Snom 4S NAT Filter User manual
snom 4S NAT Filter
Admin Manual
snom 4S
NAT Filter
Version 2.05
snom technology AG • 3
snom 4S NAT Filter Version 2.05
© 2004 snom technology Aktiengesellschaft. All Rights Reserved.
This document is supplied by snom technology AG for information purposes only to licensed
users of the snom 4S NAT lter and is supplied on an “AS IS” basis, that is, without any
warranties whatsoever, express or implied.
Information in this document is subject to change without notice and does not represent any
commitment on the part of snom technology AG. The software described in this document
is furnished under a license agreement and may be used only in accordance with the terms
of that license agreement. It is against the law to copy or use this software except as
specically allowed in the license. No part of this document may be reproduced, republished
or retransmitted in any form or by any means whatsoever, whether electronically or
mechanically, including, but not limited to, by way of photocopying, recording, information
recording or through retrieval systems, without the express written permission of snom
technology AG.
Legal Disclaimer
snom offers the software described in this manual for both open source operating systems
as well as licensed operating systems. Whenever software that has been used under GPL
or LGPL licensing conditions has been used by this product you can download the sources
from http://www.snom.com/downlad/gpl/snom_ossdk or purchase a disc from snom for a
nominal fee under the ordering code snom SDK CD.
snom technology AG • 3
Table of Contents
1 Overview ..........................................................5
1.1 Applications ...................................................................... 5
1.2 Features ........................................................................... 6
2 Architecture .....................................................7
2.1 The NAT Filter and SIP........................................................ 7
2.2 NAT ................................................................................. 8
2.2.1 How does NAT work?......................................................................................................................................................... 8
2.2.2 Symmetrical RTP ..................................................................................................................................................................... 9
2.2.3 Signalling SIP ............................................................................................................................................................................... 9
2.2.4 Media RTP...................................................................................................................................................................................... 10
2.2.5 Classication of User Agents.............................................................................................................................. 10
2.2.6 Probing Media Paths ....................................................................................................................................................... 11
2.2.7 The Role of the NAT Filter ...................................................................................................................................... 11
2.2.8 Optimizing the Media Path for Symmetrical NAT.................................................................. 12
2.3 Filter Behaviour ............................................................... 12
2.3.1 Registering without UA Support .................................................................................................................... 12
2.3.2 Registering with UA Support .............................................................................................................................. 14
2.3.3 RTP Relay ....................................................................................................................................................................................... 15
2.4 Scaling and Redundancy ................................................... 17
2.5 Detecting the right NAT Filter ............................................ 18
2.6 Requirements on User Agents............................................ 19
2.6.1 Non NAT-Aware User Agents ............................................................................................................................. 19
2.6.2 STUN/ICE-Aware User Agents.......................................................................................................................... 19
3 Installation.....................................................21
3.1 Windows......................................................................... 21
3.2 Linux ............................................................................. 29
4 Conguration..................................................31
4.1 Logging In ...................................................................... 31
4.2 Port Binding .................................................................... 31
4.3 System Settings .............................................................. 33
4 • Contents
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 5
4.4 Security Settings ............................................................. 35
4.5 System Information ......................................................... 36
4.6 Server Log...................................................................... 36
4.7 Trace.............................................................................. 37
4.8 Currently Ports ................................................................ 38
4.9 Currently Handled UA ....................................................... 38
4.10 Memory Statistics ............................................................ 39
5 Checklist for Installation ................................41
5.1 Linux ............................................................................. 41
5.2 Windows......................................................................... 41
4 • Contents
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 5
1 Overview
The snom 4S NAT Filter enables non-NAT aware devices to
operate in private networks. The lter operates typically on a public IP
address. Non-NAT aware devices are automatically refreshed; NAT-aware
devices that operate behind symmetrical NAT may self-refresh their
bindings using the built-in STUN server of the lter. Devices on public
Internet traverse the lter without changes or refreshes. By supporting
Interactive Communications Establishment (ICE), the number of calls that
must go through the lter can be minimized.
