SIP NAT Function
This section explains how to configure the optional SIP NAT function. You can configure the SIP NAT function if you need to translate IP address and UDP/TCP port information. The SIP NAT function also prevents private IP addresses in SIP message URIs from traveling through an untrusted network.
Overview
TheOracle® Enterprise Session Border Controller is an intermediary device that provides NAT functions between two or more realms. It translates IP addresses between untrusted and trusted networks using NAT. A trusted network is inside the NAT, and a untrusted network is outside the NAT. A NAT also lets a single IP address represent a group of computers.
For SIP, the SIP NAT function on the Oracle® Enterprise Session Border Controller does the following:
- routes SIP packets between the Oracle® Enterprise Session Border Controller’s SIP proxy (B2BUA) and external networks (or realms), including the translation of IP address and UDP/TCP port information.
- prevents private IP addresses in SIP message URIs from traveling through the untrusted network. SIP NAT either translates the private address to one appropriate for an untrusted address or encrypts the private address into the URI.
Packets arriving on the external address (at port 5060) are forwarded to the Oracle® Enterprise Session Border Controller’s SIP proxy with the source address changed to the home address (at port 5060). When the Oracle® Enterprise Session Border Controller’s SIP proxy sends packets to the home address (at port 5060), they are forwarded to the external proxy address (and external proxy port), with the source address changed to the external address (at port 5060).
Note:
The SIP config’s NAT mode parameter works in conjunction with the SIP NAT function configuration. It identifies the type of realm in which the SIP proxy is located (public or private) and affects whether IPvr addresses in SIP messages are encoded.The translation of URIs in the actual SIP message occurs as messages are received and sent from the Oracle® Enterprise Session Border Controller’s SIP proxy. For the messages being sent to the external network, the contents of the SIP message are examined after the translation to determine if the destination needs to be changed from the external proxy address to an address and port indicated by the SIP message. This process takes place so the request is sent to where the Request-URI or the Route header indicates, or so the response is sent to where the Via indicates.
NAT Modes
The specific addresses used in translating URIs in the SIP message depend on whether the Oracle® Enterprise Session Border Controller is performing NAT functions for a trusted or untrusted network. This condition is determined by the NAT mode value you enter when you configure the SIP config element. The NAT modes are:
- untrusted—The SIP proxy is associated with an address for an untrusted network (the address value you entered when you configured the SIP interface’s SIP port parameter), and the home address in the SIP NAT is the address of the external realm/network. When the URI contains the external address, it is translated to the SIP NAT’s home proxy address (or to the SIP port address if the home proxy address field is empty). When a URI contains the external proxy address, it is translated to the home address.
If the URI contains any other private address (matching the realm’s address prefix, identified in the SIP NAT’s realm ID), it is encrypted and the address is replaced with the home address value. If the URI contains a user part, a suffix consisting of the user NAT tag and the encrypted address is appended to the user part. For example, with a user NAT tag value of -private-, the private URI of sip@123192.169.200.17:5060 will become the public URI of sip:123-private-eolmhet2chbl3@172.16.0.15.
If there is no user part, the host consists of the host NAT tag followed by the encrypted address and the domain suffix. A maddr parameter equal to the home address (or received in the case of a Via header) is added to the URI. For example, with a host NAT tag value of PRIVATE- and a domain suffix value of private.com, the private URI of sip:192.168.200.17:5060 will become the public URI of sip:PRIVATE-eolmhet2chbl3.private.com:5060;maddr=172.16.0.15.
- trusted—The SIP proxy is on a trusted network (the address value you entered when you configured the SIP interface’s SIP port parameter), and the SIP NAT’s external address is the public address of the external realm/network. When the URI contains the home address value, it is translated to the value set for the external proxy address. When the URI contains the SIP proxy’s address, it is translated to the external address. If the URI contains any other private address (matching the realm’s address prefix, identified in the SIP NAT’s realm ID), the private address is encrypted and the address is replaced with the external address.
