
Controlling NAT Bindings using STUN

Learn how to control NAT bindings using STUN, embedded in SIP proxies, to enhance network security and efficiency. This method allows for optimal path discovery and NAT traversal, benefiting both wired and wireless networks.


Presentation Transcript


  1. Controlling NAT Bindings using STUN
     draft-wing-behave-nat-control-stun-usage-00
     Dan Wing, Jonathan Rosenberg

  2. IPR Notice • Cisco has claimed IPR on this technique

  3. Motivation: SIP Outbound
     • Constant STUN traffic on the proxy
     • CPU and I/O load
     • Traffic on the network (bad for wireless)
     • Mobile power consumption
     • Even worse with SBCs, of course
     • REGISTER instead of STUN
     (Diagram: UAC sending STUN through a NAT to the proxy.)

  4. Motivation: ICE and Multilayer NAT
     • ICE/STUN can’t discover server reflexive candidates on intermediate NATs
     • Optimal path may not be found as a consequence
     (Diagram: UA A and UA B behind several layers of NAT with a public STUN server; the best path ICE can find versus the optimal path.)

  5. Big Idea
     • Embed STUN servers in NAT to enable STUN to control the NAT
     • Severely limit the scope of controls to deal with security issues
     • Discover these embedded STUN servers by bootstrapping off of STUN servers on public addresses
       • Embedded in SIP proxies
       • On the public Internet

  6. Procedure

  7. Learn IP address of outer-most NAT
     • STUN function in SIP proxy or ICE peer
     (Diagram: Endpoint behind a NAT with an embedded STUN server, querying a public STUN server; the NAT’s outer address is labelled B.)

  8. Communicate to NAT’s embedded STUN Server
     • Adjust binding with REFRESH-INTERVAL
     • Can ONLY adjust binding matching the one for the STUN request itself
     • Response has same MAPPED-ADDRESS
     • Response also has MAPPED-INTERNAL-ADDRESS (address “A”)
     (Diagram: Endpoint at address A, NAT at address B with binding table and embedded STUN server, public STUN server.)

  9. Nested NATs: step 1
     • MAPPED-INTERNAL-ADDRESS points to address “B”
     (Diagram: Endpoint at A behind two NATs at B and C, each with a binding table and embedded STUN server, plus a public STUN server.)

  10. Nested NATs: step 2
     • MAPPED-INTERNAL-ADDRESS points to address “A”
     • Matches Endpoint’s address: we’re done
     (Diagram: same topology as step 1; Endpoint at A, NATs at B and C, each with a binding table and embedded STUN server.)

  11. Properties and Limitations

  12. Properties
     • Preserves STUN’s ability to work well with nested NATs
     • Superior to UPnP and NAT-PMP
     • Control NAT binding duration of all NATs along path
     • Completely eliminates keepalives
     • Limited functionality deals with security issues
     • Automatically learns NAT path topology
     • Allows ICE to better optimize media path

  13. Incremental Deployability
     • This is a major issue for NAT control technologies
     • STUN control is not necessary for baseline NAT traversal
       • That is provided by ICE, sip-outbound
     • Deployment of ICE and SIP-outbound puts STUN in clients and network elements
     • This gives incentives to add it to NAT, since once it’s there you can use it to optimize the network performance

  14. Limitations
     • Address-Dependent Mapping NAT on path
       • “Symmetric NAT”
     • Address-Dependent Filtering
     • Discussion: Is this really a problem?
     • Overlapping NAT’ed address space prematurely breaks the ‘done’ procedure
     (Diagram: Endpoint behind NAT “A” and NAT “B”, both using 10.1.1.x, with a STUN server.)
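Slides 8 to 10 describe the walk from the outer-most NAT inward, and slide 14 the case where overlapping address space ends it early. The Python model below is added here and is not code from the draft or the deck: the `Nat` class, its `seen_src` field, the dict-shaped STUN response and all addresses are constructed, and the outer-most NAT’s address is taken as already learned from a public STUN server (slide 7).

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """A NAT with an embedded STUN server (constructed model, not the draft's wire format).
    `seen_src` is the source address this NAT sees on its inside for the endpoint's flow:
    the next-inner NAT's external address, or the endpoint itself."""
    external: str
    seen_src: str
    bindings: dict = field(default_factory=dict)  # seen_src -> REFRESH-INTERVAL (seconds)

    def embedded_stun(self, refresh_interval: int) -> dict:
        # The request names no binding, so the server can only touch the binding
        # that carried the request itself (the one keyed by the observed source).
        self.bindings[self.seen_src] = refresh_interval
        return {"MAPPED-ADDRESS": self.external,
                "MAPPED-INTERNAL-ADDRESS": self.seen_src,
                "REFRESH-INTERVAL": refresh_interval}

def control_path(endpoint_addr: str, outermost: str, nats: dict,
                 refresh_interval: int = 3600, max_hops: int = 8) -> list:
    """Nested-NAT procedure from the slides: `outermost` is the outer-most NAT's address
    as learned from a public STUN server; walk inward, adjusting each binding, until
    MAPPED-INTERNAL-ADDRESS equals our own address ('done')."""
    path, target = [], outermost
    for _ in range(max_hops):
        resp = nats[target].embedded_stun(refresh_interval)
        path.append(target)
        if resp["MAPPED-INTERNAL-ADDRESS"] == endpoint_addr:
            return path
        target = resp["MAPPED-INTERNAL-ADDRESS"]
    raise RuntimeError("walk did not terminate; topology deeper than max_hops")

# Constructed topology 1: endpoint A (10.0.0.5) behind NAT B (192.168.1.2) behind NAT C (203.0.113.7)
def nested_ok() -> tuple:
    nats = {"203.0.113.7": Nat("203.0.113.7", seen_src="192.168.1.2"),
            "192.168.1.2": Nat("192.168.1.2", seen_src="10.0.0.5")}
    return control_path("10.0.0.5", "203.0.113.7", nats), nats

# Constructed topology 2 (slide 14): both NATs use 10.1.1.x, and NAT "A"'s external
# address collides with the endpoint's own address, so the walk stops one hop early.
def nested_overlap() -> tuple:
    nats = {"203.0.113.7": Nat("203.0.113.7", seen_src="10.1.1.5"),
            "10.1.1.5": Nat("10.1.1.5", seen_src="10.1.1.5")}
    return control_path("10.1.1.5", "203.0.113.7", nats), nats

if __name__ == "__main__":
    print(nested_ok()[0])       # ['203.0.113.7', '192.168.1.2']
    print(nested_overlap()[0])  # ['203.0.113.7'] -- inner NAT "A" never refreshed
```

In the second topology the inner NAT’s binding table is never touched, which is the premature ‘done’ the slide warns about; a deployment can only detect it by noticing that the binding expires despite the walk reporting success.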

  15. Questions draft-wing-behave-nat-control-stun-usage-00