The operator version of the product also offers recording
capabilities. Through a separate management interface, operators
can dene numbers that are silently recorded. The lter records in
uncompressed PCAP format which is primary important for troubleshooting
and signalling recording. It also offers a compressed mode where only the
voice part of the conversation is recorded in highly-compressed audio
format (13.2 kBit/s).
The operation of the lter is similar to a session border controller.
However, we do not like the term “session border”, because the lter
does not control sessions nor is it on the border of a call. It does also not
translate signalling, e.g. from SIP to H.323 or to MGCP. If all user agents
are fully NAT-compliant or on public Internet, the lter can transparently
be removed from the network without changing of the call ows or
functionality. Also, the lter does not interfere with unknown applications.
This is tremendous advantage against session borders controllers which
need software update for new applications.
1.1 Applications
The lter can be used in the following scenarios:
• Corporations. Corporations which operate their infrastructure be-
hind NAT and/or rewalls can talk to the public Internet through the
lter.
• Operators. Operators offer the NAT traversal feature to their cus-
1.
6 • Overview
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 7
tomers. Using the scalability feature of the lter, the operation of
large networks becomes possible.
• Record specic calls for legal purposes. In many countries, opera-
tors must provide the possibility to record certain calls on request.
The lter can perform this task.
• Recording can be used for legal proong (brokers, etc). The lter is
fully compliant with other SIP equipment and can for example put
between a PSTN gateway and SIP phones.
1.2 Features
The lter offers powerful features based on modern VoIP
technology:
• The built-in RFC3261-compliant SIP proxy makes additional exter-
nal SIP logic superuous and simplies the system setup.
• A built-in RFC3489-compatible STUN server for single IP addresses
allows client to self-refresh their bindings
• Support for instant messaging, presence and all other SIP-compli-
ant applications.
• Rich logging features allow easy maintenance.
• Recording functions based on number lists and expressions offer a
exible way of ltering out information.
• Recordings can be saved in PCAP and WAV le formats (6 MB/h).
• Almost stateless operation allows the lter to be used in server
farms. This offers a tremendous scalability and redundancy making
the product suitable for large operators.
• Both http and https as web interface for simple access from any-
where on the Internet.
• The lter supports Interactive Connectivity Establishment (ICE).
User agents that support this feature will optimize the media path
for the shortest possible delay.
1.
6 • Overview
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 7
2 Architecture
2.1 The NAT Filter and SIP
In the SIP architecture, the lter acts as the rst proxy that is
contacted by user agents. There are two ways to make sure that the
relevant trafc gets routed trough the lter:
• User agents can be set up to use the lter as outbound proxy. When
using this method, all SIP trafc will ow through the lter, weather
it is destined to the operator or not. That means that also service for
calls outside of the operator’s domain may be serviced by the lter.
However, by redirecting all outgoing trafc of the lter to a proxy
the operator can make sure that the authentication, authorization
and accounting (AAA) requirements for requiring the service are
fullled.
• User agents resolve the lter though the RFC3263 DNS resolving
process. That means that only the trafc that is destined to the
operator’s domain will use the service of the NAT Filter. However,
users might be annoyed if they place a call to a domain that does
not properly support NAT services. In this case, the lter can also
redirect the trafc to another proxy for AAA.
We recommend using the rst alternative and only choose the
second alternative if it is too difcult to provision the user agents with the
outbound proxy or there are concerns about providing service for foreign
operators.
Usually, the lter acts as stateless proxy. That means, by default
it just forwards the packets and does not change the content of the
attachments or the headers themselves. That means, the lter will not
interfere with applications (instant messaging, presence, weather report,
etc).
There are two exceptions to this rule:
• The rst exception is a REGISTER request. When a user agent tries
to register and needs the support of the lter, the lter will set up a
2.
8 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 9
[ S N O M 4S NAT FI L T E R ]
local data structure representing the user agents. It will make sure
that the connection to the user agents stays alive. It will also make
sure that requests that are destined to the user agents will be for-
warded properly. The same applies to SUBSCRIBE requests.
• The second exception is a SDP attachment. The lter checks if the
user agent needs support (or must be recorded) and will in that case
add a local contact to the SDP that can be used for media relay.
These two exceptions make sure that all user agents will work
behind NAT, no matter what NAT-type or how many NAT-levels are being
used. If user agents support ICE, they will automatically nd the shortest
path to the other party (peer-to-peer).
2.2 NAT
Network Address Translation (NAT) is a reality in today’s networks.
Many operators save IP addresses by providing only one IP address for a
number of devices, sometimes companies. Firewall manufacturers make
NAT a feature by performing inspection of packets that go though NAT.
Even for IPv6 networks, the fundamental problem will remain as there will
also be a need for rewalls and private networks.
The Session Initiation Protocol (SIP) has neglected this problem
in the beginning. However, in some recent RFC there have been useful
proposals how to deal with the problem. This document shows how the
snom 4S lter can be used to solve the problems.
Although snom also makes user agents, the snom 4S lter works
with most SIP user agents from other companies. The requirements on
these user agents are described below.
If you want to use the lter just for recording purposes, you don’t
need to bother about NAT. The lter also works when no NAT is present.
2.2.1 How does NAT work?
NAT is essentially a translation table that maps public IP address
and ports combinations to private IP address and port combinations.
The translation table is implicitly set up when a packet is sent
from the private network to the public network. The association is kept
alive for a certain time and is refreshed every time a new packet is sent
2.
8 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 9
[ S N O M 4S NAT FI L T E R ]
from the same origin. This fact is used by STUN (RFC3489) to set up an
association between a public IP address and a private IP address.
In symmetrical NAT, the router stores the address where the
packet was sent. Only packets coming from this address are forwarded
back to the private address. This algorithm increases the security as it is
harder to guess the source IP and port for attackers. Full cone NAT does
not perform this check.
There are some mixed variants between full cone NAT and
symmetrical NAT. Restricted port NAT works similar like symmetrical NAT,
but uses only one port association.
Hairpinning is the ability of the NAT to route packets coming from
the private network addressed towards a public IP address binding back
to the private network. Not all routers are supporting this feature.
2.2.2 Symmetrical RTP
The real time protocol (RTP) is used to transport media.
Symmetrical RTP is a trick to extend the number of cases when
communication can be established. A SIP user agent that supports
symmetrical RTP waits for the rst RTP packet coming in and then sends
its media stream back to the IP address from which it received that packet.
Symmetrical RTP works always if the user agent that does symmetrical
RTP is on a globally routable address. However, this algorithm can easily
be cheated (port spraying) and therefore implies a certain security risk.
2.2.3 Signalling SIP
SIP trafc is relatively unproblematic because SIP typically is not
as time critical as media. Usually, it is ok to route SIP packets through a
longer path than media.
In SIP it is legal to send from a different port than the receiving
port. When this is being done, there is no way of supporting these devices
behind NAT. However, some phones offer an option that disables this
mechanism so that the sending port is the same as the receiving port.
Typically, the SIP proxy will run on a public IP address where it
is possible to deal with all kinds of NAT. Keep-Alive messages may keep
the NAT binding open (for example, short registration periods or non-SIP
messages).
2.
10 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 11
[ S N O M 4S NAT FI L T E R ]
2.2.4 Media RTP
Media is much more problematic than SIP because users are
sensitive to delay in a voice conversation. When the delay is too long, the
speakers need to be disciplined not to interrupt the other person when
starting to speak. Also, the ear is much more sensitive to echo when the
media delay becomes too long. The effect is known from intercontinental
calls where the speed of light increases the delay for voice transmission.
SIP was designed for peer-to-peer communication. That means
the user agents (telephones) send the media directly to the other user
agent. This approach is the best way to minimize the delay; however it
becomes a problem when NAT is involved.
2.2.5 Classication of User Agents
From a lter point of view, available user agents can be classied
into the following categories:
• Public IP devices. These devices operate on public IP addresses and
don’t need any specic support regarding NAT. The true location of
these devices may be in a private network, as they might have al-
located a public identity using mechanisms like UPnP™ [3]. These
devices are most welcome as they don’t cause any additional re-
quirements.
