You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

In this section:

Overview

Sonus WebRTC Gateway (WRTC) is a new technology that enables web browsers to participate in audio, video, and data communications, without any kind of additional plug-ins or application downloads. Using a WRTC enabled browser user can place a call, participate in multi-party video and audio conferencing, and engage in screen sharing collaboration. Sonus Web Service Solution bridges the web and SIP worlds to facilitate the integration of communications (voice, video, and data) in applications.

Sonus SBC is a component of Sonus Web Service Solution. Sonus SBC provides media service functionality when WRTC endpoints are behind a NAT.

Sonus SBC acts as a WRTC to SIP media gateway. It enables WRTC users to communicate to any back-end SIP system and PSTN. Sonus SBC also provides routing, security, transcoding, and interworking. It supports the following functionalities:

  • Relays and monitors the media streams.

  • Inter-works WRTC media DTLS/SRTP to traditional RTP/UDP.

  • Relays or transcodes opus to G7xx voice codecs.

  • Relays VP8/VP9, and H.264 video codecs.

  • Supports ICE and STUN procedures for NAT traversal.

Deployment Scenarios

WRTC Enabled Device to SIP Call (SBC in Data Center)

The WRTC enabled device employs the ICE procedures and connects to the SBC on a public address. The SBC acts as an ICE agent to support the WRTC enabled device to punch the pinholes in the NAT for media exchange with the SBC. This can work with any Firewall in front of the WRTC enabled device that can support opening NAT Pinholes for the UDP traffic. The NAT can be Full-Cone, restricted, or symmetric NAT.

Browser to SIP call

WRTC Enabled Device to SBC Through TURN Server

In this case, media is exchanged between the WRTC enabled device and the SBC. The ICE mechanism is used to negotiate a relay address for the firewalls in front of the WRTC enabled device to use for media exchange over TCP or http ports. A TURN relay is used with media path to convert RTP/TCP to RTP/UDP towards SBC.

Browser to SBC through TURN server

Call Flows

Basic call (No ICE UE to Full ICE UE)

Basic Call between UE supporting ICE and no ICE

  • M11 - RTP Sever Reflexive candidate
  • M12 - RTP Host candidate
  • M11C - RTCP Sever Reflexive candidate
  • M12C - RTCP Host candidate

Mid Call ICE Restart

Mid call ICE restart

Configuring WRTC includes:

Configuring ICE

When natTraversal is set for iceSupport, it is recommended that both mediaNat or secureMediaNatPrefix are  not configured.

To configure ICE for a WRTC call:

SIP Trunk Group Configuration

The ICE capability is enabled on the trunk group towards the WRTC endpoints:

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSupport iceFull
  • SBC uses iceFull to support faster completion on the ICE exchange as the two end points locks down on the first accessible connection path attempted.
  • SBC uses iceWebrtc to allow selection of the optimum connection path, for example, Host vs TURN address.

SDP Method for Multiple IP Version

To configure the SDP method, ICE support must be enabled first.

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice <offerPreference | answerPreference>
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice offerPreference <ipv4 | ipv6 | matchSigAddrType>
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice answerPreference <honorRecvPrec | ipv4 | ipv6 | matchSigAddrType>

For detailed information on iPv4 and iPv6 CLI changes, refer to sipTrunkGroup media - CLI.

Policing Logic for STUN Packets

When policing is enabled, SBC uses the following prefix lengths to screen the packets that are received from the network. IP addresses that match are allowed to be processed at a higher frequency than IP addresses that do not match.

  • RTP IPV6 Host Address - Hard-coded 128 bit prefix
  • RTP IPV4 TURN Address - Hard-coded 32 bit prefix
  • RTP IPV6 TURN address - Hard-coded 128 bit prefix
  • RTP IPV4 Server Reflexive address - Prefix based on the provisioned length

If policing is disabled, all the packets are treated at the lower frequency of processing and can be dropped if there is an excessive amount of traffic received.

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority <serverReflexivePrefixLength  | state>
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority serverReflexivePrefixLength  <0..32>
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority state <enabled | disabled>

The aggregate policer screen shows information about the number of STUN packet accepts and discards that have occurred for a given address context. The command for aggregate policer is :

%show table addressContext default ipAccessControlList getAggrPolicers
 
POL  POLICING  ZONE  POLICING                                PACKET  PACKET   AGG POL    
ID   TYPE      ID    MODE      BUCKET SIZE  CREDIT RATE      ACCEPT  DISCARD  NAME       
-----------------------------------------------------------------------------------------
0    Link      -     DataRate  300000 byte  62500000 byte/s  0       0        LINK_pkt0  
1    Link      -     DataRate  300000 byte  62500000 byte/s  0       0        LINK_pkt1  
4    StunDtls  -     PktRate   100 pkt      10000 pkt/s      0       0        STUN       
5    StunDtls  -     PktRate   100 pkt      10000 pkt/s      0       0        DTLS

Configuring DTLS-SRTP

  • If the latest developer version of "Firefox" is used, additional configuration is required to correct the following error:
    091 09042015 115022.824913:1.01.00.21882.MAJOR   .DTLS_SRTP: *DTLS Error  no shared cipher
    Execute the following command to correct the error:

    config
    set profiles security dtlsProfile defaultDtlsProfile cipherSuite2 tls_ecdhe_rsa_with_aes_128_cbc_sha
    commit
  • The DTLS-SRTP and SCTP relay controls must be enabled on the Packet Service Profile for the end-to-end DTLS handshake for WSX-SBC-WSX call flows.

Using the Default DTLS Profile

The default DTLS profile is already present when the system is up and can be used to run WRTC calls.

