In this section:
Sonus WebRTC Gateway (WRTC) is a new technology that enables web browsers to participate in audio, video, and data communications, without any kind of additional plug-ins or application downloads. Using a WRTC enabled browser user can place a call, participate in multi-party video and audio conferencing, and engage in screen sharing collaboration. Sonus Web Service Solution bridges the web and SIP worlds to facilitate the integration of communications (voice, video, and data) in applications.
Sonus SBC is a component of Sonus Web Service Solution. Sonus SBC provides media service functionality when WRTC endpoints are behind a NAT.
Sonus SBC acts as a WRTC to SIP media gateway. It enables WRTC users to communicate to any back-end SIP system and PSTN. Sonus SBC also provides routing, security, transcoding, and interworking. It supports the following functionalities:
Relays and monitors the media streams.
Inter-works WRTC media DTLS/SRTP to traditional RTP/UDP.
Relays or transcodes opus to G7xx voice codecs.
Relays VP8/VP9, and H.264 video codecs.
Supports ICE and STUN procedures for NAT traversal.
WRTC Enabled Device to SIP Call (SBC in Data Center)
The WRTC enabled device employs the ICE procedures and connects to the SBC on a public address. The SBC acts as an ICE agent to support the WRTC enabled device to punch the pinholes in the NAT for media exchange with the SBC. This can work with any Firewall in front of the WRTC enabled device that can support opening NAT Pinholes for the UDP traffic. The NAT can be Full-Cone, restricted, or symmetric NAT.
WRTC Enabled Device to SBC Through TURN Server
In this case, media is exchanged between the WRTC enabled device and the SBC. The ICE mechanism is used to negotiate a relay address for the firewalls in front of the WRTC enabled device to use for media exchange over TCP or http ports. A TURN relay is used with media path to convert RTP/TCP to RTP/UDP towards SBC.
Basic call (No ICE UE to Full ICE UE)
Mid Call ICE Restart
Configuring WRTC includes:
When natTraversal
is set for iceSupport
, it is recommended that both mediaNat
or secureMediaNatPrefix
are not configured.
To configure ICE for a WRTC call:
The ICE capability is enabled on the trunk group towards the WRTC endpoints:
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSupport iceFull
iceFull
to support faster completion on the ICE exchange as the two end points locks down on the first accessible connection path attempted.iceWebrtc
to allow selection of the optimum connection path, for example, Host vs TURN address.To configure the SDP method, ICE support must be enabled first.
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice <offerPreference | answerPreference> % set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice offerPreference <ipv4 | ipv6 | matchSigAddrType> % set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media mediaAddrType iPv4andiPv6 ice answerPreference <honorRecvPrec | ipv4 | ipv6 | matchSigAddrType>
For detailed information on iPv4 and iPv6 CLI changes, refer to sipTrunkGroup media - CLI.
When policing is enabled, SBC uses the following prefix lengths to screen the packets that are received from the network. IP addresses that match are allowed to be processed at a higher frequency than IP addresses that do not match.
If policing is disabled, all the packets are treated at the lower frequency of processing and can be dropped if there is an excessive amount of traffic received.
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority <serverReflexivePrefixLength | state> % set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority serverReflexivePrefixLength <0..32> % set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD services natTraversal iceSourceAddressFilterPriority state <enabled | disabled>
The aggregate policer screen shows information about the number of STUN packet accepts and discards that have occurred for a given address context. The command for aggregate policer is :
%show table addressContext default ipAccessControlList getAggrPolicers POL POLICING ZONE POLICING PACKET PACKET AGG POL ID TYPE ID MODE BUCKET SIZE CREDIT RATE ACCEPT DISCARD NAME ----------------------------------------------------------------------------------------- 0 Link - DataRate 300000 byte 62500000 byte/s 0 0 LINK_pkt0 1 Link - DataRate 300000 byte 62500000 byte/s 0 0 LINK_pkt1 4 StunDtls - PktRate 100 pkt 10000 pkt/s 0 0 STUN 5 StunDtls - PktRate 100 pkt 10000 pkt/s 0 0 DTLS
If the latest developer version of "Firefox" is used, additional configuration is required to correct the following error:
091 09042015 115022.824913:1.01.00.21882.MAJOR .DTLS_SRTP: *DTLS Error no shared cipher
Execute the following command to correct the error:
config set profiles security dtlsProfile defaultDtlsProfile cipherSuite2 tls_ecdhe_rsa_with_aes_128_cbc_sha commit
The default DTLS profile is already present when the system is up and can be used to run WRTC calls.
