Getting SIP (Session Initiation Protocol) through NAT (Network Address Translation)
firewalls is difficult, thanks to the complexity and asymmetry of SIP,
and thanks to the inherent unsuitability of NAT for anything but stretching
the pool of available IPv4 (Internet Protocol version 4) addresses further than
it deserves. NAT complicates everything, and the only reason that client-server
functions work at all over the Internet is all the clever hacks designed
to overcome NAT.
The cure for NAT is IPv6, which has a host of benefits in addition to a huge
address space, such as easier network administration and addressing, and genuine
QoS for high-quality streaming media. Someday NAT will be an optional tool for
those who really want it, instead of a necessity to have un-rationed numbers
of clients in your networks. I’m not holding my breath, as the USA owns about
three-fourths of the available IPv4 addresses, and is well behind Europe, Japan,
Finland, and other parts of the world in affordable broadband, and in advanced
wireless and cellular services. So there is an insufficient level of urgency
for migrating to IPv6, and a corresponding lackadaisicalness in—forgive
me for using the word—innovation in these areas.
So until that golden day when IPv6 becomes the norm, we must deal with the
nasty, brutish realities of the present with cunning and ingenuity. If you
must support SIP there are a number of ways to get around nasty NAT problems:
SIP proxies, STUN (Simple Traversal of UDP through NAT) servers, and majick
routers. Or you might consider avoiding SIP entirely and using IAX (Inter-Asterisk
Exchange) instead.
What is IAX?
IAX is the native Asterisk protocol. It has a number of advantages over SIP:
- It uses a single UDP port, 4569, so it slides through NAT with ease
- It is bandwidth-efficient
- It supports trunking, which means data from multiple calls are merged into a single set of packets, which reduces IP overhead
- You can trunk SIP calls over IAX to sneak them through those nasty NATs
- Signaling and data travel together, rather than independently as they do with SIP
- It is a binary protocol, so it’s more difficult to attack
Some of the downsides of IAX are that it is not supported as widely as SIP, and that it
places a heavier load on your server because all traffic must pass through the
server. SIP, on the other hand, allows the media stream to route by the most efficient
method, so your VoIP server is not a bottleneck. (Those with a thirst for details
can consult Resources.)
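
To make the single-port and signaling-with-media points above concrete, here is an added Python example (not code from the original article or from the Asterisk project) that classifies UDP payloads seen on port 4569 by IAX2 frame kind. The header layout and type codes follow RFC 5456, which the article does not cite; the sample datagrams are constructed.

```python
import struct

IAX_PORT = 4569  # the single UDP port the article names
# Full-frame type codes (RFC 5456; an assumption not stated on the page)
FRAME_TYPES = {0x01: "DTMF", 0x02: "VOICE", 0x03: "VIDEO",
               0x04: "CONTROL", 0x05: "NULL", 0x06: "IAX"}

def classify(datagram: bytes) -> dict:
    """Classify one UDP payload as an IAX2 full, mini or meta frame."""
    if len(datagram) < 4:
        raise ValueError("too short for any IAX2 frame")
    (first,) = struct.unpack_from("!H", datagram, 0)
    src_call = first & 0x7FFF
    if first & 0x8000:  # F bit set: reliable full frame
        if len(datagram) < 12:
            raise ValueError("truncated full frame")
        dst, ts, oseq, iseq, ftype, sub = struct.unpack_from("!HIBBBB", datagram, 2)
        return {"kind": "full", "src_call": src_call, "dst_call": dst & 0x7FFF,
                "retransmit": bool(dst & 0x8000), "timestamp": ts,
                "oseqno": oseq, "iseqno": iseq,
                "frame_type": FRAME_TYPES.get(ftype, hex(ftype)),
                "subclass": sub & 0x7F, "payload_len": len(datagram) - 12}
    if src_call == 0:  # F clear and call number 0: meta frame
        if datagram[2] & 0x80:  # V bit: meta video, different layout
            return {"kind": "meta", "video": True, "trunk": False}
        if len(datagram) < 8:
            raise ValueError("truncated meta frame")
        cmd, _cmd_data, ts = struct.unpack_from("!BBI", datagram, 2)
        return {"kind": "meta", "video": False, "trunk": cmd == 1, "timestamp": ts}
    # F clear, non-zero call number: mini frame carrying media only
    (ts,) = struct.unpack_from("!H", datagram, 2)
    return {"kind": "mini", "src_call": src_call, "timestamp": ts,
            "payload_len": len(datagram) - 4}

# Constructed sample datagrams (not captured traffic)
SAMPLES = [
    # full frame, type IAX, subclass 1 (NEW), plus 4 constructed payload bytes
    struct.pack("!HHIBBBB", 0x8001, 0, 3, 0, 0, 0x06, 0x01) + b"\x0b\x02\x00\x02",
    # mini frame for call 1 with 20 bytes of constructed audio
    struct.pack("!HH", 0x0001, 20) + bytes(20),
    # meta frame, command 1 (trunk), no trunked calls attached
    struct.pack("!HBBI", 0, 0x01, 0, 40),
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(classify(d))
```

Call setup (full frames of type IAX), voice (mini frames) and trunked audio (meta frames) all arrive in the same UDP flow, so a firewall or monitor only has to account for port 4569.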
When to use IAX
So the short story is that if you’re running an Asterisk server, or an Asterisk derivative, there are some scenarios where IAX just might be a better option for you than SIP:
- If you connect to branch offices that also run Asterisk servers, you could run IAX trunks between them for all inter-branch call traffic
- Road warriors can use IAX phones for easy remote connectivity
- If you connect to any Asterisk peer, such as a customer or vendor
- If you use a VoIP service that supports IAX trunking
IAX softphones
Support for IAX in VoIP devices is growing. I don’t know that it will ever equal
SIP’s popularity (I shall refrain from repeating my rant about U.S. vendors
and their antipathy towards real innovation; apparently one new protocol per
generation is the limit), but as long as you’re running Asterisk you can mix’n’match
the protocols to your best advantage.
Let’s take a look at softphones first. I’m getting to be a big fan of softphones, especially since I finally retired my very antique Thinkpad (it is now a specialized networking diagnostic-and-fixit laptop) and got a new hotrod dual-core model with a gigabyte of memory. Suddenly all softphones sound good.
IAX softphones are terrific for road warriors who have to lug along a laptop anyway. Throw in a lightweight USB headset and they’re all set. There are a number of good IAX softphones; these three are free of cost and cross-platform:
- iaxComm runs on Linux, Mac OS X, and Windows.
- KIAX runs on Linux, Mac OS X, various flavors of Unix, and Windows. This is a nice phone with multi-language support.
- Voix Phone is a freeware (but not open source) IAX phone derived from the Voix Manager, which is a nice call manager (also called a switchboard application) for Asterisk. It runs on Linux, Mac OS X, and Windows.
All three are nice softphones with the usual rafts of useful features like address books, multiple codec support, hold, transfer, user-configurable ringtones, multiple server support, and so on.
Next week we’ll look at some IAX hard phones, and some slick ways to use IAX
to swat those pesky NATs.
Resources
NAT and VoIP
STUN
IAX vs. SIP
List of IAX clients