• STUN devices. Phones that operate behind full cone NAT and allo-
cate public IP addresses themselves fall into this category. The only
support that the proxy needs to give is a STUN server. Apart from
that they act like public IP devices.
• Non NAT-aware devices. These devices don’t attempt to check the
NAT type or allocate a public IP address. Often, they are “legacy”
devices that have been designed without having NAT in mind. These
devices can register only for a short period of time, so that the REG-
ISTER messages keep the port association open (the SIP messages
are used to keep the port association). Also, these devices need a
NAT-aware media server or other device that forward the RTP pack-
ets of these devices.
• Symmetrical NAT devices. These devices may be NAT-aware; how-
ever, because they operate behind symmetrical NAT, there is little
that they can do. They essentially behave like non NAT-aware SIP
devices and hope for the support of the proxy.
2.
10 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 11
[ S N O M 4S NAT FI L T E R ]
2.2.6 Probing Media Paths
ICE is a method that has been proposed recently in the IETF [4].
The algorithm is simple: A user agent that supports ICE lists the possible
addresses where it could possibly be reached. These addresses may
include the private address, an address allocated via STUN, one or more
addresses allocated with the TURN protocol or an address allocated with
UPnP. Because practically it is hard to predict which of these addresses are
visible to the other user agent, all of the possible addresses are proposed
to the other user agent.
The other user agent sends test packets to the possible addresses.
Picking the rst reply on the test packet will establish a working media
path and it will also probably be the fastest connection. STUN is being
used for these test packets.
2.2.7 The Role of the NAT Filter
When a user agent is not able to allocate a globally routable
address or it is not sure if it found enough possible addresses, the NAT
Filter can help out.
Again, the way the NAT Filter works, is simple. For the signalling,
the NAT Filter keeps the NAT alive with bogus messages (which can be SIP
messages or other non-SIP message). It patches the messages in such a
way, that other user agents will address the NAT Filter instead of the user
agent when they want to deliver a message. The NAT Filter then forwards
the message to the user agent using the connection which is kept open
with the keep-alive messages.
When the NAT Filter sees a message that contains information
about sending media (session description protocol, SDP), it opens a local
globally routable port on behalf of the user agent and patches these
messages in a way that the destination will send media via this port.
The NAT Filter will relay the media to the user agent like it relays SIP
messages. Using symmetrical RTP, it can detect the user agent’s public
media identity and reroute the packets to this destination.
While this approach has the huge advantage that it does work
will all kinds of NAT, it has the disadvantage that it increases the media
path signicantly. For example, when a user A in Tokyo is registered
with a operator in New York and wants to call his colleague B (which is
registered to a service provider in Sydney and who is sitting in the same
2.
12 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 13
[ S N O M 4S NAT FI L T E R ]
ofce in a private network), the media would have to ow rst from Tokyo
via New York then via Sydney and then back to Tokyo. Considering the
speed of light, the delay would at least be around one second; practically
it would be much higher although the user agents are located in the same
network.
Unfortunately, it is not trivial to make the media path shorter.
There have been some attempts to reduce the problem, but it is much
easier to address the problem from the user agent. If the user agent uses
ICE, it will try all addresses listed in the SDP attachment, including the
port allocated by the NAT Filter. If there should be a shorter path, it will
switch to this shorter path. If there is no other way of if the other side
does not support ICE, it will fall back to the NAT Filter-allocated port which
will work in all cases.
2.2.8 Optimizing the Media Path for Symmetrical
NAT
In the case when both user agents are behind symmetrical NAT
the NAT Filter approach will ensure that media will ow between the
user agents. However, the Tokyo example shows that this might result in
intolerable media delay.
To address this problem, TURN [5] comes into play. The idea
behind this approach is to allocate identities on several places in the
Internet and to propose all of the allocated ports to the other user
agent. If the ports are allocated on all continents, the other user agent
will automatically pick the TURN server with the shortest delay. In the
Tokyo example, a TURN server located in Japan will reduce the delay
to a tolerable level (if there is not even a direct path between the user
agents).
