Application Protocol Inspection Overview
SIP Inspection
Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide
3-18
Session Initiation Protocol (SIP) is used for call-handling sessions, especially two-party conferences. SIP carries the Session Description Protocol (SDP) in its message bodies to describe the media streams (addresses, ports, codecs) that the signaled call will use.
SIP inspection performs the following operations:
• Translates the addresses embedded in the text-based SIP messages, recalculates the Content-Length for the SDP portion of the message, and recalculates the packet length and checksum.
• Dynamically opens media connections for the addresses and ports specified in the SDP portion of the SIP message, on which the endpoint should listen.
• Opens RTP and RTCP connections between the two endpoints using the media addresses and ports maintained in a SIP inspection database indexed by the CALL_ID, FROM, and TO values from the SIP header. These indices identify the call, the source, and the destination.
• Performs RFC 3261 compliance checks, including checking that the request method is one of the predefined methods (OPTIONS, INVITE, REGISTER, ACK, CANCEL, BYE) and validating its syntax.
• Checks whether a SIP message is compliant with the following RFC extensions:
– RFC 2976 (INFO)
– RFC 3262 (PRACK)
– RFC 3265 (SUBSCRIBE/NOTIFY)
– RFC 3311 (UPDATE)
– RFC 3515 and RFC 3892 (REFER)
– RFC 3428 (MESSAGE)
• Enforces the presence and validity of the mandatory header fields (From, To, Call-ID, CSeq, Via, Max-Forwards).
• Enforces forbidden header fields: a message that carries a header field configured as forbidden is not allowed through.
• Checks the URIs in header fields against a permit or deny list of callers or callees. If the user is not entitled to talk to any host on the protected network, the ACE appliance generates a SIP response (603 Decline).
• Checks the Via field to deny messages from specific SIP proxy servers.
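The following Python is an added illustration, not Cisco ACE code or configuration. It sketches the request-side checks listed above as a toy inspector: method validation against the RFC 3261 core methods and the listed extension methods, mandatory and forbidden header enforcement, verification that Content-Length matches the body, a Via-based proxy deny list, a callee deny list answered with a 603 Decline, and extraction of the SDP media address and ports for which RTP and RTCP connections would be opened. The sample INVITE, the host names, URIs and policy values are all constructed; compact header forms and media-level c= lines are not handled.

```python
# Added example (not Cisco ACE code): a toy inspector for SIP requests that
# applies the checks listed above. Policy values and the INVITE are constructed.
import re

# RFC 3261 core methods plus the extension methods named in the text.
CORE_METHODS = {"OPTIONS", "INVITE", "REGISTER", "ACK", "CANCEL", "BYE"}
EXTENSION_METHODS = {"INFO", "PRACK", "SUBSCRIBE", "NOTIFY", "UPDATE", "REFER", "MESSAGE"}
MANDATORY_HEADERS = ("From", "To", "Call-ID", "CSeq", "Via", "Max-Forwards")


def parse_sip(raw):
    """Split a SIP message into request line, headers (lowercased names) and body.
    Compact header forms (f:, t:, i:, v:) are not expanded in this toy."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def sdp_media(body):
    """Return (address, rtp_port, rtcp_port) per m= line: the pinholes an
    inspector opens. Uses the session-level c= line; media-level c= overrides
    are ignored here. RTCP is assumed on RTP port + 1 (RFC 3550 convention)."""
    media, conn = [], None
    for line in body.split("\r\n"):
        if line.startswith("c="):            # c=IN IP4 <addr>
            conn = line.split()[2]
        elif line.startswith("m="):          # m=audio <port> RTP/AVP <fmt>
            port = int(line.split()[1])
            media.append((conn, port, port + 1))
    return media


def decline(headers):
    """603 Decline answering the request. Per RFC 3261 section 8.2.6.2 the
    response copies Via, From, To, Call-ID and CSeq from the request."""
    resp = ["SIP/2.0 603 Decline"]
    for name in ("Via", "From", "To", "Call-ID", "CSeq"):
        resp += [f"{name}: {v}" for v in headers[name.lower()]]
    resp.append("Content-Length: 0")
    return "\r\n".join(resp) + "\r\n\r\n"


def inspect(raw, forbidden=(), denied_callees=(), denied_proxies=()):
    """Return ("permit", pinholes), ("drop", reason) or ("reject", response)."""
    request_line, headers, body = parse_sip(raw)
    parts = request_line.split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return "drop", "malformed request line"
    if parts[0] not in CORE_METHODS | EXTENSION_METHODS:
        return "drop", f"unknown method {parts[0]}"
    for name in MANDATORY_HEADERS:
        if name.lower() not in headers:
            return "drop", f"missing mandatory header {name}"
    for name in forbidden:
        if name.lower() in headers:
            return "drop", f"forbidden header {name}"
    if "content-length" in headers and int(headers["content-length"][0]) != len(body):
        return "drop", "Content-Length does not match body"
    # Topmost Via is the proxy that forwarded the request: "SIP/2.0/UDP host[:port];params"
    via = headers["via"][0].split()
    if len(via) < 2:
        return "drop", "malformed Via"
    via_host = via[1].split(";")[0].split(":")[0]
    if via_host in denied_proxies:
        return "drop", f"denied proxy {via_host}"
    # Callee URI from To (a caller check on From would look the same).
    m = re.search(r"<([^>]+)>", headers["to"][0])
    callee = m.group(1) if m else headers["to"][0].split(";")[0]
    if callee in denied_callees:
        return "reject", decline(headers)
    return "permit", sdp_media(body)


def sample_invite(callee="sip:bob@192.0.2.20", proxy="proxy.example.com"):
    """Constructed INVITE carrying an SDP offer (not captured traffic)."""
    sdp = "\r\n".join([
        "v=0", "o=alice 2890844526 2890844526 IN IP4 198.51.100.10", "s=-",
        "c=IN IP4 198.51.100.10", "t=0 0", "m=audio 49170 RTP/AVP 0",
        "a=rtpmap:0 PCMU/8000",
    ]) + "\r\n"
    head = "\r\n".join([
        f"INVITE {callee} SIP/2.0",
        f"Via: SIP/2.0/UDP {proxy}:5060;branch=z9hG4bK776asdhds",
        "Max-Forwards: 70",
        f"To: Bob <{callee}>",
        "From: Alice <sip:alice@198.51.100.10>;tag=1928301774",
        "Call-ID: a84b4c76e66710@198.51.100.10",
        "CSeq: 314159 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",  # recomputed from the body, as after translation
    ])
    return head + "\r\n\r\n" + sdp


if __name__ == "__main__":
    print(inspect(sample_invite()))
    print(inspect(sample_invite(), denied_callees={"sip:bob@192.0.2.20"})[1])
```

Running the block permits the constructed INVITE and reports the single audio pinhole (198.51.100.10, RTP 49170, RTCP 49171); with the callee on the deny list it instead returns the 603 Decline that echoes the request's Via, From, To, Call-ID and CSeq. A real inspector also tracks responses and the call state keyed by Call-ID, From and To, which this request-only sketch omits.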
Chapter 3
Configuring Application Protocol Inspection
OL-16202-01