[Serusers] nat and rtpproxy/mediaproxy

Jan Janak jan at iptel.org
Sun Apr 25 18:18:39 CEST 2004 

On 21-04 13:20, Richard wrote:
> Hi,
> 
> I looked at the archieve and tried to find a solution
> for natted clients in a carrier environment. I have to
> say I am clear as mud. In our senario, some clients
> are behind nat, while others are not. Clients may move
> between nat and no-nat. What's the best approach to
> rtpproxy/mediaproxy. In rtpproxy's readme, it uses
> "search" to find certain client. It has issues to
> support other clients. Is nat_uac_test/client_nat_test
> sufficient to test either src or dest is behind nat
> and should go through media proxy? 
 
  Yes, it will detect clients behind NAT if there is no
  SIP-ALG (something that rewrites SIP messages). If the
  NAT rewrites SIP messages as well then they will look
  like ordinary message coming from clients in the public
  internet and they will not be treated like NATed -- in
  that case the NAT will take care of the clients.

> What if some
> clients have stun support? 

  If implemented properly then it will work. If a phones
  discovers that it can traverse the NAT using STUN then
  it will do so and such a client will look like a client
  in the public internet to ser -- neither special treatment
  nor rtp proxy is necessary.

> What if some are behind
> symmetric NAT and some are not?

  Clients supporting STUN will detect that they are behind
  symmetric NAT and should put private IPs in the messages
  (because symmetric NATs are not traversable by STUN and
  therefore STUN should not be used). In this case SER will
  take care of traversing the NAT (nathelper/rtp relay).

  The rule of thumb for user agents is: Rewrite the contents of
  SIP message only if you are absolutely sure that you can traverse
  the NAT without additional help from the server.
  
  If a SIP user agent is able to detect the type of the NAT and 
  traverse it by any means (STUN, UPNP, whatever) then it should do 
  it. In this case ser won't do anything special.

  If the user agent cannot traverse the NAT or if it is not sure 
  that it can traverse it properly then it _should not do anything_,
  it should just send SIP messages containing private IPs to the
  server and hope that the server will be able to traverse it. In
  this case ser needs to get as much original information
  as possible -- mainly private IP addresses.

    Jan.

More information about the sr-users mailing list