SIP 2012: ICE - NAT traversal for media
1. ICE
ICE
Taking us out of the NAT darkness.
http://edvina.net/sip2012
2. ICE
The goal
• Find the best media path between two devices
• Manage changes in a complex network
• ICE depends on STUN (v2, RFC 5389): discovery of the public IP address + port
• ICE depends on TURN (RFC 5766): allocation of a public IP address + port on a media relay
© Copyright 2012 Edvina AB, Sollentuna, Sweden. All rights reserved.
3. ICE
Ice: Show me yours, and I'll show you mine.
[Diagram: Alice and Bob each on a NATted network, Cecilia, SIP signalling between the UAs, STUN, and a TURN media relay]
• All UAs find all their addresses, including by using STUN
• May allocate an address using TURN
• Send all addresses as "candidates" in SDP
• Supports both IPv4 and IPv6
• IPv6-only UAs can allocate an IPv4 relayed address on the TURN server
RFC 5245
6. ICE
ICE candidate types
[Diagram: Alice behind a NAT, with a TURN server outside it]
• HOST candidate: address on a local network interface (VPN and mobile IP interfaces included)
• Server reflexive candidate: address discovered with STUN (the address seen outside the NAT)
• Relayed candidate: address allocated on the TURN server (an RTP relay)
7. ICE
Indicating ICE support
• The SIP media feature tag "sip.ice" can be included in registrations (in the Contact header)
• The SIP option tag "ice" is used in the Require: header, not in Supported: (support is signalled in the SDP)
• RFC 5768
Contact: <sip:1200@192.168.50.23>;+sip.ice
8. ICE
Passing the token
[Diagram: credentials carried in SIP signalling, used in the STUN checks]
• Each STUN connectivity check carries a message authentication code (MESSAGE-INTEGRITY, an HMAC-SHA1) computed with the peer's ICE password
• Each party has its own username fragment and password, valid for the session (or for one media stream)
• These are exchanged in the signalling layer, in the SDP
• Prevents unauthenticated media streams: a check that does not verify is dropped
a=ice-pwd:asd88fgpdd777uzjYhagZg
a=ice-ufrag:8hhY
9. ICE
Role play
[Diagram: ICE controlling agent and ICE controlled agent, SIP signalling between them, STUN checks on the media path]
• One agent (UA) is the controlling agent, the other is the controlled agent
• The controlling agent decides which candidate pairs the media streams will use
• The confirmation is done by sending a STUN request on the winning pair with a flag (the USE-CANDIDATE attribute) set to indicate that this pair will be used
• This concludes ICE processing for that component; remaining checks for it are cancelled
• In most call setups, the CALLER (the offerer) is the controlling agent
10. ICE
Re-INVITE?
[Diagram: controlling and controlled agent, SIP, STUN and RTP between them]
• If the selected candidates do not match the addresses in the c= and m= lines of the SDP, the controlling agent should send a re-INVITE with a new SDP offer
• At any point during the call, ICE can be restarted by either party sending a re-INVITE with a new offer (new ice-ufrag and ice-pwd)
11. ICE
ICE Lite for hosts with public IP
[Diagram: full ICE agent on a NATted UA, ICE lite on a media server with a public IP, SIP and STUN between them]
• Sends only its host candidates (no gathering) and a=ice-lite in the SDP
• Doesn't send STUN requests (connectivity checks)
• Answers STUN requests
• The full agent is the controlling party and selects the media address pair
12. ICE
Producing an offer
• 1. Gather candidates
• 2. Prioritize them
• 3. Eliminate redundant candidates
• 4. Choose default candidates
• 5. Formulate the SDP offer
Example candidates:
HOST 192.168.40.23
Server reflexive 192.0.2.34:48712 (from the STUN response)
Relayed 198.51.100.23:52124 (TURN allocation)
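The five steps above, carried through in Python as an example added for this page (not code from the talk). The gathering step is replaced by a constructed candidate list: a Wifi interface behind NAT, a VPN interface with no NAT in front of it (so its server reflexive address equals its host address and is redundant), and one TURN allocation. The priority formula, the type preferences, the redundancy rule and the default-candidate order are those of RFC 5245 section 4.1; the session owner line and the ice-ufrag/ice-pwd values are taken from the SDP slides of this deck.

```python
"""Producing an ICE offer: gather, prioritize, prune, choose defaults, write SDP
(RFC 5245 section 4.1). Example added for this page; candidates are constructed."""
from dataclasses import dataclass, replace
from typing import Optional, Tuple

# Type preferences recommended by RFC 5245 section 4.1.2.2
TYPE_PREF = {"host": 126, "prflx": 110, "srflx": 100, "relay": 0}


@dataclass(frozen=True)
class Candidate:
    ctype: str                        # host, srflx, prflx or relay
    ip: str
    port: int
    component: int                    # 1 = RTP, 2 = RTCP
    base: Tuple[str, int]             # host: itself; srflx: the host address it was learned from; relay: itself
    local_pref: int = 65535           # lower for less preferred interfaces on a multihomed host
    related: Optional[Tuple[str, int]] = None   # raddr/rport in SDP (srflx: its base; relay: mapped address)
    foundation: str = ""


def priority(ctype: str, local_pref: int, component: int) -> int:
    """RFC 5245 section 4.1.2.1: 2^24 * type pref + 2^8 * local pref + (256 - component id)."""
    return (2 ** 24) * TYPE_PREF[ctype] + (2 ** 8) * local_pref + (256 - component)


def cand_priority(c: Candidate) -> int:
    return priority(c.ctype, c.local_pref, c.component)


def gather() -> list:
    """Step 1, constructed: the STUN/TURN round trips are assumed to have happened already."""
    wifi, vpn, srflx = ("192.168.40.23", 8998), ("10.7.17.123", 6001), ("192.0.2.34", 48712)
    return [
        Candidate("host", *wifi, 1, wifi),
        Candidate("host", *vpn, 1, vpn, local_pref=65534),
        Candidate("srflx", *srflx, 1, wifi, related=wifi),
        Candidate("srflx", *vpn, 1, vpn, local_pref=65534, related=vpn),   # no NAT on the VPN: redundant
        Candidate("relay", "198.51.100.23", 52124, 1, ("198.51.100.23", 52124), related=srflx),
    ]


def assign_foundations(cands):
    """Candidates of the same type and same base IP share a foundation (one STUN/TURN server assumed)."""
    ids, out = {}, []
    for c in cands:
        fid = ids.setdefault((c.ctype, c.base[0]), str(len(ids) + 1))
        out.append(replace(c, foundation=fid))
    return out


def eliminate_redundant(cands):
    """Step 3 (RFC 5245 section 4.1.3): same transport address and same base as another
    candidate means redundant; the lower-priority one is dropped."""
    kept = []
    for c in sorted(cands, key=cand_priority, reverse=True):
        if any((k.ip, k.port, k.base, k.component) == (c.ip, c.port, c.base, c.component) for k in kept):
            continue
        kept.append(c)
    return kept


def choose_default(cands, component=1) -> Candidate:
    """Step 4 (RFC 5245 section 4.1.4): relay if present, else server reflexive, else host."""
    for ctype in ("relay", "srflx", "host"):
        for c in cands:
            if c.ctype == ctype and c.component == component:
                return c
    raise ValueError(f"no candidate for component {component}")


def candidate_line(c: Candidate) -> str:
    line = f"a=candidate:{c.foundation} {c.component} UDP {cand_priority(c)} {c.ip} {c.port} typ {c.ctype}"
    if c.related:
        line += f" raddr {c.related[0]} rport {c.related[1]}"
    return line


def produce_offer(ufrag="8hhY", pwd="asd88fgpdd777uzjYhagZg"):
    """Steps 1 to 5; returns the pruned, priority-ordered candidate list and the SDP text."""
    cands = eliminate_redundant(assign_foundations(gather()))   # steps 1-3
    default = choose_default(cands)                              # step 4
    lines = ["v=0", "o=jdoe 2890844526 2890842807 IN IP4 192.168.40.23", "s=",
             f"c=IN IP4 {default.ip}", "t=0 0", f"a=ice-pwd:{pwd}", f"a=ice-ufrag:{ufrag}",
             f"m=audio {default.port} RTP/AVP 0", "a=rtpmap:0 PCMU/8000"]
    lines += [candidate_line(c) for c in cands]                  # step 5
    return cands, "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(produce_offer()[1])
```

With a relayed candidate present, the default (and therefore the c= and m= lines) is the TURN address, which is why a call that ends up on a host-to-host pair usually needs the re-INVITE of slide 10. The VPN server reflexive candidate disappears in step 3 because it duplicates the VPN host candidate with the same base.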
13. ICE
Typical configuration (PC)
Host address (Wifi) 192.168.0.23:6001
Host address (VPN) 10.7.17.123:6001
Reflexive address (via TURN server) 123.123.123.123:2343
Relay address (TURN) 123.123.123.127:7080
Four candidates
14. ICE
Dual stack (PC)
Host address (Wifi) 192.168.0.23:6001
Host address (Wifi) IPv6 link local, IPv6 global
Host address (VPN) 10.7.17.123:6001
Host address (VPN) IPv6 VPN
Reflexive address (via TURN server) 123.123.123.123:2343
Relay address (TURN) 123.123.123.127:7080
Seven candidates
15. ICE
Single stack IPv6 (PC)
Host address (Wifi) IPv6 link local, ULA, global
Host address (VPN) IPv6 VPN
Reflexive address (via TURN server) none
Relay address (TURN) 123.123.123.127:7080 (IPv4, allocated on the TURN server)
Five candidates
16. ICE
INVITE and ICE
Alice -> Bob: INVITE with SDP (offer with candidates)
Bob -> Alice: 200 OK with SDP (answer with candidates)
Alice <-> Bob: STUN request / STUN response (connectivity checks on the candidate pairs)
Alice <-> Bob: STUN request / STUN response
Alice -> Bob: STUN request + selected flag (USE-CANDIDATE, sent by the controlling agent)
Bob -> Alice: STUN response
Media starts
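Between the 200 OK and the first STUN request in the sequence above, each agent pairs its own candidates with the peer's and orders the pairs into a check list (RFC 5245 section 5.7); the order decides which path is tried first. The Python below is an example added for this page, not code from the talk: Alice's two candidates are those of the "ICE SDP using STUN" slide, Bob's candidates (including an IPv6 host candidate that cannot be paired with Alice's IPv4 ones) are constructed, and the checks themselves are not sent.

```python
"""Forming the ICE check list after the SDP exchange (RFC 5245 section 5.7).
Example added for this page; Bob's candidates are constructed."""
import ipaddress


def candidate(ctype, ip, port, priority, base=None, component=1):
    """Minimal candidate record; the base defaults to the candidate itself (host and relay)."""
    return {"type": ctype, "ip": ip, "port": port, "priority": priority,
            "component": component, "base": base or (ip, port)}


# Alice (controlling): host and server reflexive candidates from the SDP slide
ALICE = [candidate("host", "10.0.1.1", 8998, 2130706431),
         candidate("srflx", "192.0.2.3", 45664, 1694498815, base=("10.0.1.1", 8998))]
# Bob (controlled), constructed: IPv4 host, srflx and relay plus an IPv6 host candidate
BOB = [candidate("host", "10.0.2.2", 6001, 2130706431),
       candidate("host", "2001:db8::2", 6001, 2130706175),
       candidate("srflx", "203.0.113.7", 40000, 1694498815, base=("10.0.2.2", 6001)),
       candidate("relay", "198.51.100.23", 52124, 16777215)]


def pair_priority(g: int, d: int) -> int:
    """RFC 5245 section 5.7.2: G is the controlling agent's candidate priority, D the
    controlled agent's. The +1 lets the pair where the controlling side is preferred win a tie,
    so both agents compute the same order."""
    return (2 ** 32) * min(g, d) + 2 * max(g, d) + (1 if g > d else 0)


def form_check_list(local, remote, controlling: bool):
    """Pair every local candidate with every remote candidate of the same component and
    address family, sort by pair priority, then prune: a local srflx candidate is replaced
    by its base (checks are sent from the base), and pairs that become identical keep only
    the highest-priority one."""
    pairs = []
    for loc in local:
        for rem in remote:
            if loc["component"] != rem["component"]:
                continue
            if ipaddress.ip_address(loc["ip"]).version != ipaddress.ip_address(rem["ip"]).version:
                continue
            g, d = (loc["priority"], rem["priority"]) if controlling else (rem["priority"], loc["priority"])
            pairs.append({"local": loc, "remote": rem, "priority": pair_priority(g, d)})
    pairs.sort(key=lambda p: p["priority"], reverse=True)
    seen, check_list = set(), []
    for p in pairs:
        loc = p["local"]
        send_from = loc["base"] if loc["type"] == "srflx" else (loc["ip"], loc["port"])
        key = (send_from, (p["remote"]["ip"], p["remote"]["port"]))
        if key in seen:
            continue  # same socket, same destination: the srflx pair duplicates the host pair
        seen.add(key)
        check_list.append({**p, "send_from": send_from})
    return check_list


if __name__ == "__main__":
    for p in form_check_list(ALICE, BOB, controlling=True):
        print(p["priority"], p["send_from"], "->", (p["remote"]["ip"], p["remote"]["port"]), p["remote"]["type"])
```

Six pairs are formed and three survive pruning, all sent from Alice's host socket: Bob's host, then his server reflexive, then his relayed address. That order is the "best path first" of the opening slide; the relay is tried last because its type preference is 0.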
17. ICE
ICE and PRACK
• With ICE there is a need to start the selection, and media, as soon as possible
• If the SDP answer is in a 183, it has to be sent reliably in order not to miss the opportunity to start the ICE selection process
• Using PRACK is one way. Another solution is to retransmit the 18x message with SDP until a STUN Binding request is received.
18. ICE
18x+SDP speeds up the process
• With an 18x response carrying SDP, the ICE selection process starts before the user answers. The user may not answer at all, but it helps the user experience to have media ready when the user does answer.
19. ICE
STUN success
• Verification of the response:
• The transaction ID must match a request we sent
• The response must be addressed to the IP and port we sent the request from
• The response must come from the IP and port we sent the request to
• The credentials must be correct (MESSAGE-INTEGRITY verifies with the expected password)
• Otherwise the STUN check FAILS
20. ICE
ICE failure
• If there is no selected ICE candidate pair in any media stream, the controlling agent needs to terminate the dialog
• If at least one stream succeeded, the dialog continues. Failed streams should be disabled in a new offer
21. ICE
ICE SDP using STUN
v=0
o=jdoe 2890844526 2890842807 IN IP4 10.0.1.1
s=
c=IN IP4 192.0.2.3
t=0 0
a=ice-pwd:asd88fgpdd777uzjYhagZg
a=ice-ufrag:8hhY
m=audio 45664 RTP/AVP 0
b=RS:0
b=RR:0
a=rtpmap:0 PCMU/8000
a=candidate:1 1 UDP 2130706431 10.0.1.1 8998 typ host
a=candidate:2 1 UDP 1694498815 192.0.2.3 45664 typ srflx raddr 10.0.1.1 rport 8998
The c= and m= lines carry the default candidate: the UA suggests using the STUN (server reflexive) address 192.0.2.3:45664.
22. ICE
Two selection processes
Aggressive nomination: faster conclusion
Regular nomination: slower, but may find a lower-latency media path
An implementation could set up the call with aggressive nomination, then re-INVITE and restart ICE with regular nomination to find the best media path.
23. ICE
Aggressive ICE
Alice -> Bob: STUN request + selected flag
Bob -> Alice: STUN response
Alice -> Bob: STUN request + selected flag
Bob -> Alice: STUN response
The controller does not wait: it sets the selected flag on every check, and the first check that reaches Bob and succeeds selects the pair.
24. ICE
Regular ICE nomination
Alice -> Bob: STUN request
Bob -> Alice: STUN response
Alice -> Bob: STUN request
Bob -> Alice: STUN response
Alice -> Bob: STUN request + selected flag
Bob -> Alice: STUN response
The controller waits for the results of the checks before making a selection.
25. ICE
ICE delay
• With many candidates and media streams, there is a noticeable delay after the user "answers" the call until media starts flowing
• With a B2BUA in the call path that uses ICE on both legs, this happens twice in the same call, which is not good
• A B2BUA could speed up the process by sending a 183 with a=inactive, then re-INVITE quickly after the 200 OK with a=sendrecv. This restarts ICE, but media is flowing.
26. ICE
ICE changes to STUN
• ICE adds new STUN attributes: PRIORITY, USE-CANDIDATE, ICE-CONTROLLING, ICE-CONTROLLED
• ICE adds a new error response: 487 Role Conflict
• The STUN USERNAME is the peer's username fragment plus the local username fragment, separated by ":"
• Username fragment and password are random per session
• Each agent sends its own username fragment and password in the SDP (a=ice-ufrag, a=ice-pwd); the peer uses the password as the key for the integrity check
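Slide 8 (the credentials), slide 19 (verifying a STUN success) and this slide together describe a connectivity check and what protects it. The Python below is an example added for this page, not code from the talk: it builds an ICE Binding request with USERNAME, PRIORITY, ICE-CONTROLLING, USE-CANDIDATE, MESSAGE-INTEGRITY and FINGERPRINT, verifies it as the receiving agent would, produces the success response with XOR-MAPPED-ADDRESS, and applies the slide 19 checks on the sending side. Bob's ice-ufrag/ice-pwd are the ones shown on slide 8; Alice's credentials, all addresses and the tie-breaker value are constructed for the example.

```python
"""ICE connectivity check: STUN Binding request/response with the RFC 5245 attributes,
MESSAGE-INTEGRITY and FINGERPRINT (RFC 5389). Example added for this page."""
import hashlib
import hmac
import os
import struct
import zlib

MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST, BINDING_SUCCESS = 0x0001, 0x0101
# Attribute types: RFC 5389 section 18.2 and RFC 5245 section 19.1
USERNAME, MESSAGE_INTEGRITY, XOR_MAPPED_ADDRESS, FINGERPRINT = 0x0006, 0x0008, 0x0020, 0x8028
PRIORITY, USE_CANDIDATE, ICE_CONTROLLED, ICE_CONTROLLING = 0x0024, 0x0025, 0x8029, 0x802A


def _attr(atype, value):
    """TLV attribute, value padded to a 4-byte boundary."""
    return struct.pack("!HH", atype, len(value)) + value + b"\0" * (-len(value) % 4)


def _header(mtype, length, tid):
    return struct.pack("!HHI", mtype, length, MAGIC_COOKIE) + tid


def build(mtype, tid, attrs, password: str):
    """Serialise attrs, then append MESSAGE-INTEGRITY (HMAC-SHA1; with short-term credentials
    the key is the password itself) and FINGERPRINT. Each is computed with the header length
    set as if the message ended with that attribute (RFC 5389 sections 15.4 and 15.5)."""
    body = b"".join(_attr(t, v) for t, v in attrs)
    mac = hmac.new(password.encode(), _header(mtype, len(body) + 24, tid) + body, hashlib.sha1).digest()
    body += _attr(MESSAGE_INTEGRITY, mac)
    crc = (zlib.crc32(_header(mtype, len(body) + 8, tid) + body) & 0xFFFFFFFF) ^ 0x5354554E
    body += _attr(FINGERPRINT, struct.pack("!I", crc))
    return _header(mtype, len(body), tid) + body


def parse(msg):
    """Return (type, transaction id, {attribute type: (value, offset of the attribute)})."""
    mtype, length, cookie = struct.unpack("!HHI", msg[:8])
    if cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a STUN message")
    attrs, pos = {}, 20
    while pos < len(msg):
        atype, alen = struct.unpack("!HH", msg[pos:pos + 4])
        attrs[atype] = (msg[pos + 4:pos + 4 + alen], pos)
        pos += 4 + alen + (-alen % 4)
    return mtype, msg[8:20], attrs


def verify(msg, password: str):
    """Receiver side: FINGERPRINT must match, then MESSAGE-INTEGRITY must verify with the
    password the receiver expects (its own ice-pwd for a request)."""
    mtype, tid, attrs = parse(msg)
    if FINGERPRINT not in attrs or MESSAGE_INTEGRITY not in attrs:
        return False
    fp, fp_off = attrs[FINGERPRINT]
    if struct.unpack("!I", fp)[0] != (zlib.crc32(msg[:fp_off]) & 0xFFFFFFFF) ^ 0x5354554E:
        return False
    mac, mi_off = attrs[MESSAGE_INTEGRITY]
    covered = _header(mtype, mi_off - 20 + 24, tid) + msg[20:mi_off]
    return hmac.compare_digest(mac, hmac.new(password.encode(), covered, hashlib.sha1).digest())


def connectivity_check(local_ufrag, remote_ufrag, remote_pwd, priority, tie_breaker, controlling, nominate):
    """Binding request as sent by an ICE agent: USERNAME is remote-ufrag:local-ufrag, the HMAC key
    is the peer's ice-pwd, and USE-CANDIDATE is present only when nominating."""
    attrs = [(USERNAME, f"{remote_ufrag}:{local_ufrag}".encode()),
             (PRIORITY, struct.pack("!I", priority)),
             (ICE_CONTROLLING if controlling else ICE_CONTROLLED, struct.pack("!Q", tie_breaker))]
    if nominate:
        attrs.append((USE_CANDIDATE, b""))
    return build(BINDING_REQUEST, os.urandom(12), attrs, remote_pwd)


def success_response(request, source, password: str):
    """Responder: echo the transaction id and report where the request came from
    (XOR-MAPPED-ADDRESS, IPv4), integrity-protected with the same password as the request."""
    _, tid, _ = parse(request)
    ip, port = source
    xaddr = struct.pack("!BBH", 0, 1, port ^ (MAGIC_COOKIE >> 16)) + bytes(
        int(o) ^ c for o, c in zip(ip.split("."), MAGIC_COOKIE.to_bytes(4, "big")))
    return build(BINDING_SUCCESS, tid, [(XOR_MAPPED_ADDRESS, xaddr)], password)


def mapped_address(response):
    """Decode XOR-MAPPED-ADDRESS (IPv4); a new address here is a peer reflexive candidate."""
    v, _ = parse(response)[2][XOR_MAPPED_ADDRESS]
    port = struct.unpack("!H", v[2:4])[0] ^ (MAGIC_COOKIE >> 16)
    return ".".join(str(b ^ c) for b, c in zip(v[4:8], MAGIC_COOKIE.to_bytes(4, "big"))), port


def check_succeeded(response, request, sent_from, sent_to, received_from, received_at, password: str):
    """Sender side, the slide 19 conditions: transaction id matches, the response arrived at the
    socket we sent from, it came from the address we sent to, and its integrity verifies."""
    mtype, tid, _ = parse(response)
    return (mtype == BINDING_SUCCESS and tid == request[8:20] and received_at == sent_from
            and received_from == sent_to and verify(response, password))


if __name__ == "__main__":
    BOB_UFRAG, BOB_PWD = "8hhY", "asd88fgpdd777uzjYhagZg"     # slide 8 credentials
    req = connectivity_check("9uB6", BOB_UFRAG, BOB_PWD, 2130706431, 0x1234, True, True)  # Alice's ufrag constructed
    resp = success_response(req, ("192.0.2.3", 45664), BOB_PWD)  # Bob saw Alice's NATted address
    print(mapped_address(resp), check_succeeded(resp, req, ("10.0.1.1", 8998), ("192.0.2.5", 6001),
                                                ("192.0.2.5", 6001), ("10.0.1.1", 8998), BOB_PWD))
```

A check with the wrong password, or one whose USERNAME has been altered in transit, fails verification and is dropped, which is the "prevention from unauthenticated media streams" of slide 8; a response arriving from an address other than the one the request went to fails the slide 19 test even when its integrity is fine.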
27. ICE
RTP keepalives
• Sent when nothing has been sent on the stream for 15 seconds
• All agents MUST send NAT keepalives on every media stream
• STUN Binding requests if the other side supports ICE
• Otherwise RTP No-Op, RTP comfort noise (CNG), or an RTP packet with an incorrect version number (which the receiver just drops)
28. ICE
IPv4 and IPv6
• Candidates for both address families can be presented in the same offer
• The relative priority of the two families is open for discussion; it relates to the address selection policy of the operating system (RFC 6724)
29. ICE
New SDP attributes
a=candidate
a=remote-candidates
a=ice-lite
a=ice-mismatch
a=ice-ufrag
a=ice-pwd
a=ice-options
30. ICE
ICE
+
• Finds the best media path between two nodes
• Supports IPv4 and IPv6 deployments
• Binds SIP+SDP to the actual media
• Used by Microsoft, Apple (FaceTime), Google Hangouts
-
• Takes time at call setup
• Hard for B2BUAs to support
• Complex for developers
31. The SIP Master Class
This material is part of the Edvina SIP Master Classes.
Learn more about SIP2012 at http://edvina.net/sip2012