Changes between Version 1 and Version 2 of NAT_Routers_Issues


Timestamp:
Nov 12, 2008 12:06:06 PM (11 years ago)
Author:
bennylp
Comment:

--

  • NAT_Routers_Issues

    v1 v2  
    66=== Inspection and Modification of SIP/SDP Messages === 
    77 
    8 Some routers inspect and modify SIP/SDP message content in its naive attempt to assist NAT traversal. Parts of the SIP/SDP message elements that the router modifies include the Via and Contact header, and SDP c= and m= lines. Some router even goes further with doing what seems to be simple text search/replace, replacing all occurrences of private IP address/port in SIP/SDP message with the public IP address/port. 
     8Some routers inspect and modify SIP/SDP message content in its naive attempt to assist NAT traversal. Parts of the SIP/SDP message elements that the router modifies include the Via and Contact header, and SDP c= and m= lines. Some router goes even further with doing what seems to be simple text search/replace operation, replacing all occurrences of private IP address/ports in SIP/SDP message with the public IP address/port. 
    99 
    1010This behavior may break ICE offer/answer negotiation. If the router replaces the default candidate with IP address/port which is not listed in the candidate list in SDP, remote callee will reject ICE offer with ice-mismatch, and ICE negotiation will not take place. 
    1111 
    1212 
    13 == Known Router Brands == 
     13=== Wrong forwarding to internal address === 
     14 
     15Some routers are known to forward inbound UDP packet (from public interface) to wrong port number of the (internal) host. This could well be caused by multiple/simultaneous outgoing UDP packets confusing the NAT, causing it to forward the inbound response to the wrong port (not the port where the original outbound request was sent from). 
     16 
     17One sample scenario happened when the client is resolving multiple UDP sockets with STUN simultaneously. Each of these socket sent STUN Binding request to the STUN server, and although the STUN server has responded to each request correctly, some of the sockets did not get the STUN Binding response since the NAT router forwarded the response to wrong port number of the host (not the port number where the original STUN request was sent from). This caused STUN resolution to fail for these sockets. 
     18 
     19 
     20=== Immediate binding remapping of SIP address === 
     21 
     22The router immediately changes the public map of an internal SIP UDP address after STUN resolution is performed on other client sockets. 
     23 
     24Scenario: 
     25 1. SIP registration is done against the server, and this gets port number N. 
     26 1. Some STUN resolutions are done on other UDP ports, e.g. for the RTP/RTCP sockets. 
     27 1. Short moments later, when the client sends INVITE request to the server, the server will see the INVITE request coming from different port number than it previously saw (in one case, it's port number N+1). 
     28 
     29 
     30 
     31== Known Behavior of Some Router Brands == 
    1432 
    1533=== Belkin Wireless ADSL Router === 
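
Review bot: The two added sections, "Wrong forwarding to internal address" and "Immediate binding remapping of SIP address" (v2 lines 13-27), record the symptom but not which router or firmware showed it, while the Belkin entry that follows gives region, firmware version and base type. Suggest naming the affected device in each section or adding matching entries under "Known Behavior of Some Router Brands" so a reader can tell whether their equipment is covered. Step 3 of the remapping scenario stops at the observation that the server sees the INVITE from a port other than N; say what fails as a result. On the rewritten v2 line 8, "Some router goes even further" and "in its naive attempt" should agree in number with "Some routers" ("Some routers go", "their naive attempt").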
     
    1735|| Reported in: || UK || 
    1836|| Version: || Firmware: 6.01.06 (Jun 7 2006 20:25:29), boot version: 0.70.2v6, hardware: 01 || 
     37|| Base type: || Full cone || 
    1938 
    2039 '''Inspects and modifies SIP/SDP messages''':: 
    21  This router inspects and modifies SIP/SDP messages if the outer address is port 5060. 
     40 This router inspects and modifies SIP/SDP messages if the outer address is UDP port 5060. 
    2241
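
Review bot: On v2 line 40, "if the outer address is UDP port 5060" is still ambiguous about which side the port belongs to: the destination port of the outbound packet, or the client's source port. Adding "UDP" narrows the transport but not the direction, and that determines whether moving the client or the server off 5060 avoids the rewriting. Suggest stating the direction explicitly. The new "Base type: Full cone" row on v2 line 37 would also benefit from a note on how the type was determined, since the section above describes this class of router changing its mappings after STUN resolution.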