INGATE RESELLER DAY: SIP Trunking and Beyond
TURN Server for WebRTC in the Firewall
Prepared for: Ingate’s SIP Trunking, UC and WebRTC Seminars, ITEXPO January 2014, Miami
By: Karl Erik Ståhl, CEO Ingate Systems AB (and Intertex Data AB, now merged), karl.stahl@intertex.se
© 2014 Ingate Systems AB

What WebRTC Does NOT Do:
Ø “No Numbers”: No rendezvous – “no addressing” at all. Not like SIP

What WebRTC Does:
• Sets up media directly between browsers (SDP/RTP like SIP) – typically on same web application.
• “Handles” NAT/FW traversal (ICE, STUN, TURN) – fooling firewalls (like Skype).

More islands? Yes, but it is adding high quality real-time communication where we already are in contact.
Voice, Video, Data: “For free!”

Q-TURN for the Enterprise (Carrier Later)
“NEW” Considerations: QoS for WebRTC, plus authenticated access, measurable and billable.
For ALL WebRTC, not just the communication converted to SIP, VoIP, IMS!

WebRTC Like All Real-Time Communication Protocols has a NAT/Firewall Traversal Problem
Ø Firewalls do not allow unknown incoming traffic and media is a “surprise” (just like SIP)
[Diagram: signaling and media paths between the Company Web Server and the LAN]
Ø SBCs are Firewalls that know SIP and take it into the LAN, but WebRTC prescribes ICE/STUN/TURN to fool the firewall to let the RTC traffic through (similar to Skype.)
Ø Websockets, WS/WSS, often used to hold the signaling channel open
[Diagram: media, Company Web Server, WS/WSS, ICE, STUN, TURN SERVER, LAN]
Ø There are issues…
a) Getting through
b) Quality

ICE/STUN/TURN Means There is no WebRTC-SBC
• ICE was developed and standardized for SIP (long after SIP), but not used much for SIP… It is supposed to work without the Firewall being aware of what is traversed (like Skype).
• Sometimes a TURN-server is required
• With restrictive enterprise firewalls – ICE is not sufficient.
• Best: WebRTC is end-to-end and does not encourage application specific networks
• Worst: The firewalls are unaware of what is being traversed
– Quality: The firewall cannot prioritize RTC traffic.

The TURN Server IN the Firewall Fixes Traversal, Quality and can Measure Usage: Q-TURN in the Firewall or an “EW-SBC”
A novel Ingate view: Knock-knock; Give my media a Quality Pipe
• Regard ICE as a request for real-time traffic through the Firewall. Interpret the STUN & TURN signals in the Firewall
• Have the STUN/TURN server functionality IN the Firewall and set up the media flows under control
• Security is back in the right place: the firewall is in charge of what is traversing
• The Enterprise firewall can still be restrictive

Q-TURN Enables QoS and More:
• Prioritization and Traffic Shaping
• DiffServ or RSVP QoS over the Net
• Authentication (in STUN and TURN)
• Accounting (usage of this pipe)

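Added example (not from the original slides and not Ingate's product code): one way a firewall could recognise the STUN and TURN signals named in the slide above inside a UDP payload, using the RFC 5389 header layout and the TURN method numbers. The function names, verdict strings and sample packets are constructed for illustration; the MESSAGE-INTEGRITY value is a dummy and is not verified here.

```python
import struct

MAGIC_COOKIE = 0x2112A442  # fixed value in every RFC 5389 STUN header
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh",
           0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = ["request", "indication", "success", "error"]
ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY = 0x0006, 0x0008

def parse_stun(payload: bytes):
    """Return a dict describing a STUN/TURN message, or None if not STUN."""
    if len(payload) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", payload[:8])
    # Top two bits are zero, cookie matches, length is exact and 32-bit aligned.
    if mtype & 0xC000 or cookie != MAGIC_COOKIE or len(payload) != 20 + mlen or mlen % 4:
        return None
    # Class and method bits are interleaved in the 14-bit message type.
    cls = ((mtype & 0x0100) >> 7) | ((mtype & 0x0010) >> 4)
    method = (mtype & 0x000F) | ((mtype & 0x00E0) >> 1) | ((mtype & 0x3E00) >> 2)
    attrs, off = {}, 20
    while off < len(payload):
        atype, alen = struct.unpack("!HH", payload[off:off + 4])
        end = off + 4 + alen
        if end > len(payload):
            return None  # attribute overruns the datagram: reject
        attrs.setdefault(atype, payload[off + 4:end])
        off = end + (-alen % 4)  # attribute values are padded to 32 bits
    return {"method": METHODS.get(method, hex(method)), "class": CLASSES[cls],
            "txid": payload[8:20].hex(), "attrs": attrs}

def firewall_verdict(payload: bytes) -> str:
    """Hypothetical policy hook: classify a UDP payload seen by the firewall."""
    msg = parse_stun(payload)
    if msg is None:
        return "not-stun"
    if msg["method"] == "Allocate" and msg["class"] == "request":
        # Presence only; the HMAC must still be verified with the user's key.
        creds = msg["attrs"].keys() >= {ATTR_USERNAME, ATTR_MESSAGE_INTEGRITY}
        return "allocate-with-credentials" if creds else "allocate-needs-auth"
    return "stun-other"

def build(mtype, attrs):
    """Build a constructed sample message (test data, not captured traffic)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\0" * (-len(v) % 4)
                    for t, v in attrs)
    return struct.pack("!HHI", mtype, len(body), MAGIC_COOKIE) + bytes(range(12)) + body

BINDING = build(0x0001, [])
ALLOC_ANON = build(0x0003, [(0x0019, b"\x11\x00\x00\x00")])  # REQUESTED-TRANSPORT=UDP
ALLOC_AUTH = build(0x0003, [(ATTR_USERNAME, b"alice"), (ATTR_MESSAGE_INTEGRITY, bytes(20))])
```
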
Q-TURN Will Come as a Module to the Ingate E-SBC, Our SIParator® / Firewall Product. What are the use cases?
Ø As the outlined Q-TURN Firewall:
• Handling both the data and real-time traffic (we are the complete Firewall)
• Handling the real-time data in parallel with an existing firewall (like a SIParator)
Ø As a “conventional” TURN server (typically stand-alone on the public Internet):
• Such a server may be used by a service provider to support its service (an application, or the actual access)
• Does not help the most restrictive firewalls
• No quality enhancement!
• Authentication and accounting will only relate to the usage of the TURN server (not the user's pipe), so less interesting.

There are several configuration and setup considerations being worked on until product launch