Solved

RTP Problem with Firewall

Posted on 2014-12-02
221 Views
Last Modified: 2014-12-04
Hi,
I saw the following statement in a tutorial on SIP, RTP, firewalls and NAT. I am unable to understand it:

"When there is a firewall in between, the SIP signaling request/response is allowed. But there is a problem during RTP. During RTP the data will be able to go through the firewall to the User Agent, but data from the User Agent won't be able to reach the other side of the firewall, as the firewall does not have information about the port to which the User Agent is sending data."

What I don't understand here is:
1) Why does the firewall need to have prior information about the port to which the User Agent will send data? Why can't it simply allow data transfer to the port?
2) If there is a problem with RTP transfer when there is a firewall, why is there no problem during SIP signalling?

Also, please let me know of any good resources or tools to study SIP (Session Initiation Protocol), RTP and firewalls.
Thanks
Question by: Rohit Bajaj

10 Comments
 
Accepted Solution by: Cliff Galiher (LVL 56), earned 500 total points
ID: 40477207
The issue is that the port that will be used for the RTP stream is often chosen dynamically so you either have to open up a huge port range on your firewall, basically making the firewall useless, or you have to dynamically open the port that RTP will use only for the time it is being used. And that requires "prior knowledge."

The port that will be used is negotiated between the two SIP endpoints and is confirmed via SIP messages. Since the SIP traffic is often on a single port (5060, for example) a firewall rule to allow SIP is much easier.
Author Comment by: Rohit Bajaj
ID: 40477928
Hi,
I am just trying to understand SIP and RTP, so I have some doubts about the above explanation.
As I read it, the RTP port is exchanged between SIP clients in the SDP body. So I guess these are also fixed before the RTP flow starts. So how are the ports for the RTP stream chosen dynamically?

Thanks
Expert Comment by: Cliff Galiher (LVL 56)
ID: 40477990
It is exchanged in the SIP stream, but is dynamic and negotiated. It is not dissimilar to FTP where the actual data stream is dynamic and created at the time of transfer, which is why most firewalls have FTP "helper" inspection rules to discover the dynamic port from the FTP control stream. You'll also see newer firewalls have SIP inspection that can dynamically open RTP ports based on inspected SIP traffic.
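The negotiation Cliff describes in the accepted solution and the SIP "inspection" he mentions here, as an added example that is not part of this thread: the script reads the SDP offer and answer the way a SIP-inspecting firewall (ALG) would and derives the per-call UDP pinholes it must open. The SDP bodies, addresses and ports are constructed for illustration; the point to notice is that the far end's address and port exist nowhere but inside the signalling payload, and only once the answer arrives, so no static rule can be written ahead of the call.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample SDP bodies (as carried in a SIP INVITE and its 200 OK).
# Addresses and ports are made up for illustration.
OFFER_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
"""
ANSWER_SDP = """v=0
o=bob 2808844564 2808844564 IN IP4 198.51.100.20
s=-
c=IN IP4 198.51.100.20
t=0 0
m=audio 3456 RTP/AVP 0
a=rtcp:3457
"""

@dataclass(frozen=True)
class MediaEndpoint:
    addr: str
    rtp_port: int
    rtcp_port: int

def parse_sdp_media(sdp: str) -> MediaEndpoint:
    """Extract the connection address and audio RTP/RTCP ports from an SDP body."""
    conn = re.search(r"^c=IN IP4 (\S+)", sdp, re.M)
    media = re.search(r"^m=audio (\d+) ", sdp, re.M)
    if not conn or not media:
        raise ValueError("SDP has no IP4 connection line or audio media line")
    rtp = int(media.group(1))
    rtcp_attr = re.search(r"^a=rtcp:(\d+)", sdp, re.M)
    # RFC 3605 a=rtcp overrides the RFC 3550 default of RTP port + 1.
    rtcp = int(rtcp_attr.group(1)) if rtcp_attr else rtp + 1
    return MediaEndpoint(conn.group(1), rtp, rtcp)

def pinholes(offer: MediaEndpoint, answer: MediaEndpoint) -> list[tuple[str, int, str, int]]:
    """UDP pinholes (src addr, src port, dst addr, dst port) to open for one call.
    Both directions are listed because RTP and RTCP flow each way."""
    rules = []
    for o_port, a_port in ((offer.rtp_port, answer.rtp_port), (offer.rtcp_port, answer.rtcp_port)):
        rules.append((offer.addr, o_port, answer.addr, a_port))
        rules.append((answer.addr, a_port, offer.addr, o_port))
    return rules
```

A real ALG would also remove these pinholes when it sees the BYE, which is why each call ends up with its own short-lived rules rather than a permanently open port range.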
Author Comment by: Rohit Bajaj
ID: 40478491
Does the RTP port which is negotiated between the two SIP clients change during the flow of the RTP stream?
Expert Comment by: Cliff Galiher (LVL 56)
ID: 40478500
It will not usually change during a single session. But it will likely change with every new session. The RTP stream is only constructed as needed. So if you have a SIP trunk provider, each incoming or outgoing call creates a new RTP stream on a new port that lasts only as long as that call, as an example.
Author Comment by: Rohit Bajaj
ID: 40478913
How will the call be handled if, say, client1's IP changes during the RTP flow? That is, say he moves to a different network while talking.
Expert Comment by: Cliff Galiher (LVL 56)
ID: 40479839
That depends on the client. Some (most) will simply disconnect. Those that handle network changes gracefully do so by subterfuge. Both the SIP traffic and RTP traffic are changing, so new constructs are built. This usually involves a new RTP port, as it is actually a new stream.
Author Comment by: Rohit Bajaj
ID: 40479949
Can you please let me know the exact steps that will happen in case the IP changes? How exactly will the client handle this network change?
Does the client need to simply inform the other client, "this is my new IP, so send the RTP data to this IP instead of the old one"?
Expert Comment by: Cliff Galiher (LVL 56)
ID: 40479956
There is no standard for this scenario. Different applications (or clients) and servers handle it differently. I can't give exact steps because they vary wildly. Lync handles it differently than Asterisk. And Asterisk handles it differently when talking to a Cisco endpoint than it does a 3Com endpoint. Or to one SIP trunk provider vs. another, or even depending on an SBC being in place. So many variables.
Author Comment by: Rohit Bajaj
ID: 40480157
Hi,
Thanks for the answers. I am writing a new question along the lines of this discussion. Please help me with it.
http://www.experts-exchange.com/Networking/Protocols/Q_28574172.html
Thanks