Note:
Do not use the home proxy address value with private NAT functioning.
Adding a maddr Parameter to a URI
When you configure a SIP interface, you can configure the contact mode. The contact mode sets the contact header routing mode, which determines how the contact address from a trusted network is formatted. You set the contact mode to add a maddr parameter equal to the SIP proxy to the URI in the Contact header. For example, the URI from the prior example (sip:192.168.200.17:5060) becomes sip:123-trusted-eolmhet2chbl3@172.16.0.15;maddr=172.16.0.12.
Note:
For SIP elements that do not support the maddr parameter, configure a Contact mode as none.You might require this encryption to cause other SIP elements in the untrusted network to send requests directly to the SIP proxy. Otherwise, the requests are sent to the home address. However, responses sent by the SIP proxy will have the SIP proxy’s source address, rather than the home address. Some SIP elements might drop responses that come from a IP address different from the one to which the request is sent.
About Headers
You can specify which SIP headers you want effected by the SIP NAT function. The URIs in these headers are translated and encrypted, the encryption occurs according to the rules of this SIP NAT function.
You can enter header values by using either the full header name or its corresponding abbreviation, if applicable. The following table lists the available headers and their corresponding abbreviations.
| Header | Abbreviation |
|---|---|
| Call-ID | i |
| Contact | m |
| From | f |
| Record-Route | none |
| Route | none |
| Ready-To | none |
| Replaces | none |
| Refer-To | r |
| To | t |
| Via | v |
SIP sessions are terminated and re-originated as new sessions as they are routed through the Oracle® Enterprise Session Border Controller. Among the actions performed, SIP headers are modified to prevent the transmission of IP address and route information.
Replacing Headers
In the SIP signaling message, any Via headers are stripped out and a new one is constructed with the Oracle® Enterprise Session Border Controller’s IP address in the sent-by portion. If a Contact header is present, it is replaced with one that has the Oracle® Enterprise Session Border Controller’s IP address. All other headers are subject to NATing based on the following rules:
- The Request-URI is replaced with the next hop’s IP or FQDN address.
- All other headers are replaced based on the two SIP NAT function SIP NAT function rules
Mapping FQDNs
The Oracle® Enterprise Session Border Controller maps FQDNs that appear in the certain headers of incoming SIP messages to the IP address that the SBC inserts in outgoing SIP contact headers. The mapped FQDNs are restored in the SIP headers in messages that are sent back to the originator.
This feature is useful to carriers that use IP addresses in the SIP From address to create trunk groups in a softswitch for routing purposes. When the carrier’s peer uses FQDNs, the carrier is forced to create trunk groups for each possible FQDN that it might receive from a given peer. Similarly, this can apply to SIP Contact and P-Asserted-Identity headers.
SIP NAT Function Cookies
Cookies are inserted to hide that information is coming from a realm external to the home realm. They are used when information needs to be placed into a given element of a SIP message that must also be seen in subsequent SIP messages within a flow. When forwarding a SIP message, the Oracle® Enterprise Session Border Controller (E-SBC) encodes various information in the outgoing message, which is passed from one side to another in SIP transactions.
SIP NAT function cookies let the E-SBC hide headers, IPv4 addresses, and SIP URIs. These cookies are included when certain conditions are present in E-SBC SIP transactions.
Oracle’s SIP NAT function cookies can be used in the userinfo, host, URL parameter, and tel URL parameter portions of the SIP message.
userinfo
The Oracle® Enterprise Session Border Controller places a cookie in the userinfo portion of a SIP URI when a SIP header contains a SIP URI, and includes that header type in the list of headers to be hidden (encrypted) in the associated SIP NAT function. The cookie for the userinfo portion is the following:
[user nat tag][encrypted 13-byte host IP][encrypted 13 byte maddr IP (if present)]where:
- [user nat tag] refers to the SIP NAT function’s original user NAT tag field.
