SightSpeed and NAT Traversal
My friends at SightSpeed are smart people. Aswath Rao is also a smart dude. And, of course, it took a smart guy like Aswath to get to the bottom of something I remember seeing in “release note” or something similar–improved ability to traverse NAT. I feel the need to explain Network Address Translation as a whole as it’s something that we commonly throw around but don’t really describe in any detail. Your eyes might glaze over here, so skip ahead to the last two paragraphs if you don’t really care about the technical details of NAT.
Note that I am approaching this from a consumer perspective, it basically works a similar way in a corporate environment.
The basic problem is that there is a limited number of IP addresses that are available on the Internet. ISPs typically will only allocate your home a single, reachable IP address, unless you pay for more. How many people have more than one computer at home these days? Is one IP address going to cut it? Don’t think so.
The next thing you do is go buy a router from your local tech store. You know, from companies like Linksys, D-Link, Belkin, and probably a host of others. They’re cheap and cheerful, they advertise the ability to share your Internet connection with more computers than you’ll likely to ever need, and may also include access via WiFi. You unplug your computer from the Internet connection and plug in this router. Your computer now plugs into the included switch on the router. It gets an IP address, you can connect to Goggle, and you’re happy.
What’s going on behind the scenes is something called Network Address Translation, or NAT. It is a technology that allows hosts to transparently talk to one another with addresses that are agreeable to each other. To put it another way, NAT allows hosts with private or otherwise unusable IP addresses to talk with hosts on a public network and vice-versa. It is a godsend for the typical home user who is dealing with the typical ISP that only gives you one IP address and may have several computers that need access to the Internet.
Notice I said private IP address above. What is a private IP? The folks in the Internet Engineering Task Force realized long ago it was important to have some IP addresses set aside for “private use.” For the geeks, it’s defined in RFC1918. These private IP addresses can be used within, say, a local network. However, those IP addresses will be meaningless on the Internet. Your router you bought will typically give you an IP address of 192.168.x.y, where x and y are numbers between 0 and 255. This is one set of private IP addresses, the others are of the form 10.x.y.z (where z is between 0 and 255) and 172.a.x.y (a in this case is a number between 16 and 31).
When your PC with a private IP address now tries to access Google through the router, the communications are getting rewritten on the fly so that they appear to be coming from the public IP address allocated to you by your ISP. There are two places where the private IP address may appear: within the IP headers themselves (think of IP headers as an “envelope” that says who sent the data and where it is going), and within the data portion of the packet (i.e. the contents of the “envelope.”) The vast majority of home routers do not change the IP address in the data portion of the packet except in a couple of very limited circumstances.
When applications rely on the data portion of the packet containing a valid IP address, they fail when subjected to NAT. SIP, the underlying protocol SightSpeed is using to deliver audio and video, is no exception. The application must be smart enough to detect that NAT is involved so it can add other hints to make the communication work when NAT is involved.
Furthermore, this kind of NAT also makes it difficult to allow an externally initiated communication inside to your PC. This is actually a useful security feature, but it wreaks additional havoc with SIP-based applications such as SightSpeed and a number of other applications.
In the case of SightSpeed, it is especially important that the vast majority of the communication between any two parties making a video call happen peer-to-peer, just for bandwidth reasons. If both parties are behind NAT–increasingly likely these days–this becomes a huge challenge.
Applications like SightSpeed must employ something called NAT Traversal to figure out how to communicate despite one or more NAT devices complicating the communication. There are a number of different methods for traversing a NAT, but they don’t work in all cases. This is because each device that does NAT implements it a little different. Methods that work with one NAT device won’t work with another. The most challenging variety is called symmetric NAT and none of the “standard” ways of traversing NAT work with symmetric NAT.
Apparently, the SightSpeed folks have figured out a way to traverse more NAT devices, including ones that employ symmetric NAT. They have studied a number of devices and corporate firewalls and have a method to traverse more NAT devices than ever before! For the rare times where SightSpeed cannot traverse your NAT, the connection will be proxied through SightSpeed.’s servers as was done in the past. Note that in a multi-party video conference, the call is always proxied through SightSpeed.
I saw this improvement for myself. On an earlier version of SightSpeed, I was testing a connection between my DSL and Cable mode connections. I was unable to make a video call between these two computers with the older version of SightSpeed (pre 5.0), or when I was, the quality was not so great. Once I had the 5.0 beta (at that time) loaded, I was able to make calls and the quality was much better.