Overview

Sonus WebRTC Gateway (WRTC) is a new technology that enables web browsers to participate in audio, video, and data communications without additional plug-ins or application downloads. Using a WRTC-enabled browser, a user can place a call, participate in multi-party video and audio conferencing, and engage in screen-sharing collaboration. The Sonus Web Service Solution bridges the web and SIP worlds to facilitate the integration of communications (voice, video, and data) in applications.

Sonus SBC is a component of Sonus Web Service Solution. Sonus SBC provides media service functionality when WRTC endpoints are behind a NAT.

Sonus SBC acts as a WRTC to SIP media gateway. It enables WRTC users to communicate with any back-end SIP system and the PSTN. Sonus SBC also provides routing, security, transcoding, and interworking. It supports the following functionalities:

  • Relays and monitors the media streams.

  • Inter-works WRTC media DTLS/SRTP to traditional RTP/UDP.

  • Relays or transcodes Opus to G7xx voice codecs.

  • Relays VP8/VP9, and H.264 video codecs.

  • Supports ICE and STUN procedures for NAT traversal.

Deployment Scenarios

WRTC Enabled Device to SIP Call (SBC in Data Center)

The WRTC-enabled device employs the ICE procedures and connects to the SBC on a public address. The SBC acts as an ICE-Lite agent so that the WRTC-enabled device can punch pinholes in the NAT for media exchange with the SBC. This works with any firewall in front of the WRTC-enabled device that supports opening NAT pinholes for UDP traffic. The NAT can be full-cone, restricted, or symmetric.

Browser to SIP call

WRTC Enabled Device to SBC Through TURN Server

In this case, media is exchanged between the WRTC-enabled device and the SBC. The ICE-Lite mechanism is used to negotiate a relay address that the firewalls in front of the WRTC-enabled device use for media exchange over TCP or HTTP ports. A TURN relay in the media path converts RTP/TCP to RTP/UDP towards the SBC.

Browser to SBC through TURN server

Call Flows

Basic call (No ICE UE to Full ICE UE)

Basic Call between UE supporting ICE and no ICE

  • M11 - RTP Server Reflexive candidate
  • M12 - RTP Host candidate
  • M11C - RTCP Server Reflexive candidate
  • M12C - RTCP Host candidate

Mid Call ICE Restart

Mid call ICE restart

Configuring WRTC includes:

Configuring ICE-Lite

When natTraversal is set for iceSupport, it is recommended that neither mediaNat nor secureMediaNatPrefix is configured.

To configure ICE for a WRTC call:

SIP Trunk Group Configuration

The ICE capability is enabled on the trunk group towards the WRTC endpoints:

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSupport iceWebrtc

SDP Method for Multiple IP Version

To configure the SDP method, ICE support must be enabled first.

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice <offerPreference | answerPreference>
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice offerPreference <ipv4 | ipv6 | matchSigAddrType>
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice answerPreference <honorRecvPrec | ipv4 | ipv6 | matchSigAddrType>

For detailed information on iPv4 and iPv6 CLI changes, refer to sipTrunkGroup media - CLI.

Policing Logic for STUN Packets

When policing is enabled, SBC uses the following prefix lengths to screen the packets that are received from the network. IP addresses that match are allowed to be processed at a higher frequency than IP addresses that do not match.

  • RTP IPV6 Host Address - Hard-coded 128 bit prefix
  • RTP IPV4 TURN Address - Hard-coded 32 bit prefix
  • RTP IPV6 TURN address - Hard-coded 128 bit prefix
  • RTP IPV4 Server Reflexive address - Prefix based on the provisioned length

If policing is disabled, all the packets are treated at the lower frequency of processing and can be dropped if there is an excessive amount of traffic received.

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority <serverReflexivePrefixLength  | state>
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority serverReflexivePrefixLength  <0..32>
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority state <enabled | disabled>
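
The matching rule described above, as an added example (not Sonus code): it builds the set of networks from ICE candidates using the prefix lengths in the list and checks whether a packet's source address matches. The candidate addresses are constructed, and the function names and the mapping of "TURN address" to the ICE candidate type `relay` are assumptions made for the illustration.

```python
import ipaddress

# Fixed prefix lengths from the list above, keyed by (candidate type, IP version).
# 'relay' is the ICE candidate type token for a TURN address.
FIXED = {("host", 6): 128, ("relay", 4): 32, ("relay", 6): 128}

def priority_networks(candidates, srflx_prefix_len):
    """Return the networks whose source addresses count as a match.

    candidates: (ice_type, address) pairs; srflx_prefix_len: the provisioned
    serverReflexivePrefixLength (0..32), used for IPv4 'srflx' candidates.
    """
    if not 0 <= srflx_prefix_len <= 32:
        raise ValueError("serverReflexivePrefixLength must be 0..32")
    nets = []
    for ice_type, addr in candidates:
        ip = ipaddress.ip_address(addr)
        if ice_type == "srflx" and ip.version == 4:
            plen = srflx_prefix_len
        else:
            plen = FIXED.get((ice_type, ip.version))
        if plen is not None:  # combinations not in the page's list are skipped
            nets.append(ipaddress.ip_network(f"{addr}/{plen}", strict=False))
    return nets

def matches(source, nets):
    """True if a packet's source address falls in any priority network."""
    ip = ipaddress.ip_address(source)
    return any(ip.version == n.version and ip in n for n in nets)

# Constructed candidates (documentation address ranges).
CANDIDATES = [("srflx", "203.0.113.10"), ("relay", "198.51.100.7"),
              ("host", "2001:db8::5")]

if __name__ == "__main__":
    for plen in (32, 24, 0):
        nets = priority_networks(CANDIDATES, plen)
        print(plen, [str(n) for n in nets],
              {s: matches(s, nets) for s in ("203.0.113.99", "192.0.2.1")})
```

Under this model, a serverReflexivePrefixLength of 0 turns the server-reflexive entry into 0.0.0.0/0, so every IPv4 source matches; the shorter the provisioned prefix, the less the filter separates known peers from other traffic.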

The aggregate policer screen shows information about the number of STUN packet accepts and discards that have occurred for a given address context. The command for aggregate policer is:

% show table addressContext default ipAccessControlList getAggrPolicers
 
POL  POLICING  ZONE  POLICING                                PACKET  PACKET   AGG POL    
ID   TYPE      ID    MODE      BUCKET SIZE  CREDIT RATE      ACCEPT  DISCARD  NAME       
-----------------------------------------------------------------------------------------
0    Link      -     DataRate  300000 byte  62500000 byte/s  0       0        LINK_pkt0  
1    Link      -     DataRate  300000 byte  62500000 byte/s  0       0        LINK_pkt1  
4    StunDtls  -     PktRate   100 pkt      10000 pkt/s      0       0        STUN       
5    StunDtls  -     PktRate   100 pkt      10000 pkt/s      0       0        DTLS

Configuring DTLS-SRTP

If the latest developer version of "Firefox" is used, additional configuration is required to correct the following error:

 091 09042015 115022.824913:1.01.00.21882.MAJOR   .DTLS_SRTP: *DTLS Error  no shared cipher

Execute the following command to correct the error:

config
set profiles security dtlsProfile defaultDtlsProfile cipherSuite2 tls_ecdhe_rsa_with_aes_128_cbc_sha
commit

Creating the DTLS Profile

% set profiles security dtlsProfile d1 CertName defaultDtlsSBCCert cipherSuite1 rsa-with-aes-128-cbc-sha cipherSuite2 nosuite cipherSuite3 nosuite cookieExchange enabled dtlsRole server handshakeTimer 5 hashType sha1 sessionResumpTimer 300 v1_0 enabled v1_1 disabled v1_2 disabled

Attaching the DTLS Profile to Trunk Group

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media dtlsProfileName d1

Creating Crypto Suite Profile

% set profiles security cryptoSuiteProfile cp1 entry 1 cryptoSuite AES-CM-128-HMAC-SHA1-80

Attaching the Crypto Suite Profile to the Packet Service Profile

% set profiles media packetServiceProfile PSP_IAD dtls dtlsCryptoSuiteProfile cp1

Enabling the Parameters Under DTLS Crypto Suite Profile

% set profiles media packetServiceProfile PSP_IAD dtls dtlsCryptoSuiteProfile cp1 dtlsFlags allowDtlsFallback enable enableDtlsSrtp enable

The allowDtlsFallback parameter enables a fallback to standard RTP when the corresponding leg does not have DTLS-SRTP support. If this parameter is disabled, the SBC allows only DTLS-SRTP calls on that leg.

Attaching the Packet Service Profile to the SIP Trunk Group

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD policy media packetServiceProfile PSP_IAD

The Packet Service Profile can be attached to the ingress, egress, or both ingress and egress SIP Trunk Group.

Licensing

The SRTP license must be enabled for DTLS support.

The license can be seen by executing the following command:

 

% show table system licenseInfo

LICENSE USAGE 
FEATURE NAME ID EXPIRATION DATE LIMIT 

Navigate to All > License > Bundle

SRTP License

 

Defining SMM Rules

As SBC does not support SAVPF, the following SMM rules are applied for inter-working with WRTC endpoints:


Output Adapter Profile:

% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 criterion 1 type message 
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 criterion 1 type message message messageTypes all condition exist
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 type messageBody
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 operation regsub
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 regexp string "RTP/SAVP" matchInstance all
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 from type value value "RTP/SAVPF"
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 to type messageBody messageBodyValue all
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE state enable
commit 

Input Adapter Profile

For an audio and video WRTC (Chrome) to WRTC (Chrome) call, an inputAdaptorProfile SMM rule is required. The SMM rule depends on the configuration of the sdpAttributesSelectiveRelay control. This SMM rule is configured on the incoming Trunk Group. The same settings are required when inter-working from WRTC to Acano.

  • sdpAttributesSelectiveRelay is disabled

    % set addressContext default zone <zone name> sipTrunkGroup <sip Trunk Group name> media sdpAttributesSelectiveRelay disabled
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 criterion 1 type message message messageTypes all condition exist
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 1 type messageBody
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 1 operation regdel
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 1 regexp string "a=ssrc.*?\r\n" matchInstance all
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 1 to type messageBody messageBodyValue all
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE state enable
    commit
    
  • sdpAttributesSelectiveRelay is enabled

    % set addressContext default zone <zone name> sipTrunkGroup <sip Trunk Group name> media sdpAttributesSelectiveRelay enabled
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 criterion 1 type message message messageTypes all condition exist
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 1 type messageBody
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 1 operation regdel
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 1 regexp string "a=group:BUNDLE.*?\r\n" matchInstance all
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 1 to type messageBody messageBodyValue all
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 2 type messageBody
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 2 operation regdel
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 2 regexp string "a=msid-semantic.*?\r\n" matchInstance all
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE rule 1 action 2 to type messageBody messageBodyValue all
    % set profiles signaling sipAdaptorProfile IN_SMM_RULE state enable
    commit
    

These SMM profiles are assigned to the Trunk Group towards the WRTC.
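
The effect of the regular expressions in OUT_SMM_RULE and IN_SMM_RULE on an SDP body, as an added example (not Sonus code). It assumes the SMM regsub and regdel operations match these patterns the way Python's `re` module does; the SDP bodies are constructed and abbreviated, and the function names are hypothetical.

```python
import re

def apply_output_rule(body):
    """OUT_SMM_RULE action 2: regsub every "RTP/SAVP" with "RTP/SAVPF"."""
    return re.sub(r"RTP/SAVP", "RTP/SAVPF", body)

# IN_SMM_RULE regdel patterns, keyed by the sdpAttributesSelectiveRelay setting.
IN_PATTERNS = {
    "disabled": [r"a=ssrc.*?\r\n"],
    "enabled": [r"a=group:BUNDLE.*?\r\n", r"a=msid-semantic.*?\r\n"],
}

def apply_input_rule(body, selective_relay):
    """Delete every match of each pattern; return (new_body, removed_lines)."""
    removed = []
    for pattern in IN_PATTERNS[selective_relay]:
        removed += [m.rstrip("\r\n") for m in re.findall(pattern, body)]
        body = re.sub(pattern, "", body)
    return body, removed

# Constructed SDP bodies (not captured from a real call).
SBC_OFFER = "\r\n".join([
    "v=0", "m=audio 1026 RTP/SAVP 111", "m=video 1028 UDP/TLS/RTP/SAVP 100", ""])
BROWSER_OFFER = "\r\n".join([
    "v=0", "a=group:BUNDLE audio video", "a=msid-semantic: WMS s1",
    "m=audio 9 RTP/SAVPF 111", "a=ssrc:1111 cname:x",
    "m=video 9 RTP/SAVPF 100", "a=ssrc-group:FID 2222 3333",
    "a=ssrc:2222 cname:x", ""])

if __name__ == "__main__":
    print(apply_output_rule(SBC_OFFER))
    for setting in ("disabled", "enabled"):
        body, removed = apply_input_rule(BROWSER_OFFER, setting)
        print(setting, "removed:", removed)
    # The pattern is unanchored: a body that already says RTP/SAVPF is rewritten too.
    print(apply_output_rule("m=audio 9 RTP/SAVPF 111\r\n"))
```

Two things to check when adapting these rules: the `a=ssrc.*?\r\n` pattern also removes `a=ssrc-group:` lines, and the unanchored `RTP/SAVP` pattern would turn a body that already carries `RTP/SAVPF` into `RTP/SAVPFF`.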

Assigning SMM Profiles to Trunk Group

The SMM profile is applied to the Trunk Group as shown below:

% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD signaling messageManipulation outputAdapterProfile OUT_SMM_RULE

Other Configuration

% set addressContext default zone ZONE_IAD sipTrunkGroup ATG_SIPART_IAD services natTraversal mediaNat disabled
% set profiles media packetServiceProfile PSP_IAD rtcpOptions rtcp enable

STUN handling for media NAT and STUN handling for ICE are mutually exclusive. Therefore, mediaNat is disabled when ICE is used.

For DTLS, an association is created for both RTP and RTCP. The RTCP control must be enabled for RTCP packets to flow.

 

Viewing the Call Detail Status

To view the call detail status for an ICE enabled WRTC call:

% show status global callDetailStatus
callDetailStatus 17334272 {
  mediaStreams         audio;
  state                Stable;
  callingNumber        777;
  calledNumber         444;
  addressTransPerformed    none;
  origCalledNum        "";
  scenarioType         SIP_TO_SIP;
  callDuration         8;
  mediaType            passthru;
  associatedGcid1      17334272;
  associatedGcid2      17334272;
  associatedGcidLegId1    1;
  associatedGcidLegId2    0;
  ingressMediaStream1LocalIpSockAddr  "10.54.4.176/ 1026";
  ingressMediaStream1RemoteIpSockAddr "10.70.52.67/ 55658";
  egressMediaStream1LocalIpSockAddr   "10.54.6.176/ 1026";
  egressMediaStream1RemoteIpSockAddr  "10.70.52.67/ 5124";
  ingressMediaStream1Security         "rtp-Encrypted rtp-auth rtcp-encrypted rtcp-auth crypto-aescm hmacsha180";
  egressMediaStream1Security          "rtp-disabled rtcp-disabled";
  ingressMediaStream1Bandwidth          135;
  egressMediaStream1Bandwidth           127;
  ingressMediaStream1IceState          ST_ICE_COMPLETE;
  egressMediaStream1IceState          NONE;
  ingressDtlsSrtpStream1              ENABLED;
  egressDtlsSrtpStream1               DISABLED;
  iceCallTypes                       "ing-lcl-ICE-LITE ing-rmt-FULL-ICE eg-lcl-NONE eg-rmt-NONE";

}
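
A way to check this output per leg, as an added example (not Sonus code): it parses the callDetailStatus fields and lists why a leg is not an ICE-complete, DTLS-SRTP, encrypted leg. On the leg facing WRTC endpoints, a non-empty result is what a call that fell back to RTP through allowDtlsFallback would look like. The function names are hypothetical; the sample reuses the security, ICE and DTLS fields shown above.

```python
import re

# One "name value;" field per line; the value may be double-quoted.
FIELD = re.compile(r'^\s*(\w+)\s+(?:"([^"]*)"|([^;]*));\s*$')

def parse_call_detail(text):
    """Parse callDetailStatus output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            quoted, bare = m.group(2), m.group(3)
            fields[m.group(1)] = quoted if quoted is not None else bare.strip()
    return fields

def leg_findings(fields, leg, stream=1):
    """List reasons why a leg ('ingress' or 'egress') is not an ICE + DTLS-SRTP leg."""
    sec = fields.get(f"{leg}MediaStream{stream}Security", "").lower().split()
    ice = fields.get(f"{leg}MediaStream{stream}IceState", "NONE")
    findings = []
    if fields.get(f"{leg}DtlsSrtpStream{stream}") != "ENABLED":
        findings.append("DTLS-SRTP not enabled")
    if "rtp-encrypted" not in sec or "rtcp-encrypted" not in sec:
        findings.append("RTP or RTCP not encrypted")
    if ice != "ST_ICE_COMPLETE":
        findings.append(f"ICE state is {ice}")
    return findings

# Security, ICE and DTLS fields copied from the output above.
SAMPLE = '''callDetailStatus 17334272 {
  ingressMediaStream1Security         "rtp-Encrypted rtp-auth rtcp-encrypted rtcp-auth crypto-aescm hmacsha180";
  egressMediaStream1Security          "rtp-disabled rtcp-disabled";
  ingressMediaStream1IceState          ST_ICE_COMPLETE;
  egressMediaStream1IceState          NONE;
  ingressDtlsSrtpStream1              ENABLED;
  egressDtlsSrtpStream1               DISABLED;
}'''

if __name__ == "__main__":
    fields = parse_call_detail(SAMPLE)
    for leg in ("ingress", "egress"):
        print(leg, leg_findings(fields, leg) or "ICE complete, DTLS-SRTP, encrypted")
```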
