SIP security problem?
SIP requires an explicit IP address and does not traverse NAT firewalls.
Virtually all routers, such as those found at Best Buy or from Cisco, Netgear or 3Com, support a feature called Network Address Translation (NAT). NAT allows one IP address to identify the router on the Internet while that address is shared with dozens of devices (PCs, printers, servers) inside the network. In fact, the marketing types at router vendors think of NAT as a 'firewall' function, albeit a rudimentary one. So the internal devices use addresses such as 192.168.1.91 even though the router has been assigned the address 188.8.131.52. This way, the global address space can be shared and reused again and again.
Unfortunately, because of the way SIP works (using explicit addressing and User Datagram Protocol (UDP)-oriented transport), each device sends its own IP address to the other device with which it is attempting to establish a session. If it sends 192.168.1.91, the receiving device will try to establish a link with an address that is meaningful only on the sender's local network.
However, there are work-arounds. Simple Traversal of UDP through NAT (STUN) is one, but there are others. NATs come in four typical flavors: full-cone, address-restricted cone, port-restricted cone and symmetric NAT. There are several methods to traverse these NATs, including application layer gateways (ALGs), media tunnels, third-party proxies, and STUN. Since providing an ALG, tunnel or third-party proxy requires the co-operation of the premises NAT device or additional equipment, it is highly impractical for a consumer-level deployment, and therefore, as the ATA vendor, we are on our own to solve the NAT problem.
STUN is the most widely deployed option and will traverse most NAT firewalls. STUN works by using a lightweight UDP protocol and an external STUN server to identify the type of translation performed by the NAT firewall(s). It then identifies the exact translation the NAT has chosen to apply to a particular UDP connection used for RTP or SIP. This information is gathered without the specific co-operation of the NAT firewall and is then used to establish the SIP and RTP sessions. While virtually all consumer premises equipment uses a flavor of cone NAT, in a corporate environment it is more likely that symmetric NAT will be encountered. In that case, an ALG or local proxy is unfortunately needed.
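To make the STUN mechanism concrete, here is an added example (not code from the ATA vendor or the original post) that parses a STUN Binding Response to recover the public address:port the NAT assigned to the device's SIP socket, then rewrites the private 192.168.1.91 address in a stripped-down INVITE with that mapping. The response bytes, the INVITE and the mapped port 40210 are constructed for illustration; a real RTP stream would need its own binding for its own port, and Via handling via rport/received is left out.

```python
import re
import socket
import struct

MAGIC_COOKIE = 0x2112A442        # RFC 5389 fixed cookie in every STUN header
BINDING_SUCCESS = 0x0101         # Binding Success Response message type
MAPPED_ADDRESS = 0x0001          # classic (RFC 3489) attribute, plain address
XOR_MAPPED_ADDRESS = 0x0020      # RFC 5389 attribute, XORed so NAT ALGs cannot rewrite it

def parse_binding_response(msg: bytes) -> tuple[str, int]:
    """Return the (public_ip, public_port) the STUN server observed for our socket."""
    if len(msg) < 20:
        raise ValueError("truncated STUN header")
    msg_type, length, cookie = struct.unpack("!HHI", msg[:8])
    if msg_type != BINDING_SUCCESS or cookie != MAGIC_COOKIE or len(msg) != 20 + length:
        raise ValueError("not a well-formed STUN Binding Success Response")
    pos = 20                                         # attributes follow the 20-byte header
    while pos + 4 <= len(msg):
        attr_type, attr_len = struct.unpack("!HH", msg[pos:pos + 4])
        value = msg[pos + 4:pos + 4 + attr_len]
        if len(value) != attr_len:
            raise ValueError("attribute overruns message")
        # family byte 0x01 = IPv4; value layout: reserved, family, port, address
        if attr_type in (MAPPED_ADDRESS, XOR_MAPPED_ADDRESS) and attr_len == 8 and value[1] == 1:
            port, ip = struct.unpack("!HI", value[2:8])
            if attr_type == XOR_MAPPED_ADDRESS:
                port ^= MAGIC_COOKIE >> 16
                ip ^= MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", ip)), port
        pos += 4 + ((attr_len + 3) & ~3)             # values are padded to a 4-byte boundary
    raise ValueError("no mapped address in response")

def rewrite_sip_addresses(sip_msg: str, private_ip: str, public_ip: str, public_port: int) -> str:
    """Replace the private ip:port in Via/Contact and the SDP c= line with the NAT mapping."""
    sip_msg = re.sub(rf"{re.escape(private_ip)}:\d+", f"{public_ip}:{public_port}", sip_msg)
    return sip_msg.replace(f"c=IN IP4 {private_ip}", f"c=IN IP4 {public_ip}")

# Constructed sample: Binding Success Response with XOR-MAPPED-ADDRESS for
# 188.8.131.52:40210, the NAT's public side of the device's 192.168.1.91:5060 socket.
SAMPLE_RESPONSE = (
    struct.pack("!HHI", BINDING_SUCCESS, 12, MAGIC_COOKIE) + b"\x00" * 12   # zero txid
    + struct.pack("!HH", XOR_MAPPED_ADDRESS, 8) + b"\x00\x01\xbc\x00\x9d\x1a\x27\x76"
)

# Constructed, minimal INVITE carrying the locally relevant address the text warns about.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.91:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.91:5060>\r\n\r\n"
    "c=IN IP4 192.168.1.91\r\n"
)
```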
Another technique, endorsed by Microsoft and many other software vendors engaged in the consumer and gaming markets, is UPnP (Universal Plug and Play), which is a derivative of the STUN model suited to multi-player gamers.