[Freeswitch-users] OT: Apple goes to great lengths to defeat NAT and firewalls with new Facetime

Kristian Kielhofner kris at kriskinc.com
Fri Sep 20 18:11:49 MSD 2013


On Fri, Sep 20, 2013 at 9:49 AM, Steven Ayre <steveayre at gmail.com> wrote:
> Because SIP over UDP doesn't play well with fragmentation. SDP can make
> packets large than the PMTU, leading to fragmented packets, which leads to
> devices ignoring the packet. Removing the unnecessary rtpmap lines means
> smaller SDP so smaller packet so less likelihood of that being an issue.
>
> It shouldn't be such an issue over TCP.
>
> Devices *should* support it since the standard explicitly say the rtpmap
> isn't required for static types, but there are some manufacturers who
> ignored that part so there's the verbose_sdp=true compatibility option for
> them.

  I'm guessing you didn't read the post first :).  My questions here
were somewhat rhetorical and certainly not posed by me (seeing as I go
into the same kind of detail you have).  If you included it for list
archival purposes, excellent!

> That's not necessarily a given.
>
> In general though because the TCP connection explicitly signals the
> connection closing the mapping will stay in the firewall. With UDP it is
> removed after a long period of inactivity. That can cause problems with
> signalling during a phone call unless the endpoints send keepalive packets
> often enough.
>
> TLS will prevent the router helping with SIP ALG - you must have endpoints
> capable of doing NAT traversal themselves (STUN). Though that's a good idea
> in all cases anyway.

  In my experience with a fairly large network and a number of
endpoints TCP fragmentation is *much* more reliable than UDP
fragmentation.  Various stateful firewalls also handle TCP much better
(connection oriented and used by most applications people care about -
more testing, etc).  Your points about keepalives and TLS are spot on
although many devices don't have the "luxury" of keepalives due to
issues with battery power.

>> Maybe support deflate encoding?
>
>
> That wouldn't automatically work. It would need support by both ends and
> protocol changes to support it.

  I'd hope by now you realize that I understand that - which is why
I've raised this point simultaneously on the FreeSWITCH, Kamailio,
Asterisk, and Wireshark mailing lists.  I'm hoping to builder broader
support for these kinds of "standard" features within the open source
ecosystem.

-- 
Kristian Kielhofner



Join us at ClueCon 2013 Aug 6-8, 2013
More information about the FreeSWITCH-users mailing list