[Users] STUN still mandatory ?

Klaus Darilion klaus.mailinglists at pernau.at
Tue Nov 22 17:01:33 CET 2005


Hi Christophe!

There are 2 ways to traverse NAT.

1. The client does NAT traversal (via STUN)
2. The server does NAT traversal (e.g. nathelper+rtpproxy or 
mediaproxy+mediaproxy)

If the server does NAT traversal always (for each user and request), the 
client do not need to use STUN.

If the client's NAT can be traversed by STUN, there is no need for NAT 
traversal on the server. Unfortunatelly there are NATs which can be 
traversed by STUN (symmetrc NAT).

So, if you want it the easy way, you can just use server based NAT 
traversal all the time and do not care about STUN.

If you are having lots of users, server based NAT traversal is a 
bottleneck. Further it may add additional delay due to the additional 
hop in the RTP stream.

I suggest:

1. Install a stun server (e.g. vovida stun, works fine) and set up SRV 
records which point to the stun server. Many clients perform SRV lookups 
to find the stun server automatically:

_stun._udp.yourdomain.              SRV     0 0 3478 stun.yourdomain.
stun.yourdomain.                    A       1.2.3.4

This enables the client to detect the kind of NAT (symmetric, coned, ...)

2. use nat_uac_test(18) (from nathelper module) to detect if the client 
is behind NAT. If the client is behind NAT, user serverbased NAT traversal.

If the client can use STUN to traverse the NAT, the nat_uac_test will 
fail and the client will be handled like it has a public IP.

If the client can not use STUN to traverse the NAT (e.g. symmetric NAT), 
  it should use the private IP addresses in the SIP messages. Thus, the 
nat_uac_test will trigger and the server can do the NAT traversal.

server based NAT traversal means ...
   - force_rport for all requests
   - fix_nated_register for REGISTER messages
   - fix_nated_contact for INVITE requests and corresponding 1xx, 2xx;
   - force_rtpproxy or use_media_proxy to have an RTP proxy
... if the caller or the callee is behind NAT (nat_uac_test==TRUE)


regards
klaus



Christophe Irles wrote:
> Hi,
> 
> Is the use of a STUN server or any other solution of this type (another
> daemon) still mandatory to solve NAT problem since I have set up correctly
> a media proxy and the netHelper module in my configuration file ? If it's
> not the case which type of configuration is out of the scope if my server is
> in this configuration ?
> 
> For example for this network configuration, is a STUN server with UA
> compatible mandatory ?
> UA1 --- [openSER+MediaProxy+FW wiht NAT] --- [ Internet ] --- [ FW/NAT ] ---
> UA2
> 
> If it the case, which module(s) must be used with openSER and which STUN
> server (open source/free) can be used ?
> 
> I already tested that this network configuration is working without any STUN
> server
> UA1 --- [openSER+MediaProxy+FW wiht NAT] --- [Internet] ---  [FW] ---
> UA2(softphone on PC with direct access on internet)
> 
> Thanks,
> Christophe
> 
> 
> _______________________________________________
> Users mailing list
> Users at openser.org
> http://openser.org/cgi-bin/mailman/listinfo/users
> 
> 





More information about the sr-users mailing list