Old question about mediaproxy "bridge" mode between public and private networks


Giuseppe Roberti-3
Hi.

I have an opensips server running "between" a man local area and
internet. This means that UAC comes from local area and gateways are on
internet.
The local interface (eth0) ip is not reachable from internet.
Opensips server can traverse the nat using add_local_rport(), can
mediaproxy do the same ?

Regards.

--
Giuseppe Roberti
<[hidden email]>

_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users

Re: Old question about mediaproxy "bridge" mode between public and private networks

Brett Nemeroff
For what it's worth, I've had problems doing this with some [broken]
carriers. Namely they see a private address in one of the Vias and
they assume it's NAT.. Pretty messy. If you look through the archive
you'll see what happened to me.

That being said, I think it's pretty unusual that this happens.
-Brett


On Wed, Dec 10, 2008 at 8:14 AM, Giuseppe Roberti <[hidden email]> wrote:

> Hi.
>
> I have an opensips server running "between" a man local area and
> internet. This means that UAC comes from local area and gateways are on
> internet.
> The local interface (eth0) ip is not reachable from internet.
> Opensips server can traverse the nat using add_local_rport(), can
> mediaproxy do the same ?
>
> Regards.
>
> --
> Giuseppe Roberti
> <[hidden email]>

Re: Old question about mediaproxy "bridge" mode between public and private networks

Robert Dyck
I see a need for a very basic proxy-like B2BUA. This would completely hide the
local topology. This would provide privacy and extra security as well as
working around the bad behaviour of some service providers.
Rob

On Wednesday 10 December 2008, Brett Nemeroff wrote:

> For what it's worth, I've had problems doing this with some [broken]
> carriers. Namely they see a private address in one of the Vias and
> they assume it's NAT.. Pretty messy. If you look through the archive
> you'll see what happened to me.
>
> That being said, I think it's pretty unusual that this happens.
> -Brett

Re: Old question about mediaproxy "bridge" mode between public and private networks

Brett Nemeroff
I don't think you'll get what you want out of OpenSIPS. It's not a
B2BUA and does not mask topology. I'd love to hear others who don't
believe this.

www.opensipstack.org has an open source SBC, but I can't vouch for
its capabilities. You may also want to check out FreeSwitch.
-Brett



On Wed, Dec 10, 2008 at 2:32 PM, Robert Dyck <[hidden email]> wrote:

> I see a need for a very basic proxy-like B2BUA. This would completely hide the
> local topology. This would provide privacy and extra security as well as
> working around the bad behaviour of some service providers.
> Rob

Re: Old question about mediaproxy "bridge" mode between public and private networks

Robert Dyck
I wasn't suggesting it was a B2BUA. It was a wish. The funny thing is that
people on the FreeSwitch list are asking for proxy-like behaviour so they can
pass through things like REGISTER.

On Wednesday 10 December 2008, Brett Nemeroff wrote:

> I don't think you'll get what you want out of OpenSIPS. It's not a
> B2BUA and does not mask topology. I'd love to hear others who don't
> believe this.
>
> www.opensipstack.org has an open source SBC, but I can't vouch for
> its capabilities. You may also want to check out FreeSwitch.
> -Brett

Re: Old question about mediaproxy "bridge" mode between public and private networks

Adrian Georgescu
In reply to this post by Robert Dyck
Robert,

Could you expand on what you mean by:

1. Privacy
2. Extra security

These seem to be highly abused terms while there is no proper description available of what they mean and for whom they provide the benefit. 

Adrian

On Dec 10, 2008, at 9:32 PM, Robert Dyck wrote:

> I see a need for a very basic proxy-like B2BUA. This would completely hide the
> local topology. This would provide privacy and extra security as well as
> working around the bad behaviour of some service providers.
> Rob


Re: Old question about mediaproxy "bridge" mode between public and private networks

Brett Nemeroff
Hiding your local topology will be difficult, if not impossible with
OpenSER.. It certainly can be obfuscated....
-Brett


On Wed, Dec 10, 2008 at 4:00 PM, Adrian Georgescu <[hidden email]> wrote:

> Robert,
> Could you expand on what you mean by:
> 1. Privacy
> 2. Extra security
> These seem to be highly abused terms while there is no proper description
> available of what they mean and for whom they provide the benefit.
> Adrian

Re: Old question about mediaproxy "bridge" mode between public and private networks

Robert Dyck
In reply to this post by Adrian Georgescu
You are right, these terms are used in a rather casual manner. Also privacy
and security can never be absolute. However there are reasons why an
individual or organization may want to hide their topology. Those with bad
intentions may look for clues so that they may subvert the system.

Perhaps a stronger case can be made when we consider that NAT is perhaps the
biggest headache with SIP. Different service providers have different ideas
how they might overcome the problem. If a UA on a LAN or an extension on a
PBX appears as a simple UA with a public address then the chance of success
improves.

OpenSBC may be the way to go. It will act as a proxy or B2BUA. The nice thing
about OpenSIPS is its light weight if you don't need a lot of modules. I am
not a programmer but it seems to me that it would not be too difficult to
hide the private VIAs and CONTACTs. It already supports mediaproxy/rtpproxy.

On Wednesday 10 December 2008, Adrian Georgescu wrote:

> Robert,
>
> Could you expand on what you mean by:
>
> 1. Privacy
> 2. Extra security
>
> These seem to be highly abused terms while there is no proper
> description available of what they mean and for whom they provide the
> benefit.
>
> Adrian
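An added example, not part of the original thread: a small Python audit for the leak discussed above, flagging RFC 1918 addresses still visible in Via, Contact, Call-ID, Record-Route/Route and SDP `o=`/`c=` lines of a message as it leaves the proxy. The sample INVITE, its addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# RFC 1918 ranges only: the "private address" the thread refers to.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Header names (long and compact forms) that can expose internal hosts.
TOPOLOGY_HEADERS = {
    "via": "Via", "v": "Via",
    "contact": "Contact", "m": "Contact",
    "call-id": "Call-ID", "i": "Call-ID",
    "record-route": "Record-Route",
    "route": "Route",
}

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def private_ips(text):
    """Return the RFC 1918 IPv4 literals that appear in text."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 is not an address
            continue
        if any(addr in net for net in RFC1918):
            found.append(candidate)
    return found


def unfold_headers(head):
    """Join folded header lines (continuations start with space or tab)."""
    lines = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def audit_sip_message(raw):
    """Return [(location, ip), ...] for each private IPv4 the message exposes."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    findings = []
    via_index = 0
    for line in unfold_headers(head)[1:]:       # skip request/status line
        name, sep, value = line.partition(":")
        canonical = TOPOLOGY_HEADERS.get(name.strip().lower()) if sep else None
        if canonical is None:
            continue
        # One header line may carry several comma-separated values.
        for part in value.split(","):
            where = canonical
            if canonical == "Via":
                via_index += 1                  # 1 = topmost (most recent hop)
                where = "Via[%d]" % via_index
            findings.extend((where, ip) for ip in private_ips(part))
    # SDP: origin (o=) and connection (c=) lines carry addresses.
    for line in body.split("\n"):
        if line.startswith(("o=", "c=")):
            findings.extend(("SDP " + line[:2], ip) for ip in private_ips(line))
    return findings


# Constructed sample: INVITE as forwarded toward the Internet-side gateway.
# The proxy added its public Via; the media address in c= is already public.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:+15551230000@gw.example.net SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKproxy1",
    "Via: SIP/2.0/UDP 192.168.1.50:5060;rport;branch=z9hG4bKuac1",
    "From: <sip:alice@example.org>;tag=1",
    "To: <sip:+15551230000@gw.example.net>",
    "Call-ID: constructed-call-1@192.168.1.50",
    "CSeq: 1 INVITE",
    "Contact: <sip:alice@192.168.1.50:5060>",
    "Content-Type: application/sdp",
    "",
    "v=0",
    "o=alice 1 1 IN IP4 192.168.1.50",
    "s=-",
    "c=IN IP4 203.0.113.10",
    "t=0 0",
    "m=audio 40000 RTP/AVP 0",
])

if __name__ == "__main__":
    for where, ip in audit_sip_message(SAMPLE_INVITE):
        print("%-10s exposes %s" % (where, ip))
```

Via entries are what responses are routed back along, so a plain proxy cannot simply delete the ones it did not add; an audit like this only shows what the far end can still see.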

Re: Old question about mediaproxy "bridge" mode between public and private networks

Brett Nemeroff
Well, you really are looking for the functionality of a B2BUA. I'm
fairly confident that you could make this work in a way that kinda
looked like a B2BUA, but you'd be coercing OpenSIPS to perform in ways
it wasn't intended. It would involve a lot of storing information from
the original message, matching dialogs and replacing that data.. it
would altogether be a mess and would likely not give you a good
impression of OpenSIPS or perform well.

Given your scenario, you need a B2BUA. I forgot another one you should
definitely look at.. Check out Sippy's B2BUA which is really simple
(no config file).

The website for it is down (www.b2bua.org) but here's something on it..
http://en.wikipedia.org/wiki/Sippy_B2BUA

-Brett


On Wed, Dec 10, 2008 at 7:02 PM, Robert Dyck <[hidden email]> wrote:

> You are right, these terms are used in a rather casual manner. Also privacy
> and security can never be absolute. However there are reasons why an
> individual or organization may want to hide their topology. Those with bad
> intentions may look for clues so that they may subvert the system.
>
> Perhaps a stronger case can be made when we consider that NAT is perhaps the
> biggest headache with SIP. Different service providers have different ideas
> how they might overcome the problem. If a UA on a LAN or an extension on a
> PBX appears as a simple UA with a public address then the chance of success
> improves.
>
> OpenSBC may be the way to go. It will act as a proxy or B2BUA. The nice thing
> about OpenSIPS is its light weight if you don't need a lot of modules. I am
> not a programmer but it seems to me that it would not be too difficult to
> hide the private VIAs and CONTACTs. It already supports mediaproxy/rtpproxy.

Re: Old question about mediaproxy "bridge" mode between public and private networks

Adrian Georgescu
In reply to this post by Robert Dyck
Robert,

NAT traversal is solved by OpenSIPS/MediaProxy combination for both signalling and media. Cost is important for an operator and any intermediate like an SBC, which does not bring any value to end customer is not likely to remain there for long.

What I am trying to figure out is if there are other good reasons besides the NAT issue for which the insertion of the SBC justifies its cost for an operator.

Regards,
Adrian

On Dec 11, 2008, at 2:02 AM, Robert Dyck wrote:

> You are right, these terms are used in a rather casual manner. Also privacy
> and security can never be absolute. However there are reasons why an
> individual or organization may want to hide their topology. Those with bad
> intentions may look for clues so that they may subvert the system.
>
> Perhaps a stronger case can be made when we consider that NAT is perhaps the
> biggest headache with SIP. Different service providers have different ideas
> how they might overcome the problem. If a UA on a LAN or an extension on a
> PBX appears as a simple UA with a public address then the chance of success
> improves.
>
> OpenSBC may be the way to go. It will act as a proxy or B2BUA. The nice thing
> about OpenSIPS is its light weight if you don't need a lot of modules. I am
> not a programmer but it seems to me that it would not be too difficult to
> hide the private VIAs and CONTACTs. It already supports mediaproxy/rtpproxy.


Re: Old question about mediaproxy "bridge" mode between public and private networks

Brett Nemeroff
Having a single point of connectivity to the customer, topology
masking, and potentially CALEA compliance. You can get by without
it.. It's a matter of preference of sorts. Some people have more luck
with nat traversal with them. I'd be interested in hearing others'
experiences with them.

On the other hand, it IS a fixed bottleneck. I can't tell you how many
times I've had a provider's overloaded SBC kill the QOS on my calls..

-Brett


On Thu, Dec 11, 2008 at 2:25 AM, Adrian Georgescu <[hidden email]> wrote:

> Robert,
> NAT traversal is solved by OpenSIPS/MediaProxy combination for both
> signalling and media. Cost is important for an operator and any intermediate
> like an SBC, which does not bring any value to end customer is not likely to
> remain there for long.
> What I am trying to figure out is if there are other good reasons besides
> the NAT issue for which the insertion of the SBC justifies its cost for an
> operator.
> Regards,
> Adrian

Re: Old question about mediaproxy "bridge" mode between public and private networks

Adrian Georgescu
I can only concur with you.

In my experience the trend was always the same. In the beginning the operator works hard to implement an SBC for all kinds of reasons that are not related to his business. After some relatively small effort everything seems to work in a test environment with a few calls and types of phones.

Once real traffic starts flowing, then problems, which were not visible in the beginning, start to emerge. Once they emerge they only expand in scope and multiply in size, which is fine for the SBC manufacturer as they have infinite work to process.

The operator then consumes infinite resources navigating around the problems introduced by the SBC. In the end everyone wishes to take it out but it is too late because the architecture is already in place, nobody wants to admit it was a mistake in the first place, after all it was a gigantic vendor selection process where everyone was involved and nobody wants to go through the pain of fixing it. Profitability has gone down the drain due to over-engineering of the network.

The lesson is to keep the infrastructure simple, make sure you are 'complying' with whatever regulation is required but don't embed that requirement too deep into your product or it will kill it long term.

I wish everyone who starts a SIP business from scratch does not make the mistakes many did in the hype VoIP era.

Adrian


On Dec 11, 2008, at 9:36 AM, Brett Nemeroff wrote:

> Having a single point of connectivity to the customer, topology
> masking, and potentially CALEA compliance. You can get by without
> it.. It's a matter of preference of sorts. Some people have more luck
> with nat traversal with them. I'd be interested in hearing others'
> experiences with them.
>
> On the other hand, it IS a fixed bottleneck. I can't tell you how many
> times I've had a provider's overloaded SBC kill the QOS on my calls..
>
> -Brett


On Thu, Dec 11, 2008 at 2:25 AM, Adrian Georgescu <[hidden email]> wrote:
Robert,
NAT traversal is solved by OpenSIPS/MediaProxy combination for both
signalling and media. Cost is important for an operator and any intermediate
like an SBC, which does not bring any value to end customer is not likely to
remain there for long.
What I am trying to figure out is if there are other good reasons besides
the NAT issue for which the insertion of the SBC justifies its cost for an
operator.
Regards,
Adrian
On Dec 11, 2008, at 2:02 AM, Robert Dyck wrote:

You are right, these terms are used in a rather casual manner. Also privacy
and security can never be absolute. However there are reasons why an
individual or organization may want to hide their topology. Those with bad
intentions may look for clues so that they may subvert the system.

Perhaps a stronger case can be made when we consider that NAT is perhaps the
biggest headache with SIP. Different service providers have different ideas
how they might overcome the problem. If a UA on a LAN or an extension on a
PBX appears as a simple UA with a public address then the chance of success
improves.

OpenSBC may be the way to go. It will act as a proxy or B2BUA. The nice
thing
about OpenSIPS is its light weight if you don't need a lot of modules. I am
not a programmer but it seems to me that it would not be too difficult to
hide the private VIAs and CONTACTs. It already supports mediaproxy/rtpproxy.

On Wednesday 10 December 2008, Adrian Georgescu wrote:

Robert,

Could you expand on what you mean by:

1. Privacy
2. Extra security

These seem to be highly abused terms while there is no proper
description available of what they mean and for whom they provide the
benefit.

Adrian

On Dec 10, 2008, at 9:32 PM, Robert Dyck wrote:

I see a need for a very basic proxy-like B2BUA. This would completely hide the
local topology. This would provide privacy and extra security as well as
working around the bad behaviour of some service providers.

Rob

On Wednesday 10 December 2008, Brett Nemeroff wrote:

For what it's worth, I've had problems doing this with some [broken]
carriers. Namely they see a private address in one of the Vias and
they assume it's NAT.. Pretty messy. If you look through the archive
you'll see what happened to me.

That being said, I think it's pretty unusual that this happens.

-Brett

On Wed, Dec 10, 2008 at 8:14 AM, Giuseppe Roberti <[hidden email]> wrote:

Hi.

I have an opensips server running "between" a man local area and
internet. This mean that UAC comes from local area and gateways are on
internet.
The local interface (eth0) ip is not reachable from internet.
Opensips server can traverse the nat using add_local_rport(), can
mediaproxy do the same ?

Regards.

--
Giuseppe Roberti
<[hidden email]>


Re: Old question about mediaproxy "bridge" mode between public and private networks

Giuseppe Roberti-3
In reply to this post by Brett Nemeroff
My problem is that we have a lot of customers using a provider called
Fastweb, in Italy, that is the biggest NAT I have ever seen :)
This provider uses optical fiber on its internal MAN, at least in Milan, so
that everybody in this MAN is a natted client.
Because of the fast internal network my customer tells me to put in a media
relay server that "bridges" the RTP traffic from the MAN to the carriers,
but I have problems doing it with mediaproxy.
I know that rtpproxy can do it, so I'm looking into why mediaproxy seems not to.

I hope I have explained myself clearly.

P.S. Note that the IP addresses of the clients on the MAN are not RFC1918
private addresses; they look like 1.0.0.0/9 for Milan Optical Fiber,
2.0.0.0/8 for Milan Hinterland, etc..

Brett Nemeroff wrote:

> For what it's worth, I've had problems doing this with some [broken]
> carriers. Namely they see a private address in one of the Vias and
> they assume it's NAT.. Pretty messy. If you look through the archive
> you'll see what happened to me.
>
> That being said, I think it's pretty unusual that this happens.
> -Brett
>
>
> On Wed, Dec 10, 2008 at 8:14 AM, Giuseppe Roberti <[hidden email]> wrote:
>> Hi.
>>
>> I have an opensips server running "between" a man local area and
>> internet. This mean that UAC comes from local area and gateways are on
>> internet.
>> The local interface (eth0) ip is not reachable from internet.
>> Opensips server can traverse the nat using add_local_rport(), can
>> mediaproxy do the same ?
>>
>> Regards.
>>
>> --
>> Giuseppe Roberti
>> <[hidden email]>
>>


--
Giuseppe Roberti
<[hidden email]>
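
The quoted remark about carriers reacting to a private address in a Via, together with the P.S. that the MAN uses non-RFC1918 ranges, suggests a check on SIP leaving the proxy: flag any Via, Contact or SDP `o=`/`c=` line that still carries an internal address. This is an added example, not part of the original post; the internal ranges are RFC1918 plus the two ranges named in the P.S., and the function names and the sample INVITE are constructed for illustration.

```python
import ipaddress
import re

# Internal ranges: RFC1918 plus the non-RFC1918 MAN ranges named in the post.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "1.0.0.0/9", "2.0.0.0/8")]
# Headers that expose topology (long and compact forms of Via and Contact).
HEADER_RE = re.compile(r"^(via|v|contact|m|record-route)\s*:", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

def is_internal(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # e.g. 999.1.1.1 matched by the loose regex
        return False
    return any(ip in net for net in INTERNAL_NETS)

def find_leaks(sip_message):
    """Return (line_no, field, address) for every internal address exposed."""
    leaks, in_body = [], False
    for no, line in enumerate(sip_message.splitlines(), 1):
        if not line.strip():
            in_body = True      # blank line separates headers from the SDP body
            continue
        if in_body:
            field = line[:2] if line[:2] in ("o=", "c=") else None
        else:
            m = HEADER_RE.match(line)
            field = m.group(1).lower() if m else None
        if field:
            leaks += [(no, field, a) for a in IPV4_RE.findall(line) if is_internal(a)]
    return leaks

# Constructed, abbreviated sample: an INVITE as it would reach a carrier.
SAMPLE_INVITE = "\r\n".join([
    "INVITE sip:gw@carrier.example SIP/2.0",
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKa1",
    "Via: SIP/2.0/UDP 1.23.45.67:5060;branch=z9hG4bKb2",
    "From: <sip:alice@example.org>;tag=1",
    "To: <sip:gw@carrier.example>",
    "Contact: <sip:alice@192.168.15.20:5060>",
    "",
    "v=0",
    "o=- 1 1 IN IP4 1.23.45.67",
    "c=IN IP4 203.0.113.10",
    "m=audio 40000 RTP/AVP 0",
])
```

An RFC1918-only test (for instance `ipaddress.ip_address(...).is_private`) would pass the 1.23.45.67 entries, which is why the ranges are listed explicitly here.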


Re: Old question about mediaproxy "bridge" mode between public and private networks

Brett Nemeroff
Nice addresses!! (rolling eyes) I guess they just thought they'd start
re-numbering the internet starting at 1.0.0.0. Brilliant!

Well if it's routable it shouldn't matter. I thought you were going to
say that you had conflicting addresses in the RFC1918 space (ie: a
customer with a 192.168.15.20 address and a media gateway also on the
same address on the other side of the network). Other than that, even
if they are goofy addresses, it shouldn't matter as long as it's
properly routable.

As for RTP and SIP.. You'll be telling the carriers to send RTP to
your external IP and signal to your external IP.. So I don't think
you'll have a problem. I'm curious why you say mediaproxy can't do it.

-Brett



On Thu, Dec 11, 2008 at 4:44 AM, Giuseppe Roberti <[hidden email]> wrote:

> My problem is that we have a lot of customer using provider called
> fastweb, on italy, that is the biggest nat i have ever seen :)
> This provider use optical fiber on internal MAN, at least in Milan, so
> that everybody in this MAN is a natted client.
> Because of fast internal network my customer tell me to put a media
> relay server that "bridge" the rtp traffic from the MAN to the carriers
> but i have problem on doing it with mediaproxy.
> I know that rtpproxy can do it, so i'm looking why mediaproxy seems not.
>
> I hope i am explained me clean.
>
> P.S. Note that the ip address of the clients on MAN are not from RFC1918
> private address; it look like 1.0.0.0/9 for Milan Optical Fiber,
> 2.0.0.0/8 for Milan Hinterland, etc..
>
> Brett Nemeroff wrote:
>> For what it's worth, I've had problems doing this with some [broken]
>> carriers. Namely they see a private address in one of the Vias and
>> they assume it's NAT.. Pretty messy. If you look through the archive
>> you'll see what happened to me.
>>
>> That being said, I think it's pretty unusual that this happens.
>> -Brett
>>
>>
>> On Wed, Dec 10, 2008 at 8:14 AM, Giuseppe Roberti <[hidden email]> wrote:
>>> Hi.
>>>
>>> I have an opensips server running "between" a man local area and
>>> internet. This mean that UAC comes from local area and gateways are on
>>> internet.
>>> The local interface (eth0) ip is not reachable from internet.
>>> Opensips server can traverse the nat using add_local_rport(), can
>>> mediaproxy do the same ?
>>>
>>> Regards.
>>>
>>> --
>>> Giuseppe Roberti
>>> <[hidden email]>
>>>
>
>
> --
> Giuseppe Roberti
> <[hidden email]>
>


Re: Old question about mediaproxy "bridge" mode between public and private networks

Giuseppe Roberti-3
Brett Nemeroff wrote:
> Nice addresses!! (rolling eyes) I guess they just thought they'd start
> re-numbering the internet starting at 1.0.0.0. Brilliant!
>
> Well if it's routable it shouldn't matter. I thought you were going to
> say that you had conflicting addresses in the RFC1918 space (ie: a
> customer with a 192.168.15.20 address and a media gateway also on the
> same address on the other side of the network). Other than that, even
> if they are goofy addresses, it shouldn't matter as long as it's
> properly routable.
It is not routable unless you are in the MAN.

>
> As for RTP and SIP.. You'll be telling the carriers to send RTP to
> your external IP and signal to your external IP.. So I don't think
> you'll have a problem. I'm curious why you say mediaproxy can't do it.
I'm sorry, I misunderstood.

I'm sorry, I was thinking that the relay server has 2 interfaces, one
with a public address and one from 1.0.0.0/8, so I was looking at whether the media
relay can listen on these two interfaces and "bridge" the traffic.

But I misunderstood.
Both the UAC and the relay are on this MAN, so there is a route between the UAC and
the relay.
What is missing is a route between the carriers and the relay (which is
natted).
It's a simple NAT problem.
So I have to look for something like STUN for translating the ip:port
selected by the relay to the related external ip:port (I know that it is a
full cone).

Sorry again for the misunderstanding.


>
> -Brett
>
>
>
> On Thu, Dec 11, 2008 at 4:44 AM, Giuseppe Roberti <[hidden email]> wrote:
>> My problem is that we have a lot of customer using provider called
>> fastweb, on italy, that is the biggest nat i have ever seen :)
>> This provider use optical fiber on internal MAN, at least in Milan, so
>> that everybody in this MAN is a natted client.
>> Because of fast internal network my customer tell me to put a media
>> relay server that "bridge" the rtp traffic from the MAN to the carriers
>> but i have problem on doing it with mediaproxy.
>> I know that rtpproxy can do it, so i'm looking why mediaproxy seems not.
>>
>> I hope i am explained me clean.
>>
>> P.S. Note that the ip address of the clients on MAN are not from RFC1918
>> private address; it look like 1.0.0.0/9 for Milan Optical Fiber,
>> 2.0.0.0/8 for Milan Hinterland, etc..
>>
>> Brett Nemeroff wrote:
>>> For what it's worth, I've had problems doing this with some [broken]
>>> carriers. Namely they see a private address in one of the Vias and
>>> they assume it's NAT.. Pretty messy. If you look through the archive
>>> you'll see what happened to me.
>>>
>>> That being said, I think it's pretty unusual that this happens.
>>> -Brett
>>>
>>>
>>> On Wed, Dec 10, 2008 at 8:14 AM, Giuseppe Roberti <[hidden email]> wrote:
>>>> Hi.
>>>>
>>>> I have an opensips server running "between" a man local area and
>>>> internet. This mean that UAC comes from local area and gateways are on
>>>> internet.
>>>> The local interface (eth0) ip is not reachable from internet.
>>>> Opensips server can traverse the nat using add_local_rport(), can
>>>> mediaproxy do the same ?
>>>>
>>>> Regards.
>>>>
>>>> --
>>>> Giuseppe Roberti
>>>> <[hidden email]>
>>>>
>>
>> --
>> Giuseppe Roberti
>> <[hidden email]>
>>


--
Giuseppe Roberti
<[hidden email]>


