HP ProCurve 7102dl Reference Manual page 402

Secure router sros command line interface
SROS Command Line Interface Reference Guide
Global Configuration Mode Command Set
Usage Examples
The following example disables ALG for FTP:
ProCurve(config)#no ip firewall alg ftp
Technology Review
SIP is one protocol in a suite of protocols that was designed to replace H.323 for IP telephony. SIP
operates in Layer 7 of the OSI model (Application layer) to create, modify, and terminate sessions between
nodes. SIP not only provides recommendations for IP telephony, but multimedia distribution and
conferences as well. SIP version 1.0 was defined in RFC2453, and was refined to SIP version 2.0 in
RFC3261.
SIP operations occur between SIP UAs and SIP servers. Types of SIP servers include proxy, redirect,
registrar, and presence. The part of a SIP UA that sends messages is known as the User Agent Client
(UAC). The part of a SIP UA that receives messages is known as a User Agent Server (UAS).
SIP was originally designed for use over UDP. SIP servers, by default, listen on port 5060. Due to security
concerns, SIP is now transitioning to TCP and Transport Layer Security (TLS). SIP servers using
TLS-over-TCP listen on port 5061. SIP UAs listen on a range of ports. The listening UDP port can be
manually changed using the ip firewall alg sip udp command.
SIP uses the Session Description Protocol (SDP) to format the SIP message body in order to negotiate a
Real-time Transport Protocol (RTP)/Real-time Transport Control Protocol (RTCP) connection between two
or more UAs. The ports used for this will always be selected in a pair, with the even port used for RTP and
the odd port for RTCP. SIP, because it uses SDP and RTP, causes many problems for standard firewalls.
Neither SIP nor RTP is guaranteed to be symmetric, which causes problems for stateful-inspection
firewalls that rely on symmetric flows. SIP and SDP carry IP addresses and ports embedded in the packet
payload, while standard NAT implementations modify only the IP and TCP/UDP headers. A true SIP ALG is
required not only to modify the packets as needed for NAT, but also to open holes in the firewall as needed
for traffic flow, based on the information carried in the SIP header.
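As an added illustration (not from this manual or the SROS software), the following Python snippet pulls the addresses and ports a SIP ALG has to track out of a constructed INVITE's headers and SDP body, derives the RTP/RTCP port pair from the SDP m= line, and performs the header/body address rewrite that a plain NAT never does. All addresses and ports in the sample are made up.

```python
import re

# Constructed sample: a minimal SIP INVITE carrying an SDP body. The private
# address 192.168.1.20, port 5060 and RTP port 49170 are made-up values.
SAMPLE_BODY = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    f"Content-Length: {len(SAMPLE_BODY)}\r\n"
    "\r\n" + SAMPLE_BODY
)

def embedded_endpoints(sip_message):
    """Signaling endpoints from Via/Contact and media endpoints from SDP
    (c= address, m= port); the m= port is RTP, the next odd port is RTCP."""
    head, _, body = sip_message.partition("\r\n\r\n")
    signaling = []
    for line in head.split("\r\n"):
        m = re.search(r"(?:UDP|TCP|TLS)\s+([\d.]+):(\d+)|@([\d.]+):(\d+)", line)
        if m:
            signaling.append((m.group(1) or m.group(3), int(m.group(2) or m.group(4))))
    media, conn_ip = [], None
    for line in body.split("\r\n"):
        if line.startswith("c="):            # c=IN IP4 <addr>
            conn_ip = line.split()[-1]
        elif line.startswith("m="):          # m=<type> <port> <proto> <fmt>
            rtp = int(line.split()[1])
            media.append({"ip": conn_ip, "rtp": rtp, "rtcp": rtp + 1})
    return {"signaling": signaling, "media": media}

def alg_rewrite(sip_message, private_ip, public_ip):
    """Rewrite the private address in headers and SDP body (the part a plain
    NAT leaves untouched) and fix Content-Length, since the body length changes."""
    head, sep, body = sip_message.partition("\r\n\r\n")
    head = head.replace(private_ip, public_ip)
    body = body.replace(private_ip, public_ip)
    head = re.sub(r"(?m)^Content-Length:[^\r\n]*", f"Content-Length: {len(body)}", head)
    return head + sep + body
```

The `media` entries are exactly the pinholes the firewall must open for the call, and the `signaling` entries are what the NAT-rewritten headers must advertise instead of the private address.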
Enabling the SROS SIP ALG (using the ip firewall alg sip command) configures the firewall to examine
all SIP packets it identifies and maintain knowledge of SIP transmissions on the network. Since SIP
packet headers include port information for the call setup, the ALG must intelligently read the packets and
remember the information. To accomplish this, the SIP ALG enables two other SIP functions, the SIP stack
(ip sip command) and the SIP proxy server (ip sip proxy). This operation allows dynamic configuration of
the SIP network, because UAs on the network do not need to be manually added to the router's location
database. If there is a SIP node on the network that transmits traffic, the router will identify the traffic as SIP
traffic and maintain the appropriate information. This mode can be considered "transparent-proxy." A
ProCurve Secure Router running in transparent-proxy mode can be added to a previously configured
network (without requiring specific SIP location database configuration) and can be expected to
intelligently route SIP packets.
As an alternative to running in transparent-proxy mode, the Secure Router SIP proxy server can be
configured to restrict SIP knowledge to only nodes entered into the location database (using the no ip
firewall alg sip command). Just as a router uses an IP route table to determine the destination for IP
packets it receives, a SIP proxy server uses the location database to determine the appropriate destination
UA. Manually configuring the location database can be cumbersome for a large SIP network. To avoid
losing pertinent information in the event of a power loss, use the ip sip database local command to create
a persistent database on the local router memory that is maintained across a power loss.
5991-2114
© Copyright 2007 Hewlett-Packard Development Company, L.P.
400