Internet Communications Using SIP : Delivering VoIP and Multimedia Services With Session Initiation Protocol {2Nd Ed.}

result, these STUN packets can create bindings in NATs and open pinholes in firewalls, allowing packets to flow in the reverse direction. After a short period of testing, the most favorable addresses that have completed the P2P STUN exchange are selected and the RTP session begins. The ICE exchange can be reinitiated later in the session if the media flows change or the network topology changes.

The techniques used in ICE are similar to techniques commonly used in P2P file-sharing networks today to traverse firewalls and NATs, and have been shown to be extremely effective. For a thorough discussion of the issues along with call flows, refer to [9]. An important standard under development for NAT traversal is the so-called "SIP Outbound" Internet Draft [12].

Application Layer Gateways


STUN, TURN, and ICE all require support in the UA to traverse NATs and firewalls. An alternative approach that does not require special protocol support in the UA is known as an Application Layer Gateway (ALG). For firewall traversal, an ALG is a SIP and RTP proxy that is trusted by the firewall. That is, all SIP and RTP packets are directed at the ALG, which then performs authentication, validation, and so on, and enforces whatever policy the security administrator desires. ALGs are also sometimes known by their marketing name of Session Border Controllers. The firewall allows only those SIP and RTP packets that originate or terminate on the ALG to pass; all others are blocked. In this way, communication is possible through the firewall. This ALG works with NAT operation as well, because the addresses carried in the SIP message (which are internal addresses) are rewritten when the message is proxied. A detailed call flow is shown in the SIP Call Flow Examples [10]. The ALG may be connected to the firewall in a secure subnet sometimes called the Demilitarized Zone (DMZ).

A call flow involving a SIP ALG is shown in Figure 10.4. This example shows the ALG modifying the SDP so that the resulting RTP session is established in two legs: between user agent A and the ALG, and between user agent B and the ALG.

In this example, SIP Messages 2, 4, 6, and 9 (used to establish the session) are passed by the firewall, since these packets were sent to or from the IP address of the SIP ALG at port number 5060. The resulting RTP media packets are also passed by the firewall, since they originate or terminate at the IP address of the SIP ALG. In this way, the firewall needs only to open holes to allow SIP and RTP packets to the ALG. No dynamic changes in firewall policy are needed.
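The two mechanisms described above, the ALG rewriting the SDP so that media runs in two legs and the firewall passing only SIP and RTP that touch the ALG, are illustrated by the following Python sketch. It is an added example, not code from the book or from any SBC product: the ALG address 203.0.113.10, the relay port range, the user agent addresses and the sample INVITE are all constructed for illustration, and only the media (c= and m=) rewrite is modelled, not the SIP-header rewriting a full ALG also performs.

```python
"""Added example: a minimal model of a SIP ALG's SDP rewrite and of the
static firewall policy that only passes SIP/RTP to or from the ALG.
All addresses, ports and the sample INVITE are constructed (assumptions)."""

from typing import Dict, Tuple

ALG_IP = "203.0.113.10"               # assumed public address of the ALG in the DMZ
SIP_PORT = 5060
RTP_PORT_RANGE = range(40000, 41000)  # assumed ports on which the ALG relays RTP

# Constructed SDP offer from user agent A, advertising A's private address.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.1.2.3\r\n"
    "s=-\r\n"
    "c=IN IP4 10.1.2.3\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

# Constructed INVITE carrying that offer; Content-Length is computed from the body.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.1.2.3:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@example.com>;tag=1928301774\r\n"
    "To: Bob <sip:bob@example.com>\r\n"
    "Call-ID: a84b4c76e66710@10.1.2.3\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_SDP.encode())}\r\n"
    "\r\n" + SAMPLE_SDP
)


def rewrite_sdp(sdp: str, media_ip: str, media_port: int) -> Tuple[str, Tuple[str, int]]:
    """Replace the connection address (c=) and audio port (m=audio) with the ALG's
    own, so the far side sends RTP to the ALG.  Returns the rewritten SDP and the
    endpoint (ip, port) the ALG must relay that media on to."""
    orig_ip, orig_port = None, None
    out = []
    for line in sdp.split("\r\n"):
        fields = line.split(" ")
        if line.startswith("c=IN IP4 "):
            orig_ip = fields[2]
            fields[2] = media_ip
        elif line.startswith("m=audio "):
            orig_port = int(fields[1])
            fields[1] = str(media_port)
        out.append(" ".join(fields))
    if orig_ip is None or orig_port is None:
        raise ValueError("SDP has no IPv4 connection line or audio media line")
    return "\r\n".join(out), (orig_ip, orig_port)


def proxy_sip_message(msg: str, media_ip: str, media_port: int) -> Tuple[str, Tuple[str, int]]:
    """Rewrite the SDP body of a SIP message and fix Content-Length to match;
    a rewritten body that is not re-measured is a classic ALG bug."""
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise ValueError("malformed SIP message: no header/body separator")
    new_body, far_end = rewrite_sdp(body, media_ip, media_port)
    headers = []
    for h in head.split("\r\n"):
        if h.lower().startswith("content-length:"):
            h = f"Content-Length: {len(new_body.encode())}"
        headers.append(h)
    return "\r\n".join(headers) + "\r\n\r\n" + new_body, far_end


class SipAlg:
    """Hands out one relay port per call leg and remembers where RTP arriving
    on that port must be forwarded (the second leg of the media path)."""

    def __init__(self, ip: str = ALG_IP) -> None:
        self.ip = ip
        self._free_ports = iter(RTP_PORT_RANGE)
        self.relay: Dict[int, Tuple[str, int]] = {}

    def proxy_offer(self, invite: str) -> str:
        port = next(self._free_ports)
        out, far_end = proxy_sip_message(invite, self.ip, port)
        self.relay[port] = far_end  # RTP from B arriving here goes to A's real address
        return out


def firewall_permits(src: Tuple[str, int], dst: Tuple[str, int], proto: str) -> bool:
    """Static policy from the text: pass SIP (5060) and RTP (relay range) only
    when one end of the flow is the ALG; drop everything else.  No pinholes
    are opened dynamically, so direct UA-to-UA media never passes."""
    for ip, port in (src, dst):
        if ip != ALG_IP:
            continue
        if port == SIP_PORT and proto in ("udp", "tcp"):
            return True
        if port in RTP_PORT_RANGE and proto == "udp":
            return True
    return False


if __name__ == "__main__":
    alg = SipAlg()
    print(alg.proxy_offer(SAMPLE_INVITE))
    print("relay table:", alg.relay)
```

Running the module prints the INVITE as user agent B would receive it, with the ALG's address and relay port in the SDP and a corrected Content-Length, plus the relay entry that maps that port back to A's private address and port.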

180 Chapter 10
