| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by MichaelGG 5513 days ago

If it's user@domain, it's probably just using SIP URI routing. (You define records in your domain to lookup the responsible SIP server, similar to how email works, but more complicated just for the fun of it.)

FreeSWITCH is a great starting point, but NAT traversal isn't reliable for point to point, for the general case. You have to consider symmetric NAT without UPnP and firewalls that allow outbound+response, but no incoming. In these cases, you are going to need a proxy with a public IP that can relay audio. That's the only reliable thing that's going to work in all cases. (Just look at the IETF's documents on NAT traversal where they come up with all these complex ways to try to exploit limitations in certain NAT devices...)

Actual NAT traversal in SIP/RTP is very straightforward. You just ignore the silly parts in spec that specify IPs, and just reply to the IP:port combo you received from. For RTP, same deal. You know where you'll receive RTP, so as soon as you get a packet there, you just reply to the IP:port it came from.

Skype's "breakthrough" that let them win so much early on was that they used P2P to do public IP relays, since connectivity between any two points is not guaranteed. (Had MS been smart enough to proxy audio/video in their clients early on, they might have dominated this market to begin with...)

So, to overcome this with free software, they'd need a public IP relay system that protects things end-to-end. If they do that, it could be worth watching. But from that linked presentation, they expect Sipwitch to update the firewall rules in such access. Good luck with that.

1 comments

viraptor 5512 days ago

I can't find the bits about updating firewall rules, but anyways... They keep concentrating on the media path, while getting the signalling to the right place is just as hard. They need some public relay and that's one part I still haven't seen seriously mentioned yet. I disagree with "Actual NAT traversal in SIP/RTP is very straightforward." - since there are many issues:

- They can't use end-to-end encryption since public relay has to add information about the public address the message came from (unless it wants to transfer the media itself).

- They can't allow random changes to addresses by intermediate nodes, since that would allow trivial attack on the mesh infrastructure.

How will they stop a situation where someone creates lots of nodes, proxies SIP, but randomises the media addresses? Media address can't be encoded at the source, since it has to come from the relay. It wouldn't be hard for a competing company to spawn thousands of nodes on EC2 and overload the network with broken "relay" nodes.

MichaelGG 5512 days ago

Sorry I should have made it clear. SIP/RTP don't work with NATs at all (public IP and a NAT'd client) if you follow the spec. By NAT traversal with SIP, I'm referring to this case, not NAT'd client to NAT'd client.

You're right that using relays requires some thought in order to keep it secure.