BRKCOL-2986

ICE / TURN / STUN Tutorial

Kristof Van Coillie, Technical Leader, Services Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space

cs.co/ciscolivebot#BRKCOL-2986

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Abstract

This session will provide technical background and insights on Traversal Using Relays around NAT (TURN) and Interactive Connectivity Establishment (ICE) and cover how these are used in the Collaboration Portfolio. Participants will learn why TURN is needed and how ICE finds the optimal media path. Troubleshooting guidance will be discussed, demonstrating the serviceability tools available together with best practices.

Agenda

• Why do we need TURN & ICE?

• TURN & ICE explained

• TURN & ICE in Cisco Collaboration

• Collaboration Solutions Analyzer

Why do we need TURN & ICE?

Why do we need TURN & ICE? Media negotiation

(Diagram: 10.10.10.10 and 10.10.10.20 exchange signaling through the SIP Registrar.)

INVITE
Content-Type: application/sdp
c=IN IP4 10.10.10.10
m=audio 30000 RTP/SAVP …

200 OK
Content-Type: application/sdp
c=IN IP4 10.10.10.20
m=audio 40000 RTP/SAVP …

Media: 10.10.10.10:30000 ← → 10.10.10.20:40000

Why do we need TURN & ICE? Connectivity

(Diagram: 10.10.10.10 and 10.10.10.20 register to the SIP Registrar; media flows directly between them.)

Why do we need TURN & ICE? Connectivity

(Diagram: 10.10.10.10 offers media on 10.10.10.10:30000 to a remote party at 173.38.154.85, reached through the SIP Registrar.)

Why do we need TURN & ICE? Relaying the media

(Diagram: a relay at 72.163.4.161 on the Internet sits between 10.10.10.10 and 173.38.154.85; media flows 10.10.10.10 ← → 72.163.4.161 ← → 173.38.154.85, signaling via the SIP Registrar.)

Why do we need TURN & ICE? Relaying the media

Legend: 10.10.10.10 = TURN Client, 72.163.4.161 = TURN Server; far end 173.38.154.85; signaling via the SIP Registrar.

INVITE
Content-Type: application/sdp
c=IN IP4 72.163.4.161
m=audio 24000 RTP/SAVP …

200 OK
Content-Type: application/sdp
c=IN IP4 173.38.154.85
m=audio 40000 RTP/SAVP …

Media: 72.163.4.161:24000 ← → 173.38.154.85:40000, relayed by the TURN Server to 10.10.10.10

Why do we need TURN & ICE? Relaying the media, sometimes

(Diagram: 10.10.10.10, 10.10.10.20 and 173.38.154.85 with several possible media paths, direct and relayed through 72.163.4.161 over the Internet; signaling via the SIP Registrar.)

Finding the best, working media path = ICE

Why do we need TURN & ICE? Candidates

(Diagram: 10.10.10.10 with TURN Server 72.163.4.161 and the SIP Registrar.)

INVITE
Content-Type: application/sdp
c=IN IP4 10.10.10.10
m=audio 30000 RTP/SAVP …
a=candidate:1 1 UDP 2130706431 10.10.10.10 30000 typ host
a=candidate:1 2 UDP 2130706430 10.10.10.10 30001 typ host
a=candidate:3 1 UDP 352321535 72.163.4.161 24000 typ relay raddr 10.10.10.10 rport 30000
a=candidate:3 2 UDP 352321534 72.163.4.161 24001 typ relay raddr 10.10.10.10 rport 30001

Why do we need TURN & ICE? What about STUN?

• STUN is the protocol used between TURN Client and TURN Server (for most messages)

• ICE leverages STUN protocol

Why do we need TURN & ICE? What do the abbreviations mean?

• TURN
  • Traversal Using Relays around NAT
  • Media Relay
  • RFC 5766

• ICE
  • Interactive Connectivity Establishment
  • Finds the best, working media path
  • RFC 5245

• STUN
  • Session Traversal Utilities for NAT
  • Protocol used by TURN & ICE
  • RFC 5389

TURN & ICE explained

Setup Used: O365 TURN (Microsoft interop call)

(Diagram: Endpoint, CUCM, Expr-C, Expr-E, CMS and Office 365 across the Internet; Expr-E = TURN Server, CMS = TURN Client.)

Setup Used: O365 TURN

(Diagram: TURN Client CMS 192.168.0.71; TURN Server Expr-E 192.168.0.200 (inside) / 173.38.154.85 (Internet side); Office 365 on the Internet.)

INVITE
Content-Type: application/sdp
c=IN IP4 192.168.0.71
m=audio 30000 RTP/SAVP …
a=candidate:1 1 UDP 2130706431 192.168.0.71 30000 typ host
a=candidate:1 2 UDP 2130706430 192.168.0.71 30001 typ host
a=candidate:3 1 UDP 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 30000
a=candidate:3 2 UDP 352321534 173.38.154.85 24001 typ relay raddr 192.168.0.71 rport 30001

Steps in TURN / ICE negotiation

• Step 1: Collecting candidates

• Step 2: Exchanging candidates

• Step 3: Connectivity checks

• Step 4: Deciding candidate pair to use

Step 1: Collecting candidates

(Diagram: TURN Client CMS 192.168.0.71; TURN Server Expr-E 192.168.0.200 / 173.38.154.85, listening on :3478.)

STUN messages:
1. Allocate Request
2. Allocate Error Response: 401 Unauthorized, nonce, realm: ciscotac.net
3. Allocate Request (user: turnuser, realm: ciscotac.net, nonce: 9ae6…de7)
4. Allocate Success Response: XOR-RELAYED-ADDRESS 173.38.154.85:24000 (relay candidate), XOR-MAPPED-ADDRESS 192.168.0.71:58952

Step 1: Collecting candidates: Allocations

(Diagram: STUN between client 192.168.0.71:58952 and server 192.168.0.200:3478; RTP at the relayed transport address 173.38.154.85:24000.)

An allocation holds:

• Relayed transport address: 173.38.154.85:24000

• 5-tuple
  • Client’s IP address & port: 192.168.0.71:58952
  • Server IP address & port: 192.168.0.200:3478
  • Transport protocol: UDP

• Authentication: username, realm, password, nonce (turnuser, password, …)

• Time to expiry: how long the allocation is still valid (600 seconds)

• Permissions: initially empty (see later)

• Channel to peer bindings: initially empty (see later)

Step 1: Collecting candidates: Deeper look at allocation request

(Wireshark screenshots over two slides; callout: Authentication.)

Step 1: Collecting candidates: Wireshark

(Screenshot.)

Step 1: Collecting candidates: Collaboration Solutions Analyzer Result

(Screenshot; callouts: Attributes of the allocation, Purpose of allocation.)

Step 1: Collecting candidates: Some notes

• An allocation is needed per stream:
  • Audio RTP / RTCP
  • Video RTP / RTCP
  • Content

• TURN service discovery possible (SRV)
  • Depends on product support

• Messages between TURN client and TURN server can be UDP, TCP or TLS over TCP
  • Depends on product support

Different types of candidates

(Diagram: TURN Client 192.168.0.71 behind a PAT (NAT) with public address 173.38.154.83; TURN Server 173.38.154.85:3478.)

Allocate Request sent from 192.168.0.71:50000, arriving at the server from 173.38.154.83:50000 after the PAT
Allocate Success Response:
XOR-RELAYED-ADDRESS 173.38.154.85:24000
XOR-MAPPED-ADDRESS 173.38.154.83:50000

Different types of candidates

• Host candidate: 192.168.0.71:50000 (the client’s own address)
• Server reflexive candidate: 173.38.154.83:50000 (the client as seen by the TURN Server, from XOR-MAPPED-ADDRESS)
• Relay candidate: 173.38.154.85:24000 (the relayed transport address on the TURN Server, from XOR-RELAYED-ADDRESS)


Step 2: Exchanging candidates: Sending offer after collecting candidates

(Diagram: TURN Client CMS 192.168.0.71 sends the INVITE; TURN Server 173.38.154.85.)

INVITE
Content-Type: application/sdp
c=IN IP4 192.168.0.71   (default candidate)
m=audio 30000 RTP/SAVP …
a=candidate:1 1 UDP 2130706431 192.168.0.71 58952 typ host   (host candidates)
a=candidate:1 2 UDP 2130706430 192.168.0.71 58953 typ host
a=candidate:3 1 UDP 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 58952   (relay candidates)
a=candidate:3 2 UDP 352321534 173.38.154.85 24001 typ relay raddr 192.168.0.71 rport 58953

Step 2: Exchanging candidates: Receiving answer

(Diagram: answer from Office 365; Office 365 TURN Server 52.112.132.17; Office 365 client 192.168.1.30 behind NAT 178.119.234.102; CMS TURN Client 192.168.0.71.)

200 OK
Content-Type: application/sdp
c=IN IP4 52.112.132.17   (default candidate)
m=audio 59229 RTP/SAVP …
a=candidate:1 1 UDP 2130706431 192.168.1.30 50012 typ host   (host candidates)
a=candidate:1 2 UDP 2130705918 192.168.1.30 50013 typ host
a=candidate:4 1 UDP 184547839 52.112.132.17 59229 typ relay raddr 178.119.234.102 rport 50010   (relay candidates)
a=candidate:4 2 UDP 184547326 52.112.132.17 59365 typ relay raddr 178.119.234
a=candidate:10 1 UDP 1694232063 178.119.234.102 50010 typ srflx raddr 192.168.1.30 rport 50010   (server reflexive candidates)
a=candidate:10 2 UDP 1694231550 178.119.234.102 50011 typ srflx raddr 192.168.1.30 rport 50011

Step 2: Exchanging candidates: Some notes

• The agent that generated the offer which started ICE processing = CONTROLLING AGENT

• The other agent = CONTROLLED AGENT

• Controlling agent is responsible for the choice of the final candidate pair for communication

Step 2: Exchanging candidates: Troubleshooting tip

If no candidates are seen in the offer/answer -> allocations of that party failed


Step 3: Connectivity checks: Building pairs

Local candidates: 192.168.0.71:58952 (host), 173.38.154.85:24000 (relay)
Remote candidates: 192.168.1.30:50012 (host), 52.112.132.17:59229 (relay), 178.119.234.102:50010 (srflx)

Candidate pairs:

host 192.168.0.71:58952 ← → 192.168.1.30:50012 host

host 192.168.0.71:58952 ← → 52.112.132.17:59229 relay

host 192.168.0.71:58952 ← → 178.119.234.102:50010 srflx

relay 173.38.154.85:24000 ← → 192.168.1.30:50012 host

relay 173.38.154.85:24000 ← → 52.112.132.17:59229 relay

relay 173.38.154.85:24000 ← → 178.119.234.102:50010 srflx

Step 3: Connectivity checks: Testing each pair

• A check is generated by sending a STUN Binding request from a local candidate to a remote candidate

• A check is considered successful if:
  • A success response is received
  • Src ip:src port of the response = dst ip:dst port of the request
  • Dst ip:dst port of the response = src ip:src port of the request

• First we need to understand how relaying packets works
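As an added example (not code from the deck), the following Python parses the deck's offer and answer candidates, builds the six pairs for the audio RTP component and applies the three success criteria above to simulated responses; the set of working pairs is constructed to match the deck's later result slide.

```python
"""ICE candidate pairing and connectivity-check validation.

Added example, not from the BRKCOL-2986 deck. It parses the a=candidate lines
of the deck's offer (CMS, TURN client 192.168.0.71) and answer (Office 365),
builds the candidate pairs the deck lists for the audio RTP component, and
applies the deck's three criteria to decide whether a check succeeded.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

Address = Tuple[str, int]

# a=candidate lines copied from the deck's offer and answer.
OFFER_SDP = """\
a=candidate:1 1 UDP 2130706431 192.168.0.71 58952 typ host
a=candidate:1 2 UDP 2130706430 192.168.0.71 58953 typ host
a=candidate:3 1 UDP 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 58952
a=candidate:3 2 UDP 352321534 173.38.154.85 24001 typ relay raddr 192.168.0.71 rport 58953
"""
ANSWER_SDP = """\
a=candidate:1 1 UDP 2130706431 192.168.1.30 50012 typ host
a=candidate:1 2 UDP 2130705918 192.168.1.30 50013 typ host
a=candidate:4 1 UDP 184547839 52.112.132.17 59229 typ relay raddr 178.119.234.102 rport 50010
a=candidate:10 1 UDP 1694232063 178.119.234.102 50010 typ srflx raddr 192.168.1.30 rport 50010
a=candidate:10 2 UDP 1694231550 178.119.234.102 50011 typ srflx raddr 192.168.1.30 rport 50011
"""


@dataclass(frozen=True)
class Candidate:
    foundation: str
    component: int      # 1 = RTP, 2 = RTCP
    transport: str
    priority: int
    addr: Address
    typ: str            # host, srflx, relay


def parse_candidates(sdp: str) -> List[Candidate]:
    """Parse RFC 5245 a=candidate lines; any other SDP line is ignored."""
    out = []
    for line in sdp.splitlines():
        if not line.startswith("a=candidate:"):
            continue
        # foundation component transport priority ip port "typ" type [raddr .. rport ..]
        f = line[len("a=candidate:"):].split()
        if len(f) < 8 or f[6] != "typ":
            raise ValueError(f"malformed candidate line: {line!r}")
        out.append(Candidate(f[0], int(f[1]), f[2].upper(), int(f[3]),
                             (f[4], int(f[5])), f[7]))
    return out


def build_pairs(local: List[Candidate], remote: List[Candidate],
                component: int = 1) -> List[Tuple[Candidate, Candidate]]:
    """Pair each local candidate with each remote candidate of the same
    component and transport, local-major, as the deck's pair list does."""
    return [(l, r) for l in local for r in remote
            if l.component == r.component == component
            and l.transport == r.transport]


@dataclass(frozen=True)
class StunMsg:
    src: Address
    dst: Address
    success: bool       # True for a Binding Success Response


def check_succeeded(request: StunMsg, response: Optional[StunMsg]) -> bool:
    """The deck's three criteria: a success response arrived, its source is
    the request's destination and its destination is the request's source.
    A response from any other address (e.g. rewritten by a NAT) is no match."""
    if response is None or not response.success:
        return False
    return response.src == request.dst and response.dst == request.src


def run_checks(pairs: List[Tuple[Candidate, Candidate]],
               working: Set[Tuple[Address, Address]]) -> List[Tuple[str, bool]]:
    """Simulated checks: `working` lists the (local, remote) address pairs a
    matching success response comes back for; the others time out."""
    results = []
    for l, r in pairs:
        req = StunMsg(src=l.addr, dst=r.addr, success=False)
        resp = (StunMsg(src=r.addr, dst=l.addr, success=True)
                if (l.addr, r.addr) in working else None)
        label = f"{l.typ} {l.addr[0]}:{l.addr[1]} <-> {r.addr[0]}:{r.addr[1]} {r.typ}"
        results.append((label, check_succeeded(req, resp)))
    return results


# Constructed to mirror the deck's result slide: only the two relay pairs work.
WORKING = {(("173.38.154.85", 24000), ("52.112.132.17", 59229)),
           (("173.38.154.85", 24000), ("178.119.234.102", 50010))}

if __name__ == "__main__":
    pairs = build_pairs(parse_candidates(OFFER_SDP), parse_candidates(ANSWER_SDP))
    for label, ok in run_checks(pairs, WORKING):
        print(f"{label:62} {'Working pair' if ok else ''}")
```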

Relaying packets

(Diagram: allocation on TURN Server Expr-E with 5-tuple 192.168.0.71:58952 ← → 192.168.0.200:3478 UDP and relayed transport address 173.38.154.85:24000; TURN Client CMS 192.168.0.71.)

• Outgoing: the client sends its data inside STUN to 192.168.0.200:3478; the STUN message tells the server where to send the data to (dst ip:port); the server forwards the data from 173.38.154.85:24000
• Incoming: data arriving at 173.38.154.85:24000 is forwarded to the client inside STUN, which tells the client where the data comes from

• What about security? Can anyone send data and it will be relayed?

Creating permissions

(Diagram: same allocation; the TURN Client sends a Create Permission Request with XOR-PEER-ADDRESS: 192.168.1.30:50012 (the remote candidate); the TURN Server answers Create Permission Success; the allocation now holds a permission for 192.168.1.30.)

• Using this allocation, packets can now be sent to / received from 192.168.1.30

• This is one method to create permissions

Relaying packets: Method 1: outgoing packets (send indication)

(Diagram: the TURN Client sends a Send Indication to 192.168.0.200:3478 with XOR-PEER-ADDRESS: 192.168.1.30:50012 and DATA: application data; the TURN Server forwards the data from 173.38.154.85:24000 to 192.168.1.30:50012.)

* The server checks: the permission and the relayed transport address

Relaying packets: Method 1: incoming packets (data indication)

(Diagram: data from 192.168.1.30:50012 arrives at 173.38.154.85:24000; the TURN Server sends a Data Indication to the TURN Client with XOR-PEER-ADDRESS: 192.168.1.30:50012 and DATA: application data.)

* The server checks: the permission and the 5-tuple

Relaying packets: Method 1

• Drawback
  • Overhead (especially for small audio packets)

Send / Data Indication layout:
Msg Type (2 bytes) | Msg Length (2 bytes) | Msg Cookie (4 bytes)
Msg Transaction ID (12 bytes)
XOR-PEER-ADDRESS (12 bytes)
DATA (96 bytes) …

Relaying packets: Method 2: Channels

• Goal: less overhead

• Channel binding to be created by the TURN client
  • Channel-number (0x4000 – 0x7FFF)
  • Transport address (of the peer)
  • Time to expiry timer

Relaying packets: Method 2: Channel Bind Request

(Diagram: the TURN Client sends a Channel-Bind Request with XOR-PEER-ADDRESS: 192.168.1.30:50012 and CHANNEL-NUMBER: 0x4000 …; the TURN Server answers Channel-Bind Success Response; the allocation now holds a channel to peer binding 0x4000 → 192.168.1.30:50012 with a time-to-expiry.)

• Channel-Bind Request creates a permission as well
  • This is the 2nd method to create permissions

• Multiple channel to peer bindings are possible per allocation (all peer candidates)

Relaying packets: Method 2: outgoing packets (channel)

(Diagram: the TURN Client sends ChannelData with channel number 0x4000 and DATA: application data to 192.168.0.200:3478; the TURN Server forwards the data from 173.38.154.85:24000 to 192.168.1.30:50012, the peer bound to channel 0x4000.)

* The server checks: the channel binding and the relayed transport address

Relaying packets: Method 2: incoming packets (channel)

(Diagram: data from 192.168.1.30:50012 arrives at 173.38.154.85:24000; the TURN Server sends ChannelData with channel number 0x4000 and DATA: application data to the TURN Client.)

* The server checks: the permission, the channel binding and the 5-tuple

Relaying packets: Method 2: ChannelData

• Less overhead (4 bytes vs 32 bytes)

• ChannelData message layout:
Channel Nr (2 bytes) | Msg Length (2 bytes)
DATA (96 bytes) …

Step 3: Connectivity checks: Host-Host

(Diagram: Expr-E 192.168.0.200 / 173.38.154.85; Office 365 TURN Server 52.112.132.17; Office 365 client 192.168.1.30 behind 178.119.234.102; CMS 192.168.0.71.)

STUN Binding requests between 192.168.0.71:58952 and 192.168.1.30:50012

host 192.168.0.71:58952 ← → 192.168.1.30:50012 host

Step 3: Connectivity checks: Host-Host

(Wireshark screenshot of the STUN Binding request; callouts: “Used to correlate request/response”, “Used to order connectivity checks and relative preference for candidate”.)

Controlling agent is responsible for choosing the final candidate pair used for communication

Checks are authenticated using the short-term credential mechanism for STUN

Step 3: Connectivity checks: Relay-Host: method 1

(Diagram: TURN Client CMS 192.168.0.71:58952 → TURN Server Expr-E 192.168.0.200:3478: Send Indication with XOR-PEER-ADDRESS: 192.168.1.30:50012 and DATA: STUN Binding request; the server forwards the STUN Binding request from 173.38.154.85:24000 to 192.168.1.30:50012.)

• Between client and server this is a Send Indication packet
• Wireshark shows this as Send Indication
• The data is a STUN Binding Request

relay 173.38.154.85:24000 ← → 192.168.1.30:50012 host

Step 3: Connectivity checks: Relay-Host: method 2

(Diagram: TURN Client CMS 192.168.0.71:58952 → TURN Server Expr-E 192.168.0.200:3478: ChannelData with channel number 0x4000 and DATA: STUN Binding request; the server forwards the STUN Binding request from 173.38.154.85:24000 to 192.168.1.30:50012.)

• Between client and server this is a ChannelData packet
• Wireshark shows this as ChannelData
• The data is a STUN Binding Request

relay 173.38.154.85:24000 ← → 192.168.1.30:50012 host

Step 3: Connectivity checks: Relay-Server Reflexive

(Diagram: TURN Client CMS 192.168.0.71:58952; TURN Server Expr-E 192.168.0.200:3478 / 173.38.154.85:24000; Office 365 client 192.168.1.30 behind 178.119.234.102:50010.)

Client → Server: ChannelData, channel number 0x4004, DATA: STUN Binding request
Server (173.38.154.85:24000) → 178.119.234.102:50010: STUN Binding request
178.119.234.102:50010 → Server: STUN Binding success response
Server → Client: ChannelData, channel number 0x4004, DATA: STUN Binding success response

relay 173.38.154.85:24000 ← → 178.119.234.102:50010 srflx   Working pair

Step 3: Connectivity checks: Recognize binding request in ChannelData (and Send/Data Indication)

(Wireshark screenshot.)

Step 3: Connectivity checks: Collaboration Solutions Analyzer

(Screenshots over three slides; callouts: Incoming bind request, Outgoing bind request, Encapsulated, Use-candidate.)

STUN Message type

Message                            Type
Allocate Request                   0x0003
Allocate Success Response          0x0103
Allocate Error Response            0x0113
Create Permission Request          0x0008
Create Permission Success Response 0x0108
Channel-Bind Error Response        0x0119
Binding Request                    0x0001
Bind Success Response              0x0101
Bind Error Response                0x0111
ChannelData                        0x4004 (not a STUN type: the first two bytes of a ChannelData message are the channel number, 0x4004 in this capture)
Send Indication                    0x0016
Data Indication                    0x0017

Can be used to filter in Wireshark: stun.type == 0x0003
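As an added example (not code from the deck), the Python below builds and decodes the message kinds in this table: it demultiplexes STUN from ChannelData on the first byte, maps the type to the names above, un-XORs the addresses of an Allocate Success Response and exposes a Binding Request carried inside ChannelData; the attribute type codes are from RFC 5389/5766/5245 and the packets are constructed, not captured.

```python
"""Decoding STUN / TURN messages on the TURN client-server leg.

Added example, not from the BRKCOL-2986 deck. Builds the messages the deck shows
(Allocate Success Response with XOR-RELAYED-ADDRESS / XOR-MAPPED-ADDRESS, and a
ChannelData on channel 0x4004 wrapping a Binding Request with USE-CANDIDATE) and
decodes them: first byte selects STUN vs ChannelData, the type is looked up in
the deck's table, XOR addresses are un-XORed with the magic cookie. The Binding
Request is minimal (no USERNAME / MESSAGE-INTEGRITY); real checks carry more.
"""
import os
import struct
from typing import Any, Dict, List, Optional, Tuple

MAGIC_COOKIE = 0x2112A442

# Message types from the deck's table (RFC 5389 / RFC 5766).
MSG_TYPES = {
    0x0001: "Binding Request", 0x0101: "Binding Success Response",
    0x0111: "Binding Error Response", 0x0003: "Allocate Request",
    0x0103: "Allocate Success Response", 0x0113: "Allocate Error Response",
    0x0008: "CreatePermission Request", 0x0108: "CreatePermission Success Response",
    0x0119: "ChannelBind Error Response", 0x0016: "Send Indication",
    0x0017: "Data Indication",
}
# Attribute type codes (RFC 5389, 5766, 5245).
ATTR_XOR_PEER_ADDRESS, ATTR_DATA, ATTR_XOR_RELAYED_ADDRESS = 0x0012, 0x0013, 0x0016
ATTR_XOR_MAPPED_ADDRESS, ATTR_LIFETIME, ATTR_USE_CANDIDATE = 0x0020, 0x000D, 0x0025
XOR_ADDRS = {ATTR_XOR_PEER_ADDRESS, ATTR_XOR_RELAYED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS}


def xor_address(ip: str, port: int) -> bytes:
    """IPv4 XOR-*-ADDRESS value: reserved, family 0x01, port ^ cookie[:16], addr ^ cookie."""
    addr = int.from_bytes(bytes(int(o) for o in ip.split(".")), "big")
    return struct.pack("!BBHI", 0, 0x01, port ^ (MAGIC_COOKIE >> 16), addr ^ MAGIC_COOKIE)


def build_stun(msg_type: int, attrs: List[Tuple[int, bytes]],
               txid: Optional[bytes] = None) -> bytes:
    """20-byte header (type, length, cookie, 96-bit transaction id) + TLVs padded to 4."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\0" * (-len(v) % 4)
                    for t, v in attrs)
    return struct.pack("!HHI", msg_type, len(body), MAGIC_COOKIE) + (txid or os.urandom(12)) + body


def build_channel_data(channel: int, data: bytes) -> bytes:
    """ChannelData framing: channel number (0x4000-0x7FFF), payload length, payload."""
    if not 0x4000 <= channel <= 0x7FFF:
        raise ValueError("channel number out of range")
    return struct.pack("!HH", channel, len(data)) + data + b"\0" * (-len(data) % 4)


def decode(pkt: bytes) -> Dict[str, Any]:
    """Demultiplex on the first byte: 0x00-0x03 is STUN, 0x40-0x7F is ChannelData.
    A STUN message inside ChannelData or a DATA attribute is decoded recursively,
    which is how a Binding Request relayed through TURN becomes visible."""
    first = pkt[0]
    if 0x40 <= first <= 0x7F:
        channel, length = struct.unpack("!HH", pkt[:4])
        inner = pkt[4:4 + length]
        return {"kind": "ChannelData", "channel": channel,
                "data": decode(inner) if inner and inner[0] <= 0x03 else inner}
    if first > 0x03:
        raise ValueError("neither STUN nor ChannelData")
    msg_type, length, cookie = struct.unpack("!HHI", pkt[:8])
    if cookie != MAGIC_COOKIE or len(pkt) < 20 + length:
        raise ValueError("bad STUN header")
    out: Dict[str, Any] = {"kind": "STUN", "type": MSG_TYPES.get(msg_type, hex(msg_type)), "attrs": {}}
    pos = 20
    while pos < 20 + length:
        t, l = struct.unpack("!HH", pkt[pos:pos + 4])
        v = pkt[pos + 4:pos + 4 + l]
        if t in XOR_ADDRS:
            _, _fam, xport, xaddr = struct.unpack("!BBHI", v)
            ip = ".".join(str(b) for b in (xaddr ^ MAGIC_COOKIE).to_bytes(4, "big"))
            out["attrs"][t] = (ip, xport ^ (MAGIC_COOKIE >> 16))
        elif t == ATTR_LIFETIME:
            out["attrs"][t] = struct.unpack("!I", v)[0]
        elif t == ATTR_DATA and v and v[0] <= 0x03:
            out["attrs"][t] = decode(v)
        else:
            out["attrs"][t] = v
        pos += 4 + l + (-l % 4)          # attributes are 4-byte aligned
    return out


def deck_messages() -> Dict[str, bytes]:
    """Constructed packets mirroring the deck's figures (not captured traffic)."""
    allocate_ok = build_stun(0x0103, [
        (ATTR_XOR_RELAYED_ADDRESS, xor_address("173.38.154.85", 24000)),
        (ATTR_XOR_MAPPED_ADDRESS, xor_address("192.168.0.71", 58952)),
        (ATTR_LIFETIME, struct.pack("!I", 600))])
    binding_req = build_stun(0x0001, [(ATTR_USE_CANDIDATE, b"")])
    return {"allocate_success": allocate_ok,
            "channel_0x4004": build_channel_data(0x4004, binding_req)}


def overhead(payload_len: int) -> Tuple[int, int]:
    """Bytes added around a payload by a Send Indication vs ChannelData. The deck's
    32 counts header + XOR-PEER-ADDRESS; the DATA attribute's own TLV header adds 4."""
    ind = build_stun(0x0016, [(ATTR_XOR_PEER_ADDRESS, xor_address("192.168.1.30", 50012)),
                              (ATTR_DATA, b"\0" * payload_len)])
    return len(ind) - payload_len, len(build_channel_data(0x4000, b"\0" * payload_len)) - payload_len


if __name__ == "__main__":
    print({n: decode(p) for n, p in deck_messages().items()}, overhead(96))
```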

Step 3: Connectivity checks: Connectivity check result

host 192.168.0.71:58952 ← → 192.168.1.30:50012 host

host 192.168.0.71:58952 ← → 52.112.132.17:59229 relay

host 192.168.0.71:58952 ← → 178.119.234.102:50010 srflx

relay 173.38.154.85:24000 ← → 192.168.1.30:50012 host

relay 173.38.154.85:24000 ← → 52.112.132.17:59229 relay Working pair

relay 173.38.154.85:24000 ← → 178.119.234.102:50010 srflx Working pair


Step 4: Deciding what candidate pair to use

• Controlling Agent nominates which (valid) candidate pair will be used
  • Normal nomination
  • Aggressive nomination

• Controlling Agent sends an updated offer if the selected candidates don’t match the default candidates

Step 4: Deciding what candidate pair to use: Normal nomination

• Controlling agent picks amongst valid pairs
  • Sends a 2nd bind request, with the USE-CANDIDATE flag
  • Both sides stop checks for this media stream
  • Media is now sent over this pair

Step 4: Deciding what candidate pair to use: Normal nomination

(Diagram: TURN Client CMS 192.168.0.71:58952; TURN Server Expr-E 192.168.0.200:3478 / 173.38.154.85:24000; Office 365 client 192.168.1.30 behind 178.119.234.102:50010; the client-server leg uses ChannelData on channel 0x4004.)

1. ChannelData: STUN Binding request
2. ChannelData: STUN Binding success response
3. ChannelData: STUN Binding request
4. ChannelData: STUN Binding success response
5. ChannelData, channel number 0x4004, DATA: STUN Binding request with USE-CANDIDATE
6. ChannelData: STUN Binding success response

Step 4: Deciding what candidate pair to use: Aggressive nomination

• Controlling Agent sends the USE-CANDIDATE flag in every STUN Request

• Once a check succeeds, ICE processing is complete for that media stream

• Selected pair will be the highest-priority valid pair whose check succeeded

• + Faster

• - Less flexibility

Step 4: Deciding what candidate pair to use: Aggressive nomination

(Diagram: TURN Client CMS 192.168.0.71:58952; TURN Server Expr-E 192.168.0.200:3478 / 173.38.154.85; Office 365 client 192.168.1.30 behind 178.119.234.102:50010.)

STUN Binding request → 192.168.1.30:50012, USE-CANDIDATE
STUN Binding request → 178.119.234.102:50010, USE-CANDIDATE
ChannelData → 192.168.0.200:3478, channel number 0x4004, DATA: STUN Binding request, USE-CANDIDATE

Step 4: Deciding what candidate pair to use: Sending updated offer

Initial offer/answer (CMS 192.168.0.71):

INVITE
Content-Type: application/sdp
c=IN IP4 192.168.0.71
m=audio 30000 RTP/SAVP …

200 OK
Content-Type: application/sdp
c=IN IP4 52.112.132.17
m=audio 59229 RTP/SAVP …

ICE connectivity checks

Updated offer/answer with the selected pair:

INVITE
Content-Type: application/sdp
c=IN IP4 173.38.154.85
m=audio 24000 RTP/SAVP …

200 OK
Content-Type: application/sdp
c=IN IP4 178.119.234.102
m=audio 50010 RTP/SAVP …

Recap

(Diagram: TURN Client, TURN Server, SIP Proxy and peer candidates; STUN between TURN Client and TURN Server, SIP towards the SIP Proxy.)

1. Allocating candidates
2. Exchanging candidates (SDP)
3a. Creating permissions, creating channel bindings
3b. Connectivity checks (towards the peer candidates)
4. Updating signaling with chosen candidates (mid-call invite)

TURN TCP Allocations

• Everything covered so far: UDP allocations (TURN client ← → TURN Server: STUN over UDP / TCP / TLS; TURN Server ← → peer: UDP)

• Some applications require a TCP connection with the peer to send/receive data (TURN client ← → TURN Server: STUN over TCP / TLS; TURN Server ← → peer: TCP)

• RFC 6062: TURN Extensions for TCP Allocations

• Example: content sharing with Microsoft

TURN TCP Allocations: Allocate request

(Wireshark screenshot.)

TURN TCP Allocations: Offer / Answer

(Diagram: TURN Client CMS 192.168.0.71; TURN Server 173.38.154.85.)

INVITE
Content-Type: application/sdp
c=IN IP4 192.168.0.71
m=applicationsharing 40463 TCP/RTP/AVP 127
a=candidate:1 1 TCP-PASS 2130706431 192.168.0.71 40463 typ host
a=candidate:1 2 TCP-PASS 2130706431 192.168.0.71 40463 typ host
a=candidate:3 1 TCP-PASS 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 34434
a=candidate:3 2 TCP-PASS 352321535 173.38.154.85 24000 typ relay raddr 192.168.0.71 rport 34434

TCP candidates

TURN TCP Allocations: Receiving a connection

(Diagram: TURN Client CMS 192.168.0.71; TURN Server Expr-E 192.168.0.200 / 173.38.154.85; control connection 192.168.0.71:34434 → 192.168.0.200:3478, which was used to allocate the relay address 173.38.154.85:24000.)

1. Peer 178.119.249.244:50058 connects to the relayed address 173.38.154.85:24000
2. Server → Client (control connection): ConnectionAttempt Indication, XOR-PEER-ADDRESS 178.119.249.244:50058, CONNECTION-ID: 0x002a
3. Client opens a new TCP connection 192.168.0.71:34087 → 192.168.0.200:3478 (client data connection, one per peer candidate)
4. Client → Server (data connection): ConnectionBind Request, CONNECTION-ID: 0x002a
5. Server → Client: ConnectionBind Success Response, CONNECTION-ID: 0x002a; the client data connection now carries the data for this peer

TURN TCP Allocations: Receiving a connection

(Wireshark screenshot: CMS TURN Client 192.168.0.71, TURN Server 192.168.0.200 / 173.38.154.85.)

TURN TCP Allocations: Initiating a connection

(Diagram: the same control connection 192.168.0.71:34434 → 192.168.0.200:3478, which was used to allocate the relay address 173.38.154.85:24000.)

1. Client → Server (control connection): ConnectionRequest, XOR-PEER-ADDRESS 178.119.249.244:50058
2. Server initiates an outgoing TCP connection from 173.38.154.85:24000 to 178.119.249.244:50058
3. Server → Client: ConnectionRequest Success Response, CONNECTION-ID: 0x002a
4. Client opens a new TCP connection 192.168.0.71:34087 → 192.168.0.200:3478 (client data connection, one per peer candidate)
5. Client → Server (data connection): ConnectionBind Request, CONNECTION-ID: 0x002a
6. Server → Client: ConnectionBind Success Response, CONNECTION-ID: 0x002a; the client data connection now carries the data for this peer

This was only the tip of the ICEberg: What we did not cover

• Sorting candidates

• Frozen candidates

• Lite implementation

• Refresh

• Peer reflexive candidates

• …

• ICE RFC

TURN & ICE in Cisco Collaboration

Solutions that support TURN & ICE

• Microsoft Interop

• WebRTC

• Cisco Meeting Application

• MRA (coming soon)

• Expressway and Collaboration Endpoints

• Jabber Guest

Microsoft Business To Business Calls

(Diagram: Endpoint, CUCM, Expr-C, Expr-E, CMS and Microsoft across the Internet; SIP signaling, STUN between CMS and Expr-E, RTP media.)

• CMS: TURN Client

• Expr-E: TURN Server

WebRTC

(Diagram: WebRTC Client, Expr-E, Expr-C and CMS across the Internet; HTTPS, STUN and RTP.)

• CMS: TURN Client

• WebRTC Client: TURN Client

• Expr-E: TURN Server

WebRTC: NAT reflection required when using static NAT

* Server reflexive candidates are not taken into account

(Diagram: CMS 192.168.0.71; Expr-E 192.168.0.200 / 192.168.1.200, static NAT to 173.38.154.85; WebRTC Client 10.10.10.10 on the Internet.)

Candidates:
CMS: 192.168.0.71:36000 (host), 173.38.154.85:24000 (relay)
WebRTC Client: 10.10.10.10:40000 (host), 173.38.154.85:24010 (relay)

Candidate pairs:
192.168.0.71:36000 ← → 10.10.10.10:40000
192.168.0.71:36000 ← → 173.38.154.85:24010
173.38.154.85:24000 ← → 10.10.10.10:40000
173.38.154.85:24000 ← → 173.38.154.85:24010   Working pair

WebRTC: NAT reflection required when using static NAT

(Diagram: CMS 192.168.0.71 ← → Expr-E 192.168.0.200:3478 (STUN|RTP); WebRTC Client 10.10.10.10 ← → 173.38.154.85:3478 over the Internet (STUN|RTP); RTP between the relayed addresses :24000 and :24010 is sent to the remote candidate 173.38.154.85:24000, Expr-E’s own public address, so the static NAT must reflect it.)

Enhancement to keep media local: CSCve37570

Selected pair: 173.38.154.85:24000 ← → 173.38.154.85:24010

Cisco Meeting Application

(Diagram: CMA Client, CMS Edge and CMS Core across the Internet; XMPP, STUN and RTP.)

• CallBridge (CMS Core): Turn Client

• CMA Client: Turn Client

• CMS Edge: Turn Server

Mobile and Remote Access: Current behavior

(Diagram: MRA device, Expr-E, Expr-C and CUCM across the Internet; SIP and RTP.)

• Media is hairpinned on Expr-C

Mobile and Remote Access: New behavior

(Diagram: MRA device, Expr-E, Expr-C and CUCM across the Internet; SIP and RTP.)

• MRA device: Turn Client

• Expr-E: Turn Server

• RTP stream can go direct if there is connectivity

Expressway-E as TURN Server

(Screenshots of the Expressway-E TURN status pages over two slides; callouts: Relayed transport address, Client information, Time to expiry, Permissions (for each peer candidate), Channels created, Details on created permissions, Details on created channels, Counters.)

Collaboration Solutions Analyzer

cs.co/csa


Complete Your Online Session Evaluation

• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Tech Circle

• Meet the Engineer 1:1 meetings

• Related sessions

Thank you