Requirement 1 is not fulﬁlled by the default conﬁguration of the Cisco 7960; however there is a setting that enables this feature. Most known user agents support this feature, however.

Requirement 2 sometimes creates problems with user agents who don’t send media during silent periods. In this case, users have to start speaking before two-way audio can be established.

In any case, customers are asked to contact their vendor in case of problems and explanations. In general, snom recommends using NATaware user agents to reduce the network and support overhead.

2.6.2 STUN/ICE-Aware User Agents

STUN/ICE-Aware User Agents must implement the two IETF standards. It is ok if the user agents use the built-in STUN server for refreshing the bindings and learning the public IP address.

snom phones starting with version 2.05a fall into this category.

snom technology AG • 21

[ S N O M 4 S N A T F I L T E R ]

2.7 Deﬁning the Maximum Session Time

There are a couple of timeout-related settings that terminate a call when certain events ﬁre (see below). However, when prepaid cards are being used, operators want to limit the call duration to a certain time.

The SBC has a mechanism to terminate calls anyway. It does not only send BYE messages to both sides of the call, it also cuts media relaying which in practice will be used in most cases when the call is ter

minated via PSTN. This feature can be used to tear down calls when a card expires.

The remaining call duration depends not on a static setting, but

on a dynamically provisioned parameter. This parameter is usually pro

vided in the AAA procedure in the proxy. The proxy needs a simple way to tell the SBC how many seconds this call can stay up.

We decided to add a proprietary header called “P-Session-Time

out” to the SBC. When this SBC is detected in a message that belongs to an existing call, the SBC sets the timeout for this call to the value provided in the header (in seconds). After this time the SBC will terminate the call with the reason “Maximum Session Duration” (see below, Call History). Additionally, this parameter can be passed from the application server.

With the setting for trusted IP addresses, the SBC will accept these headers only from explicitly listed addresses. After the header has been used, the SBC removes it from the packet so that the user agent will not see this header.

If the proxy wants to provide information about how long the call can stay up, it should use AOC information.

+ 47 hidden pages