
NAT Traversal of VoIP

Applications
(Skype)
Vladislav Marinov
International University Bremen

Outline
Introduction to Network Address Translators (NAT)
Classification of NATs
Introduction to Skype
Skype login
Skype call establishment in the presence of different types of NATs

Network Address Translator

NAT
Definition: a middlebox placed on the data path which maps a set of private IP addresses to a set of globally unique IP addresses
Benefits:
- Security (unsolicited inbound packets have no mapping and are dropped; this is a side effect of the translation, not a substitute for a firewall)
- Conserves the IPv4 address space
Disadvantages:
- Constitutes an obstacle for the normal operation of peer-to-peer applications

(figure: a host 10.0.0.1 in the private address space sends a packet with Src IP 10.0.0.1 / Dst IP 216.239.57.99; the NAT rewrites the source to its public address 195.37.70.65 before forwarding it to the public Internet; the reply with Src IP 216.239.57.99 / Dst IP 195.37.70.65 is rewritten to Dst IP 10.0.0.1 and delivered to the internal host)

Types of NATs

Fullcone NAT
Restricted cone NAT
Port-restricted cone NAT
Symmetric NAT
(This is the RFC 3489 classification. RFC 4787 describes the same behaviours in terms of mapping and filtering: the three cone types share endpoint-independent mapping and differ only in how they filter inbound packets, while a symmetric NAT has address-and-port-dependent mapping.)

Fullcone NAT
Fullcone NAT: all requests from the same internal IP address and port are mapped to the same external IP address and port. Any external host can send a packet to the internal host by sending a packet to the mapped external address.

Restricted-cone NAT
All requests from the same internal IP address and port are mapped
to the same external IP address and port. An external host (with IP
address X) can send a packet to the internal host only if the internal
host had previously sent a packet to IP address X.

Port-restricted cone NAT
Port-restricted cone NAT: all requests from the same internal IP address and port are mapped to the same external IP address and port. An external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.

Symmetric NAT
Symmetric NAT: all requests from the same internal IP address and port to a specific destination IP address and port are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port but to a different destination, a different mapping is used. Only the external host that receives a packet can send a UDP packet back to the internal host.

Introduction to Skype
Voice over IP, peer-to-peer application developed by the creators of KaZaA
Supports voice calls, instant messaging, conference calls etc.
Notable for the strategies it employs to traverse NATs and firewalls

Skype Network

Normal Skype users: each user has a file shared.xml which stores a list of available Super Nodes (the Host Cache, HC) and the NAT and firewall configuration
Skype Super Nodes (SN): used for filling and refreshing the HC
Skype default Super Nodes: used for filling and refreshing the HC during initial login
Skype login servers: used to verify username and password
Skype HTTP server: provides information about updates of the Skype software

Important IP addresses and ports

Skype login servers:
212.72.49.141:33033
195.215.8.141:33033
Skype HTTP server:
212.72.49.131:80

Default Super Nodes (single hosts and /16 ranges):
66.246.49.60
66.246.49.61
66.246.48.23
66.235.180.9
66.235.181.9
195.215.8.145
212.72.49.143
212.72.49.145
202.232.0.0/16
202.139.0.0/16
130.244.0.0/16
204.152.0.0/16

Connection establishment
Connection with a SN:
Random port
Port https (443)
Port http (80)
Connection with a Skype login server:
Port 33033
Port https (443)
Port http (80)

Login Scenario
TCP connection with the Skype HTTP server: getlatestversion request
UDP exchange with members of the HC: updates the HC
TCP connection with a Super Node: signals that the user is connected to the Skype network and remains open until the user logs off
TCP connection with the Skype login server: verification of username and password
Externally initiated TCP connection from a SN: tests whether the user can be a SN
UDP traffic with members of the HC

Login (figure)

Login: Firewall Blocking the Login Servers (figure)
When the firewall blocks the login servers, the login traffic is carried by a TCP relay via a SN

Login Failures
Firewall blocking TCP: the connection with a SN cannot be established
Firewall blocking the default SNs combined with an invalid HC (empty, or containing wrong IPs)
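The login sequence and its failure modes from the slides above, turned into a flow-log classifier that tells, per internal host, whether the login reached a login server directly, was relayed through a SN, or could not complete. This is an added example, not Skype's code or a production IDS rule: the server addresses and ports are the ones listed on the slides, while the flow-line format (`proto src:port > dst:port`), the sample flows and the UDP port 12350 used for the HC exchange are constructed for the demonstration.

```python
"""Classify flow-log records into the login steps on the slides and derive,
per internal host, whether the login went directly to a login server, was
relayed through a SN, or could not complete. Added example, not Skype's
code or a production IDS rule. Server addresses and ports come from the
slides; the flow-line format ('proto src:port > dst:port') and the sample
flows (including UDP port 12350 for the HC exchange) are constructed."""
import ipaddress
from collections import defaultdict

HTTP_SERVER = ("212.72.49.131", 80)                  # getlatestversion request
LOGIN_SERVERS = {"212.72.49.141", "195.215.8.141"}
LOGIN_PORTS = {33033, 443, 80}
DEFAULT_SNS = [ipaddress.ip_network(n) for n in (
    "66.246.49.60", "66.246.49.61", "66.246.48.23", "66.235.180.9", "66.235.181.9",
    "195.215.8.145", "212.72.49.143", "212.72.49.145",
    "202.232.0.0/16", "202.139.0.0/16", "130.244.0.0/16", "204.152.0.0/16")]


def is_default_sn(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DEFAULT_SNS)


def parse_flow(line):
    """'tcp 10.0.0.5:51000 > 212.72.49.131:80' -> (proto, src_ip, sport, dst_ip, dport)"""
    proto, src, _, dst = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return proto.lower(), src_ip, int(sport), dst_ip, int(dport)


def classify(lines):
    """Group flows by internal source host and map each flow to a login step.
    Externally initiated flows (e.g. the SN's test connection back to the
    client) are skipped: they do not originate from a host we track."""
    flows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        proto, src_ip, _, dst_ip, dport = parse_flow(line)
        if ipaddress.ip_address(src_ip).is_private:
            flows[src_ip].append((proto, dst_ip, dport))
    verdicts = {}
    for host, recs in flows.items():
        # HC members are SNs: a TCP session to a peer this host already
        # exchanged UDP with counts as the long-lived SN connection
        udp_peers = {dst for proto, dst, _ in recs if proto == "udp"}
        steps = set()
        for proto, dst_ip, dport in recs:
            if proto == "tcp" and (dst_ip, dport) == HTTP_SERVER:
                steps.add("version_check")
            elif proto == "tcp" and dst_ip in LOGIN_SERVERS and dport in LOGIN_PORTS:
                steps.add("login_server")
            elif proto == "udp":
                steps.add("hc_refresh")
            elif proto == "tcp" and (dst_ip in udp_peers or is_default_sn(dst_ip)):
                steps.add("sn_session")
        if "sn_session" not in steps:
            verdict = "login failed: no TCP session with a SN (TCP blocked or HC invalid?)"
        elif "login_server" in steps:
            verdict = "logged in: credentials checked directly against a login server"
        else:
            verdict = "logged in via SN relay: login servers never contacted directly (blocked?)"
        verdicts[host] = (sorted(steps), verdict)
    return verdicts


# Constructed sample: three internal hosts plus one externally initiated flow.
SAMPLE_FLOWS = """\
tcp 10.0.0.5:51000 > 212.72.49.131:80
udp 10.0.0.5:12350 > 66.246.49.60:12350
tcp 10.0.0.5:51001 > 66.246.49.60:443
tcp 10.0.0.5:51002 > 212.72.49.141:33033
tcp 66.246.49.60:40123 > 10.0.0.5:12350
tcp 10.0.0.6:49152 > 212.72.49.131:80
udp 10.0.0.6:12350 > 202.232.10.7:5678
tcp 10.0.0.6:49153 > 202.232.10.7:443
tcp 10.0.0.7:40000 > 212.72.49.131:80
udp 10.0.0.7:12350 > 66.235.180.9:12350
""".splitlines()

if __name__ == "__main__":
    for host, (steps, verdict) in classify(SAMPLE_FLOWS).items():
        print(host, steps, "->", verdict)
```

The SN match deliberately does not treat every TCP/443 or TCP/80 flow as a SN session: it requires the peer to be a listed default SN or a host the client first reached over UDP (i.e. an HC member), which is what separates a Skype SN connection from ordinary HTTPS traffic on the same ports. The address list is the one on the slides and would have to be refreshed for any real deployment.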

Call Establishment: Fullcone NAT

User X wants to call user Y
User X must learn the IP of Y via a TCP/UDP query of a SN. Y has informed X about its IP if X is on its buddy list.
X establishes direct TCP and UDP connections with Y
Voice traffic is carried via the UDP connection, signalling via the TCP connection

Call Establishment: Fullcone NAT (figure)

Call Establishment: Port-restricted NAT
User X wants to call user Y
User X queries its SN and receives IP addresses that may be the SN of Y
User X sends UDP packets to those IPs until it reaches Y's SN
X and Y exchange their public IPs and ports via relay through their SNs

Call Establishment: Port-restricted NAT (contd)
Y sends a UDP packet to the IP and port announced by X
The packet is rejected by X's NAT (X has not yet sent anything to Y's address and port), but a mapping is created on Y's NAT
X sends a UDP packet to the IP and port announced by Y
The packet goes through Y's NAT, since Y has already sent to X's address and port
UDP connection is established, voice traffic is carried via UDP
TCP traffic is carried via relay through 4 external SNs

Call Establishment: Port-restricted NAT (figure)

Call Establishment: Symmetric NAT

User X wants to call user Y
User X queries its SN and receives IP addresses that may be the SN of Y
User X sends UDP packets to those IPs until it reaches Y's SN
X and Y exchange, via relay through their SNs, their public IPs and 20-30 port numbers at which they are available
However, those ports are the mapped ports obtained during the exchange with the SN, and the external mappings of a symmetric NAT are destination dependent

Call Establishment: Symmetric NAT (contd)
User Y sends 20-30 UDP packets to the IP and ports announced by X
The packets are rejected by X's NAT, but mappings are created on Y's NAT
Those mappings have different source ports from the ones announced to X (each new destination gets a new mapping)
So the packets arrive at X's NAT from source ports other than the ones at which X is expecting them
X sends 20-30 UDP packets to the public IP of Y and the ports announced by Y
The packets are rejected by Y's NAT, as no mapping was created for them
The call is carried via relay through 4 external SNs
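The four NAT behaviours from the "Types of NATs" slides and the hole-punching exchange described above for port-restricted and symmetric NATs, replayed in a small model. This is an added example, not Skype's code: the NATs, internal hosts, super nodes, addresses and ports are constructed; the super node is assumed to tell each client the public (mapped) endpoint it observed; and, following the slide definitions, the restricted cone NAT is modelled with address-only filtering while the port-restricted cone and symmetric NATs filter on address and port.

```python
"""Model of the four NAT behaviours from the slides and of the UDP
hole-punching exchange used by Skype for port-restricted and symmetric NATs.
Added example, not Skype's code. Hosts, NATs, addresses and ports are
constructed; the super node is assumed to tell each client the public
(mapped) endpoint it observed."""
from itertools import count

FULL_CONE, RESTRICTED_CONE, PORT_RESTRICTED_CONE, SYMMETRIC = range(4)


class Nat:
    """One NAT box. Mappings are keyed on the internal endpoint, or, for a
    symmetric NAT, on (internal endpoint, destination endpoint)."""

    def __init__(self, kind, public_ip, first_port=40000):
        self.kind = kind
        self.public_ip = public_ip
        self.mappings = {}   # key -> external port
        self.contacted = {}  # external port -> set of destinations sent through it
        self._ports = count(first_port)

    def outbound(self, src, dst):
        """Translate a packet from internal endpoint src to dst.
        Returns the public (ip, port) the destination sees as the source."""
        key = (src, dst) if self.kind == SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = next(self._ports)  # allocate a new mapping
        port = self.mappings[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, src, port):
        """Deliver a packet from external endpoint src to public port `port`.
        Returns the internal endpoint it reaches, or None if the NAT drops it."""
        seen = self.contacted.get(port)
        if seen is None:
            return None  # no mapping for this port
        if self.kind == FULL_CONE:
            allowed = True  # any external host may use the mapping
        elif self.kind == RESTRICTED_CONE:
            allowed = any(d[0] == src[0] for d in seen)  # address must match
        else:  # port-restricted cone and symmetric: address and port must match
            allowed = src in seen
        if not allowed:
            return None
        for key, p in self.mappings.items():
            if p == port:
                return key[0] if self.kind == SYMMETRIC else key


def hole_punch(kind_x, kind_y):
    """Replay the slides' exchange: X and Y learn the endpoints their SNs saw,
    swap them via the SNs, Y punches first, X sends, and each side answers
    the source it actually received from. Returns what reached whom."""
    nat_x, nat_y = Nat(kind_x, "198.51.100.1"), Nat(kind_y, "203.0.113.1")
    x, y = ("10.0.0.2", 5000), ("192.168.1.2", 6000)  # internal endpoints
    sn_x, sn_y = ("192.0.2.10", 33033), ("192.0.2.20", 33033)  # each side's SN
    # 1. each client talks to its SN, which observes the mapped endpoint
    x_pub, y_pub = nat_x.outbound(x, sn_x), nat_y.outbound(y, sn_y)
    # 2. Y sends to X's announced endpoint: usually dropped at X, but it
    #    creates (or extends) a mapping on Y's NAT
    y_src = nat_y.outbound(y, x_pub)
    y_punch_reached_x = nat_x.inbound(y_src, x_pub[1]) == x
    # 3. X sends to Y's announced endpoint
    x_src = nat_x.outbound(x, y_pub)
    x_reached_y = nat_y.inbound(x_src, y_pub[1]) == y
    # 4. whoever received a packet replies to the source it saw
    y_reply_reached_x = x_reply_reached_y = False
    if x_reached_y:
        y_reply_reached_x = nat_x.inbound(nat_y.outbound(y, x_src), x_src[1]) == x
    if y_punch_reached_x:
        x_reply_reached_y = nat_y.inbound(nat_x.outbound(x, y_src), y_src[1]) == y
    return {
        "y_punch_reached_x": y_punch_reached_x,
        "x_reached_y": x_reached_y,
        "y_kept_announced_port": y_src[1] == y_pub[1],
        "direct_udp_possible": (x_reached_y and y_reply_reached_x)
                               or (y_punch_reached_x and x_reply_reached_y),
    }


if __name__ == "__main__":
    names = ["full cone", "restricted cone", "port-restricted", "symmetric"]
    for kx in range(4):
        for ky in range(4):
            r = hole_punch(kx, ky)
            print(f"X {names[kx]:>15} / Y {names[ky]:<15} direct UDP: {r['direct_udp_possible']}")
```

Running it prints all 16 pairings. For two port-restricted NATs the result is exactly the slide's sequence: Y's first packet is dropped at X, X's packet gets through, and from then on both directions work. For two symmetric NATs Y's punch comes from a port other than the announced one and X's packets find no mapping, so only a relay remains. Beyond the slides, the model also shows that a symmetric NAT on one side is not fatal by itself: against a full cone or restricted cone peer the symmetric side still gets a direct path, because that peer's mapping accepts the new source; the relay is the only option when the symmetric NAT faces a port-restricted or another symmetric NAT.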

Call Establishment: Symmetric NAT (figure)

Conclusion
Skype works through all types of NATs
Each user has a HC: a list with the IPs and ports of SNs
Login consists of a TCP connection with a SN as well as a TCP connection with the login server. When necessary, UDP exchanges with members of the HC are used to update the HC.
Call establishment is performed via direct TCP and UDP connections whenever possible. For a port-restricted NAT, tricks for creating mappings on the NATs are applied. However, when a symmetric NAT is used, the only way to carry the traffic is via relay.

Conclusion
Skype fails during login when the firewall blocks TCP, or when the HC is invalid and the firewall blocks the default SNs.
