Saturday, 3 July 2010

NAT is evil (still), NAT & SIP

I say it enough, but the latest adventures in SIP make me even more convinced at the evilness of NAT. I thought it may be worth trying briefly to explain what the hell I am on about. It is a tad tricky without getting technical, but I'll have a bash.

Computers send messages to each other - that is how networks work. The internet is a damn big network and has been around a while so the messages use a protocol which is just a well defined set of rules that everyone follows. Part of that protocol is addressing. It is how one computer says, in the message, where the message is to get to in the end. It also says where the reply is to go (a return address).

There are many ways to do an addressing system. You will know some of these already - telephone numbers are a sort of address as are postal addresses. Postal addresses are not too bad an example of how this works in the internet world.

The internet protocol uses an addressing scheme designed around the fundamental principle that every end-point has a globally unique address. Each of the messages that are sent has this as the address and it stays the same all the way as it passed from computer to computer. The same is true with a letter. You put the address on it, and maybe put a return address on the back, and you send it. That address does not change as it travels around the postal system.

At each stage the job of whoever has that letter is to send it to the right place to get it logically closer to the destination address on the letter. My local sorting office put it on a truck or a train or whatever to get to another sorting office. They ensure it goes on a van, and gets to a postman, and finally the postman sees that same full address on the envelope and ensures he puts it through the right letter box.

This type of system is very sensible. It makes things relatively easy as the address does not change. It means if you look up my address, it is always the same address regardless of where you send the letter from (pretty much).

You can have other schemes. You could put on the envelope to send to the local sorting office, where they open it and find another envelope saying to send to another sorting office. They open it and find another that says which van to put it on. The postman opens it to find which road to take it to. Etc. This is complicated and means the way you address things changes as the message goes through the system. It also means that it changes depending on where you are starting.

So, where does NAT come in?

Imagine that you are in an office, and in the office you have decided that all addresses are "Wonderland". And your room is "No. 5 Mad-Hatters corridor, Wonderland.". You can send letters freely to other places in Wonderland no problem, and you can put your return address on the letter and they can reply, no problem. Lots of different offices do the same thing, so there are actually lots of "No. 5 Mad-Hatters corridor, Wonderland" in the country. This is fine as long as letters do not leave your offices.

But if you want to send a letter to someone in the real world, e.g. "10 Downing Street, London" the post room cross out your return address and put the real address of the office on, e.g. "A&A, Enterprise Court, Bracknell". Then when people in the real world get the letter they can reply. Obviously the reply gets to the post room, and they somehow have to remember who was sending letters to "10 Downing Street, London", cross out the address and put "No. 5 Mad-Hatters corridor, Wonderland" on it, and send it on in the internal post.

As a system it sounds sensible...

Except it is not. It is broken. Imagine my letter to "10 Downing Street, London", had in it, "Please can you send a letter to by friend at No. 7 Alice's Gardens, Wonderland" in it. This is inside the envelope. It is not the return address on the outside. This means the post room did not know about it. When the recipient gets the letter they try replying to the Wonderland address and it does not work as the post office have no idea where Wonderland is. Even if they know it is one of those magical addresses a lot of offices use, they would not know which office.

Well, some protocols that use IP (internet protocol) work on the basis of replies coming back to the sender address on the envelope. That means they work via NAT as the post room changed the reply address, and made a note for the reply.

Some protocols do this, but expect to be able to send replies much later and the post room have forgotten who was writing to "10 Downing Street, London" by the time these replies come back and don't know where to send the letter internally. SIP does this, so you can get a case where the phones work for seconds or minutes after they have been turned on or made a call, but later incoming calls don't work.

Some protocols send other addresses in the letter. SIP does this, a lot! SIP says where to send replies to the initial letter. Where to send things later (may be different) and where to send the actual call audio itself (different again).

Now, if you have a really smart post room, they don't just change the return address, they look in the letters and change the addresses quoted in the letter. But they have to understand hundreds of different ways people write letters. SIP is just one.

SIP is a specially complex because it includes addresses in the message in lost of ways. Getting SIP to work with NAT is specially complex too.

1. Some SIP phones are clever and they manage to get and quote "outside" addresses. There are various complex ways to do this depending on the router and firewalls involved.
2. Many NAT devices will rewrite the SIP messages and handle the SIP setup and registration and even call set up.
3. Some SIP phones can handle the audio using something called a STUN server to work out what sort of NAT is done.
4. Some SIP call servers (proxies) also break the normal SIP protocol and ignore the addresses quoted but instead reply to the return address they see which then works.

