NAT traversal for SIP services
Introduction
One of the key functions of Session Border Controllers is the ability to provide SIP services across NAT and Firewall devices, which may be located either at a customer or residential premise or within the network. The problem is actually twofold:
While today's Firewalls are able to dynamically open and close multiple ports as required by VoIP signalling protocols, such as SIP, they remain ineffective at securely supporting unsolicited incoming media flows.
NATs prevent two-way voice and multimedia communication, because the private IP addresses and ports inserted by client devices (IP phones, video conferencing stations etc.) in the packet payload are not routable in public networks.
Thus, incoming calls, which are essential in any service intended to replace the PSTN, are not possible with existing NAT/Firewalls.
The Newport Networks 1460 solves these problems by enabling secure traversal of ALL corporate NAT/Firewalls. This solution does not require additional customer premises equipment, nor does it require the replacement of existing Firewalls and NATs. This removes the necessity to visit customer premises to install new equipment, reduces the cost of connecting new subscribers and significantly simplifies the subscriber registration process.
Newport Networks 1460 - NAT traversal
The Newport Networks 1460 session border controller is specifically designed to meet the needs of Service Providers for scalability, performance and resilience. It is situated at the edge of the carrier network to control signalling and media streams as they enter and exit the network.

Figure 1 Newport Networks 1460 session border controller
The Newport Networks 1460 is configured as a transit point for the signalling and media associated with each call - behaving as a proxy endpoint in both the control and media planes. This provides the Service Provider with complete control of user activity.
The signalling proxy is configured as a transit point for SIP signalling messages between the User Agent and the Call Agent, and vice versa. In this way, it acts as a proxy for both client and server - ensuring that all signalling messages pass through it. This provides complete visibility and control of call establishment.
The media proxy operates under the control of the signalling proxy to provide a transit point for RTP and RTCP media streams between User Agents. All media is directed to the media proxy ensuring that the Service Provider has full visibility and control of the media stream to ensure service quality and security.
Newport Networks 1460 - firewall traversal
Solving the 'Firewall problem' means allowing secure incoming, unsolicited media from unknown IP addresses and ports. This is in clear conflict with sensible security policies. In the Newport Networks solution, the MediaProxy acts as a transit point (or meeting point) for all media sessions. Media sessions are always initiated from inside the Firewall, sent to a specified IP address and port on the MediaProxy that has been dynamically allocated for that session. The MediaProxy learns the originating public address and port from these outgoing packets in order to return the incoming stream to that same address and port.
Thus, receiving an incoming call is achieved through always establishing outgoing paths first, complying with typical Firewall security policies.
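The meeting-point behaviour described above, as an added toy model (not Newport Networks' code): each leg of a call gets a dynamically allocated relay port, the proxy latches on to the public source of the first packet sent out through the Firewall on that port, forwards the far party's media back to exactly that address, and refuses to re-latch so that a different source cannot take over an established leg. Class and method names, the port range and the addresses are assumptions for the example.

```python
"""Toy model of the MediaProxy 'meeting point' described above (constructed example).

Each call leg gets a dynamically allocated relay port. The relay ignores the
private address in the SDP and latches on to the public source of the first
packet the endpoint sends out through its NAT/Firewall; the far party's media
is then returned to exactly that address and port. Names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]  # public (ip, port) as seen by the proxy


@dataclass
class Leg:
    relay_port: int                 # port allocated on the media proxy for this leg
    latched: Optional[Addr] = None  # public source learned from the first packet
    peer: Optional["Leg"] = None    # other leg of the same call


@dataclass
class MediaProxy:
    public_ip: str
    next_port: int = 40000          # constructed port range for the example
    legs: Dict[int, Leg] = field(default_factory=dict)
    sent: List[Tuple[Addr, bytes]] = field(default_factory=list)  # (dst, payload) forwarded

    def allocate_call(self) -> Tuple[Leg, Leg]:
        """Allocate one relay port per leg; the signalling proxy would advertise these in SDP."""
        a, b = Leg(self.next_port), Leg(self.next_port + 2)
        a.peer, b.peer = b, a
        self.legs[a.relay_port], self.legs[b.relay_port] = a, b
        self.next_port += 4
        return a, b

    def receive(self, dst_port: int, src: Addr, payload: bytes) -> str:
        """Handle one RTP packet that arrived on relay port dst_port from public address src."""
        leg = self.legs.get(dst_port)
        if leg is None:
            return "drop:unknown-port"      # not a port we allocated for any session
        if leg.latched is None:
            leg.latched = src              # outgoing path opened: learn the NAT's public mapping
        elif leg.latched != src:
            return "drop:source-mismatch"  # latch once; other sources cannot take over the leg
        peer = leg.peer
        if peer is None or peer.latched is None:
            return "wait:peer-not-ready"   # far side has not opened its outgoing path yet
        self.sent.append((peer.latched, payload))
        return "forward"
```

Because the far party's media is only ever sent to an address the proxy has already seen traffic from, every Firewall on the path sees an outbound flow before any inbound one.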
For more information on the Newport Networks 1460 NAT traversal capabilities please refer to our white paper.
NAT traversal with IPsec
The increasing need to provide security for SIP signalling has led bodies such as 3GPP and TISPAN to evaluate and select suitable security protocols. 3GPP selected IPsec ESP; however, this was not suitable for TISPAN's use in fixed line networks. IPsec encounters problems when traversing NAT devices, which led TISPAN to select UDP encapsulation of IPsec. This overcomes the NAT traversal problems whilst providing the required encryption and authentication, and still complies with 3GPP's overall security architecture. The White Paper "IPsec in VoIP Networks" examines the flavours of IPsec and TISPAN's selection of UDP encapsulation.