Changes between Version 3 and Version 4 of NAT_Routers_Issues


Timestamp:
Nov 12, 2008 3:31:54 PM (11 years ago)
Author:
bennylp
Comment:

--

  • NAT_Routers_Issues

    v3 v4  
    11= Issues with NAT/Routers = 
    22 
    3 Lets use this page to document peculiar things that NAT/routers do when it comes to processing SIP/STUN messages. 
     3Lets use this page to document ~~nasty~~peculiar things that NAT/routers do when it comes to processing SIP/STUN messages.  
    44 
    55== Behavior Classification == 
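Review bot: "Lets" at the start of the reworded sentence on line 3 is missing its apostrophe; since the line is being edited anyway, change it to "Let's use this page to document ..." in the same revision.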
     
    2020=== Immediate binding remapping of SIP address === 
    2121 
    22 The router immediately changes the public map of an internal SIP UDP address after STUN resolution is performed on other client sockets. 
     22The router immediately changes the public map of an internal SIP UDP address after some STUN resolutions are performed on other client sockets. 
    2323 
    2424Scenario: 
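Review bot: "some STUN resolutions" on new line 22 leaves the trigger unquantified, so a reader cannot tell whether one resolution on another socket is enough to cause the remapping or whether it takes several. State the number of resolutions (or the interval) that was observed, or say explicitly that the exact sequence is the one given under "Scenario:" below.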
     
    3131== Known Behavior of Some Router Brands == 
    3232 
     33This is not wall of shame! :) 
     34 
    3335=== Belkin Wireless ADSL Router === 
    3436 
    3537|| Reported in: || UK || 
     38|| Reported by: || Benny Prijono || 
    3639|| Version: || Firmware: 6.01.06 (Jun 7 2006 20:25:29), boot version: 0.70.2v6, hardware: 01 || 
    3740|| Base type: || Full cone || 
    3841 
    39  '''Inspects and modifies SIP/SDP messages''':: 
    40  This router inspects and modifies SIP/SDP messages if the outer address is UDP port 5060. It seems to do simple text search/replace against SIP/SDP message elements, replacing all occurrences of private IP address/port with the corresponding public/mapped IP address/port. It seems to recognize SIP and SDP message structure. 
     42 '''Inspects and modifies SIP messages''':: 
     43 When STUN is not used, the router modifies the (private) IP addresses/ports in Via and Contact headers of outgoing REGISTER request to the public address/port mapping of the SIP socket, and translates these addresses back to private IP addresses/ports in the REGISTER response. When STUN is used and public IP addresses are specified in Via/Contact headers of REGISTER request, there don't seem to be any modifications done by the router. 
    4144 
    42  This behavior can be stopped by changing the destination/public server port to port number other than 5060, or by using TCP. 
     45 '''Inspects and modifies SDP''':: 
     46 The router modifies the (private) IP addresses in SDP c= line, and port number in SDP m= line. In addition, it also modifies the private IP address in a=rtcp attribute to the public IP address, but it doesn't modify the port number on this attribute (the port number stays private). It also replaces the private IP addresses of the ICE host candidate in ICE a=candidate attribute to the public IP address, but as with a=rtcp attribute, it doesn't modify the port number of the host candidate. This will make ICE offer/answer negotiation fails with ice-mismatch. 
    4347 
     48 Interestingly, it doesn't seem to modify the private IP address in ICE host candidate when STUN is enabled. Perhaps the router has a heuristic to disable IP mangling when it sees the SDP contains parts with public IP address in it (which indicates that the client is NAT aware). 
     49 
     50 Below is the SDP as sent by client and as received by server, when STUN is '''not''' used: 
     51 
     52 {{{ 
     53v=0 
     54o=- 3435482710 3435482710 IN IP4 192.168.0.15 
     55s=pjmedia 
     56c=IN IP4 192.168.0.15 
     57t=0 0 
     58a=X-nat:0 
     59m=audio 3160 RTP/AVP 118 0 8 119 120 101 
     60a=rtcp:3161 IN IP4 192.168.0.15 
     61a=rtpmap:118 iLBC/8000 
     62a=fmtp:118 mode=30 
     63a=rtpmap:0 PCMU/8000 
     64a=rtpmap:8 PCMA/8000 
     65a=rtpmap:119 AMR/8000 
     66a=rtpmap:120 AMR-WB/16000 
     67a=sendrecv 
     68a=rtpmap:101 telephone-event/8000 
     69a=fmtp:101 0-15 
     70a=ice-ufrag:4fdc3f4e 
     71a=ice-pwd:03476f5f 
     72a=candidate:H 1 UDP 39 192.168.0.15 3160 typ host 
     73a=candidate:H 2 UDP 38 192.168.0.15 3161 typ host 
     74 }}} 
     75 
     76 {{{ 
     77v=0 
     78o=- 3435482710 3435482710 IN IP4 81.178.58.134 
     79s=pjmedia 
     80c=IN IP4 81.178.58.134 
     81t=0 0 
     82a=X-nat:0 
     83m=audio 3176 RTP/AVP 118 0 8 119 120 101 
     84a=rtcp:3161 IN IP4 81.178.58.134 
     85a=rtpmap:118 iLBC/8000 
     86a=fmtp:118 mode=30 
     87a=rtpmap:0 PCMU/8000 
     88a=rtpmap:8 PCMA/8000 
     89a=rtpmap:119 AMR/8000 
     90a=rtpmap:120 AMR-WB/16000 
     91a=sendrecv 
     92a=rtpmap:101 telephone-event/8000 
     93a=fmtp:101 0-15 
     94a=ice-ufrag:4fdc3f4e 
     95a=ice-pwd:03476f5f 
     96a=candidate:H 1 UDP 39 81.178.58.134 3160 typ host 
     97a=candidate:H 2 UDP 38 81.178.58.134 3161 typ host 
     98 }}} 
     99 
     100 And below is the SDPs as sent by client and as received by server when STUN '''is''' used: 
     101 
     102 {{{ 
     103v=0 
     104o=- 3435482833 3435482833 IN IP4 81.178.58.134 
     105s=pjmedia 
     106c=IN IP4 81.178.58.134 
     107t=0 0 
     108a=X-nat:5 
     109m=audio 3174 RTP/AVP 118 0 8 119 120 101 
     110a=rtcp:3175 IN IP4 81.178.58.134 
     111a=rtpmap:118 iLBC/8000 
     112a=fmtp:118 mode=30 
     113a=rtpmap:0 PCMU/8000 
     114a=rtpmap:8 PCMA/8000 
     115a=rtpmap:119 AMR/8000 
     116a=rtpmap:120 AMR-WB/16000 
     117a=sendrecv 
     118a=rtpmap:101 telephone-event/8000 
     119a=fmtp:101 0-15 
     120a=ice-ufrag:7c334999 
     121a=ice-pwd:32960288 
     122a=candidate:S 1 UDP 31 81.178.58.134 3174 typ srflx raddr 192.168.0.15 rport 3174 
     123a=candidate:H 1 UDP 23 192.168.0.15 3174 typ host 
     124a=candidate:S 2 UDP 30 81.178.58.134 3175 typ srflx raddr 192.168.0.15 rport 3175 
     125a=candidate:H 2 UDP 22 192.168.0.15 3175 typ host 
     126 }}} 
     127 
     128 {{{ 
     129v=0 
     130o=- 3435482833 3435482833 IN IP4 81.178.58.134 
     131s=pjmedia 
     132c=IN IP4 81.178.58.134 
     133t=0 0 
     134a=X-nat:5 
     135m=audio 3174 RTP/AVP 118 0 8 119 120 101 
     136a=rtcp:3175 IN IP4 81.178.58.134 
     137a=rtpmap:118 iLBC/8000 
     138a=fmtp:118 mode=30 
     139a=rtpmap:0 PCMU/8000 
     140a=rtpmap:8 PCMA/8000 
     141a=rtpmap:119 AMR/8000 
     142a=rtpmap:120 AMR-WB/16000 
     143a=sendrecv 
     144a=rtpmap:101 telephone-event/8000 
     145a=fmtp:101 0-15 
     146a=ice-ufrag:7c334999 
     147a=ice-pwd:32960288 
     148a=candidate:S 1 UDP 31 81.178.58.134 3174 typ srflx raddr 192.168.0.15 rport 3174 
     149a=candidate:H 1 UDP 23 192.168.0.15 3174 typ host 
     150a=candidate:S 2 UDP 30 81.178.58.134 3175 typ srflx raddr 192.168.0.15 rport 3175 
     151a=candidate:H 2 UDP 22 192.168.0.15 3175 typ host 
     152 }}} 
     153 
     154 
     155This behavior can be bypassed by changing the destination/public server port to port number other than 5060, or by using TCP. 
     156
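Review bot: the rewritten Belkin entry no longer states the trigger condition that old line 40 had ("if the outer address is UDP port 5060"), yet the closing line 155 still depends on it when it recommends a port other than 5060 or TCP. Restate that condition in the "Inspects and modifies SIP messages" paragraph on line 43 so the workaround follows from the description. Line 155 also appears, as rendered here, without the leading indent the other body lines have, which would put it outside both definition bodies; indent it or say that it applies to both the SIP and the SDP rewriting. The four {{{ }}} blocks are introduced only in pairs ("as sent by client and as received by server"), so label each block individually; in the non-STUN pair it is worth pointing out that the server-side copy has m=audio 3176 while a=rtcp and the host candidates keep ports 3161 and 3160/3161, since that is the mismatch line 46 describes. The STUN pair is identical on both sides, so one block with a sentence saying it arrived unmodified would be enough. Minor: "This will make ICE offer/answer negotiation fails" on line 46 should read "fail".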