1. Intertex Data AB, Sweden
   - Firewall Traversal
   - Bringing SIP to the LAN
   - Prepared for: Session Initiation Protocol 2002
   - By: Karl Erik Ståhl, President Intertex Data AB, Chairman Ingate Systems AB
   - [email_address]
   © 2002 Intertex Data AB
2. VoIP as we have seen it…
   - Do we want the PC as a phone?
   - Are cheaper phone bills all we want?
   [Diagram: PC-to-PC calls over the Internet ("Wanna talk to me?"); gateway-to-gateway calls between STO and LA]
3. VoIP as we have seen it…
   - VoIP between branch offices, but NOT globally to others!
   [Diagram: IP gateways in Europe and the US connected over an Internet VPN, with the PSTN alongside]
4. Hmm, didn't we pass this stage…
   - Paper was a very compatible media; so is POTS today…
   - But we need to move beyond!
   [Diagram: Organization 1 (Email system 1) and Organization 2 (Email system 2) each with email, printer and fax, connected only by fax over the PSTN]
5. What about universal connectivity?
   - Wouldn't that be fine?
   [Diagram: black phone (RJ11) and IP phone (RJ45) reaching LAN, intranet, Internet and PSTN]
6. VoIP and SIP Services Out to the Edge
   - Status until now: SIP is the protocol for person-to-person IP communication, BUT IT DOES NOT REACH THE EDGE!
   - Firewall/NAT problems!
   [Diagram: IAP, SIP server and SIP/PSTN gateway on the Internet; home LAN and business LAN behind NAT firewalls (DSL, cable, MTU); operator network with NAT; XP PC, IP phones and PIM behind the NATs]
7. Presence and Instant Messaging
   - An extension to SIP in progress
   - See: http://www.jdrosen.net/papers/draft-rosenberg-impp-presence-00.txt
   - A single, extended standard instead of today's players:
     - ICQ
     - AOL Instant Messenger
     - Yahoo! Messenger
     - MSN Messenger
     - And more
   - Used in Windows XP (SIP)
8. What Microsoft Has Done So Far
   - Progressed embedded
     - End-to-end platform
   - Announced update
     - PC-to-phone provider choice & new UI
   - Released Windows XP
     - Windows Messenger and rich APIs
   - 10s of millions of RTC (SIP) users within a year
9. Windows XP: ECS (Exchange Conferencing Server)
   - SIP based whiteboard, chat, video, audio, app sharing…
10. SIP Firewall Problems
    - Sessions initiated from outside the firewall
      - OK, open port 5060, but…
    - Media streams on dynamically allocated port numbers
      - Ooops…!
    Even with public IP addresses inside.
11. SIP NAT/PAT Problems
    - Where is the device?
      - Registration/location function
    - Private IP addresses and ports in SIP messages
      - Rewrite with globally routable addresses
    - IP address and port of media stream has to be modified
      - NAT engine has to be dynamically controlled
    Worse with private IP addresses inside.
12. Suggested Solutions
    - Dynamically controlled Firewall/NATs [Aravox, …]
    - Midcom: by Firewall Control Proxy [Dynamicsoft…]
    - uPnP: by the client (Windows) [Microsoft]
    - SIP aware Firewall/NATs (SIP Proxy + Registrar) [Intertex (SOHO), Ingate (enterprise), …]
    - SIP aware Firewall/NATs (SIP ALG) [Cisco,… TLS not possible]
    - Making SIP NAT friendly, drafts in progress:
      - draft-rosenberg-sipping-nat-scenarios-00.txt
      - draft-rosenberg-midcom-stun-01.txt
      - draft-ietf-sip-nat-01.txt
13. Adding SIP Support to a Firewall
    Important components:
    - Firewall & NAT: dynamic firewall engine
    - SIP Proxy: SIP proxy server, controlling the firewall
    - User Location: SIP registrar, user location information
    - Firewall Control Protocol: communication between SIP proxy and firewall
14. NAT Friendly SIP
    - Mods to SIP, SDP
    - SIP clients need upgrade
    - New servers on the net
    - Use STUN to find out "looks" from outside (STUN server)
    - Keep registrar NAT path (TCP or UDP) always open by frequent registrations
    - RTP media streams always start from inside + symmetric
    - Route new signalling through this open path
    - For some NATs, if both parties are behind firewalls, RTP streams must bounce through a server (RTP proxy)
    [Diagram: two IP phones on LANs behind firewall/NATs; SIP registrar, STUN server and RTP proxy on the Internet; signalling and RTP paths]
15. SIP Enabling the Private Networks
    - Firewall/NAT problems! → Firewall/NAT SIP transparency!
    [Diagram: as slide 6, with an Ingate SIParator in the DMZ and an Ingate Firewall on the business LAN, and an IX66 on the home LAN]
16. Just Another Internet Service…
    [Diagram: IX66 home users in the USA and Sweden, an enterprise LAN behind an Ingate Firewall, a SOHO LAN with IX66, XP clients in Helsinki, a SIP/PSTN gateway, DNS SRV, an Ingate SIParator in a DMZ, the Ingate Linköping LAN and the Intertex Stockholm LAN, all reached over the Internet via an IAP]
17. IP Communications Using IP Networks
    - Intranet IP VPN with IP communications
    - Domestic and global IP communications
    - PBX and PSTN – E.164 resolution
    - Many call routing options:
      - Private/Public IP address
      - DNS and DNS SRV records
      - SIP aware NAT/PAT servers
    - Henry Sinnreich 4/10/2002
    [Diagram: customer premises (PBX, PSTN phone, router, SIP phone, enterprise gateway, SIP routing firewall, SIP server, IP VPN) and the WorldCom public IP network (managed services, Vmail, OSS, PSTN dialing plans, network GWY, conf, IM, IN); global IP comm, intranet IP comm, other]
18. IP Communications Using IP Networks
    - Integration with existing phones
    - SIP capable firewall
    - Ingate and Intertex first through SIT
    - No IP PBX needed!
    - Enhanced functionality
    [Diagram: the slide 17 network with the enterprise LAN highlighted]
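Slide 14's client-side approach starts with STUN: the phone sends a Binding Request from its media socket and learns from the MAPPED-ADDRESS in the reply how it "looks" from outside, then puts that address in its SDP. The following is an added example of that exchange, not code from the presentation, and it follows the RFC 3489 wire format referenced by the draft on slide 12 (16-bit type, 16-bit length, 128-bit transaction ID, MAPPED-ADDRESS attribute type 0x0001). The server side is constructed inline so it runs offline; 192.168.1.20:49170 and 203.0.113.5:50000 are made-up addresses.

```python
import os
import socket
import struct
from typing import Optional, Tuple

BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101
MAPPED_ADDRESS = 0x0001


def build_binding_request(transaction_id: Optional[bytes] = None) -> bytes:
    """RFC 3489 header only: type, zero-length body, 16-byte transaction ID."""
    tid = transaction_id or os.urandom(16)
    return struct.pack("!HH16s", BINDING_REQUEST, 0, tid)


def build_binding_response(tid: bytes, ip: str, port: int) -> bytes:
    """Constructed STUN server reply for the offline demo: one MAPPED-ADDRESS attribute
    carrying the source address/port the server saw, i.e. the NAT's outside mapping."""
    attr = struct.pack("!HHBBH4s", MAPPED_ADDRESS, 8, 0, 0x01, port, socket.inet_aton(ip))
    return struct.pack("!HH16s", BINDING_RESPONSE, len(attr), tid) + attr


def parse_binding_response(data: bytes, expected_tid: bytes) -> Tuple[str, int]:
    """Return (public_ip, public_port) from MAPPED-ADDRESS, rejecting replies that do not
    match the transaction ID we sent (stale or spoofed responses)."""
    if len(data) < 20:
        raise ValueError("short STUN header")
    mtype, length, tid = struct.unpack("!HH16s", data[:20])
    if mtype != BINDING_RESPONSE:
        raise ValueError(f"not a Binding Response: 0x{mtype:04x}")
    if tid != expected_tid:
        raise ValueError("transaction ID mismatch")
    body = data[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        if atype == MAPPED_ADDRESS and alen == 8:
            _pad, family, port = struct.unpack("!BBH", value[:4])
            if family != 0x01:
                raise ValueError("only IPv4 MAPPED-ADDRESS handled here")
            return socket.inet_ntoa(value[4:8]), port
        off += 4 + alen  # skip attributes we do not understand
    raise ValueError("no MAPPED-ADDRESS in response")


def behind_nat(local_ip: str, local_port: int, mapped: Tuple[str, int]) -> bool:
    """If the outside view differs from the local socket, a NAT sits in between and the
    SDP must advertise the mapped address, with RTP sent from this same socket (symmetric)."""
    return (local_ip, local_port) != mapped


def demo() -> Tuple[Tuple[str, int], bool]:
    tid = bytes(range(16))  # fixed ID so the demo is reproducible; use os.urandom in practice
    request = build_binding_request(tid)
    assert len(request) == 20
    # Constructed reply standing in for the STUN server's answer.
    response = build_binding_response(tid, "203.0.113.5", 50000)
    mapped = parse_binding_response(response, tid)
    return mapped, behind_nat("192.168.1.20", 49170, mapped)


if __name__ == "__main__":
    print(demo())
```

Two details carry the slide's other bullets: the request must be sent from the very socket that will later carry RTP, otherwise the mapping learned is for a different NAT binding; and the mapping only stays valid while traffic flows, which is why the slide pairs this with frequent re-registration to keep the signalling path open.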
19. Product Examples – Ingate Systems AB
    - A complete firewall
    - An add-on to an existing firewall
    - Firewall & NAT/PAT
    - SIP Proxy
    - SIP Registrar
    [Diagram: enterprise products Firewall 1400 and SIParator 40, the latter shown in the DMZ of an existing firewall]
20. The Ingate SIParator
    [Diagram: IP phones on the Internet and on the LAN; Ingate SIParator in the DMZ of an existing firewall]
21. The Ingate SIParator
    [Diagram: existing firewall between the Internet and a LAN with private IP addresses; SIParator in the DMZ with SIP Proxy, SIP Registrar, RTP Proxy and NAT/PAT Engine; SIP traffic on 5060 UDP/TCP, RTP traffic on a UDP port interval]
22. Product Examples – Intertex Data AB
    - IX66 Internet Gate, with or without ADSL modem built-in (SOHO products)
    - OEM as: Telia SurfinBird Gate, PowerBit SafeGate
    - Review at: www.adslguide.org.uk/hardware/reviews/2002/q1/intertex_ix66-edflc.asp
23. The Intertex IX66 Internet Gate
    A closer look:
    - Firewall & NAT/PAT
    - SIP Proxy and Registrar
    - DHCP Server and Client
    - Web server for configuration
    - Smart card reader for security applications
    - SIP Appliance Control, LAC via expansion port
    - Optional ADSL and splitter built-in
24. Internet Appliances Control
    - http://www.research.telcordia.com/iapp/index.shtml
25. SIP Capable Firewalls!
    - Ingate Systems AB, www.ingate.com, Box 10013, Slakthusplan 4, SE-121 26 Stockholm, Sweden. CEO Olle Westerberg, olle.westerberg@ingate.com, Tel +46 8 6007750
    - Intertex Data AB, www.intertex.se, Rissneleden 45, SE-174 44 Sundbyberg, Sweden. President Karl Erik Ståhl, karl.stahl@intertex.se, Tel +46 8 6282828