NSIS Working Group M. Martin
Internet-Draft M. Brunner
Expires: January 17, 2005 M. Stiemerling
NEC
July 19, 2004
SIP NSIS Interactions for NAT/Firewall Traversal
draft-martin-nsis-nslp-natfw-sip-01
Status of this Memo
This document is an Internet-Draft and is subject to all provisions
of section 3 of RFC 3667. By submitting this Internet-Draft, each
author represents that any applicable patent or other IPR claims of
which he or she is aware have been or will be disclosed, and any of
which he or she become aware will be disclosed, in accordance with
RFC 3668.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as
Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at http://
www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on January 17, 2005.
Copyright Notice
Copyright (C) The Internet Society (2004). All Rights Reserved.
Abstract
The NSIS NAT/FW NSLP provides traversal facilities for other
application layer protocols. This document describes the
interactions between SIP and NSIS signaling, to enable two NSIS aware
SIP end applications to communicate normally through a network of
NSIS Aware nodes, in a variety of NAT topologies.
Martin, et al. Expires January 17, 2005 [Page 1]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Problem Description . . . . . . . . . . . . . . . . . . . . . 4
3. NSIS Signaling for the Caller behind a NAT case . . . . . . . 6
4. NSIS Signaling for the Callee behind the NAT case . . . . . . 8
5. NSIS Signaling for the Caller and the Callee behind a NAT
case . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
6. Conclusions . . . . . . . . . . . . . . . . . . . . . . . . . 13
7. Security Considerations . . . . . . . . . . . . . . . . . . . 14
8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
8.1 Normative References . . . . . . . . . . . . . . . . . . . . 15
8.2 Informative References . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . 15
Intellectual Property and Copyright Statements . . . . . . . . 17
Martin, et al. Expires January 17, 2005 [Page 2]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
1. Introduction
The NSIS NAT/FW NSLP allows other application layer protocols to
establish tunnels through aribtrarily complex NAT and Firewall
network deployments. This means the applications themselves have to
know NSIS and its abilities, in order to request such tunnels at the
appropiate time, for the appropiate flows.
In the case of SIP, several parameters are to be taken into
consideration. The nature of the SIP signaling flow results in
precise slots where NSIS signaling should take place. This good
timing will allow us to minimize the creation of useless pinholes and
reduce the waiting times, both before and after the receiver has
accepted the SIP call.
This draft discusses the necessary interleaving between the SIP and
NSIS Signaling messages, in a combination of network topologies,
based on the presence of Middleboxes along the data path.
The draft is meant as a usage recommendation. As such, it starts
with a description of the problems, and a case by case solution
analysis, ended with a comparison of the obtained results and a final
flow recommendation
Martin, et al. Expires January 17, 2005 [Page 3]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
2. Problem Description
Figure 1 shows a typical network scenario. The Caller, from now on,
A, sits behind a NAT, with private IP 1, and has NAT as a gateway,
through the private address 2. The NAT has a public interface, with
address 3, and B (from now on, the Callee) awaits the call using the
public IP 4. Note how addresses prefixed with * (*1, *2) denote
private addresses which can not be reached from the internet unless a
NAT binding state is installed in the NAT. CA represents the instant
in which B accepts the call.
A(*1) (*2)NAT(3) B(4)
| | |
| #1 SIP INVITE | |
+-------------------->| |
| |----------------->|
| | |
| | #2 SIP Ringing |
| |<-----------------+
|<--------------------| |
| | |
| | #3 SIP OK |<-CA
| |<-----------------+
|<--------------------| |
| | |
| #4 SIP ACK | |
+-------------------->| |
| |----------------->|
| | |
| | |
|=====================| #5 DATA A->B |
| |=================>|
| | |
| | #6 DATA B->A |
| | ?<=============|
| | |
Figure 1: SIP signaling without NSIS
The message flow is described now using the message numbers in the
figure. The syntax "(U:V->X:Y): message" denotes a message from
address U (or box U), port V, towards address X (or box X), port Y,
with the literarily translated meaning "message"
#1 SIP INVITE (A:? -> B:SIP): I await data on *1, port x
Martin, et al. Expires January 17, 2005 [Page 4]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
This packet contains the information regarding what ports A will
expect to receive data on. Notice that the packet is being sent to
B, a public IP, with listening information regarding *1, a private IP
address. Notice also that A sends a packet from *1 towards 4, but it
is intercepted by the NAT, which changes the original address *1 for
3, and remembers the connection to reroute returning packets.
