SIP 2012 :: SIP Outbound NAT traversal
Letting the client set up two connections to the SIP service
When SIP was created 10 years ago the result – in the implementations – was a UDP-based protocol that did not handle NAT very well. During the years, many proposals have been written on how to solve this. NAT servers are not easy to work around and they way they translate IP addresses and port numbers vary. Now, ten years later we have a set of tools to handle NAT, both for media and signaling. One of the core tools for the SIP protocol is called SIP outbound and is covered in RFC 5626. The idea behind this specification is to push the responsibility of handling NAT traversal to the client. Let me explain.
SIP is a protocol where each implementation is both a client and a server. The client part sends SIP messages and the server part receives them. In order to get an incoming call, a phone has to be reachable by the server. If the phone, the SIP User Agent, hides behind a NAT, the server would not be able to reach it. With SIP Outbound, the client opens a connection to the server, which goes through the NAT from the inside. The client manages this connection and keeps it open, so that the NAT doesn’t close it or forget the NAT setup. The server is able to reuse this connection for outbound requests. With outbound support, the server will not need to open a connection to the client.
Connection set up and failure discovery times
The time it takes for the client to set up a new connection varies from sending a UDP packet to negotiation a TLS connection over TCP. Setting up TLS requires quite a few message exchanges between the applications. One problem with TCP and TLS is that it takes time to discover a broken connection. If a device in the middle of the network fails, it can take a long time – minutes – to discover that the TCP connection is invalid. We can not have it that way with telephony.
SIP Outbound therefore mandates that a client sets up at least two connections to two separate servers, called edge proxys. If one connection fails, both sides can quickly switch over to the new one. The client sends a keepalive on both connections to test them and if needed, reset them.
SIP outbound solves many problems in connection management and setup. With SIP Outbound, a SIP phone opens connections to proxys at startup and keep them open, very much like XMPP. The connection is reused for SIP transactions in both directions. This provides a more stabile NAT traversal solution than other solutions, a quick failover schema in case of network problems as well as a solution for TLS sessions between the phone and the server without requiring a client certificate in the phone.
SIP Outbound – RFC 5626 – should be a requirement for everyone buying SIP devices and applications in 2012.