asterisk users - Mar 2016 - Questions regarding ICE and STUN with Asterisk

Hi everyone

  I would like to get some help and clarification from the experienced 
ones, upon the following:

- we're using Asterisk 13.7.0, that is deployed on a host, that has a 
public IP *and* a couple of gray IPs (192.168.x.x & 10.10.x.x)

- we're using WebRTC web-page (jsSIP) as a client

Which is the proper setup of ICE/STUN related config (on the Asterisk 
and on the client) for the most reliable work in most cases ?

For example, now we're trying to use our own STUN server (from Debian's 
"stund" package), whose documentation says "You have to have 2
different
public IPs on the same server in order to run STUN server"

Is it really so? and what are the implications of using it with only one 
IP (which is possible, at least it runs seemingly well without that)

On the client side, we've configured jsSIP.UA to use our own STUN server 
via "pcConfig" object

On Asterisk, we have icesupport=yes both in sip.conf and rtp.conf. We've 
also enabled stunaddr=stun.l.google.com:19302 in rtp.conf.

Is it proper solution for this case ?

When I inspect SIP packets, I see that there are ICE candidates in both 
offers and answers. BUT: SDP bodies in the packets from server to client 
contain "gray" IPs of the Asterisk host:

a=ice-ufrag:636c49c84158d2b45840291c6724c0f9
a=ice-pwd:6b012c01092ec01275964eaa55a8784b
a=candidate:H904cc6da 1 UDP 2130706431 144.76.x.y 51604 typ host
a=candidate:Ha0a0202 1 UDP 2130706431 10.10.2.2 51604 typ host
a=candidate:S904cc6da 1 UDP 1694498815 144.76.x.y 51604 typ srflx raddr 
144.76.x.y rport 51604
a=candidate:H904cc6da 2 UDP 2130706430 144.76.x.y 51605 typ host
a=candidate:Ha0a0202 2 UDP 2130706430 10.10.2.2 51605 typ host
a=candidate:S904cc6da 2 UDP 1694498814 144.76.x.y 51605 typ srflx raddr 
144.76.x.y rport 51605

I am afraid it might be a potential problem, when a client will have his 
private IP in similar subnets. Or am I wrong here ?

So far we are not experiencing any issues, but this seems to be alarming..

Can this behaviour (namely, which IP addresses does Asterisk include 
into SDPs body) be configured somehow ?

Many thanks for any help with this question..

Kirill Marchuk

Well, after a more specific research I came to 2 conclusions:

1) no need to specify "stunaddr" option in Asterisk configs in this 
case, as we know that host definitely has a public IP

2) as of the inclusion of all local IP-addresses as candidates, this is 
(apparently) done in "rtp_add_candidates_to_ice" function of 
res_rtp_asterisk.c, where it has a code:
     /* Add all the local interface IP addresses */
..

And as fas as I can tell from basic ICE overview [1], this should NOT 
prevent proper session functioning, as long as candidate pairs 
(local/remote) are checked for connectivity first.

Still, I would think it to be useful, to have an option to EXCLUDE local 
IP-addresses from using as local candidates.

What does the community think on this ?

Thanks

Kirill Marchuk

[1] https://trac.pjsip.org/repos/wiki/Using_Standalone_ICE

18.03.2016 14:37, Kirill Marchuk ?????:
> Hi everyone
>
>  I would like to get some help and clarification from the experienced 
> ones, upon the following:
>
> - we're using Asterisk 13.7.0, that is deployed on a host, that has a 
> public IP *and* a couple of gray IPs (192.168.x.x & 10.10.x.x)
>
> - we're using WebRTC web-page (jsSIP) as a client
>
> Which is the proper setup of ICE/STUN related config (on the Asterisk 
> and on the client) for the most reliable work in most cases ?
>
> For example, now we're trying to use our own STUN server (from 
> Debian's "stund" package), whose documentation says "You
have to have
> 2 different public IPs on the same server in order to run STUN server"
>
> Is it really so? and what are the implications of using it with only 
> one IP (which is possible, at least it runs seemingly well without that)
>
> On the client side, we've configured jsSIP.UA to use our own STUN 
> server via "pcConfig" object
>
> On Asterisk, we have icesupport=yes both in sip.conf and rtp.conf. 
> We've also enabled stunaddr=stun.l.google.com:19302 in rtp.conf.
>
> Is it proper solution for this case ?
>
> When I inspect SIP packets, I see that there are ICE candidates in 
> both offers and answers. BUT: SDP bodies in the packets from server to 
> client contain "gray" IPs of the Asterisk host:
>
> a=ice-ufrag:636c49c84158d2b45840291c6724c0f9
> a=ice-pwd:6b012c01092ec01275964eaa55a8784b
> a=candidate:H904cc6da 1 UDP 2130706431 144.76.x.y 51604 typ host
> a=candidate:Ha0a0202 1 UDP 2130706431 10.10.2.2 51604 typ host
> a=candidate:S904cc6da 1 UDP 1694498815 144.76.x.y 51604 typ srflx 
> raddr 144.76.x.y rport 51604
> a=candidate:H904cc6da 2 UDP 2130706430 144.76.x.y 51605 typ host
> a=candidate:Ha0a0202 2 UDP 2130706430 10.10.2.2 51605 typ host
> a=candidate:S904cc6da 2 UDP 1694498814 144.76.x.y 51605 typ srflx 
> raddr 144.76.x.y rport 51605
>
> I am afraid it might be a potential problem, when a client will have 
> his private IP in similar subnets. Or am I wrong here ?
>
> So far we are not experiencing any issues, but this seems to be 
> alarming..
>
> Can this behaviour (namely, which IP addresses does Asterisk include 
> into SDPs body) be configured somehow ?
>
> Many thanks for any help with this question..
>
> Kirill Marchuk