- [encrypted 13-byte host IP] refers to the host IP encryption.
- [encrypted 13 byte maddr IP (if present)] refers to the maddr IP encryption, if it exists.
With a user NAT tag of -acme, the following SIP-URI:
sip:6175551212@192.168.1.100might be translated into:
sip:6175551212-acme-pfi1s7n2pstna@172.16.1.10Note:
Multiple additional cookies might be appended with each hop (for example, from the external proxy to the home proxy and back).host
When hiding IP addresses in a SIP message, the SIP NAT function generates the following cookie for a SIP-URI with no userinfo portion:
[host nat tag][encrypted 13-byte host IP][encrypted 13 byte maddr IP (if present)][domain suffix]where:
- [host nat tag] refers to the SIP NAT function’s host NAT tag.
- [encrypted 13-byte host IP] refers to the host IP encryption.
- [encrypted 13 byte maddr IP (if present)] refers to the maddr IP encryption, if it exists.
- [domain suffix] refers to the SIP NAT function’s domain suffix field.
With a SIP NAT function’s host tag of ACME- and a domain suffix of .acme.com, the following SIP header:
Via: SIP/2.0/UDP 192.168.1.100:5060
might be translated into the following:
Via: SIP/2.0/UDP ACME-pfi1s7n2pstna.acme.comURL Parameter
If the SIP NAT function’s use url parameter field has a value of from-to or all, the SIP NAT function places all cookies generated to hide SIP URIs in a custom tag appended to the header. Setting the use url parameter field to:
- from-to only affects the behavior of the SIP NAT function’s cookies in the From and To headers.
- all affects all SIP headers processed by the SIP NAT function
The cookie is the following:
[;url-parameter]=[host nat tag][encrypted 13-byte host IP][encrypted 13-byte maddr IP]
where:
- [;url-parameter] refers to the SIP NAT function’s parameter name field.
This cookie type is associated with the all and from-to field value options of the SIP NAT function’s use url parameter field.
- [host nat tag] refers to the SIP NAT function’s host NAT tag field.
- [encrypted 13-byte host IP] refers to the host IP encryption.
- [encrypted 13 byte maddr IP (if present)] refers to the maddr IP encryption, if it exists.
With a host NAT tag of ACME- and a parameter name of acme_param, the following SIP-URI:
sip:6175551212@192.168.1.100might be translated into the following:
sip:6175551212@172.16.1.10;acme_param=ACME-pfi1s7n2pstna.tel URL
The SIP NAT function cookie is used when devices in your network are strict about the context portion of SIP messages regarding the conversion of tel URLs. This cookie for the tel URL parameter portion of a SIP message is the following:
tel URL parameter-[13-byte host IP][13 byte optional maddr IP]domain suffixwhere:
- tel URL parameter refers to the SIP NAT function’s use url parameter.
This cookie type is associated with the use url parameter’s phone field value for the SIP NAT.
- [13-byte host IP] refers to the host IP encryption.
- [13 byte optional maddr IP] refers to the maddr IP encryption, if it exists.
- domain suffix refers to the SIP NAT function’s domain suffix field.
Configuration Overview
Configuring the SIP NAT function falls into two areas, the SIP NAT interface parameters and the SIP NAT policies.
SIP NAT Interface
The following tables lists the SIP NAT function interface parameters you need to configure on the Oracle® Enterprise Session Border Controller (E-SBC).
| Parameter | Description |
|---|---|
| realm ID | Name of the external realm. The realm ID must
be unique; no two SIP NATs can have the same realm ID.
This realm ID must also correspond to a valid realm identifier entered when you configured the realm. |
| external proxy address | IPv4 address of the SIP element (for example, a SIP proxy) in the external network with which the E-SBC communicates. Entries must follow the IP address format. |
| external proxy port | UDP/TCP port of the SIP element (for example, a
SIP proxy) in the external network with which the
E-SBC communicates.
Minimum value is 1025, and maximum value is 65535. Default is 5060. |
| external address | IPv4 address on the media interface in the
external realm. Enter a value that ensures any packet with an external address
value as its destination address is routed to the
E-SBC through the media
interface connected to or routable from the external realm. Entries must follow
the IP address format.
To specify whether the external realm referenced in this field is private or public, configure the SIP config’s NAT mode. |
| home address | IPv4 address on the media interface in the home
realm. Enter a value that ensures any packet with a home address value as its
destination address must be routed to the
E-SBC through the media
interface connected to or routable from the home realm. Entries must follow the
IP address format.
The value entered in this field must be different from the IP address value of the home realm’s network interface element. The home realm network interface is associated with this SIP NAT by its realm ID and the realm’s identifier and network interface value you entered when you configured the realm. The realm’s network interface identifier value corresponds to this SIP NAT’s realm ID, the SIP config’s home realm ID, and the media manager’s home realm ID. |
| home proxy address | Sets the IP address for the home proxy (from
the perspective of the external realm).
By default, this field is empty. An empty home proxy address field value signifies that there is no home proxy, and the external address will translate to the address of the E-SBC ’s SIP proxy. Entries must follow the IP address format. |
| home proxy port | Sets the port number for the home realm proxy.
Value can be set to zero (0). Minimum is 1025 and maximum is 65535. Default is 5060. |
| route home proxy | Whether to route all inbound requests for the
SIP NAT to the home proxy.
enabled adds route if Request-URI is not the E-SBC disabled does not route inbound requests to the home proxy forced always adds route |
SIP NAT Function Policies
The following tables lists the SIP NAT function policy parameters you need to configure on the Oracle® Enterprise Session Border Controller (E-SBC).
| Parameter | Description |
|---|---|
| domain suffix | Domain name suffix of the external realm. The
domain name suffix refers to and must conform to the hostname part of a URI. In
combination with the user NAT tag and host NAT tag values, this value is used
to help the
E-SBC identify an
encoded URI that it needs to translate when moving between public and private
realms.
This suffix is appended to encoded hostnames that the SIP NAT function creates. For example, if the encoded hostname is ACME-abc123 and the domain-suffix value is .netnetsystem.com, the resulting FQDN will be ACME-abc123.netnetsystem.com. |
| address prefix | Defines which IPv4 address prefixes from incoming messages require SIP-NAT encoding (regardless of the realm from which these messages came). |
| tunnel redirect | Controls whether Contact headers in a 3xx Response message received by the E-SBC are NATed when sent to the initiator of the SIP INVITE message. |
| use url parameter | Establishes whether SIP headers will use the URL parameter entered in the parameter name for encoded addresses that the SIP NAT function creates. Also, if SIP headers will be used, which type of headers will use the URL parameter. For example, all headers or just the From and To headers. Enumeration field. |
| parameter name | Indicates the name of the URL parameter when use url applies. This field value will be used in SIP NAT encoding addresses that have a use url parameter value of either from-to or all. |
| user NAT tag | Identifies the prefix used when an address is
encoded into the username portion of user@host;name=xxxx; where name =
parameter name.
The user NAT tag values can consist of any characters that are valid for the userinfo part of a URI. In combination with the domain suffix and host NAT tag field values, this value is used to help the E-SBC identify an encoded URI that it needs to translate when moving between public and private realms. |
| host NAT tag | Identifies the prefix used when encoding an address into the hostname part of the URI or into a URL parameter. The host NAT tag values refer to domain labels and can consist of any characters that are valid for the hostname part of a URI. In combination with the domain suffix and user NAT tag values, this value is used to help the E-SBC identify an encoded URI that it needs to translate when moving between public and private realms. |
| headers | Lists the SIP headers to be affected by the E-SBC SIP NAT function. The URIs in these headers will be translated and encrypted, and encryption will occur according to the rules of this SIP NAT. |