38 • Configuration [SNOM 4S NAT FILTER]
not deal properly with strict and loose routing, which results in complicated routing problems. The filter will take care of the routing problems; the user agent just has to route the request to the filter, which even the poorest implementations are able to do.

The disadvantage of this flag is that it adds more stateful information to the filter. The state does not affect the scalability of the overall system, but the information is lost when the filter is restarted. However, we recommend turning this flag on.
4.3.7 Multiple 2xx Handling
The Filter INVITE 2xx flag deals with another problem that many poor SIP implementations have. In SIP, it is allowed to fork requests to several user agent servers. Several user agents sending a 2xx response back to the UAC at the same time typically creates a race condition. The proxy involved in this transaction cannot cancel the pending requests fast enough to solve this situation. The SIP designers made the design decision that in this situation all 2xx responses must be sent back to the UAC, which has to resolve the condition.
Unfortunately, only a small percentage of existing user agents deal properly with this situation. When you turn the flag on, the filter will only let the first 2xx response pass through to the user agent. Subsequent 2xx responses will be blocked by the filter; instead the filter will send an ACK to the response and immediately terminate the dialog with a BYE message. This is the behaviour of most user agents when receiving multiple 2xx. However, if you are sure that the user agents in your network handle multiple 2xx properly and implement a different behaviour, you should turn this behaviour off.
4.3.8 Trusted Addresses
The list of Trusted IP Addresses is used when sensitive information is extracted from SIP packets. For example, the filter may get an explicit hint on how long the conversation may last at most. If a user agent could send this information itself, it could easily bypass AAA and make telephone calls even when the prepaid card has expired. If you list the IP addresses of your proxies, you can enhance the security significantly.
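The check this section describes, written out as an added example (not code from the snom filter): the duration hint is honoured only when the packet's source address is on the trusted list, and is stripped otherwise. The header name `X-Max-Call-Duration`, the addresses and the function names are assumptions, since the manual does not name the header.

```python
import ipaddress

# Hypothetical header name; the manual does not say which header carries the hint.
HINT_HEADER = "x-max-call-duration"
# Constructed sample list standing in for the operator's own proxies.
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/28")]


def is_trusted(peer_ip, trusted=TRUSTED):
    """Decide on the transport-layer source address, never on Via or
    Contact, because those headers are written by the sender."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in trusted)


def filter_hint(raw_message, peer_ip, trusted=TRUSTED):
    """Return (message_to_forward, max_seconds_or_None).

    From a trusted peer the hint is parsed and kept. From any other peer
    every copy of the header is removed so it cannot affect call limits.
    """
    head, sep, body = raw_message.partition("\r\n\r\n")
    lines = head.split("\r\n")
    trusted_peer = is_trusted(peer_ip, trusted)
    kept, limit, skip = [lines[0]], None, False
    for line in lines[1:]:
        if line[:1] in (" ", "\t"):  # folded continuation follows its header
            if not skip:
                kept.append(line)
            continue
        name, _, value = line.partition(":")
        is_hint = name.strip().lower() == HINT_HEADER
        skip = is_hint and not trusted_peer
        if skip:
            continue  # drop the hint from an untrusted source
        kept.append(line)
        value = value.strip()
        # Malformed values are ignored; the strictest of several hints wins.
        if is_hint and value.isascii() and value.isdigit():
            limit = int(value) if limit is None else min(limit, int(value))
    return "\r\n".join(kept) + sep + body, limit
```
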
4.