Routers SIP ALG
Created by: ibc,Last modification on Tue 13 of May, 2008 [08:39 UTC]
Introduction
Many of today's commercial routers implement SIP ALG (Application-level gateway), coming with this feature enabled by default. While ALG could help in solving NAT related problems in client LAN side, the fact is that many routers ALG implementation has wrong behaviour and breaks SIP protocol making, more or less, impossible the communication.There are various solutions for SIP clients behind NAT, some of them in client side (STUN, TURN, ICE), others in server side (Proxy RTP as RtpProxy, MediaProxy). ALG works typically in the client LAN router or gateway. In some scenarios some client side solution are not valid, for example STUN with symmetrical NAT router. If our SIP proxy doesn't provide us a server side NAT solution, then ALG solution could have place.
An ALG understands the protocol used by the specific applications that it supports (in our case SIP) and does a protocol packet-inspection of SIP traffic through it. A NAT router with inbuilt SIP ALG can re-write information within the SIP messages (SIP headers and SDP body) making possible signalling and audio traffic between LAN client and outside SIP endpoint.
SIP ALG example
- caller behind NAT with private IP 192.168.1.33.
- caller router public IP 200.200.200.200
- SIP proxy in Internet with domain "mydomain.org".
INVITE from the LAN client (with private IP)
INVITE sip:destino@mydomain.org SIP/2.0
Via: SIP/2.0/UDP 192.168.1.33:5060;branch=z9hG4bKjyofoqmp
Max-Forwards: 70
To: <sip:destino@mydomain.org>
From: "Iñaki" <sip:ibc@mydomain.org>;tag=nrrrx
Call-ID: xetazdjyktlpsfo@192.168.1.33
CSeq: 800 INVITE
Contact: <sip:ibc@192.168.1.33:5060>
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.1
Content-Length: 312
v=0
o=ibc 1090098764 894503441 IN IP4 192.168.1.33
s=-
c=IN IP4 192.168.1.33
t=0 0
m=audio 8000 RTP/AVP 98 97 8 0 3 101
a=rtpmap:98 speex/16000
a=rtpmap:97 speex/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=zrtp
Via: SIP/2.0/UDP 192.168.1.33:5060;branch=z9hG4bKjyofoqmp
Max-Forwards: 70
To: <sip:destino@mydomain.org>
From: "Iñaki" <sip:ibc@mydomain.org>;tag=nrrrx
Call-ID: xetazdjyktlpsfo@192.168.1.33
CSeq: 800 INVITE
Contact: <sip:ibc@192.168.1.33:5060>
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.1
Content-Length: 312
v=0
o=ibc 1090098764 894503441 IN IP4 192.168.1.33
s=-
c=IN IP4 192.168.1.33
t=0 0
m=audio 8000 RTP/AVP 98 97 8 0 3 101
a=rtpmap:98 speex/16000
a=rtpmap:97 speex/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=zrtp
Note that text in red needs to be fixed before it arrives to the proxy (in case our proxy doesn't provide us a NAT server solution). If not, the proxy reply will not arrive to the client (caller):
- SIP replies must be sent to address in "Via" header and caller indicates a private address so it won't be reachable by the proxy in Internet.
- The caller couldn't receive in-dialog/sequential messages (ACK for the INVITE, BYE, REFER, re-INVITE...) since the address in "Contact" is private.
- Unidirectional audio since the caller told the callee to send audio to a private IP and port (so the caller won't hear the callee).