2.3 Filter Behaviour
2.3.1 Registering without UA Support
When a user agent registers, it puts its IP address in the top
Via. If the user agent is on public Internet or properly supports NAT, this
Via will match the perceived IP address. In this case the lter does not
interfere with the registering process and just forwards this packet.
2.
12 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 13
[ S N O M 4S NAT FI L T E R ]
If the top Via does not contain the perceived address, the lter
will take care about the request. It will replace the provided contact with
a locally generated contact and forward the request to the registrar (see
below).
REGISTER sip:snomag.de SIP/2.0
Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-
abx3au3mxb01;rport
From: “denny” <sip:[email protected]>;tag=k9p6fmeg7h
To: “denny” <sip:[email protected]>
Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
CSeq: 14 REGISTER
Max-Forwards: 70
Contact: <sip:[email protected]:12975;line=lhynyb3y>;q=1.0
User-Agent: snom200-2.03w
Supported: gruu
Expires: 86400
Content-Length: 0
REGISTER sip:snomag.de SIP/2.0
Via: SIP/2.0/UDP 217.115.141.99:5082;branch=z9hG4bK-e8d1feb8138c3d85
0637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440
Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-
abx3au3mxb01;rport=17401
From: “denny” <sip:[email protected]>;tag=k9p6fmeg7h
To: “denny” <sip:[email protected]>
Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
CSeq: 14 REGISTER
Max-Forwards: 69
Contact: <sip:217.115.141.99:5082;ua=c9b140ab59829bb491e9c3aaca440>
Supported: gruu
User-Agent: snom200-2.03w
Expires: 86400
Content-Length: 0
SIP/2.0 200 Ok
Via: SIP/2.0/UDP 217.115.141.99:5082;branch=z9hG4bK-e8d1feb8138c3d85
0637ced821ef40a3;ua=c9b140ab598290e5bb491e9c3aaca440
Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-
abx3au3mxb01;rport=17401
From: “denny” <sip:[email protected]>;tag=k9p6fmeg7h
To: “denny” <sip:[email protected]>;tag=epuy85kzm5
Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
CSeq: 14 REGISTER
Contact: <sip:217.115.141.99:5082;ua=c9b140ab598290e5bb491e9c3aaca44
2.
14 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 15
[ S N O M 4S NAT FI L T E R ]
0>;expires=3600;gruu=”sip:[email protected];gruu=hobiv52b”
Date: Wed, 26 May 2004 16:03:33 GMT
Server: snom proxy (Unix) 2.42.6
Content-Length: 0
SIP/2.0 200 Ok
Via: SIP/2.0/UDP 203.145.183.113:12975;branch=z9hG4bK-
abx3au3mxb01;rport=17401
From: “denny” <sip:[email protected]>;tag=k9p6fmeg7h
To: “denny” <sip:[email protected]>;tag=epuy85kzm5
Call-ID: 3c26701d7cb9-pady07b5783t@203-145-183-113
CSeq: 14 REGISTER
Contact: <sip:[email protected]:12975;line=lhynyb3y>;expires=360
0;gruu=”sip:[email protected];gruu=hobiv52b”
Server: snom proxy (Unix) 2.42.6
Date: Wed, 26 May 2004 16:03:33 GMT
Content-Length: 0
2.3.2 Registering with UA Support
Leaving the refreshing of the UDP binding to NAT Filter usually
will keep the connection alive. However, it is better if the user agent
refreshes the binding:
• When the user is taken off the network the NAT Filter does not gen-
erate unnecessary refreshes. The same happens when for example
the DSL router is turned off.
• When refresh packets cannot be delivered because of congestion
or other network problems, the NAT router will close the ports and
there is no way to open them again from the outside. If the user
agent refreshes the bindings, the port is opened automatically
again.
• User agents may send from time to STUN packets and process the
answer to check if the IP address has changed. In this case, the user
agent may refresh the SIP binding.