Sadly it is very hard for our call server to work properly with NAT without a lot of messing about. One of the problems is that the audio can be connected to the far end directly over internet protocol. This is best for reliability and performance reasons. Our call server only has to handle the actual call setup and not the stream of packets that are the call itself as they go direct. This means that to work with some types of NAT, every possible audio (RTP) endpoint would have to play the game to work with NAT. This is impractical.

The other problem is that the work arounds are dependant on several bits all working together. Our new call server works fine with NAT where the NAT router does all of the necessary header changes. But some that do not do all of the header changes and some cases with some phones, do not work. The work arounds depends on so many bits not following the normal design rules of internet protocol and bodging things. So change one bit and you have a different set of working and not working cases.

The end result is, for now, that we maintain some customers on the old call server. It has several bodges and also relays the media as well. This is one of the reasons it is not as scalable and why we wanted the new call server in the first place.

Longer term, we don't support NAT, but we do support IPv6. We plan to test as many phones on IPv6 as possible, and have our firewall boxes that handle IPv6 so that NAT is not needed.

For the non technical it is worth explaining one of the reasons people do NAT. It is because they only get one address. A whole office with one address (for the post room, effectively). So they have no choice. In fact what you need is every endpoint, even within an office or home, to have its own globally unique address (as per the original design of IP) and then no NAT would ever be necessary. IPv6 is a new system that allows every atom to have its own address so NAT should never be needed. Sadly some people will still find convoluted reasons to use NAT with IPv6 and they should be properly shunned by everyone else. Shun the NAT user. NAT is evil... etc.

9 comments:

  1. ...but it's a great way to protect a LAN ;)

    ReplyDelete
  2. That has to be a wind up. NAT is a terrible way to protect a LAN. It does not offer the configuration that the simplest of firewalls offers. It is relatively easy for all sorts of applications to punch through and often has protocols specially to do that (such as upnp). NAT is not a firewall, and any fire walling you get from NAT is a side effect. A simple firewall is a great way to protect a LAN.

    ReplyDelete
  3. I have found NAT necessary to force a return path to a specific entry point where 2 (layer 3) networks are connected via 2 discrete (stateful) firewalls at two different locations...

    ReplyDelete
  4. The design of IP is that every endpoint has a unique routable address. Following that design means that any machine anywhere can send data to any other machine anywhere (subject to firewall rules) and as such NAT is never *necessary*.

    ReplyDelete
  5. "The design of IP is that every endpoint has a unique routable address."

    It's not, actually. IP was designed to sit above LAN protocols - as the name Internet Protocol implies, it's intended to link networks. What goes on in the LANs is up to them. See http://www.faqs.org/rfcs/rfc791.html, particularly section 2.

    ReplyDelete
  6. I manage a part of a public /16 address space and we elect to use firewall provided NAT to the Internet on purpose - we use it as a random turnstile to provide an outbound conduit for only as long as the internal machines need it. As soon as they stop their transmission the turnstile is torn down and bad people can not try to find them. We used to use our public space internally and nat public inside to public outside on a 1 to 1 basis - it essentially opens outbound connections only as needed but we figured why not just go 10./9 internally.
    If there were not bad people on the Internet we would not have to hide in such a fashion but there are and so we do what we have to.
    For devices that need permanent conduits we provide Internet to DMZ natting and feel perfectly correct doing so.

    It is a shame that you provide a service that requires public exposure to random wankers without a mechanism to validate that they are indeed legitimate sources of IP traffic before you let them connect. Is there a certificate based authentication for remote callers ?
    Kind of like not accepting non-callerid phone calls.

    Nat is good, nat is not evil, nat is a great tool. Your applications however are not NAT aware or NAT friendly - not everybody elses fault. Perhaps you should have made that a requirement prior to selecting and offering an application or service maybe a ssl-based SIP system with end user certs ???

    ReplyDelete
  7. No, NAT is evil. There are places for firewalls, obviously. Firewall rules can be set up for SIP and RTP reasonably sensibly. You can even have a SIP aware firewall that specifically opens the RTP up for a specific call based on the sdp in the SIP session it sees. This is no more work than the NAT ALG. You do not have to have NAT as such to achieve the sort of security you want. The problem with using NAT is that your router has to be aware of every protocol, and protocol development is stifled by not being able to assume that IP addresses are unique as per design.

    ReplyDelete
  8. Sounds more-like SIP is bust, not NAT.

    ReplyDelete
  9. What? sIP is fine if IP works as designed. NAT is evil.

    ReplyDelete