Version 6.2 481 February 2011
SIP User's Manual 8. IP Telephony Capabilities
8.4.1.1 NAT Traversal
The device supports NAT traversal, allowing, for example, communication with ITSPs with
globally unique IP addresses, for LAN-to-WAN VoIP signaling (and bearer), using two
independent legs. In addition, it also enables communication for "far-end" users located
behind a NAT on the WAN. The device supports this by:
Continually registering far-end users in its dynamic database
Maintaining remote NAT binding state by frequent registrations, thereby, off-loading
far-end registrations from the LAN IP PBX
Using Symmetric RTP (RFC 4961) to overcome bearer NAT traversal
8.4.1.2 VoIP Firewall
The device provides a firewall for VoIP:
SIP signaling:
• Deep and stateful inspection of all SIP signaling packets
• SIP dialog initiations may be rejected based on values of incoming SIP INVITE
message and other Layer-3 characteristics
• Packets not belonging to an authorized SIP dialog are discarded
RTP:
• Opening pinholes (ports) in the device's firewall based on Offer-Answer SDP
negotiations
• Deep packet inspection of all RTP packets
• Late rouge detection - if a SIP session was gracefully terminated and someone
tries to "ride on it" with rouge traffic from the already terminated RTP and SIP
context, the VoIP Firewall prevents this from occurring
• Disconnects call (after user-defined time) if RTP connection is broken
• Black/White lists for both Layer-3 firewall and SIP classification
8.4.1.3 Topology Hiding
The device supports topology hiding, limiting the amount of topology information displayed
to external parties. For example, IP addresses of ITSPs' equipment (e.g. proxies,
gateways, and application servers) can be hidden from outside parties.
The device's topology hiding is provided by implementing back-to-back user agent
(B2BUA) leg routing:
Strips all incoming SIP Via header fields and creates a new Via value for the outgoing
message
Each leg has its own Route/Record Route set
Modifies SIP To, From, and Request-URI host names
Generates a new SIP Call-ID header value (different between legs)
Changes the SIP Contact header to the device's own address
Layer-3 topology hiding by modifying source IP address in the SIP IP header
To Next Page
Loading...
