Manual Chapter : SIP Overview

Applies To:

BIG-IP LTM

  • 15.0.0, 14.1.0, 14.0.0

Capabilities

This section provides a concise summary of the BIG-IP® MRF SIP solution.

Load Balancing

  • Route SIP control messages without modifying SIP headers.
  • The following header changes can be configured to happen automatically:
    • VIA Header inserted
    • Record-Route Header inserted
    • Max-Forwards decremented
  • Any header attribute can be modified via iRule.
  • Natively route messages based on:
    • From URI
    • To URI
    • Request URI
    • Originating Virtual Server
  • Route messages via iRule on any attribute of the message.
  • Response routing natively using data added to the inserted VIA Header.
  • Response routing available via iRule:
    • Add private header to request
    • Insertion of VIA Header to request via iRule
    • Route to upstream device using received VIA Header
    • Remember data from request processing
  • Bi-directional persistence support.
    • Persistence key selection via configuration or custom key via iRule
  • Connection Re-Use Support
  • High Availability (HA)
    • Connection mirroring
    • Persistence table replication

ALG without SNAT (No Address Translation)

  • Snoop control messages flowing through to manage media flows.
  • iRule can be used to rewrite headers.
  • Create media records in session db.
  • Create deny listeners to drop media packets received before the callee responds with its media details.
  • Create media flows to forward packets between caller and callee.
  • High Availability (HA)
    • Call table replication (supports failback)
    • Control connection mirroring (can be recreated on failback by endpoint)
    • Media flow mirroring

SRTP Compliance (RFC 3711)

We do not support SRTP in ALG without SNAT mode.

Security Advisory

When operating in ALG mode, the system does not have access to any verifiably authoritative source of information about which endpoints or users should be allowed access to media connections, and does not actively control or restrict the messaging in media channels. It is therefore possible for an attacker with access to a device inside a BIG-IP® system and a related SIP-proxy outside the BIG-IP system (e.g. on the Internet) to use the SIP-ALG feature to create arbitrary communications channels between those two devices via carefully crafted SIP messages, or to route non-call data via SIP-negotiated media channels.

Customers are expected to provide external control of SIP messaging that would make use of the SIP ALG feature, mitigating this concern by transferring the risk to their SIP controller.
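
The following is an added example, not F5 code and not part of the BIG-IP product: one way an external SIP controller could apply the control described above, by checking the media details a SIP message carries in its SDP body (the connection addresses, ports and media types that an ALG would snoop) against a media policy before the message is passed on. The policy values, function names and sample messages are assumptions constructed for illustration.

```python
import ipaddress

# Assumed (hypothetical) policy: media networks, RTP port range, call media types.
ALLOWED_MEDIA_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ALLOWED_PORTS = range(16384, 32768)
ALLOWED_MEDIA = {"audio", "video"}

def sdp_media(sip_message):
    """Return [(media, address, port)] for every m= line in the SDP body."""
    _, _, body = sip_message.replace("\r\n", "\n").partition("\n\n")
    session_addr, streams = None, []
    for line in body.splitlines():
        kind, _, value = line.partition("=")
        fields = value.split()
        if kind == "c" and len(fields) == 3:      # c=IN IP4 <address>
            addr = fields[2].split("/")[0]        # drop a multicast /ttl suffix
            if streams:
                streams[-1][1] = addr             # media-level c= overrides
            else:
                session_addr = addr
        elif kind == "m" and len(fields) >= 3:    # m=<media> <port> <proto> ...
            port = fields[1].split("/")[0]        # "49170/2" means a port range
            streams.append([fields[0], session_addr, int(port) if port.isdecimal() else -1])
    return [tuple(s) for s in streams]

def violations(sip_message):
    """List reasons the media this message negotiates falls outside policy."""
    found = []
    for media, addr, port in sdp_media(sip_message):
        if media not in ALLOWED_MEDIA:
            found.append(f"{media}: media type not allowed")
        try:
            ip = ipaddress.ip_address(str(addr))
            if not any(ip in net for net in ALLOWED_MEDIA_NETS):
                found.append(f"{media}: {ip} outside allowed media networks")
        except ValueError:                        # missing c= line or a hostname
            found.append(f"{media}: address {addr!r} is not an IP literal")
        if port != 0 and port not in ALLOWED_PORTS:   # port 0 disables a stream
            found.append(f"{media}: port {port} outside allowed range")
    return found

# Constructed sample messages (not captured traffic), trimmed to a few headers.
HEAD = ("INVITE sip:bob@example.com SIP/2.0\r\nCSeq: 1 INVITE\r\n"
        "Content-Type: application/sdp\r\n\r\nv=0\r\no=- 1 1 IN IP4 192.0.2.10\r\ns=-\r\n")
IN_POLICY = HEAD + "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 16500 RTP/AVP 0\r\n"
OUT_OF_POLICY = HEAD + ("t=0 0\r\nm=audio 16500 RTP/AVP 0\r\nc=IN IP4 198.51.100.7\r\n"
                        "m=application 5000 udp wb\r\nc=IN IP4 192.0.2.10\r\n")

if __name__ == "__main__":
    print(violations(IN_POLICY), violations(OUT_OF_POLICY), sep="\n")
```

A controller that rejects or alerts on any message with a non-empty result keeps the decision about who may open a media path with the component that knows the users and endpoints, which the ALG itself does not.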