The same INVITE modified by the ALG router
INVITE sip:destino@mydomain.org SIP/2.0
Via: SIP/2.0/UDP 200.200.200.200:12345;branch=z9hG4bKjyofoqmp
Max-Forwards: 70
To: <sip:destino@mydomain.org>
From: "Iñaki" <sip:ibc@mydomain.org>;tag=nrrrx
Call-ID: xetazdjyktlpsfo@192.168.1.33
CSeq: 800 INVITE
Contact: <sip:ibc@200.200.200.200:12345>
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.1
Content-Length: 312
v=0
o=ibc 1090098764 894503441 IN IP4 192.168.1.33
s=-
c=IN IP4 200.200.200.200
t=0 0
m=audio 33445 RTP/AVP 98 97 8 0 3 101
a=rtpmap:98 speex/16000
a=rtpmap:97 speex/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=zrtp
Via: SIP/2.0/UDP 200.200.200.200:12345;branch=z9hG4bKjyofoqmp
Max-Forwards: 70
To: <sip:destino@mydomain.org>
From: "Iñaki" <sip:ibc@mydomain.org>;tag=nrrrx
Call-ID: xetazdjyktlpsfo@192.168.1.33
CSeq: 800 INVITE
Contact: <sip:ibc@200.200.200.200:12345>
Content-Type: application/sdp
Allow: INVITE,ACK,BYE,CANCEL,OPTIONS,PRACK,REFER,NOTIFY,SUBSCRIBE,INFO,MESSAGE
Supported: replaces,norefersub,100rel
User-Agent: Twinkle/1.1
Content-Length: 312
v=0
o=ibc 1090098764 894503441 IN IP4 192.168.1.33
s=-
c=IN IP4 200.200.200.200
t=0 0
m=audio 33445 RTP/AVP 98 97 8 0 3 101
a=rtpmap:98 speex/16000
a=rtpmap:97 speex/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:3 GSM/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=zrtp
The ALG has fixed NAT related problem by:
- Replacing IP in "Via" header with the public IP and port.
- Replacing "Contact" with mapped public IP and port.
- Replacing SDP media address with public IP and port.
SIP ALG problems
The main problem is the poor implementation at SIP protocol level of most commercial routers and the fact that this technology is just useful for outgoing calls, but not for incomings calls:- Lack of incoming calls: When a UAC is switched on it sends a REGISTER to the proxy in order to be localizable and receive incoming calls. This REGISTER is modified by the ALG feature (if not the user wouldn't be reachable by the proxy since it indicated a private IP in REGISTER "Contact" header). Common routers just mantain the UDP "conntection" open for a while (30-60 seconds) so after that time the port forwarding is ended and incoming packets are discarted by router.
- Breaking SIP signalling: Many of the actual common routers with inbuilt SIP ALG does a wrong job modifying SIP headers and SDP body, breaking SIP protocol and making communication just impossible.
- Dissallows server side solutions: Even if you don't need a client side NAT solution (your SIP proxy gives you a server NAT solution) if your LAN router has SIP ALG enabled that breaks SIP signalling then it will make not possible the communication with your proxy.
List of routers with SIP ALG enabled
The following is a list containing SIP ALG router models, their issues and how to dissable SIP ALG (enabled by default in most of the cases):SpeedTouch
Models: ST530 v6 (firmware >= 5.4.0.13) comes with SIP ALG enabled by default.NAT type: symmetrical
Issues:
- No incoming calls.
- It performs a complete "regex" by replacing the private IP appearing in SIP headers with the public IP. If for example the private IP appears in the "Call-ID" it replaces it too (that it's completely unnecessary).
~# telnet router
-> connection unbind application=SIP port=5060
-> saveall
-> connection unbind application=SIP port=5060
-> saveall
Zyxel
Models: 660 family comes with SIP ALG enabed by default.NAT type: symmetrical
Issues:
- No incoming calls.
- SIP protocol broken making impossible 50% of outgoing calls because wrong values inserted in SIP headers.
~# telnet router
Menu option "24. System Maintenance".
Menu option "8. Command Interpreter Mode".
ip nat service sip active 0
Menu option "24. System Maintenance".
Menu option "8. Command Interpreter Mode".
ip nat service sip active 0
See Also
- NAT survey
- NAT and VOIP
- Application-level gateway (ALG) in Wikipedia
- RFC 2633 IP Network Address Translator (NAT) Terminology and Considerations
Comments