#2 SIP Ringing (B:SIP -> 2:?): Ringing B's phone
The ringing simply inplies that there's something SIP aware on B, and
that it's ringing B's phone. Notice that, from B's point of view,
the packet came from 2, and not from *1, and so, that's where it will
send it's reply. Still, that's the IP layer. The SIP layer will
still think that the adta must be sent to *1. When the packet
reaches 2, the NAT will remember the binding and change the
destination address back to *1. It will then forward the packet back
to *1.
#3 SIP OK (B:SIP -> 2:?): Call accepted, I listen on 4:y
This OK means that the user accepted the call. It also informs A on
where to send his data: towards 4:y. Note that now 4 is a public
address, so both the ip header address (4) and the application layer
address (also 4) are reachable.
4# SIP ACK (A:? -> B:SIP): All is fine, start transmitting.
ACK means the ports are accepted and the call can start in the
slected data ports on both sides.
5# DATA (A:? -> B:y) and 6# DATA (B:? -> *1:x): Voice,image, video..
This is the actual data being transmited. It is sent to the
addresseses specified in packets numer #1 abd #3, which means B is
trying to connect to a private address in #6. Either #6 will not be
routable to its destination, or will be sent to the private address,
but in B's private network. Either way, #5 succeeds but #6 never
arrives.
This simple example shows how the presence of a NAT breaks the data
flow and prevents SIP initiated sessions to succeed. Had the NAT
been on the receiver's side, we would not have known where to send
#1, as we would not know B's public address withouth the mediation of
a proxy. Still, even in the case of using a proxy, SIP does not
currently cover this situation.
Martin, et al. Expires January 17, 2005 [Page 5]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
3. NSIS Signaling for the Caller behind a NAT case
This section shows how the NAT/FW traversal NSLP can be used to
enable communications in the problem scenario of Section 2.
The following message flow shows the SIP-NSIS Interactions:
A(*1) (*2)NAT(3) B(4)
| | |
| #1 NSIS REA | |
+-------------------->| |
| #2 NSIS RETADDR | |
|<--------------------+ |
| | |
| #3 SIP INVITE | |
+-------------------->| |
| +----------------->|
| | |
| | #4 SIP Ringing |
| |<-----------------+
|<--------------------+ |
| | #5 NSIS CREATE |<-CA
| |<-----------------+
|<--------------------+ #6 SIP OK |
| |<-----------------+
|<--------------------+ |
| | |
| #7 NSIS Create | |
|-------------------->| |
| |----------------->|
| #8 SIP ACK | |
+-------------------->| |
| +----------------->|
| | |
|====================>| #9 DATA A->B |
| |=================>|
| | |
| | #10 DATA NAT<-B |
| #10 DATA A<-B |<=================|
|<====================| |
| | |
Figure 2: Caller behind a NAT
Because A wants to call B, it first sends a RESERVE-EXTERNAL-ADDRESS
(REA) NSIS message. If there is a NAT, as is the case, it will
Martin, et al. Expires January 17, 2005 [Page 6]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
reply with the allocated public address, using am NSIS RETADDR
RESPONSE message. If there was no NAT, A continues its normal
operation after a timeout. Normal SIP behavior follows, except that
the source address in the SIP INVITE packet has been changed by the
one provided by the NSIS RETADDR packet.
When B receives the SIP INVITE message, it assumes there might be
middleboxes in the path, so it tries to open a path by sending an
NSIS Create message to the address provided in the SIP INVITE which
is were it will eventually send the voice stream.
The NSIS CREATE message reaches the NAT and activates the state that
the NSIS RESERVE previously provided, and the message is forwarded
inside, in case there where other middleboxes that needed to be open.
At this stage, B might or might not want to wait for the NSIS success
RESPONSE message, issued by A as a reply to the NSIS CREATE. This
message is not shown in the figure.
Once the path has been created, normal SIP behavior follows, and the
communication succeeds.
This scheme scales to several middleboxes, since the NSIS REA
messages reserve states in all the middleboxes until an edge NAT is
encountered.
Martin, et al. Expires January 17, 2005 [Page 7]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
4. NSIS Signaling for the Callee behind the NAT case
For the callee to be able to receive calls, there has to be a SIP
Proxy that forwards the signaling messages from the public internet
into the private network. For this reason, it is a safe assumption
that A and B will be able to communicate signaling messages
independently of the scenario.
With that in mind, the scenario becomes practically symetrical to the
one with the caller behind a NAT. The message flow follows. Notice
that SIP messages ignore proxies, since they are routed through the
proxy, not shown in the diagram.
A(1) (2)NAT(*3) B(*4)
| | |
| #1 SIP INVITE | |
|---------------------o----------------->|
| | |
| | #2 SIP Ringing |
|<--------------------o------------------|
| | |<-CA
| | |
| | #3 NSIS REA |
| |<-----------------|
| | #4 NSIS RETADDR |
| |----------------->|
| | #5 NSIS CREATE |
| |<-----------------+
|<--------------------+ |
| | #6 SIP OK |
|<--------------------o------------------|
| | |
| #7 NSIS CREATE | |
|-------------------->| |
| |----------------->|
| | |
| #8 SIP ACK | |
|<--------------------o------------------|
| | |
| #9 DATA | |
|====================>| |
| |=================>|
| | |
| | #8 DATA |
| |<=================|
|<====================| |
| | |
Martin, et al. Expires January 17, 2005 [Page 8]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
Figure 3: Callee behind a NAT
Martin, et al. Expires January 17, 2005 [Page 9]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
5. NSIS Signaling for the Caller and the Callee behind a NAT case
Even though this case seems similar, or a simmple summation at least,
of the two previous cases, there are some specific issues that need
to be looked at carefully. We will start with the message flow, as a
prior step to the discussion. Again, notice that the SIP messages
reach A and B thanks to the SIP proxy that has to be installed at the
edge of the network. This proxy is not shown in the figure.
A(*1) (*2)NAT(3) (4)NAT(5*) B(*5)
| | | |
| #1 NSIS REA | | |
|-------------------->| | |
| #2 NSIS RETADDR | | |
|<--------------------| | |
| | | |
| #3 SIP INVITE | | |
|---------------------o------------------o---------------->|
| | | |
| | #4 SIP Ringing | |
|<--------------------o------------------o-----------------|
| | | |<-CA
| | | #5 NSIS REA |
| | |<----------------|
| | | #6 NSIS RETADDR |
| | |---------------->|
| | | #7 NSIS CREATE |
| | |<----------------|
| |<-----------------| |
|<--------------------| | |
| | | #9 SIP OK |
|<--------------------o------------------o-----------------|
| | | |
| #10 NSIS CREATE | | |
|-------------------->| | |
| |----------------->| |
| | |---------------->|
| #11 SIP ACK | | |
|---------------------o------------------o---------------->|
| | | |
| #12 DATA | | |
|====================>| | |
| |=================>| |
| | |================>|
| | | #13 DATA |
| | |<================|
Martin, et al. Expires January 17, 2005 [Page 10]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
| |<=================| |
|<====================| | |
| | | |
Figure 4: Caller and Callee behind a NAT
Everything works as expected, but there is a hidden pitfall in the
above diagram: When A first makes its reservation, it does not know
where to send that packet. If the objective is to get out of the
NAT, any public IP would do, but that might lead to route
optimization problems in certain scenarios
Let's consider the scenario in Figure 5, where A is in a multihomed
network that can access the internet through different NATs:
+--------------+
| Remote Proxy |
| Server |
+--------------+
| |
| |
******************* | | ********************
* Network A * | | * Network B *
* +-------+ | | +-------+ *
* /---->| Proxy |----/ \-->| Proxy |---\ *
+------+ +---+ +-------+ +-------+ +---+ *
| NAT2 | | A | * * | B | *
+------+ +---+ +-------+ +-------+ +---+ *
* \=====| NAT1 |<============| NAT1' |===/ *
* +-------+ +-------+ *
* * * *
******************* *********************
---- : SIP Signalization
==== : NSIS Signaling and Data transfer
Figure 5: Optimization scenario
The figure shows the route that the SIP packets will follow, through
the SIP proxies, and the optimal route for the DATA arriving at A,
which is from NAT1' to NAT. This would be the case if the NSIS REA
message had originally gone out NAT1, because the public address
would be allocated there.
