Internet Communications Using SIP: Delivering VoIP and Multimedia Services With Session Initiation Protocol (2nd Ed.)

make the recipient of the successful RTP stream use the received IP address
and port number to send RTP, ignoring the IP address in the SDP (which is not
routable).
In addition to these SIP and RTP issues, there is the issue of the disclosure of
the private IP address, information that administrators like to see blocked by
the NAT. Although not significant from a signaling or media perspective, the
Call-ID also leaks the private IP address of the UA. The complete solution to
this problem will be discussed after the other major obstacle to SIP (firewalls)
is discussed.


Firewalls


A firewall is a device typically present where a private IP network interconnects
with the public Internet. A firewall acts like a one-way gate, allowing
requests to go from the private network into the Internet, and allowing only
responses to those requests to return, but blocking most requests originating in
the Internet destined for the private network.
Certain types of requests from the public Internet are typically allowed. For
example, HTTP requests to the corporate public web server will not be blocked
by the firewall, nor will SMTP e-mail transfers or DNS queries for the public
DNS server. The firewall can identify these types of legitimate requests by
examining the destination IP address in the IP header and the destination
port number in the UDP or TCP header.
For example, a valid web browsing request will contain the destination IP
address of the public web server and port 80 (a well-known port number for
HTTP). A particularly diligent firewall may even parse the packet to ensure
that it contains a valid HTTP message.
The nature of the interaction between SIP and a firewall depends on the
transport protocol. If the UA uses UDP to initiate the session, the server outside
the firewall will be able to receive the SIP messages, but responses sent using
UDP will be blocked by the firewall, since, unlike responses carried inside a TCP
connection, they are not associated with an outgoing request. Any resulting
media stream also will be one-sided only. This scenario is shown in Figure 10.2.
If TCP is used, it is possible for a SIP UA to establish a SIP session with a
server on the outside of the firewall. This is because the SIP responses will be
sent in the TCP connection opened by the user behind the firewall and will not
be blocked. However, RTP media packets sent by the called party will be
blocked by the firewall. The resulting media session will be only one-way. This
is shown in Figure 10.3.
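The one-way-gate behaviour described in this section, modelled as an added example (not code from the book): a minimal stateful filter that passes outbound requests, admits inbound packets only for published services or as TCP replies on a connection opened from inside, and reproduces the SIP-over-UDP, SIP-over-TCP and RTP outcomes of Figures 10.2 and 10.3. All addresses, ports and service entries are constructed sample values.

```python
from dataclasses import dataclass

PRIVATE_NET = "10.1.1."                     # constructed private prefix
PUBLIC_SERVICES = {("203.0.113.10", "tcp", 80),   # corporate public web server
                   ("203.0.113.20", "tcp", 25),   # SMTP mail transfer
                   ("203.0.113.30", "udp", 53)}   # public DNS server

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

class OneWayFirewall:
    """Allows private->Internet requests and only the TCP replies to them.
    UDP replies are not associated with an outgoing request (as the text
    states), so they are dropped like any other unsolicited inbound packet."""
    def __init__(self):
        self.tcp_state = set()   # (private ip, port, public ip, port)

    def filter(self, pkt):
        if pkt.src.startswith(PRIVATE_NET):          # outbound request
            if pkt.proto == "tcp":
                self.tcp_state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        if (pkt.dst, pkt.proto, pkt.dport) in PUBLIC_SERVICES:   # published service
            return "ALLOW"
        if pkt.proto == "tcp" and (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.tcp_state:
            return "ALLOW"                           # reply on a connection opened inside
        return "DROP"

def run_scenarios():
    fw = OneWayFirewall()
    ua, proxy, callee = "10.1.1.5", "198.51.100.7", "198.51.100.9"
    return {
        # Figure 10.2: INVITE over UDP leaves, the UDP response is blocked
        "sip_udp_request": fw.filter(Packet(ua, 5060, proxy, 5060, "udp")),
        "sip_udp_response": fw.filter(Packet(proxy, 5060, ua, 5060, "udp")),
        # Figure 10.3: INVITE over TCP leaves, the response rides the same connection
        "sip_tcp_request": fw.filter(Packet(ua, 41000, proxy, 5060, "tcp")),
        "sip_tcp_response": fw.filter(Packet(proxy, 5060, ua, 41000, "tcp")),
        # RTP: outbound media passes, media from the called party is dropped (one-way)
        "rtp_out": fw.filter(Packet(ua, 20000, callee, 30000, "udp")),
        "rtp_in": fw.filter(Packet(callee, 30000, ua, 20000, "udp")),
        # The published web server stays reachable from the Internet
        "web_request": fw.filter(Packet(callee, 50000, "203.0.113.10", 80, "tcp")),
    }
```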


NAT and Firewall Traversal 177