
Correct me if I'm wrong, but last time I looked, Linux's netfilter kernel module for SIP, ip_conntrack_sip, still is ignorant of SDP entirely.

Scott Berkman <scott at sberkman.net> wrote:
How reliable and predictable an ALG is really varies vendor by vendor. Most standard firewalls' and routers' ALGs do cause more problems (for example most Cisco stuff), but the SIP-specific vendors usually do a much better job. My personal favorite is Edgewater Edgemarcs.
Most generally what they do is provide layer 5+ (OSI) NAT, intelligently replacing addresses in the SIP and SDP headers. In most cases they will also handle RTP, doing things like making sure outside ports are unique and open based on following the SDP on the signaling side.
-Scott
-----Original Message-----
From: voiceops-bounces at voiceops.org [mailto:voiceops-bounces at voiceops.org] On Behalf Of Tim Bray
Sent: Thursday, February 28, 2013 6:45 AM
To: voiceops at voiceops.org
Subject: Re: [VoiceOps] What does an ALG actually do?
On 27/02/13 21:33, John Levine wrote:
I realize that an ALG is a hack in a router that is supposed to allow SIP packets to go through a NAT router. I also realize that for modern SIP equipment, ALG usually causes more problems than it solves, and that it's described in RFCs 2663, 3424, and others.
What I can't find anywhere is what a SIP ALG actually does to the packets. Is that written down anywhere, or is it just network folklore?
The simple answer is `break stuff`.
The marketing answer is `SIP is the next big thing, and we want to say we are "SIP READY" so we put an ALG in`.
Technically.
The OKish ALGs are passive and sniff the ports for QoS etc.
Most NAT passing ones just search and replace the IP addresses in the SIP and SDP. Mainly though, I've seen them swap one IP, but not the other. Or misread the port number. Very basic search and replace rather than properly parsing the messages. Bad idea.
-- Sent from my mobile, and thus lacking in the refinement one might expect from a fully-fledged keyboard.

Alex Balashov - Principal
Evariste Systems LLC
235 E Ponce de Leon Ave
Suite 106
Decatur, GA 30030
United States
Tel: +1-678-954-0670
Web: http://www.evaristesys.com/, http://www.alexbalashov.com/
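
An added illustration, not part of the thread and not any vendor's ALG code: a simplified Python model of the blind search-and-replace described above, next to a rewrite that handles headers and SDP separately and recomputes Content-Length, plus a check for what a capture on the outside of the ALG would show. The addresses, the mapped RTP port and the INVITE are constructed, and the function names are hypothetical.

```python
import re

PRIVATE, PUBLIC = "192.168.1.10", "203.0.113.7"  # constructed addresses
ADDR = re.compile(r"(?<![\d.])" + re.escape(PRIVATE) + r"(?!\d)")

# Constructed INVITE as the phone behind the NAT would send it.
SDP = ("v=0\r\no=alice 1 1 IN IP4 192.168.1.10\r\ns=-\r\n"
       "c=IN IP4 192.168.1.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0\r\n")
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP 192.168.1.10:5060;branch=z9hG4bK776\r\n"
          "Contact: <sip:alice@192.168.1.10:5060>\r\n"
          "Content-Type: application/sdp\r\n"
          f"Content-Length: {len(SDP)}\r\n\r\n" + SDP)

def naive_alg(msg):
    """Blind substitution: patches the SDP c= line only, nothing else."""
    return msg.replace("c=IN IP4 " + PRIVATE, "c=IN IP4 " + PUBLIC)

def careful_alg(msg, ext_rtp_port):
    """Rewrite headers and SDP separately, then recompute Content-Length."""
    head, body = msg.split("\r\n\r\n", 1)
    body = ADDR.sub(PUBLIC, body)                      # o= and c= lines
    body = re.sub(r"(?m)^m=audio \d+", f"m=audio {ext_rtp_port}", body)
    head = ADDR.sub(PUBLIC, head)                      # Via and Contact
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body

def audit(msg):
    """List what a capture on the outside of the ALG would show as wrong."""
    head, body = msg.split("\r\n\r\n", 1)
    issues = [f"private address left in: {line}"
              for line in msg.split("\r\n") if ADDR.search(line)]
    declared = int(re.search(r"(?im)^Content-Length:\s*(\d+)", head).group(1))
    if declared != len(body.encode()):
        issues.append(f"Content-Length {declared} != body {len(body.encode())}")
    return issues

if __name__ == "__main__":
    for name, out in (("naive", naive_alg(INVITE)),
                      ("careful", careful_alg(INVITE, 20002))):
        print(name, audit(out) or "clean")
```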