On the other hand, if the NSIS REA mesage went out NAT2, the
Martin, et al. Expires January 17, 2005 [Page 11]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
communication paths would become:
+--------------+
| Remote Proxy |
| Server |
+--------------+
| |
| |
******************** | | *********************
* * | | * *
* +-------+ | | +-------+ *
* /-----| Proxy |--/ \--->| Proxy |---\ *
+------+ +---+ +-------+ +-------+ +---+ +-------+
| NAT2 |---| A | * * | B | | NAT2' |
+------+ +---+ +-------+ +-------+ +---+ +-------+
= * \=====| NAT1 | ====| NAT1' |===/ *
= * +-------+ = +-------+ *
= * * = * *
= ******************** = **********************
= =
====================================
---- : SIP Signalization
==== : NSIS Signaling and Data transfer
Figure 6: Sub optimal route
This comes to show that the "Blind shot" that A performs when first
reserving the address has a severe impact on the choosen path in
multihomed scenarios, and might lead to longer or less efficient
routes.
If we assume that routers are able to calculate the most optimal
routes, then the solution is in sending the NSIS REA message on the
path to B, but that is unkown at that moment. Still, we do have the
SIP Proxy of B. Note that this would be the first Via Header in the
SIP OK message, since there is no way we can communicate with B if
there is not a SIP Proxy in its network.
Thus, by pointing the NSIS REA message towards B, we have a pretty
good assurance that the optimal path (as calculated by the routers)
will be chosen.
Martin, et al. Expires January 17, 2005 [Page 12]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
6. Conclusions
This draft proposes the mechanisms required to use SIP with NSIS, in
order to enable the communication through scenarios with obstructing
Middleboxes.
Although further analisys is still required to fine tune this
interactions, a first valuable result arises: the use of the SIP
Proxy as a target for NSIS REA messages is very likely to aid in the
coice of the optimal route in the multihomed scenario.
Martin, et al. Expires January 17, 2005 [Page 13]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
7. Security Considerations
The NAT/Firewall traversal NSLP deals with very security sensitive
issues, and a good security infrastructure is required. An
evaluation of the possible threads can be found in [1] and a securit
proposal is available at [3].
Martin, et al. Expires January 17, 2005 [Page 14]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
8. References
8.1 Normative References
[1] Tschofenig, H. and D. Kroeselberg, "Security Threats for NSIS",
DRAFT draft-ietf-nsis-threats-05.txt, June 2004.
8.2 Informative References
[2] Tschofenig, H., Buechli, M., Van den Bosch, S. and H.
Schulzrinne, "NSIS Authentication, Authorization and Accounting
Issues", draft-tschofenig-nsis-aaa-issues-01 (work in progress),
March 2003.
[3] Martin, M., Brunner, M., Stiemerling, M., Girao, J. and C. Aoun,
"A NAT/Firewall NSLP security infrastructure", DRAFT
draft-martin-nsis-nslp-natfw-security-01.txt, February 2004.
[4] Stiemerling, M., Tschofenig, H., Martin, M. and C. Aoun, "A NAT/
Firewall NSIS Signaling Layer Protocol (NSLP)", DRAFT
draft-ietf-nsis-nslp-natfw-03.txt, July 2004.
Authors' Addresses
Miquel Martin
Network Laboratories, NEC Europe Ltd.
Kurfuersten-Anlage 36
Heidelberg 69115
Germany
Phone: +49 (0) 6221 905 11 16
EMail: miquel.martin@netlab.nec.de
URI:
Marcus Brunner
Network Laboratories, NEC Europe Ltd.
Kurfuersten-Anlage 36
Heidelberg 69115
Germany
Phone: +49 (0) 6221 905 11 29
EMail: brunner@ccrle.nec.de
URI: http://www.brubers.org/marcus
Martin, et al. Expires January 17, 2005 [Page 15]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
Martin Stiemerling
Network Laboratories, NEC Europe Ltd.
Kurfuersten-Anlage 36
Heidelberg 69115
Germany
Phone: +49 (0) 6221 905 11 13
EMail: stiemerling@netlab.nec.de
URI:
Martin, et al. Expires January 17, 2005 [Page 16]
Internet-Draft NAT/FW NSLP SIP Operations July 2004
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2004). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Martin, et al. Expires January 17, 2005 [Page 17]