% show profiles security dtlsProfile defaultDtlsProfile handshakeTimer 5; sessionResumpTimer 300; cipherSuite1 rsa-with-aes-128-cbc-sha; dtlsRole server; hashType sha1; CertName defaultDtlsSBCCert; cookieExchange enabled; v1_0 enabled; v1_1 disabled; v1_2 disabled; [ok]
For special configuration requirement in the DTLS profile, the default DTLS profile can be modified or a a new DTLS profile can be created. For details, refer to the section Creating the DTLS Profile.
% set profiles security dtlsProfile d1 CertName defaultDtlsSBCCert cipherSuite1 rsa-with-aes-128-cbc-sha cipherSuite2 nosuite cipherSuite3 nosuite cookieExchange enabled dtlsRole server handshakeTimer 5 hashType sha1 sessionResumpTimer 300 v1_0 enabled v1_1 disabled v1_2 disabled
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD media dtlsProfileName d1
% set profiles security cryptoSuiteProfile cp1 entry 1 cryptoSuite AES-CM-128-HMAC-SHA1-80
% set profiles media packetServiceProfile PSP_IAD dtls dtlsCryptoSuiteProfile cp1
% set profiles media packetServiceProfile PSP_IAD dtls dtlsCryptoSuiteProfile cp1 dtlsFlags allowDtlsFallback enable enableDtlsSrtp enable
The allowDtlsFallback
parameter enables a fall back to standard RTP when corresponding leg does not have DTLS-SRTP support. If this parameter is disabled, SBC does not allow any other call other than DTLS-SRTP on that leg.
% set profiles media packetServiceProfile PSP_IAD dtls dtlsFlags dtlsSrtpRelay enable dtlsSctpRelay enable
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD policy media packetServiceProfile PSP_IAD
The Packet Service Profile can be attached to the ingress, egress, or both ingress and egress Sip Trunk Group.
The SRTP license must be enabled for DTLS support.
The license can be seen by executing the following command:
% show table system licenseInfo LICENSE USAGE FEATURE NAME ID EXPIRATION DATE LIMIT
Navigate to All > License > Bundle
As SBC does not support SAVPF, the following SMM rule is applied for inter-working with WRTC endpoints:
% set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 % set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 criterion 1 type message % set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 criterion 1 type message message messageTypes all condition exist % set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 type messageBody % set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 operation regsub % set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 regexp string "RTP/SAVP" matchInstance all % set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 from type value value "RTP/SAVPF" % set profiles signaling sipAdaptorProfile OUT_SMM_RULE rule 1 action 2 to type messageBody messageBodyValue all % set profiles signaling sipAdaptorProfile OUT_SMM_RULE state enable commit
These SMM profile is assigned to the Trunk Group towards the WRTC.
the adpAttributesSelectiveRelay
control must be enabled to support WSX-SBC-WSX call scenarios.
The SMM profile is applied to the Trunk Group as shown below:
% set addressContext default zone ZONE_IAD sipTrunkGroup TG_SIPART_IAD signaling messageManipulation outputAdapterProfile OUT_SMM_RULE
% set addressContext default zone ZONE_IAD sipTrunkGroup ATG_SIPART_IAD services natTraversal mediaNat disabled % set profiles media packetServiceProfile PSP_IAD rtcpOptions rtcp enable
The STUN handling for media NAT and ICE are mutually exclusive. Therefore, mediaNAT
is disabled when ICE is used.
For DTLS, an association is created for both RTP and RTCP. The RTCP control must be enabled for RTCP packets to flow.
To view the call detail status for an ICE enabled WRTC call:
% show status global callDetailStatus callDetailStatus 17334272 { mediaStreams audio; state Stable; callingNumber 777; calledNumber 444; addressTransPerformed none; origCalledNum ""; scenarioType SIP_TO_SIP; callDuration 8; mediaType passthru; associatedGcid1 17334272; associatedGcid2 17334272; associatedGcidLegId1 1; associatedGcidLegId2 0; ingressMediaStream1LocalIpSockAddr "10.54.4.176/ 1026"; ingressMediaStream1RemoteIpSockAddr "10.70.52.67/ 55658"; egressMediaStream1LocalIpSockAddr "10.54.6.176/ 1026"; egressMediaStream1RemoteIpSockAddr "10.70.52.67/ 5124"; ingressMediaStream1Security "rtp-Encrypted rtp-auth rtcp-encrypted rtcp-auth crypto-aescm hmacsha180"; egressMediaStream1Security "rtp-disabled rtcp-disabled"; ingressMediaStream1Bandwidth 135; egressMediaStream1Bandwidth 127; ingressMediaStream1IceState ST_ICE_COMPLETE; egressMediaStream1IceState NONE; ingressDtlsSrtpStream1 ENABLED; egressDtlsSrtpStream1 DISABLED; iceCallTypes "ing-lcl-FULL-ICE ing-rmt-FULL-ICE eg-lcl-NONE eg-rmt-NONE"; }
The following screen shows a successful DTLS handshake packet capture: