Context for Configuring the Signaling Proxy and Media Proxy
By using a built-in signaling and media proxy module, the PBX can traverse NAT and communicate with devices on other network segments.
Overview of the Signaling Proxy and Media Proxy
Network address translation (NAT) technology was developed to alleviate IPv4 address exhaustion. Unlike traditional gateways that connect different network segments, NAT devices can be regarded as special gateways that connect private and public IP networks. When an IP packet passes through a NAT device, its source IP address is translated into a routable public address. In addition, the NAT device creates a binding covering the private source address, public source address, and public destination address. In this way, the response packet from the public network can be routed to the source on the private network.
Although NAT mitigates IP address exhaustion, it brings about the following problems:
- Most existing protocols are not NAT-aware. A NAT device translates IP addresses at the network and transport layers but not at the application layer. IP addresses carried inside application-layer protocols (for example in SIP headers and SDP bodies) therefore remain private addresses, and response packets sent to those addresses cannot be routed back to the originating network elements.
- A NAT device creates the binding between the private source address, public source address, and public destination address only for IP packets sent from the private network to the public network. Public network entities therefore cannot initiate connection requests to private network entities until such a binding exists.
NAT traversal is implemented in one of four modes: static NAT, Simple Traversal of User Datagram Protocol (UDP) Through Network Address Translators (NATs) (STUN), application layer gateway (ALG), and proxy. The signaling media proxy implements the proxy mode.
The signaling media proxy is a proxy-based IP gateway that provides a signaling proxy and a media proxy for VoIP services. It relays all signaling and media streams, rewriting the destination address and port of each stream from a private or public address to the address of the next hop. This provides address translation between network domains, including between private and public networks.
- SIP signaling proxy: All registration and call messages of intra-office users are sent to the signaling media proxy. The signaling media proxy processes signaling messages and forwards them to a control node such as a trunk or a SIP server. A call request from an inter-office user is sent to the signaling media proxy first, and then the signaling media proxy processes the request and forwards it to the called party. The signaling media proxy processes and analyzes the signaling to obtain address change and bandwidth requirement information about calls, and determines whether the media streams pass through the signaling media proxy based on the network resource usage. This helps to protect networks, prevent bandwidth theft, and achieve NAT traversal.
- Media proxy: All RTP media streams pass through the signaling media proxy. The signaling media proxy processes and forwards media streams to allow communication between intra-office and inter-office users. The signaling media proxy checks whether packets are valid and determines a forwarding policy for the media streams based on the signaling processing results. The forwarding policy covers packet filtering, QoS, and address translation. The signaling media proxy specifies IP addresses and ports for intra-office and inter-office users to receive RTP media streams to correctly forward the media streams and ensure QoS and security.
SIP Signaling Proxy
To implement signaling NAT traversal, an INVITE request must be able to reach the destination user behind the NAT device. Figure 2-72 uses a private SIP UE registering with the SIP server as an example; the steps are as follows.
- A SIP UE sends a REGISTER request to the NAT device. The source IP address contained in the REGISTER packet header and the contact address contained in the payload are both the private address/port (Aa) of the SIP UE.
- The NAT device allocates a public address/port (Nn) to the UE, generates a mapping between Aa and Nn, translates Aa in the packet header into Nn, and forwards the REGISTER request to the signaling media proxy.
- The signaling media proxy receives the REGISTER request, allocates a public signaling address/port (Dd) for the UE, rewrites the address in the REGISTER packet header (Nn) and the contact address in the payload (Aa) to Dd, records the mapping between Nn/Cc and Dd/Ee, and sends the REGISTER request to the SIP server to which the SIP UE belongs.
- The SIP server authenticates the SIP UE and sends a response packet to the signaling media proxy.
- The signaling media proxy receives the response packet, modifies the address contained in the packet header and payload according to the address mapping, and forwards the response packet to the NAT device.
- The NAT device translates the IP address contained in the response packet into Aa and forwards the packet to the SIP UE.
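The six registration steps above, as an added example that is not the vendor's code: each hop is modelled as a rewrite of a packet's header addresses (src, dst) and of the SIP text, with the NAT and the signaling proxy each keeping the binding they create. The SIP message, the port pools, the Call-ID and the server's behaviour (it simply accepts the binding instead of authenticating) are constructed; the access-side address 10.211.3.8 and core-side address 10.10.3.5 for the proxy are assumptions borrowed from the media example later on this page.

```python
"""Registration through NAT and the signaling proxy, modelled as address rewrites.

Added example, not vendor code. Packets are (src, dst, SIP text); the NAT and the
proxy keep the binding they create. Port pools, the Call-ID and the proxy's
access/core addresses are constructed assumptions.
"""
import re
from dataclasses import dataclass

UE_PRIVATE = ("192.168.1.2", 5060)       # Aa: the UE's private address/port
PROXY_ACCESS = ("10.211.3.8", 5060)      # where the UE sends its REGISTER (assumed)
SIP_SERVER = ("10.211.5.9", 5060)        # SIP server the UE belongs to (assumed)

ADDR = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"


@dataclass
class Packet:
    src: tuple
    dst: tuple
    body: str


def addr_str(a):
    return f"{a[0]}:{a[1]}"


def build_register(contact):
    """REGISTER as the UE sends it: Via and Contact both carry its private address."""
    a = addr_str(contact)
    return (
        "REGISTER sip:example.com SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {a};branch=z9hG4bK776\r\n"
        f"Contact: <sip:alice@{a}>\r\n"
        "From: <sip:alice@example.com>;tag=1\r\n"
        "To: <sip:alice@example.com>\r\n"
        "Call-ID: c1@ue1\r\n"
        "CSeq: 1 REGISTER\r\n"
        "Content-Length: 0\r\n\r\n"
    )


class Nat:
    """Translates only the IP/UDP header; the SIP payload passes through unchanged."""

    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 20001
        self.out, self.back = {}, {}

    def outbound(self, pkt):
        if pkt.src not in self.out:              # first outbound packet creates the binding Aa -> Nn
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.out[pkt.src], self.back[pub] = pub, pkt.src
        return Packet(self.out[pkt.src], pkt.dst, pkt.body)

    def inbound(self, pkt):
        if pkt.dst not in self.back:             # no binding yet: the NAT drops the packet
            return None
        return Packet(pkt.src, self.back[pkt.dst], pkt.body)


class SignalingProxy:
    """Rewrites header and payload addresses and records Nn/Aa <-> Dd per UE."""

    def __init__(self, access_addr, core_ip):
        self.access, self.core_ip, self.next_port = access_addr, core_ip, 30001
        self.by_nat, self.by_core = {}, {}

    def to_core(self, pkt, server):
        m = re.search(r"Contact: <sip:[^@>]*@" + ADDR + ">", pkt.body)
        aa = (m.group(1), int(m.group(2)))       # private address the UE wrote into the payload
        nn = pkt.src                             # NAT-translated address in the IP header
        if nn not in self.by_nat:
            dd = (self.core_ip, self.next_port)  # allocate the core-side signaling address Dd
            self.next_port += 1
            self.by_nat[nn], self.by_core[dd] = dd, (nn, aa)
        dd = self.by_nat[nn]
        body = pkt.body.replace(addr_str(aa), addr_str(dd))   # Via and Contact now say Dd
        return Packet(dd, server, body)

    def to_access(self, pkt):
        nn, aa = self.by_core[pkt.dst]
        body = pkt.body.replace(addr_str(pkt.dst), addr_str(aa))  # restore the UE's own address
        return Packet(self.access, nn, body)     # IP header: toward the NAT's public address Nn


def sip_server_handle(pkt):
    """Stands in for authentication: accept the binding and echo Via/Contact in a 200 OK."""
    via = re.search(r"Via: ([^\r\n]*)", pkt.body).group(1)
    contact = re.search(r"Contact: ([^\r\n]*)", pkt.body).group(1)
    resp = f"SIP/2.0 200 OK\r\nVia: {via}\r\nContact: {contact};expires=3600\r\nContent-Length: 0\r\n\r\n"
    return Packet(pkt.dst, pkt.src, resp)


def run_registration(nat, proxy, ue=UE_PRIVATE, server=SIP_SERVER):
    """Steps 1 to 6 of the flow; returns the packet seen by the server and the one seen by the UE."""
    p_ue = Packet(ue, proxy.access, build_register(ue))   # 1: Aa in header and payload
    p_nat = nat.outbound(p_ue)                            # 2: header Aa -> Nn, payload still Aa
    p_core = proxy.to_core(p_nat, server)                 # 3: Aa/Nn -> Dd, mapping recorded
    p_resp = sip_server_handle(p_core)                    # 4: server answers toward Dd
    p_back = proxy.to_access(p_resp)                      # 5: Dd -> Aa in payload, sent to Nn
    p_final = nat.inbound(p_back)                         # 6: header Nn -> Aa
    return {"core": p_core, "ue": p_final}


if __name__ == "__main__":
    r = run_registration(Nat("10.211.2.3"), SignalingProxy(PROXY_ACCESS, "10.10.3.5"))
    print(r["core"].body)
    print(r["ue"].body)
```

The point to take from the run is that the server never sees a private address (only Dd), the UE never sees Dd (its own Aa is restored on the way back), and a packet arriving at the NAT for a public port with no binding is silently dropped, which is exactly why the proxy, not the server, must be the first hop for every registration.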
Media Proxy
Media streams are transmitted over the VoIP network using RTP. RTP is carried over UDP. The IP addresses and ports used for the RTP media streams are negotiated using the signaling messages sent for establishing calls.
SIP negotiates the media addresses and ports of the calling and called users using the SDP information each side sends. When signaling carrying SDP passes through a NAT device, the NAT device translates only the IP and TCP or UDP headers, not the IP address and port carried in the SDP body. The media address the called user obtains is therefore the private address and port of the calling user, which the called user cannot reach from outside the private network. Deploying a media proxy on the network is an effective way to implement media NAT traversal: the media proxy translates private media addresses and ports into public addresses and ports during end-to-end media negotiation.
The signaling media proxy provides the media proxy function to support media NAT traversal without the need to upgrade the existing NAT device on the network. Media NAT traversal on the signaling media proxy is divided into two stages: signaling negotiation and media transmission.
- Signaling negotiation stage, at which media address mappings are set up by SDP negotiation
Figure 2-73 shows media address mapping setup through SDP negotiation.
Before a calling user and a called user make a call, they must send signaling packets to negotiate a channel for transmitting media streams. The signaling media proxy obtains the calling user's and called user's IP addresses and ports for receiving media streams according to SDP information contained in the signaling packets, allocates the access-side and core-side media addresses and ports to the calling user and called user, and creates an address mapping entry (192.168.1.2:3008, 10.211.3.8:7003)<->(10.10.3.5:5007, 10.211.5.9:9000) for media sessions. All media streams will pass through the signaling media proxy, but only the media streams matching media session entries on the signaling media proxy will be forwarded.
- Media transmission stage, at which the IP addresses for media packets are learned and translated
The media transmission stage is divided into three sub-stages: pre-media-latching, media latching, and post-media-latching.
- Pre-media-latching sub-stage: As shown in Figure 2-74, the terminal at 192.168.1.2 has not yet sent any media packet to the signaling media proxy, so the NAT device has no media address mapping between the terminal and the signaling media proxy. As a result, the NAT device discards all media packets destined for the terminal.
- Media latching sub-stage: As shown in Figure 2-75, the terminal sends its first media packet to the signaling media proxy. When this packet passes through the NAT device, the NAT device creates an address mapping between 192.168.1.2:3008 and 10.211.2.3:8028. The signaling media proxy receives the translated packet, learns the transport-layer address and port (10.211.2.3:8028) from it, and updates the media session entry to (10.211.2.3:8028, 10.211.3.8:7003)<->(10.10.3.5:5007, 10.211.5.9:9000).
- Post-media-latching sub-stage: As shown in Figure 2-76, when the signaling media proxy receives media packets destined for the terminal at 192.168.1.2, it looks up the updated entry (10.211.2.3:8028, 10.211.3.8:7003)<->(10.10.3.5:5007, 10.211.5.9:9000) and forwards them to 10.211.2.3:8028. The NAT device looks up its mapping (192.168.1.2:3008)<->(10.211.2.3:8028) and forwards the packets to the terminal.
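The three sub-stages above, as an added example that is not the vendor's code: a media session table built from the mapping entry in the text, a minimal NAT with a binding table, and a forwarding function that drops packets which are not valid RTP, latches the access-side source on the first valid packet and then refuses to re-latch to a different source. The RTP bytes, the NAT port pool and the probe address 10.211.9.9:4444 are constructed for illustration.

```python
"""Media proxy session table with address latching (added example, not vendor code).

A session entry follows the page's notation:
(access_peer, access_proxy) <-> (core_proxy, core_peer). Until latching, access_peer
is the private address the terminal advertised in SDP; the first valid packet from
behind the NAT overwrites it with the NAT's public address. The RTP bytes and the
NAT port pool are constructed.
"""
from dataclasses import dataclass


@dataclass
class Session:
    access_peer: tuple   # where the access-side terminal sends from (SDP value until latched)
    access_proxy: tuple  # proxy's access-side RTP address/port handed to that terminal
    core_proxy: tuple    # proxy's core-side RTP address/port handed to the far end
    core_peer: tuple     # far end's RTP address/port from its SDP
    latched: bool = False


def is_rtp(payload: bytes) -> bool:
    """Validity check applied before any forwarding: RTP version 2 and a full 12-byte header."""
    return len(payload) >= 12 and (payload[0] >> 6) == 2


class Nat:
    """Binding table only; it never looks inside the payload."""

    def __init__(self, public_ip):
        self.public_ip, self.next_port = public_ip, 8028
        self.out, self.back = {}, {}

    def outbound(self, src, dst):
        if src not in self.out:                       # first outbound packet creates the binding
            pub = (self.public_ip, self.next_port)
            self.next_port += 1
            self.out[src], self.back[pub] = pub, src
        return self.out[src], dst

    def inbound(self, src, dst):
        return (src, self.back[dst]) if dst in self.back else None   # no binding: dropped


class MediaProxy:
    def __init__(self):
        self.by_access, self.by_core = {}, {}

    def add_session(self, s):
        self.by_access[s.access_proxy] = s
        self.by_core[s.core_proxy] = s

    def forward(self, src, dst, payload):
        """Return (new_src, new_dst) for a packet that reached the proxy, or None to drop it."""
        if not is_rtp(payload):
            return None
        s = self.by_access.get(dst)
        if s is not None:                             # arrived on the access side
            if not s.latched:
                s.access_peer, s.latched = src, True  # media latching: learn the NAT public address
            elif src != s.access_peer:
                return None                           # already latched; a new source is not accepted
            return s.core_proxy, s.core_peer
        s = self.by_core.get(dst)
        if s is not None and src == s.core_peer:      # arrived on the core side from the expected peer
            return s.access_proxy, s.access_peer      # before latching this is still the private address
        return None


def walk_through():
    nat, proxy = Nat("10.211.2.3"), MediaProxy()
    s = Session(("192.168.1.2", 3008), ("10.211.3.8", 7003), ("10.10.3.5", 5007), ("10.211.5.9", 9000))
    proxy.add_session(s)
    rtp = bytes([0x80, 0x00]) + b"\x00" * 10          # constructed RTP header, version 2
    far_end, core_port = ("10.211.5.9", 9000), ("10.10.3.5", 5007)
    r = {}
    # Pre-latching: the far end sends first; the proxy still targets 192.168.1.2:3008 and the NAT drops it.
    r["pre"] = nat.inbound(*proxy.forward(far_end, core_port, rtp))
    # Latching: the terminal's first packet crosses the NAT and teaches the proxy 10.211.2.3:8028.
    src, dst = nat.outbound(("192.168.1.2", 3008), ("10.211.3.8", 7003))
    r["latch_forward"] = proxy.forward(src, dst, rtp)
    r["latched_peer"] = s.access_peer
    # Post-latching: the same far-end packet is forwarded to the public address and reaches the terminal.
    r["post"] = nat.inbound(*proxy.forward(far_end, core_port, rtp))
    # A packet from an unrelated host on the already latched port is dropped instead of re-latching.
    r["hijack"] = proxy.forward(("10.211.9.9", 4444), ("10.211.3.8", 7003), rtp)
    return r


if __name__ == "__main__":
    for stage, outcome in walk_through().items():
        print(f"{stage}: {outcome}")
```

The design point worth noting is that latching trusts whoever sends the first valid packet to the allocated access-side port. That is unavoidable, because the proxy has no other way to learn the NAT's public mapping, but it makes the window between allocating the port and receiving the terminal's first packet a race: an outsider who guesses the port in that window would capture the stream. Limiting the damage means refusing to re-latch once a source is learned (as `forward` does), rejecting anything that is not well-formed RTP, and keeping the allocated port range unpredictable.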