SIPPING Working Group S. Sen
Internet Draft F. Audet
F Meijer
C. Aoun
Category: Informational Nortel Networks
Expires on March 2003 Sept 2002
Identifying Intra-realm Calls using STUN
<draft-sen-sipping-intrarealm-stun-00.txt>
Status of this Memo
This document is an Internet-Draft and is in full conformance
with all provisions of Section 10 of RFC2026.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as
reference material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
Abstract
This draft proposes the use of STUN to determine whether two communicating
endpoints are in the same realm. This draft describes the use of STUN in a peer-
to-peer fashion between endpoints during call set-up. The call set-up may proceed
in parallel with the STUN messaging, allowing the peers to initially exchange
media using their public IP addresses. If the peers are in the same realm, then
the media is switched to the private IP addresses using a SIP UPDATE or a SIP
reINVITE SDP offer-answer exchange. With this proposal, media flows are kept
within the same addressing realm whenever possible, thus avoiding certain network
intermediaries and reducing bandwidth requirements on external links into the
realm.
1 Introduction
This draft proposes the use of [STUN] to identify if two communicating endpoints
are in the same realm. Using this proposal, media flows are kept within the same
Sen [Page 1]
Internet Draft draft-sen-sipping-intrarealm-00.txt Sept 2002
addressing realm whenever possible, thus avoiding usage of certain network
intermediaries and reducing bandwidth requirements on external links into the
realm. In a typical usage of STUN without the implementation of this proposal, two
endpoints behind a NAT would send their media through the NAT even in the scenario
where there is a direct path. This requires that the NAT loop back the media
packets. This loop back approach is an inefficient use of resources and it may not
be supported by all types of NATs. Thus, a simple, scalable and secure mechanism
at the endpoints to detect this direct connectivity is required. This draft
describes how STUN can be used in a peer-to-peer fashion along with the SIP session
setup to detect intra-realm sessions.
1.1 Applicability
The solution applies to the simple topology where there are one or more
NATs between the endpoints that do not share a common root NAT. A more
general case, typical of many cable service providers, is when the clients
are behind NATs that are all connected to a NAT in the service provider
network. The solution for this general case is NOT addressed by this memo.
2 Conventions used in this document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC-2119.
3 Terminology Used
Middle Box - refer to the terminology used in [FRMWRK]
Tromboning: The NAT loops back packets sent from a client addressed to the
public address of another client in the same realm behind the NAT
4 Motivation
Figure 1 shows a complex partitioned intranet in a large Enterprise. Users at
finance.us.x.com and finance.europe.x1.com are connected through the intranet
and does not have to traverse the NATÆs (MB1 and MB4 in Fig 1). Similarly,
calls between eng.europe.x.com and finance.europe.x1.com can be routed
directly, instead of going through MB4 and MB3. In a more traditional use of
STUN, users in finance.us.x.com would contact an external STUN server and
receive a public address at the NAT MB1. The users in finance.europe.x1.com
will similarly receive its public address on NAT MB4. The packets will be
exchanged using these public addresses through the Internet although there is
a direct path between the endpoints. This will generally lead to QoS
degradation, unnecessarily overload the middleboxes and/or involve an
intermediary when one is not required.
+++++++++++++++++++ ++++++++++++++++ +++++++
+finance.us.x.com + + +
+ + + Internet +----STUN Server 1
Sen Informational - Expires March 2003 [Page 2]
Internet Draft draft-sen-sipping-intrarealm-00.txt Sept 2002
+ ++++++ + +
+ +MB1 +-----+ +
+ ++++++ + +
+++++++++++++++++++ + +-----STUN server n
| ++++++++++++++++ +++++++
| / |
| / |
| ++++++++++++++++++ |
| + +MB3+ + |
| + +++++ + |
| +eng.europe.x.com+ |
| + + |
| ++++++++++++++++++ |
| | | |
+++++++++++++ ++++++++++++++++++++++++++++
+ x.com + + +MB4+ +
+ Intranet + + +++++ +
+ +---+ +
+++++++++++++ + finance.europe.x1.com +
+++++++++++++++++++++++++++
Figure 1.
In case of a session between users behind the same Middlebox, the packets
exchanged between the two endpoints need to be looped back by the
Middlebox. This feature is called ætromboningÆ and is not supported by all
types of NATÆs. Therefore, if the Middlebox does not support tromboning, a
Middlebox traversal solution based on STUN will fail.
It is of advantage, in the above scenarios, for the media endpoints to
automatically detect whether there is any direct connectivity between them.
5 Solution
The solution requires the endpoints to support both STUN client and server.
The STUN server at the endpoints need to listen at address and port that is
bound to its publicly advertised media address and port. The endpoints will
exchange STUN probes in a peer-to-peer fashion before the media session is
established to discover if there is any direct connectivity between them.