A user agent that supports this way of refreshing the bindings
includes a “P-NAT-Refresh” header in the REGISTER message:
REGISTER sip:snom.com SIP/2.0
Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-fozdn9kbolfw
From: “Karl Klammer” <sip:[email protected]>;tag=9e9mynnnwa
To: “ Karl Klammer” <sip:[email protected]>
Call-ID: 10f2c240790b-cj4sy7drgp6q@192-168-1-10
CSeq: 2 REGISTER
2.
14 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 15
[ S N O M 4S NAT FI L T E R ]
Max-Forwards: 70
Contact: <sip:[email protected]:5060;line=5zy4hsui>;q=0.7
User-Agent: snom200-2.05h
P-NAT-Refresh: 15
Supported: gruu
Expires: 86400
Content-Length: 0
The NAT Filter will answer this request with a P-NAT-Header:
SIP/2.0 200 Ok
Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK-iu90avx18fc6;rport
=34142;received=217.231.163.127
From: “Karl Klammer” <sip:[email protected]>;tag=9e9mynnnwa
To: “Karl Klammer” <sip:[email protected]>;tag=996wctfnen
Call-ID: 2605c340c91d-cj4sy7drgp6q@192-168-1-10
CSeq: 2 REGISTER
Contact: <sip:[email protected]:5060;line=5zy4hsui>;expires=3600;gruu=
”sip:[email protected];gruu=5npko91p”
Server: snom proxy (Unix) 2.42.7
Date: Sun, 06 Jun 2004 11:50:22 GMT
P-NAT-Refresh: 15
Content-Length: 0
2.3.3 RTP Relay
When initiating a call, user agents usually include a Session
Description Protocol (SDP) attachment that describes where they expect
media. If the user agent operates on a public Internet address, there is
no need to interfere in this process. In this case the lter will just forward
the request.
Operators should encourage customers to use equipment that
operates on a public Internet address or properly allocates a globally
routable Internet address. Because media relay is an expensive operation,
it reduces the overall load on the network and at the same time increases
the quality of the service.
However, when a user agent is behind NAT, it might not be able
to receive media directly. In some cases this is because the user agent is
simply not programmed to allocate an address properly or because it is
behind symmetrical NAT, which makes it impossible to properly allocate
this address. In this case, the help of the media lter will make sure that
media will always be delivered properly.
2.
16 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 17
[ S N O M 4S NAT FI L T E R ]
The media lter supports the “interactive connectivity
establishment” (ICE) method that has been published recently in the IETF.
Using this method, user agents may probe several addresses and decide
which address they use for communication. In this case, the lter will just
add another contact to the ICE list.
Table 1 shows the cases when the lter needs to interfere if
STUN and ICE support are available from the user agents. Only in cases
when both sides have symmetrical NAT and in the case when talking from
symmetrical NAT to restricted NAT the support of the lter is necessary.
If the user agents don’t support STUN and ICE, the number of cases goes
up signicantly.
To/From Public IP/
UPnP
Full Cone
NAT
Restricted
NAT
Symmetrical
NAT
Public IP/
UPnP
Always When STUN
support is
available
When STUN
and ICE are
available
When STUN
and ICE are
available
Full Cone
NAT
When STUN
is available
When STUN
and ICE are
available
When STUN
and ICE are
available
Restricted
NAT
When STUN
and ICE are
available
When STUN
and ICE are
available
and no port
checking
Symmetrical
NAT
Needs lter
If the user agent operates without NAT support, it will send a SDP
like the one below:
v=0
o=root 19387 19387 IN IP4 192.168.1.10
s=call
c=IN IP4 192.168.1.10
t=0 0
m=audio 58146 RTP/AVP 0 8 3 18 2 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:3 gsm/8000
a=rtpmap:18 g729/8000
a=rtpmap:2 g726-32/8000
a=rtpmap:101 telephone-event/8000
2.