% show profiles security dtlsProfile defaultDtlsProfile 
handshakeTimer 5;
sessionResumpTimer 300;
cipherSuite1      rsa-with-aes-128-cbc-sha;
dtlsRole          server;
hashType          sha1;
CertName          defaultDtlsSBCCert;
cookieExchange    enabled;
v1_0              enabled;
v1_1              disabled;
v1_2              disabled;

[ok]

For special configuration requirement in the DTLS profile, the default DTLS profile can be modified or a a new DTLS profile can be created. For details, refer to the section Creating the DTLS Profile.

Creating the DTLS Profile

% set profiles security dtlsProfile d1 CertName defaultDtlsSBCCert cipherSuite1 rsa-with-aes-128-cbc-sha cipherSuite2 nosuite cipherSuite3 nosuite cookieExchange enabled dtlsRole server handshakeTimer 5 hashType sha1 sessionResumpTimer 300 v1_0 enabled v1_1 disabled v1_2 disabled

Attaching the DTLS Profile to Trunk Group

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media dtlsProfileName d1

Creating Crypto Suite Profile

% set profiles security cryptoSuiteProfile cp1 entry 1 cryptoSuite AES-CM-128-HMAC-SHA1-80

Attaching the Crypto Suite Profile to the Packet Service Profile

% set profiles media packetServiceProfile PSP_IAD dtls dtlsCryptoSuiteProfile cp1

Enabling the DTLS Crypto Suite Profile Parameters

% set profiles media packetServiceProfile PSP_IAD dtls dtlsCryptoSuiteProfile cp1 dtlsFlags allowDtlsFallback enable enableDtlsSrtp enable

The allowDtlsFallback  parameter enables a fall back to standard RTP when corresponding leg does not have DTLS-SRTP support. If this parameter is disabled, SBC does not allow any other call other than DTLS-SRTP on that leg.

Enabling the DTLS SRTP and DTLS SCTP Relay Flags in Packet Service Profile

% set profiles media packetServiceProfile PSP_IAD dtls dtlsFlags dtlsSrtpRelay enable dtlsSctpRelay enable

Attaching the Packet Service Profile to the Sip Trunk Group

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD policy media packetServiceProfile PSP_IAD

The Packet Service Profile can be attached to the ingress, egress, or both ingress and egress Sip Trunk Group.

Licensing

The SRTP license must be enabled for DTLS support.

The license can be seen by executing the following command:

 

% show table system licenseInfo

LICENSE USAGE 
FEATURE NAME ID EXPIRATION DATE LIMIT 

Navigate to All > License > Bundle

SRTP License

 

Defining SMM Rules

As SBC does not support SAVPF, the following SMM rule is applied for inter-working with WRTC endpoints:

% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 criterion 1 type message 
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 criterion 1 type message message messageTypes all condition exist
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 type messageBody
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 operation regsub
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 regexp string "RTP/SAVP" matchInstance all
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 from type value value "RTP/SAVPF"
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 to type messageBody messageBodyValue all
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE state enable
commit 

These SMM profile is assigned to the Trunk Group towards the WRTC.

the adpAttributesSelectiveRelay control must be enabled to support WSX-SBC-WSX call scenarios.

 

Assigning SMM Profiles to Trunk Group

The SMM profile is applied to the Trunk Group as shown below:

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD signaling messageManipulation outputAdapterProfile OUT_SMM_RULE

Other Configuration

% set addressContext default zone ZONE_IAD sipTrunkGroup ATG_SIPART_IAD services natTraversal mediaNat disabled
% set profiles media packetServiceProfile PSP_IAD rtcpOptions rtcp enable

The STUN handling for media NAT and ICE are mutually exclusive. Therefore, mediaNAT is disabled when ICE is used.

For DTLS, an association is created for both RTP and RTCP. The RTCP control must be enabled for RTCP packets to flow.

 

Viewing the Call Detail Status

To view the call detail status for an ICE enabled WRTC call:

% show status global callDetailStatus
callDetailStatus 17334272 {
  mediaStreams         audio;
  state                Stable;
  callingNumber        777;
  calledNumber         444;
  addressTransPerformed    none;
  origCalledNum        "";
  scenarioType         SIP_TO_SIP;
  callDuration         8;
  mediaType            passthru;
  associatedGcid1      17334272;
  associatedGcid2      17334272;
  associatedGcidLegId1    1;
  associatedGcidLegId2    0;
  ingressMediaStream1LocalIpSockAddr  "10.54.4.176/ 1026";
  ingressMediaStream1RemoteIpSockAddr "10.70.52.67/ 55658";
  egressMediaStream1LocalIpSockAddr   "10.54.6.176/ 1026";
  egressMediaStream1RemoteIpSockAddr  "10.70.52.67/ 5124";
  ingressMediaStream1Security         "rtp-Encrypted rtp-auth rtcp-encrypted rtcp-auth crypto-aescm hmacsha180";
  egressMediaStream1Security          "rtp-disabled rtcp-disabled";
  ingressMediaStream1Bandwidth          135;
  egressMediaStream1Bandwidth           127;
  ingressMediaStream1IceState          ST_ICE_COMPLETE;
  egressMediaStream1IceState          NONE;
  ingressDtlsSrtpStream1              ENABLED;
  egressDtlsSrtpStream1               DISABLED;
  iceCallTypes                       "ing-lcl-FULL-ICE ing-rmt-FULL-ICE eg-lcl-NONE eg-rmt-NONE";

}

The following screen shows a successful DTLS handshake packet capture:

The Screen Showing a Successful DTLS Packet Capture

  • No labels