SIP Application Layer Gateway Technology

Publisher: 等放假的Lwj | Latest update time: 2012-05-16 | Keywords: SIP

Introduction

SIP (Session Initiation Protocol) is a text-based protocol similar to HTTP and SMTP. SIP is independent of the transport layer protocol and other session control protocols. It can be used with other protocols (such as RSVP, RTSP, etc.) to build multimedia communication systems such as smart home networks and video conferencing [2].

A NAT/firewall (FW) provides a single external exit for the private network, hiding the topology of the internal network and improving the security of the private network [3]. However, it also causes considerable trouble for remote control applications in the private network. NAT maps between public network IP addresses and ports and private network IP addresses and ports. It works at the transport layer and modifies only the address and port in the TCP/UDP packet header. SIP, however, requires IP addresses and port numbers to be embedded in the signaling message [5], where they are visible at the application layer. NAT therefore does not modify this address information, so the IP address and port in the signaling message no longer point to the correct address and communication cannot proceed normally. As for the FW, the ports it opens to the public network are usually fixed (the FW does not dynamically open or close them during operation) and limited in number. A SIP-based remote control application for the private network requires the FW not only to provide a proxy function for the signaling protocol, but also to dynamically open ports for media stream data exchange during communication. Existing FWs have difficulty meeting this requirement.

In view of the above reasons, this paper proposes the "SIP application layer gateway" technology and applies it to network communications to establish a relatively reasonable and complete SIP network to solve the problem of traversing NAT/FireWall in SIP private network remote control.

Analysis of NAT/firewall traversal methods for SIP private networks

Because NAT and firewalls all process and filter traffic at the TCP/IP layers and below, while SIP is an application layer control signaling protocol that is independent of the transport layer and network layer protocols beneath it, other approaches must be used to let a SIP-based private network traverse the NAT/firewall. The main solutions are: 1. UPnP (Universal Plug and Play); 2. TURN (Traversal Using Relay NAT); 3. STUN (Simple Traversal of UDP Through Network Address Translators); 4. ALG (Application Layer Gateway).

With the first three methods, the SIP client (including UA and Proxy) obtains its own public network address and port through some means or protocol before sending INVITE. These methods require additional support from the SIP client and do not work with all NAT methods. ALG (Application Layer Gateway) [2] works with all NAT methods and does not require any additional support from the SIP client. It processes and modifies the SIP signaling at the application layer to achieve transparent address translation. The basic idea is to add protocol awareness to the NAT/FW so that it can modify the address information in the content of SIP signaling messages as they pass through. The ALG modifies the SIP address and port in the SIP message and binds the address and port assigned to the caller, so that the subsequent media stream data can pass through the port specified by the NAT/FW. This article mainly discusses the SIP-based application layer gateway method.
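The address rewrite described above, as an added example that is not code from the original article: it assumes the signaling message carries an SDP body (the usual SIP media description) and rewrites the addresses and media port in it. The names rewrite_sdp, pub_ip and relay_port, the sample body and all addresses are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: SDP body offered by a private-network terminal. */
const char SAMPLE_SDP[] =
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n";

/* Rewrite the address in the o= and c= lines and the port in the m= line.
 * pub_ip / relay_port (hypothetical names): the gateway's public address and
 * the port it bound for this call. Assumes unicast IPv4, one media stream.
 * Returns the new body length (Content-Length must match it), or -1. */
int rewrite_sdp(const char *in, const char *pub_ip, unsigned relay_port,
                char *out, size_t cap) {
    size_t used = 0;
    while (*in) {
        const char *eol = strstr(in, "\r\n");
        size_t len = eol ? (size_t)(eol - in) : strlen(in);
        char line[256], media[32], rest[200], *p;
        int n;
        if (len >= sizeof line) return -1;        /* refuse oversized lines */
        memcpy(line, in, len);
        line[len] = '\0';
        if ((line[0] == 'o' || line[0] == 'c') && line[1] == '=' &&
            (p = strstr(line, "IN IP4 ")) != NULL) /* keep prefix, swap address */
            n = snprintf(out + used, cap - used, "%.*s%s\r\n",
                         (int)(p - line) + 7, line, pub_ip);
        else if (sscanf(line, "m=%31s %*u %199[^\r\n]", media, rest) == 2)
            n = snprintf(out + used, cap - used, "m=%s %u %s\r\n",
                         media, relay_port, rest);
        else
            n = snprintf(out + used, cap - used, "%s\r\n", line);
        if (n < 0 || (size_t)n >= cap - used) return -1; /* would truncate */
        used += (size_t)n;
        in += len + (eol ? 2 : 0);
    }
    return (int)used;
}

int main(void) {
    char out[512];
    if (rewrite_sdp(SAMPLE_SDP, "203.0.113.1", 30000, out, sizeof out) < 0) return 1;
    fputs(out, stdout);
    return 0;
}
```

The o= line is rewritten along with c= so that no private address leaves the gateway in the body.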

Analysis of the Principle of SIP Application Layer Gateway

"SIP Application Layer Gateway" is a solution proposed to solve the problem of SIP-based private network control applications traversing NAT/FW and to achieve the interconnection between SIP user agents in the private network and SIP user agents on the public network. Functionally, SIP Application Layer Gateway is a SIP device or software that provides proxy functions for SIP terminals in the private network to connect to the public network. The "Application Layer Gateway" and ALG (Application Level Gateway) mentioned below both refer to SIP Application Layer Gateway.

In order to realize the function of SIP application layer gateway and maintain compatibility with existing SIP applications, ALG must be designed as a SIP compatible application. However, for SIP applications on private and public networks, the functions provided by ALG are not exactly the same: for SIP terminals on private networks, the role of SIP application layer gateway is a proxy server in the sense of SIP. It not only needs to provide a proxy for calls to the public network, but also needs to provide a proxy for calls between different SIP terminals in the private network; on the other hand, ALG must allow SIP terminals in the private network to register, because only through registration can SIP terminals understand that ALG is their proxy server. Therefore, SIP application layer gateway is also a SIP registration server on the private network. For SIP terminals on the public network, the private network is invisible. The only visible thing is the SIP application layer gateway on the public network. Therefore, for it, ALG is just a SIP terminal, and SIP devices on the public network can directly call it or receive its calls.

To summarize, the functions of the SIP application layer gateway are asymmetric on the private and public networks, and can be divided into: 1. Internal functions: the SIP application layer gateway is the SIP registration server and proxy server on the private network. At the same time, for cross-network calls, it needs to provide not only a SIP message proxy for private network terminals, but also a media stream data proxy. This media data proxy function is transparent to both communicating parties; 2. External functions: on the public network, the SIP application layer gateway exists as an ordinary SIP terminal. It can establish interconnection with other SIP applications on the public network and hide the relationship between the ALG and the SIP applications within the private network.

Implementation of SIP Application Layer Gateway

The previous section described in detail the theoretical basis of the SIP application layer gateway. This section describes the software implementation of the ALG. The software development platform is Windows 2000, the development tool is Visual C++ 6.0, the oSIP protocol stack is used, and the development language is mainly C.

Structure and workflow

Here the ALG is divided into two parts: the ALG main body and the SIP URI information management system. These two parts are designed as two independent programs. The ALG main body processes SIP messages according to their direction of flow, manages the call environment, and forwards RTP data packets between the communicating parties in cross-network calls. The SIP URI information management system is responsible for managing and maintaining the SIP URIs and their binding information within the private network. This system and the database it maintains run on other hosts within the private network. The two parts communicate through UDP/TCP, which can reduce the risk of attacks from the external network and thus improve the security of the data. Since the ALG main body cannot directly access the SIP URI data, an access interface must be provided between the two parts. The "information database interface" module is the interface through which the ALG accesses the SIP URI information management system.

The main work of the SIP application layer gateway is completed by a SIP message listening thread, a thread for communicating with the SIP URI information management system, a SIP message processing thread (including the management and maintenance of the dialogue) and an indefinite number of RTP packet forwarding threads. The RTP packet forwarding threads can be dynamically generated and released as needed, so the number is indefinite.

The basic working process of SIP application layer gateway is as follows:

After the application is initialized, the SIP message listening thread, URI information database access thread and SIP message processing thread are started. The SIP message listening thread listens to all SIP ports of the ALG (including private and public networks). If a SIP message is received, it encapsulates the message together with its source IP address and port and the length of the message itself into a simple data structure and puts it into a first-in, first-out queue (FIFO), and then continues to listen without further processing the message.

Once there is a SIP message in the FIFO, the SIP message processing thread is awakened and put into operation. It takes the message from the FIFO and then starts to process the message: first it parses the message and performs routine syntax checks, and then divides the SIP message into four categories based on the source address and destination address:

(1) Internal messages, whose source and destination addresses are both inside the private network.

(2) Outbound messages, whose source address is a private network address and whose destination address is a public network address.

(3) Inbound messages, whose source address is a public network address and whose destination address is the public network address of the ALG.

(4) External messages, whose source and destination addresses are both public network addresses.

After SIP messages are divided into the above four categories, ALG processes them differently. Category (1) messages are called "internal messages", categories (2) and (3) messages are collectively called "cross-network messages"; category (4) messages are called "external messages", which will be unconditionally discarded and ALG will not process them further. While processing "cross-network messages", the SIP message processing thread manages and maintains the call context environment, and when necessary, starts a new RTP packet forwarding thread to complete the forwarding of RTP packets for cross-network communication.
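The four-way classification above, as an added example that is not the article's own code. The private prefix, the ALG public address, the type and function names, and the handling of a public source addressing a private host directly (a combination the text does not list, dropped here) are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Categories (1)-(4) from the text, plus one for combinations it does not list. */
typedef enum { MSG_INTERNAL = 1, MSG_OUTBOUND, MSG_INBOUND,
               MSG_EXTERNAL, MSG_UNLISTED } msg_class;

/* Hypothetical gateway settings, all in host byte order. */
typedef struct { uint32_t priv_net, priv_mask, alg_public; } alg_cfg;

/* Constructed sample: private net 192.168.0.0/16, ALG public side 203.0.113.1. */
alg_cfg sample_cfg(void) {
    alg_cfg c = { 0xC0A80000u, 0xFFFF0000u, 0xCB007101u };
    return c;
}

/* Strict dotted-quad parser; returns 0 on malformed input. */
static int parse_ip(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

msg_class classify(const alg_cfg *cfg, const char *src, const char *dst) {
    uint32_t s, d;
    if (!parse_ip(src, &s) || !parse_ip(dst, &d)) return MSG_UNLISTED;
    int src_priv = (s & cfg->priv_mask) == cfg->priv_net;
    int dst_priv = (d & cfg->priv_mask) == cfg->priv_net;
    if (src_priv && dst_priv) return MSG_INTERNAL;   /* (1) */
    if (src_priv)             return MSG_OUTBOUND;   /* (2) private -> public */
    if (d == cfg->alg_public) return MSG_INBOUND;    /* (3) public -> ALG */
    if (!dst_priv)            return MSG_EXTERNAL;   /* (4) public -> public */
    return MSG_UNLISTED;      /* public -> private directly: not in the text */
}

/* (1)-(3) are processed; (4) is discarded, and so (by assumption) is
 * anything unlisted or unparsable. */
int should_process(msg_class m) {
    return m == MSG_INTERNAL || m == MSG_OUTBOUND || m == MSG_INBOUND;
}

int main(void) {
    alg_cfg c = sample_cfg();
    printf("%d\n", classify(&c, "198.51.100.7", "203.0.113.1"));
    return 0;
}
```

Category (3) is tested before category (4) because a message addressed to the ALG's public address also has a public source and a public destination.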

Socket-based message receiving and response module

Since the reception of UDP packets is asynchronous, the ALG cannot predict when a SIP message will arrive. Therefore, in the design of the SIP application layer gateway, a separate thread is used to monitor the SIP ports. Since the SIP application layer gateway is located at the boundary of two networks and forwards data between them, the SIP ports of the ALG are also divided into two parts: private network and public network. On either side, one or more SIP ports, each associated with a socket, can be opened. At regular intervals, the listening thread attempts to read data from the sockets associated with all the monitored SIP ports. If data is read, it simply encapsulates the data and puts it into the SIP message FIFO of the application layer gateway.

Information database interface module

For security reasons, the SIP URI information management system is separated from the SIP application layer gateway. The functions of this system are not complicated. On the one hand, it accepts access from the ALG; on the other hand, it must maintain its own information database. The ALG itself must access it through the information database interface module.

There are two types of information that ALG needs to obtain from the SIP URI information management system: one is user information, including username and password; the other is SIP URI binding information. The interaction of this type of information is two-way. Different REGISTER requests will require ALG to add, modify, delete or simply obtain SIP URI binding information. This article uses a unified data structure to represent these two types of information, so that all the required information can be obtained with only one access, which can shorten the time required for ALG to process SIP messages.

Information management module

The SIP application layer gateway needs a lot of information to complete its work. Some of it is dynamic, such as SIP URI binding information. The binding information of different users differs and changes over time, so the application layer gateway fetches it from the database only when needed. Other information is relatively stable, such as the domain name and IP address of the ALG itself. There is a lot of this information, but it is not complicated: most of it consists of strings, numeric values or Boolean variables. The function of the information management module is to maintain and manage it.

Media Session module

When the SIP application layer gateway establishes a media session (video, audio) connection between the terminals of a cross-network call, the main interaction between the two parties will be the interaction of RTP data streams (media data is packaged into RTP data packets). The function of the "media session" module is mainly to forward RTP data packets between the communicating parties. Each RTP data packet forwarder can provide data packet forwarding services for multiple RTP connections.

When the ALG needs to provide packet forwarding service for an RTP connection, it tries to get an idle RTP packet forwarder from the forwarder environment. If all the forwarders in the environment are already occupied, the environment will try to create a new RTP packet forwarder, add it to the environment, and return it to the ALG for use. On the other hand, when a forwarder no longer provides forwarding service for any RTP connection, the environment will delete it and release the corresponding resources.

"Message processing and dialogue maintenance" module

This is the core module of the SIP application layer gateway. Its functions are to parse and process received SIP messages, complete the proxy of SIP messages, maintain the context of cross-network calls, and start the RTP proxy of the conversation when necessary. These functions are interrelated and are uniformly completed by the SIP message processing and conversation maintenance thread. Figure 2 is a flowchart of the SIP message processing thread.

Conclusion

The SIP protocol is increasingly favored by the industry for its many advantages such as simplicity, easy scalability and ease of implementation. More and more SIP-based networks such as VOIP, video conferencing and smart home systems are being developed and implemented. The SIP application layer gateway implemented in this article is the key technology for SIP networks to traverse NAT/Firewall, but this solution still has its shortcomings. Since the SIP application layer gateway must parse all SIP messages across the network, these messages must be transmitted in plain text, which reduces the security of SIP applications. Further research shows that this requires us to appropriately expand the SIP protocol to achieve information encryption.
