VoIP Blog

NAT/Firewall issues in SIP telephony

Aug 11 2008


The SIP protocol is very tricky regarding this topic.
Let me explain how mizuphone works behind NAT.

The first problem with NAT is to properly detect the external IP address and port.
Mizu Softphone uses STUN, UPnP and SIP mechanisms to detect its external address, in the following order:
-if it has received a valid STUN answer (two rounds) with the same IP/port, then we use this address
-otherwise the external address is determined from the answers received to our requests, using the Via: received and rport parameters
-if we don't get an answer from the above items, then we assign an external port with UPnP and use that
-if UPnP fails, then mizuphone will use the best Ethernet interface address
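
The fallback order above, written out as an added Python example (this is not Mizu's code). The function names, the result labels and the sample response are assumptions made for illustration; the STUN and UPnP lookups themselves are passed in as already-obtained results.

```python
import ipaddress
from typing import Optional, Sequence, Tuple

Addr = Tuple[str, int]

# Constructed sample: answer to a request we sent from 192.168.1.10:5060 with ";rport".
SAMPLE_RESPONSE = (
    "SIP/2.0 200 OK\r\n"
    "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776a;"
    "received=203.0.113.7;rport=40112\r\n"
    "Content-Length: 0\r\n\r\n"
)

def via_received_rport(response: str) -> Optional[Addr]:
    """Read received/rport from the topmost Via (the one we added ourselves)."""
    for line in response.split("\r\n"):
        name, _, value = line.partition(":")
        if name.strip().lower() not in ("via", "v"):
            continue
        params = {}
        for param in value.split(",")[0].split(";")[1:]:
            key, _, val = param.partition("=")
            params[key.strip().lower()] = val.strip()
        try:
            ip = ipaddress.ip_address(params.get("received", ""))
            port = int(params.get("rport", ""))
        except ValueError:
            return None  # parameter missing or malformed: do not trust it
        return (str(ip), port) if 0 < port < 65536 else None
    return None

def pick_external_address(stun_rounds: Sequence[Optional[Addr]],
                          sip_response: Optional[str],
                          upnp_mapping: Optional[Addr],
                          interface_addr: Addr) -> Tuple[str, Addr]:
    """Apply the page's order: STUN, Via received/rport, UPnP, local interface."""
    # 1. STUN counts only if both rounds answered with the same ip/port.
    if len(stun_rounds) >= 2 and stun_rounds[0] and stun_rounds[0] == stun_rounds[1]:
        return "stun", stun_rounds[0]
    # 2. What the server saw as our source address, echoed back in our Via.
    via_addr = via_received_rport(sip_response) if sip_response else None
    if via_addr:
        return "via", via_addr
    # 3. A port mapping obtained through UPnP (lookup itself is out of scope here).
    if upnp_mapping:
        return "upnp", upnp_mapping
    # 4. Last resort: the best local interface address.
    return "interface", interface_addr
```

The received/rport values arrive in an unauthenticated response, which is why the parser validates them before they are used as our own address.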

OK, now we have done our best to give other SIP devices a really usable address for us, but how about contacting SIP servers and user agents at their correct address?
The SIP protocol is very tricky regarding this topic.
Mizuphone uses ICE technology and some tricks of its own to do this tricky work correctly.
We can extract the transport address from multiple sources:
 -the peer address that we are receiving its messages from, or
 -from the signaling (sent to us in different SIP headers)
  this can be present in multiple headers (Via, Route, Contact, SDP media, From, etc.), and when you have finished reading the SIP RFCs for the third time, you will realize their order and importance
 -we can even store the peer address(es) and use them when there are no better sources
 -or it can be entered explicitly by the user.
  Even in this case there are complications if an outbound proxy is configured.
 -and on top of this, the signaling address can change during the session (it is possible to send the INVITE and the BYE to different addresses)
When we are not sure what address to use, we can use forked calls and choose the best answer.
Forking the media does not save bandwidth, but sometimes it is the best thing we can do.
There are SIP devices that are very inconsistent in their signaling and use different ports to send and to receive messages. Picking the correct address in this case is impossible without forking the requests.

Good luck in choosing your best peer address! :)