16 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 17
[ S N O M 4S NAT FI L T E R ]
a=fmtp:101 0-15
a=sendrecv
The NAT Filter will detect that the user agents needs help and
allocates local ports for relaying media. It will forward the request with
changed SDP:
v=0
o=root 19387 19387 IN IP4 217.115.141.99
s=call
c=IN IP4 217.115.141.99
t=0 0
m=audio 49170 RTP/AVP 0 8 3 18 2 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:3 gsm/8000
a=rtpmap:18 g729/8000
a=rtpmap:2 g726-32/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=sendrecv
a=silenceSupp:off - - - -
The NAT Filter changes the private address to a globally routable
address and inserts the local port. It also inserts a hint that tells the other
user agent that it should not do silence suppression. This reduces the risk
that the connection is closed during a talk spurt of one of the parties.
2.4 Scaling and Redundancy
The NAT Filter product was designed to support distributed server
farms. That means that the servers act stateless in principle; user agents
may randomly pick a server in a server farm. This feature allows operators
to set up very large and robust networks.
The distribution of user agents to a server is performed using
DNS SRV (RFC 2782). That means, you need to list the available servers
on DNS level; the user agents must perform DNS SRV look ups and pick
one of the servers (possible using the detection algorithms described
below).
2.
18 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 19
[ S N O M 4S NAT FI L T E R ]
The following table shows an example conguration for Linux
named(8):
_sip._udp IN SRV 3 5 5082 frankfurt1
_sip._udp IN SRV 3 5 5082 newyork1
_sip._udp IN SRV 3 5 5082 newyork2
_sip._udp IN SRV 3 5 5082 newyork3
_sip._udp IN SRV 3 5 5082 tokyo2
_sip._udp IN SRV 3 5 5082 tokyo1
If one of the servers should become unavailable, the SRV algorithm
will make sure that the other servers will be contacted. The user agents
that are refreshed by that particular server will become unreachable until
the user agents initiate a new REGISTER request. Therefore, you should
make sure that you servers have a high uptime probability and that the
registration period is not too long. We think that registration periods of
thirty minutes up to one hour are a good balance between service failure
time and performance.
2.5 Detecting the right NAT Filter
User agents must detect which server in the server farm is
nearest to the user agent. This is an important feature for a company or
operator that has user agents scattered around the globe. Example: A
company has ofces in Berlin, Tokyo and Dallas and locally operates NAT
Filter servers. When a user agents is located in Tokyo, it should use the
Tokyo server. This could be set up manually; however it is also possible to
automatically pick the best server.
To detect the nearest server the user agent sends STUN packets
to all possible servers (the servers with the lowest priority in the SRV list).
The user agent picks the server that responds rst. Alternatively, the user
agent could send more test packets and take the mean response time for
making the decision.
The snom 4S NAT Filter includes a STUN server that operates on
the SIP UDP port. User agents should send their test packets to the SIP
port.
2.
18 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 19
[ S N O M 4S NAT FI L T E R ]
2.6 Requirements on User Agents
Generally, there are two categories of user agents: The non NAT
aware user agents and the STUN/ICE capable user agents.
2.6.1 Non NAT-Aware User Agents
Non-NAT aware user agents must at least fulll the following
features:
1. Must send SIP UDP packets from the port where they receive SIP
trafc
2. Must start sending media immediately after receiving SDP
Requirement 1 is not fullled by the default conguration of the
Cisco 7960; however there is a setting that enables this feature. Most
known user agents support this feature, however.
Requirement 2 gives sometimes problems with user agents that
don’t send media during silent periods. In this case, users have to start
speaking before two-way audio can be established.
In any case, customers are asked to contact their vendor in case
of problems and explanations. As a general remark, snom recommends to
use NAT-aware user agents to reduce the network overhead and support
overhead.
2.6.2 STUN/ICE-Aware User Agents
STUN/ICE-Aware User Agents must implement the two IETF
standards. It is ok if the user agents use the built-in STUN server for
refreshing the bindings and learning the public IP address.
snom phones fall into this category starting with version 2.05a.
snom phones starting with version 2.05g support the self-refresh feature
using the P-NAT-Refresh header.
2.
20 • Architecture
[ S N O M 4S NAT FI L T E R ]
snom technology AG • 21
2.
Other manuals for 4S NAT Filter
4
Table of contents
Other Snom VoIP manuals
