SIP 2012:: ICE - NAT traversal for media

SIP has changed since the publication of RFC 3261 in 2002, ten years ago. One important addition to the SIP family of protocols is ICE (Interactive Connectivity Establishment, RFC 5245). ICE assists in media setup over complicated networks, such as across NAT, and on dual-stack hosts with both IPv4 and IPv6 interfaces.

This presentation is part of Edvina's SIP 2012 project, to help customers write better specifications when purchasing SIP solutions. Read more on http://edvina.net/sip2012

Slide 1. ICE: Taking us out of the NAT darkness. http://edvina.net/sip2012

Slide 2. The goal
  • Find the best media path between two devices
  • Manage changes in a complex network
  • ICE depends on STUN (v2, RFC 5389): discovery of the public IP address and port
  • ICE depends on TURN: allocation of a public IP address and port on a media relay
  © Copyright 2012 Edvina AB, Sollentuna, Sweden. All rights reserved.

Slide 3. ICE: Show me yours, and I'll show you mine.
  [Diagram: Alice, Bob and Cecilia, two of them behind NATted networks, exchanging SIP signalling, using STUN for address discovery and a TURN server as media relay (RFC 5245)]
  • All UAs find all their addresses, including by using STUN
  • A UA may allocate an address using TURN
  • Each UA sends all its addresses as "candidates" in SDP
  • Supports both IPv4 and IPv6
  • IPv6-only UAs allocate an IPv4 TURN address
Slide 6. ICE candidate types
  • Host candidate: an address on a local network interface (VPN and mobile IP interfaces included)
  • Server reflexive candidate: an address discovered with STUN (the address and port on the outside of the NAT)
  • Relayed candidate: an address allocated on the TURN server (an RTP relay)

Slide 7. Indicating ICE support (RFC 5768)
  • The SIP media feature tag "sip.ice" can be included in registrations, e.g.
      Contact: <sip:1200@192.168.50.23>;+sip.ice
  • The SIP option tag "ice" is used in the Require: header, not in Supported:

Slide 8. Passing the token
  • Each STUN connectivity check carries a message authentication code (MAC), the STUN MESSAGE-INTEGRITY attribute
  • Each party has its own username fragment and password, random for every session
  • These are exchanged in the signalling layer, in the SDP:
      a=ice-pwd:asd88fgpdd777uzjYhagZg
      a=ice-ufrag:8hhY
  • This prevents unauthenticated media streams: a check that does not carry the right credentials is rejected

Slide 9. Role play
  • One agent (UA) is the controlling agent, the other is the controlled agent
  • The controlling agent decides which candidate pair each media stream will use
  • The decision is confirmed by sending a STUN request on the winning pair with a flag set (USE-CANDIDATE) to indicate that this pair will be used
  • This ends further ICE processing for that stream
  • In most call setups the caller (the offerer) is the controlling agent

Slide 10. Re-INVITE?
  • If the selected candidates do not match the addresses in the c= and m= lines of the SDP, a re-INVITE with a new SDP offer should be sent
  • At any point during the call, either party can restart ICE by sending a re-INVITE with a new offer

Slide 11. ICE Lite, for hosts with a public IP
  [Diagram: a full ICE agent (SIP + STUN) talking to an ICE lite media server with a public IP]
  • Does not gather candidates; only its host address(es) appear in the SDP, together with a=ice-lite
  • Does not send STUN connectivity checks
  • Answers STUN requests
  • The full ICE agent is the controlling party and selects the media address pair

Slide 12. Producing an offer
  1. Gather candidates
  2. Prioritize them
  3. Eliminate redundant candidates
  4. Choose default candidates
  5. Formulate the SDP offer
  Example candidates:
      Host:              192.168.40.23
      Server reflexive:  192.0.2.34:48712 (from the STUN response)
      Relayed:           198.51.100.23:52124 (TURN allocation)

Slide 13. Typical configuration: PC (four candidates)
      Host address (Wifi)       192.168.0.23:6001
      Host address (VPN)        10.7.17.123:6001
      Reflexive address (TURN)  123.123.123.123:2343
      Relay address (TURN)      123.123.123.127:7080

Slide 14. Dual stack PC (seven candidates)
      Host address (Wifi)       192.168.0.23:6001, IPv6 link local, IPv6 global
      Host address (VPN)        10.7.17.123:6001, IPv6 VPN
      Reflexive address (TURN)  123.123.123.123:2343
      Relay address (TURN)      123.123.123.127:7080

Slide 15. Single stack IPv6 PC (five candidates)
      Host address (Wifi)       IPv6 link local, ULA, global
      Host address (VPN)        IPv6 VPN
      Reflexive address (TURN)  (none)
      Relay address (TURN)      123.123.123.127:7080
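Steps 2 to 5 of "Producing an offer", applied to the four-candidate PC of the "Typical configuration" slide, as an added example in Python. This is not code from the Edvina presentation. The addresses are the slides' own; the local preferences, foundations, ufrag/pwd pair and the single audio stream are assumptions made for the illustration, and gathering itself (step 1) is represented by the candidate list since it is what the OS, STUN and TURN deliver.

```python
"""Added example for the 'Producing an offer' and 'Typical configuration' slides; not code
from the Edvina presentation. Addresses are from the slides; local preferences, foundations,
the ufrag/pwd pair and the single audio stream are assumptions for the illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Recommended type preferences, RFC 5245 section 4.1.2.2
TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}


@dataclass
class Candidate:
    foundation: str
    component: int                                   # 1 = RTP, 2 = RTCP
    ip: str
    port: int
    typ: str                                         # host | srflx | relay | prflx
    local_pref: int = 65535                          # 65535 for a single interface; lower for less-preferred ones
    related: Optional[Tuple[str, int]] = None        # raddr/rport: the base for srflx, the mapped address for relay
    priority: int = field(init=False)

    def __post_init__(self) -> None:
        # RFC 5245 section 4.1.2.1: 2^24 * type pref + 2^8 * local pref + (256 - component id)
        self.priority = (2 ** 24) * TYPE_PREF[self.typ] + (2 ** 8) * self.local_pref + (256 - self.component)

    def base(self) -> Tuple[str, int]:
        # The base is the local address the candidate is sent from: the host address for host and
        # server reflexive candidates, the relayed address itself for a relayed candidate.
        return self.related if self.typ == "srflx" and self.related else (self.ip, self.port)

    def sdp(self) -> str:
        line = f"a=candidate:{self.foundation} {self.component} UDP {self.priority} {self.ip} {self.port} typ {self.typ}"
        if self.related:
            line += f" raddr {self.related[0]} rport {self.related[1]}"
        return line


def prune(cands: List[Candidate]) -> List[Candidate]:
    """Step 3: drop a candidate whose transport address and base equal another's, keeping the higher
    priority one. This is what happens when STUN returns the host address unchanged because there is
    no NAT on the path: the srflx candidate duplicates the host candidate."""
    kept = {}
    for c in sorted(cands, key=lambda c: c.priority, reverse=True):
        kept.setdefault((c.ip, c.port, c.base()), c)
    return sorted(kept.values(), key=lambda c: c.priority, reverse=True)


def default_candidate(cands: List[Candidate], component: int = 1) -> Candidate:
    """Step 4: the default goes into c=/m= and is what a non-ICE peer will use, so RFC 5245 recommends
    the candidate most likely to work from anywhere: relayed, then server reflexive, then host."""
    rank = {"relay": 0, "srflx": 1, "prflx": 2, "host": 3}
    return min((c for c in cands if c.component == component), key=lambda c: rank[c.typ])


def build_offer(cands: List[Candidate], ufrag: str, pwd: str) -> str:
    """Step 5: one audio stream (PCMU only) with every remaining candidate listed."""
    cands = prune(cands)
    dflt = default_candidate(cands)
    lines = [
        "v=0",
        f"o=alice 2890844526 2890842807 IN IP4 {cands[0].ip}",
        "s=-",
        f"c=IN IP4 {dflt.ip}",
        "t=0 0",
        f"a=ice-ufrag:{ufrag}",
        f"a=ice-pwd:{pwd}",
        f"m=audio {dflt.port} RTP/AVP 0",
        "a=rtpmap:0 PCMU/8000",
    ] + [c.sdp() for c in cands]
    return "\r\n".join(lines) + "\r\n"


# Step 1, as gathered on the 'Typical configuration' PC (RTP component only)
PC_CANDIDATES = [
    Candidate("1", 1, "192.168.0.23", 6001, "host"),                                          # Wifi
    Candidate("2", 1, "10.7.17.123", 6001, "host", local_pref=65000),                          # VPN, assumed less preferred
    Candidate("3", 1, "123.123.123.123", 2343, "srflx", related=("192.168.0.23", 6001)),       # learned via STUN
    Candidate("4", 1, "123.123.123.127", 7080, "relay", related=("123.123.123.123", 2343)),    # TURN allocation
]

if __name__ == "__main__":
    print(build_offer(PC_CANDIDATES, "8hhY", "asd88fgpdd777uzjYhagZg"))
```

With the slides' own host and server reflexive values (local preference 65535, component 1) the formula yields exactly the 2130706431 and 1694498815 shown in the "ICE SDP using STUN" slide, which is a quick way to confirm that an implementation computes priorities as RFC 5245 expects.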
Slide 16. INVITE and ICE
      Alice                                   Bob
        INVITE with SDP ---------------------->
        <---------------------- 200 OK with SDP
        STUN request ------------------------->
        <------------------------ STUN response
        <------------------------- STUN request
        STUN response ------------------------>
        STUN request + selected flag --------->
        <------------------------ STUN response
        Media starts

Slide 17. ICE and PRACK
  • With ICE there is a need to start the selection, and the media, as soon as possible
  • If the SDP answer is in a 183, it has to be sent reliably so that the opportunity to start the ICE selection process is not missed
  • Using PRACK (RFC 3262) is one way. Another solution is to retransmit the 18x message with SDP until a STUN Binding request is received

Slide 18. 18x with SDP speeds up the process
  • With an 18x response carrying SDP, the ICE selection process starts before the user answers. The user may not answer at all, but it does help the user experience to have media ready when the user does answer.

Slide 19. STUN success
  Verification of the response:
  • The response must be addressed to the IP address and port we sent the request from
  • The response must be sent from the IP address and port we sent the request to
  • The credentials must be correct
  Otherwise the STUN check fails

Slide 20. ICE failure
  • If there are no selected ICE candidate pairs in any media stream, the controlling agent needs to terminate the dialog
  • If there is at least one successful stream, the dialog continues. Failed streams should be disabled in a new offer

Slide 21. ICE SDP using STUN (the UA suggests the STUN-discovered address as the default in c= and m=)
      v=0
      o=jdoe 2890844526 2890842807 IN IP4 10.0.1.1
      s=
      c=IN IP4 192.0.2.3
      t=0 0
      a=ice-pwd:asd88fgpdd777uzjYhagZg
      a=ice-ufrag:8hhY
      m=audio 45664 RTP/AVP 0
      b=RS:0
      b=RR:0
      a=rtpmap:0 PCMU/8000
      a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host
      a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 10.0.1.1 rport 8998

Slide 22. Two selection processes
  • Aggressive nomination: faster conclusion
  • Regular nomination: slower, but may find a lower-latency media path
  An implementation could set up the call with aggressive nomination, then re-INVITE and restart ICE with regular nomination to find the best media path.

Slide 23. Aggressive ICE
      Alice                                   Bob
        STUN request + selected flag --------->
        <------------------------ STUN response
        STUN request ------------------------->
        <------------------------ STUN response
  The controller does not wait. The first request that reaches Bob is selected.

Slide 24. Regular ICE nomination
      Alice                                   Bob
        STUN request ------------------------->
        <------------------------ STUN response
        STUN request ------------------------->
        <------------------------ STUN response
        STUN request + selected flag --------->
        <------------------------ STUN response
  The controller waits for the results before making a selection.
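The check list behind the "Role play", "Two selection processes" and "Regular ICE nomination" slides, as an added example in Python (not code from the Edvina presentation). It forms the candidate pairs both agents compute from the exchanged SDP, orders them by the RFC 5245 pair priority, which depends on who is controlling, and then contrasts what regular and aggressive nomination select. Alice's candidates and priorities are the ones on the slides; Bob's addresses and the check outcomes (which pairs answered, and how fast) are constructed for the illustration.

```python
"""Added example for the 'Role play', 'Two selection processes' and 'Regular ICE nomination'
slides; not code from the Edvina presentation. Alice's candidates are from the slides; Bob's
addresses and the check outcomes are constructed."""
from itertools import product
from typing import Dict, List, Optional, Tuple

Cand = Tuple[str, int, int]          # (ip, port, candidate priority from the a=candidate line)
Pair = Tuple[Cand, Cand]             # (local candidate, remote candidate)


def pair_priority(g: int, d: int) -> int:
    """RFC 5245 section 5.7.2. G is the controlling agent's candidate priority, D the controlled
    agent's; the low bit breaks ties in favour of the controlling side's better candidate."""
    return (2 ** 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def check_list(local: List[Cand], remote: List[Cand], controlling: bool) -> List[Tuple[Pair, int]]:
    """Pair every local candidate with every remote one and order the checks highest priority first.
    Both agents arrive at the same order because each plugs its own role into the G/D formula."""
    checks = []
    for loc, rem in product(local, remote):
        g, d = (loc[2], rem[2]) if controlling else (rem[2], loc[2])
        checks.append(((loc, rem), pair_priority(g, d)))
    return sorted(checks, key=lambda c: c[1], reverse=True)


def nominate_regular(checks: List[Tuple[Pair, int]], results: Dict[Pair, int]) -> Optional[Pair]:
    """Regular nomination: the controller lets the checks run, then repeats the check on the
    highest-priority pair that succeeded with the selected flag (USE-CANDIDATE) set."""
    for pair, _ in checks:                      # checks are already in priority order
        if pair in results:
            return pair
    return None


def nominate_aggressive(checks: List[Tuple[Pair, int]], results: Dict[Pair, int]) -> Optional[Pair]:
    """Aggressive nomination: every check already carries the selected flag, so the first pair whose
    success response arrives is the one selected, whatever its priority."""
    answered = [(results[pair], pair) for pair, _ in checks if pair in results]
    return min(answered)[1] if answered else None


# Alice (controlling): host, server reflexive and relayed candidates from the slides
ALICE: List[Cand] = [("10.0.1.1", 8998, 2130706431), ("192.0.2.3", 45664, 1694498815),
                     ("198.51.100.23", 52124, 16777215)]
# Bob (controlled): assumed addresses in documentation ranges, same priority scheme
BOB: List[Cand] = [("10.0.2.7", 40000, 2130706431), ("203.0.113.9", 31000, 1694498815)]

# Constructed outcome: pair -> milliseconds until the success response arrived; absent = check failed.
# Host-to-host fails (different private networks); the reflexive pair works but the relay answers first.
RESULTS: Dict[Pair, int] = {
    (ALICE[1], BOB[1]): 40,
    (ALICE[2], BOB[1]): 10,
}

if __name__ == "__main__":
    checks = check_list(ALICE, BOB, controlling=True)
    for pair, prio in checks:
        print(prio, pair[0][0], "->", pair[1][0])
    print("regular:   ", nominate_regular(checks, RESULTS))
    print("aggressive:", nominate_aggressive(checks, RESULTS))
```

With these outcomes regular nomination ends on the direct reflexive path while aggressive nomination locks in the relay because its answer came back first, which is the trade-off the slide describes and the reason for the "aggressive first, then restart with regular" strategy.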
Slide 25. ICE delay
  • If there are many candidates and media streams, a noticeable delay will occur from the moment the user "answers" the call until media starts flowing
  • With a B2BUA that uses ICE in the call path, this happens twice in the same call, which is not good
  • The B2BUA could speed up the process by sending a 183 with a=inactive and then re-INVITE quickly after the 200 OK with a=sendrecv. This restarts ICE, but media is flowing.

Slide 26. ICE changes to STUN
  • ICE adds new request attributes: PRIORITY, USE-CANDIDATE, ICE-CONTROLLING, ICE-CONTROLLED
  • ICE adds a new error response: 487 Role Conflict
  • The STUN USERNAME is the peer's username fragment plus the local one, separated by ":"
  • Username and password are random per session
  • Each agent sends its local username and password in its SDP (a=ice-ufrag and a=ice-pwd)
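The connectivity check itself, as an added example in Python covering the "Passing the token", "STUN success" and "ICE changes to STUN" slides. It is not code from the Edvina presentation. One side builds the STUN Binding request with the four ICE attributes, the peer's ufrag:own ufrag USERNAME, a MESSAGE-INTEGRITY keyed with the peer's ice-pwd and a FINGERPRINT; the other side verifies the credentials as the "STUN success" slide requires and applies the role-conflict rule. The "8hhY" credentials are the slides' own; Bob's ufrag/pwd, the transaction id and the tie-breakers are assumed values chosen so the result is reproducible.

```python
"""Added example for the 'Passing the token', 'STUN success' and 'ICE changes to STUN' slides;
not code from the Edvina presentation. Alice's ufrag/pwd are the slides' values; Bob's
credentials, the transaction id and the tie-breakers are assumptions."""
import hashlib
import hmac
import os
import struct
import zlib
from typing import Dict, List, Optional, Tuple

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
FINGERPRINT_XOR = 0x5354554E
# RFC 5389 attributes plus the four added by RFC 5245 section 19.1
USERNAME, MESSAGE_INTEGRITY, FINGERPRINT = 0x0006, 0x0008, 0x8028
PRIORITY, USE_CANDIDATE, ICE_CONTROLLED, ICE_CONTROLLING = 0x0024, 0x0025, 0x8029, 0x802A


def _attr(atype: int, value: bytes) -> bytes:
    """TLV with the value padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * ((-len(value)) % 4)


def _header(mtype: int, length: int, txid: bytes) -> bytes:
    return struct.pack("!HHI", mtype, length, MAGIC_COOKIE) + txid


def build_check(local_ufrag: str, remote_ufrag: str, remote_pwd: str, priority: int,
                controlling: bool, tie_breaker: int, use_candidate: bool,
                txid: Optional[bytes] = None) -> bytes:
    """Connectivity check sent to the peer: USERNAME is peer-ufrag:own-ufrag and the
    MESSAGE-INTEGRITY key is the peer's ice-pwd, both learned from the SDP exchange."""
    txid = txid or os.urandom(12)
    body = _attr(USERNAME, f"{remote_ufrag}:{local_ufrag}".encode())
    body += _attr(PRIORITY, struct.pack("!I", priority))            # priority for a peer-reflexive candidate
    body += _attr(ICE_CONTROLLING if controlling else ICE_CONTROLLED, struct.pack("!Q", tie_breaker))
    if use_candidate:
        body += _attr(USE_CANDIDATE, b"")                            # the 'selected flag' of the slides
    # HMAC-SHA1 over header + attributes so far, the header length already counting the 24-byte MI attribute
    mac = hmac.new(remote_pwd.encode(), _header(BINDING_REQUEST, len(body) + 24, txid) + body, hashlib.sha1).digest()
    body += _attr(MESSAGE_INTEGRITY, mac)
    # CRC-32 over everything before FINGERPRINT, XOR 0x5354554e, header length counting the 8-byte attribute
    crc = zlib.crc32(_header(BINDING_REQUEST, len(body) + 8, txid) + body) ^ FINGERPRINT_XOR
    body += _attr(FINGERPRINT, struct.pack("!I", crc))
    return _header(BINDING_REQUEST, len(body), txid) + body


def parse(msg: bytes) -> Tuple[int, bytes, List[Tuple[int, bytes, int]]]:
    """Return (message type, transaction id, [(attribute type, value, offset of the attribute in msg)])."""
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not an RFC 5389 STUN message")
    attrs, off = [], 20
    while off < 20 + length:
        atype, alen = struct.unpack("!HH", msg[off:off + 4])
        attrs.append((atype, msg[off + 4:off + 4 + alen], off))
        off += 4 + alen + ((-alen) % 4)
    return mtype, msg[8:20], attrs


def verify_check(msg: bytes, my_ufrag: str, my_pwd: str, i_am_controlling: bool, my_tie_breaker: int) -> Dict:
    """Receiver's side of the 'STUN success' slide (credentials must be correct) plus the
    role-conflict rule of RFC 5245 section 7.2.1.1."""
    mtype, txid, attrs = parse(msg)
    a = {t: (v, off) for t, v, off in attrs}
    out: Dict = {"binding_request": mtype == BINDING_REQUEST}
    username = a.get(USERNAME, (b"", 0))[0].decode(errors="replace")
    out["username_ok"] = username.split(":", 1)[0] == my_ufrag           # our ufrag comes first
    mi = a.get(MESSAGE_INTEGRITY)
    if mi:                                                                # keyed with OUR ice-pwd
        mac, mi_off = mi
        expected = hmac.new(my_pwd.encode(), _header(mtype, mi_off - 20 + 24, txid) + msg[20:mi_off], hashlib.sha1).digest()
        out["integrity_ok"] = hmac.compare_digest(mac, expected)
    else:
        out["integrity_ok"] = False                                       # a check without MI is rejected
    fp = a.get(FINGERPRINT)
    out["fingerprint_ok"] = bool(fp) and struct.unpack("!I", fp[0])[0] == (zlib.crc32(msg[:fp[1]]) ^ FINGERPRINT_XOR)
    out["credentials_ok"] = out["username_ok"] and out["integrity_ok"]
    out["use_candidate"] = USE_CANDIDATE in a
    out["priority"] = struct.unpack("!I", a[PRIORITY][0])[0] if PRIORITY in a else None
    # Both sides claiming the same role: the larger tie-breaker keeps its role, the other switches
    # (a controlling receiver that keeps its role answers 487 Role Conflict instead of a success).
    peer_controlling = ICE_CONTROLLING in a
    peer_tb = struct.unpack("!Q", a.get(ICE_CONTROLLING if peer_controlling else ICE_CONTROLLED, (b"\x00" * 8, 0))[0])[0]
    if peer_controlling != i_am_controlling:
        out["role"] = "ok"
    elif i_am_controlling:
        out["role"] = "487 Role Conflict" if my_tie_breaker >= peer_tb else "switch to controlled"
    else:
        out["role"] = "switch to controlling" if my_tie_breaker >= peer_tb else "487 Role Conflict"
    return out


ALICE_UFRAG, ALICE_PWD = "8hhY", "asd88fgpdd777uzjYhagZg"      # from the slides
BOB_UFRAG, BOB_PWD = "9uB6", "YH75Fviy6338Vbrhrlp8Yh"          # assumed

if __name__ == "__main__":
    req = build_check(BOB_UFRAG, ALICE_UFRAG, ALICE_PWD, 1694498815, True, 0x1234, True, txid=b"\x01" * 12)
    print(verify_check(req, ALICE_UFRAG, ALICE_PWD, False, 0x99))
```

Note that the sender signs with the receiver's password and the receiver verifies with its own: this is why the ice-pwd has to travel in the SDP and why a signalling path that strips or rewrites those attributes makes every check fail.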
Slide 27. RTP keepalives
  • Activated after 15 seconds without RTP
  • All agents MUST send NAT keepalives in every media stream
  • STUN Binding requests if the other side supports ICE
  • Otherwise RTP no-op, RTP comfort noise (CNG) or RTP with an incorrect version number (which is simply dropped)

Slide 28. IPv4 and IPv6
  • Candidates for both address families can be presented
  • The priority between them may be debated; it relates to the OS address-selection configuration (RFC 6724)

Slide 29. New SDP attributes
  • a=candidate
  • a=remote-candidates
  • a=ice-lite
  • a=ice-mismatch
  • a=ice-ufrag
  • a=ice-pwd
  • a=ice-options
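Reading those attributes back out of an SDP body, as an added example in Python for the "Re-invite?", "ICE SDP using STUN" and "New SDP attributes" slides (not code from the Edvina presentation). Besides parsing, it performs two checks an agent has to make: the ice-mismatch test an answerer applies to an incoming offer, and the "does the selected pair still match c=/m=" test that decides whether a re-INVITE is due. SLIDE_SDP is the SDP from the slides; the rewritten c= line and the selected pairs in the usage are constructed for the illustration.

```python
"""Added example for the 'Re-invite?', 'ICE SDP using STUN' and 'New SDP attributes' slides;
not code from the Edvina presentation. SLIDE_SDP is the slides' SDP; everything else used as
input is constructed."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

CANDIDATE_RE = re.compile(
    r"a=candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) (?P<priority>\d+) "
    r"(?P<ip>\S+) (?P<port>\d+) typ (?P<typ>\S+)(?: raddr (?P<raddr>\S+) rport (?P<rport>\d+))?"
)


@dataclass
class Candidate:
    foundation: str
    component: int
    transport: str
    priority: int
    ip: str
    port: int
    typ: str
    raddr: Optional[str] = None
    rport: Optional[int] = None


def parse_candidate(line: str) -> Candidate:
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed candidate line: {line!r}")
    g = m.groupdict()
    return Candidate(g["foundation"], int(g["component"]), g["transport"].upper(), int(g["priority"]),
                     g["ip"], int(g["port"]), g["typ"], g["raddr"], int(g["rport"]) if g["rport"] else None)


def parse_ice_sdp(sdp: str) -> Dict:
    """Collect the ICE attributes of the 'New SDP attributes' slide plus the default destination
    (c= address and m= port) of the single media stream in the slides' SDP."""
    info: Dict = {"ufrag": None, "pwd": None, "lite": False, "mismatch": False, "options": [],
                  "candidates": [], "remote_candidates": [], "c_addr": None, "m_port": None}
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("c=IN IP"):
            info["c_addr"] = line.split()[2]
        elif line.startswith("m="):
            info["m_port"] = int(line.split()[1])
        elif line.startswith("a=ice-ufrag:"):
            info["ufrag"] = line[len("a=ice-ufrag:"):]
        elif line.startswith("a=ice-pwd:"):
            info["pwd"] = line[len("a=ice-pwd:"):]
        elif line == "a=ice-lite":
            info["lite"] = True
        elif line == "a=ice-mismatch":
            info["mismatch"] = True
        elif line.startswith("a=ice-options:"):
            info["options"] = line[len("a=ice-options:"):].split()
        elif line.startswith("a=candidate:"):
            info["candidates"].append(parse_candidate(line))
        elif line.startswith("a=remote-candidates:"):
            f = line[len("a=remote-candidates:"):].split()      # triples: component, ip, port
            info["remote_candidates"] = [(int(f[i]), f[i + 1], int(f[i + 2])) for i in range(0, len(f), 3)]
    return info


def ice_mismatch(info: Dict) -> bool:
    """RFC 5245 section 5.1: the default destination in c=/m= must be one of the offer's own
    candidates. If it is not, something on the path (a NAT-fixing middlebox or a B2BUA that is not
    ICE aware) rewrote the SDP; the answerer then puts a=ice-mismatch in its answer and media falls
    back to the plain SDP addresses."""
    return not any(c.component == 1 and c.ip == info["c_addr"] and c.port == info["m_port"]
                   for c in info["candidates"])


def reinvite_needed(info: Dict, selected_local: Tuple[str, int]) -> bool:
    """The 'Re-invite?' slide: once a pair is selected, compare its local address with what the SDP
    promised in c=/m=; if they differ, send a re-INVITE whose new offer carries the selected pair."""
    return selected_local != (info["c_addr"], info["m_port"])


SLIDE_SDP = (
    "v=0\r\n"
    "o=jdoe 2890844526 2890842807 IN IP4 10.0.1.1\r\n"
    "s=\r\n"
    "c=IN IP4 192.0.2.3\r\n"
    "t=0 0\r\n"
    "a=ice-pwd:asd88fgpdd777uzjYhagZg\r\n"
    "a=ice-ufrag:8hhY\r\n"
    "m=audio 45664 RTP/AVP 0\r\n"
    "b=RS:0\r\n"
    "b=RR:0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host\r\n"
    "a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 10.0.1.1 rport 8998\r\n"
)

if __name__ == "__main__":
    info = parse_ice_sdp(SLIDE_SDP)
    print("ufrag", info["ufrag"], "candidates", len(info["candidates"]), "mismatch", ice_mismatch(info))
    print("re-INVITE needed if the host pair wins:", reinvite_needed(info, ("10.0.1.1", 8998)))
```

The mismatch test is the one to run when ICE calls "mysteriously" fall back to relayed or one-way media through a B2BUA: if the c= line no longer equals any candidate, the box in the middle rewrote the SDP without understanding ICE.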
Slide 30. ICE: pros and cons
  + Finds the best media path between two nodes
  + Supports IPv4 and IPv6 deployments
  + Binds SIP+SDP to the actual media
  + Used by Microsoft, Apple (FaceTime), Google+ Hangouts
  - Takes time at call setup
  - Hard for B2BUAs to support
  - Complex for developers

Slide 31. This material is part of the Edvina SIP Master Classes. Learn more about SIP 2012 at http://edvina.net/sip2012. The SIP Master Class.
