The NAT Traversal Problemin P2PSIP

Bruce Lowekamp (SIPeerior)

Philip Matthews (Avaya)

NATs cause problems for P2PSIP overlays

NAT

NAT

NA

T

NAT

About 90% of NATs will drop inbound packets for a peer unless there is a previously-established “connection” with the sender.

NAT Traversal vs. Msg Type• P2PSIP will have (at least) 3 different message

types:– Peer/Client Protocol msgs– SIP msgs– RTP (or other media transport protocol) msgs

• For RTP (or other media protocol), use ICE and STUN to establish direct media stream

• For SIP and Peer/Client Protocol msgs, problem is more complex. Here, two solutions have been proposed:– The “superpeer” approach– The “fully-distributed” approach

• These solutions provide traversal and/or routing for peer/client and SIP messages across the overlay and can provide relay for RTP if needed.

The “Superpeer” solution

O

S

O

ONAT

NAT

NA

TS

O

NAT

O

S

Peers with public IP addresses and other ‘good’ properties are promoted to “superpeers” (S). These peers can freely exchange messages with each other.

Each “ordinary peer” (O) establishes a Peer Protocol connection to an ordinary peer. These peers can exchange messages directly with its superpeer, and indirectly with other peers with the help of its superpeer.

The “Fully-Distributed” approach

NAT

NAT

NA

T

NAT

Each peer establishes a small number of Peer Protocol connections to other peers (a partial mesh).

A message may traverse multiple hops to get to its destination.

Example: Fully-Distributed approach w/ Chord

X

C

BA

D •Chord uses exponentially spaced entries in finger table. •Each peer uses “greedy routing” to route a message to its neighbor that is closest to the final destination.•Establish connections through NATs to make connection table match DHT routing.

Using ICE to Open New Connections

NAT

NAT

1. Initially inbound connections are rejected

2. Proxy INVITE with ICE sdp through established connection to establish new {peer protocol, SIP, RTP} connection

3. New connection now established

INVITE

1

2

3

Comparison of approachesSuperpeer

• Establish connections with an Outbound-like scheme?

• (Pro) “Classic” scheme used by many P2P systems today

• (Con) Requires there be enough peers eligible for superpeer status.

• May limit DHT to superpeers?

• Need mechanism to assign ordinary peers to superpeers

Fully-Distributed• Establish connections

using SIP signaling with ICE.

• (Con) No operational experience w/ approach.

• (Pro) No requirement that some peers have public IP addresses.

• (Pro) No limits on DHT participation?

• (Con) May require up to Log2 N hops.

More on Routing (either approach)

• Direct Routing. – Send msg directly to destination. May work in

some cases.

• Recursive Routing– Send msg to neighbor nearest to destination. Ask

neighbor to forward msg for you.

• Iterative Routing– Send msg to neighbor nearest to destination.

Neighbor replies with a redirect to another peer U.– Use direct or recursive routing to set up a

connection to peer U.– Repeat.

Establishing a Peer Protocol Connection

Peer X Peer U Peer V Peer YINVITE (To:Y; R-D:Proxy)

200 OK

ACK

ICE Connnectivity Checks

Direct PeerProtocol Connection Established

INVITE (Replaces)

200 OK

ACK

BYE

200 OK

[See draft-matthews-p2psip-bootstrap-mechanismsfor how first connection might be established.]