The mechanism is illustrated with an example for user A establishing a
session with user B using SIP (please refer to Fig 2 for an example flow).
The same methodology could be done with other application protocols.
1) User A sends a SIP INVITE [Fig 2-(1)] with a Require: header with a new
option tag ôconndetect-stunö. It is assumed that the INVITE contains an SDP
carrying the public address and port (Pub-A) at which A wants to receive
media.
2) Upon receipt of AÆs SDP, B sends two STUN BINDING_REQUEST messages to
Pub-A. One of the BINDING_REQUEST messages will have its RESPONSE-ADDRESS
Sen Informational - Expires March 2003 [Page 3]
Internet Draft draft-sen-sipping-intrarealm-00.txt Sept 2002
attribute set to the private IP address and port at B (Pvt-B) [Fig 2-(3)].
This is the private address/port at which B wishes to receive media. The
other BINDING_REQUEST message MUST NOT contain a RESPONSE-ADDRESS attribute
[Fig 2-(2)]. The two messages MUST contain different transaction IDs.
3) User A will respond to both the BINDING_REQUEST messages in the order
that they are received [Fig 2-(4), Fig 2-(5)]. The BINDING_RESPONSE message
in response to the request containing the RESPONSE_ADDRESS will be sent to
the address Pvt-B [Fig 2-(5)].
4) Based on the network connectivity between the two users, user B receives
either (a) 2 BINDING_RESPONSES, or (b) 1 BINDING_RESPONSE, or (c) no
BINDING_RESPONSE.
Case (a) will happen when both users A and B are behind the same NAT and
the NAT supports tromboning.
Case (b) will happen when the users are in different realms (behind
different NATÆs).
Case (c) can happen only if the two users are behind the same NAT and the
NAT does not support tromboning.
If user B does not receive any BINDING_RESPONSE message then the
retransmission mechanism in [STUN] is invoked. If no BINDING_RESPONSE is
received, client B concludes that A and B are in the same realm.
ISSUE: The real-time implication for this procedure needs to be further
evaluated based on real network deployments. Are there any scenarios
where this conclusion may not be correct?
If the first BINDING_RESPONSE is received and it matches the transaction id
of the BINDING_REQUEST that carried the RESPONSE-ADDRESS parameter, then B
concludes that A and B are in the same realm and goes to step 5. If the
transaction id of the first received BINDING_RESPONSE message matches that
of the request not carrying the RESPONSE-ADDRESS parameter, client B waits
for a timer period TNEXT (TBD) for the second BINDING_RESPONSE message. If
B receives the second BINDING_RESPONSE message within this period, it
concludes that the peer is in the same realm. If TNEXT expires, then it
concludes that A and B are in different realms (behind different NATÆs).
ISSUE: In case the endpoints are behind the same NAT and the NAT doesnÆt
support tromboning, then media packets will be lost until the direct
connectivity is detected and the endpoint addresses are updated. The
value of TNEXT will be motivated, in this scenario, by how long the users
will typically wait before they decide to terminate the session.
5) If user B determines (using the procedures in step 4) that its peer
(user A) is in the same realm, then it sends an UPDATE [Fig 2-(8)] message
(or a reINVITE, as appropriate) containing the private IP address and port
at which it wants to receive media
6) User A, on receiving an SDP from B (e.g., either in 18x or 200 OK
response to INVITE) [Fig 2-(6)], performs the exact same procedures [Fig 2-
(7)] as B does in steps 2 to 5 to determine direct connectivity. If user A
Sen Informational - Expires March 2003 [Page 4]
Internet Draft draft-sen-sipping-intrarealm-00.txt Sept 2002
determines that B and A are in the same realm, then it responds differently
based on whether it has received an UPDATE (or reINVITE) from B, as
follows:
I) If A has received an UPDATE (or reINVITE) from B, then it
responds with 200 OK [Fig 2-(9)] specifying its private IP
address/port in the same m= line and c= line in the SDP where it
had originally specified a public address/port. A continues to
listen to its private address/port for the media.
II) If A have not received an UPDATE (or reINVITE) from B, then it
sends an UPDATE (or reINVITE) to B specifying its private IP
address/port in the same m= line and c= line in the SDP where it
had originally specified a public address/port. A continues to
listen to its private address/port for the media.
When any of the users receives an SDP offer (or SDP answer) with a new
address/port for the media, it MUST start sending media to this updated
address/port.
7) The original INVITE transaction is ended by an ACK [Fig 2-(10)] and
media transmission begins.
NOTES-1) All the steps described above are not sequential. For example, A
can begin its intra-realm determination right after it receives a 200OK or
18x message containing an SDP from B, almost simultaneously to BÆs
determination of the same (step 4).
NOTES-2) The endpoints can start exchanging media through their publicly
addressed IP address/port after the dialog (or early dialog) is established
(e.g., after the INVITE/200OK or INVITE/18x exchange). After the
connectivity detection takes place, the endpoints are expected switch to
the new destination addresses.
6 An Example Call Flow
Scenario: The users are in the same realm and NAT supports tromboning
UAC / UAS / NAT
STUN client/server STUN client/server
private=10.0.1.1 private=10.0.2.2
public=1.2.3.4 public=1.2.4.5
| | |
|(1) INVITE | |
|Require:conndetect-stun |
|rtp=1.2.3.4:5679 | |
| | |
|------------------>| |
| | |
| |(2) STUN Bind Req |
| |src=10.0.2.2:5306 |
| |dest=1.2.3.4:5679 |
| |------------------>|
| |(2) STUN Bind Req |
| |src=1.2.4.5:5300 |
| |dest=10.0.1.1:5600 |
Sen Informational - Expires March 2003 [Page 5]
Internet Draft draft-sen-sipping-intrarealm-00.txt Sept 2002
|<--------------------------------------|
| | |
| | |
| |(3) STUN Bind Req |
| |src=10.0.2.2:5306 |
| |dest=1.2.3.4:5679 |
| |Response_addr=10.0.2.2:5306
| |------------------>|
| |(3) STUN Bind Req |
| |src=1.2.4.5:5300 |
| |dest=10.0.1.1:5600 |
| |Response_addr=10.0.2.2:5306
|<--------------------------------------|
| | |
| | |
| (4) STUN Resp. | |
| src=10.0.1.1:5600 | |
| dst=1.2.4.5:5300 | |
| Mapped_Addr=1.2.4.5:5300 |
|-------------------------------------->|
| | |
| |(4) STUN Resp. |
| | src=1.2.3.4:5679 |
| | dst=10.0.2.2:5306 |
| | Mapped_Addr=1.2.4.5:5300
| |<------------------|
| | |
| (5) STUN Resp. | |
| src=10.0.1.1:5600 | |
| dst=10.0.2.2:5306 | |
| Mapped_Addr=1.2.4.5:5300 |
|------------------>| |
| | |
|(6) 200 OK | |
|rtp=1.2.4.5:6000 | |
|<------------------| |
| | |
|----> (7) | |
| | |
| (8) UPDATE | |
| rtp=10.0.2.2:5306 |
|<------------------| |
| | |
| (9) 200 OK | |
| rtp=10.0.1.1:5600 |
|------------------>| |
|(10) ACK | |
|------------------>| |
| | |
|<=================>| |
media
Sen Informational - Expires March 2003 [Page 6]
Internet Draft draft-sen-sipping-intrarealm-00.txt Sept 2002
Figure 2.
7 References
[FRMWRK] Srisuresh, Kuthan, Rosenberg, Molitor, Rayhan,
"MIDCOM Architecture & Framework",
RFC 3303
[STUN] Rosenberg,Weinberger,Huitema,Mahy,
"STUN - Simple Traversal of UDP Through NATs",
Internet draft, draft-rosenberg-midcom-stun-02.txt
[OA] RFC 3264, ôAn Offer/Answer Model with SDPö
8 Acknowledgments
The author would like to thank the following people for their useful
comments and suggestions related to this draft:
9 Authors' Address
{sanjoy, audet, meijer, aoun}@nortelnetworks.com
10 Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
intellectual property or other rights that might be claimed to pertain to
the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; neither does it represent that it
has made any effort to identify any such rights. Information on the
IETF's procedures with respect to rights in standards-track and
standards-related documentation can be found in BCP-11. Copies of
claims of rights made available for publication and any assurances
of licenses to be made available, or the result of an attempt made
to obtain a general license or permission for the use of such
proprietary rights by implementors or users of this specification
can be obtained from the IETF Secretariat.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights which may cover technology that may be required to practice
this standard. Please address the information to the IETF Executive
Director.
11 Full Copyright Statement
Copyright (C) The Internet Society (2000). All Rights Reserved.
Sen Informational - Expires March 2003 [Page 7]
Internet Draft draft-sen-sipping-intrarealm-00.txt Sept 2002
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it
or assist in its implementation may be prepared, copied, published
and distributed, in whole or in part, without restriction of any
kind, provided that the above copyright notice and this paragraph
are included on all such copies and derivative works. However, this
document itself may not be modified in any way, such as by removing
the copyright notice or references to the Internet Society or other
Internet organizations, except as needed for the purpose of
developing Internet standards in which case the procedures for
copyrights defined in the Internet Standards process must be
followed, or as required to translate it into languages other than
English. The limited permissions granted above are perpetual and
will not be revoked by the Internet Society or its successors or
assigns. This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT
THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A
PARTICULAR PURPOSE."
Sen Informational - Expires March 2003 [Page 8]