[ SNOM 4S NAT FILTER ]
The Hide Routing flag will replace route sets with a unique route index when requests or responses are sent to a registered user agent. Via headers are also replaced with one Via header. This feature has several advantages. First of all, it will reduce the packet size significantly, especially when your core network uses several proxies or when it loops requests through the proxy several times. Usually, UDP packets will have a size significantly below the MTU size of 1492 bytes for Ethernet. This is a tremendous advantage that solves many problems with equipment that does not support UDP fragmentation.
Secondly, it hides important information about your network topology from the user agents. For example, when you are terminating calls with a PSTN gateway, the users are not able to see the IP address of the PSTN gateway in the routing path (if you turn “always relay” on, this address will also not occur in the SDP). Users will “see” the filter as their only window to the outside world. This makes attacks much more difficult. It is much easier to protect only the filter against attacks than your whole SIP network.
The third big advantage is that it solves many problems with poor SIP implementations. Typically, immature SIP implementations cannot deal properly with strict and loose routing, which results in complicated routing problems. The filter will take care of the routing problems; the user agent just has to route the request to the filter, which even the poorest implementations are able to do.
The disadvantage of this flag is that it adds more stateful information to the filter. This state does not affect the scalability of the overall system, but when the filter is restarted, the information is lost. However, we recommend turning this flag on.
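As an added illustration (not snom's code and not taken from this manual), the following Python model shows the behaviour described above: routing headers are swapped for one Via and one route entry carrying an index, and the originals live only in the filter's memory. The class name, the `ri` parameter, the random index format and all host names are assumptions made for the example.

```python
import secrets

# Header names treated as routing information (includes "v", the compact form of Via).
ROUTING = {"via", "v", "record-route"}

class HideRoutingFilter:
    """Hypothetical model of a filter with the Hide Routing flag turned on."""

    def __init__(self, host):
        self.host = host
        self.state = {}  # route index -> original routing header lines (in memory only)

    def hide(self, message):
        """Rewrite a message bound for a registered user agent.

        Returns (rewritten message, route index)."""
        head, sep, body = message.partition("\r\n\r\n")
        start_line, *headers = head.split("\r\n")
        routing = [h for h in headers
                   if h.split(":", 1)[0].strip().lower() in ROUTING]
        other = [h for h in headers if h not in routing]
        # Random rather than sequential index: a choice made for this example.
        index = secrets.token_hex(8)
        self.state[index] = routing
        single = [f"Via: SIP/2.0/UDP {self.host};branch=z9hG4bK{index}",
                  f"Record-Route: <sip:{self.host};lr;ri={index}>"]
        return "\r\n".join([start_line, *single, *other]) + sep + body, index

    def restore(self, index):
        """Original routing headers for an index, or None if the state is gone."""
        return self.state.get(index)

# Constructed sample: an INVITE from a PSTN gateway that crossed two core proxies.
SAMPLE = "\r\n".join([
    "INVITE sip:alice@192.0.2.10:5060 SIP/2.0",
    "Via: SIP/2.0/UDP proxy2.core.example.net;branch=z9hG4bKc3",
    "Via: SIP/2.0/UDP proxy1.core.example.net;branch=z9hG4bKb2",
    "Via: SIP/2.0/UDP pstn-gw.core.example.net;branch=z9hG4bKa1",
    "Record-Route: <sip:proxy2.core.example.net;lr>",
    "Record-Route: <sip:proxy1.core.example.net;lr>",
    "From: <sip:+15550100@example.net>;tag=1",
    "To: <sip:alice@example.net>",
    "Call-ID: constructed-call-1",
    "CSeq: 1 INVITE",
]) + "\r\n\r\n"

if __name__ == "__main__":
    nat_filter = HideRoutingFilter("filter.example.net")
    hidden, idx = nat_filter.hide(SAMPLE)
    print(len(SAMPLE), "->", len(hidden), "bytes")
    print(hidden)
```

A fresh `HideRoutingFilter` instance returns `None` from `restore()` for an index issued earlier, which is the restart drawback noted above.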
4.3.8 Multiple 2xx Handling
The Filter INVITE 2xx deals with another problem that many poor SIP implementations have. SIP allows requests to be forked to several user agent servers. Several user agents sending a 2xx response back to the UAC at the same time typically creates a race condition. The proxy involved in this transaction cannot cancel the pending requests fast enough to solve this situation. The SIP designers have made the design decision that in this situation all 2xx responses must be sent back to the UAC, which has to resolve the condition.