How the SIP ALG creates RTP pinholes

How the SIP ALG creates RTP pinholes

The SIP ALG requires the following information to create a pinhole. The SIP ALG finds this information in SIP messages and some is provided by the SIP ALG:

Protocol                    UDP (Extracted from SIP messages by the SIP ALG.)

Source IP                  Any

Source port              Any

Destination IP

The SIP ALG extracts the destination IP address from the c= line in the SDP profile. The c= line can appear in either the session or media part of the SDP profile. The SIP ALG uses the IP address in the c= line of the media part of the SDP profile first. If the media part does not contain a c= line, the SIP ALG checks the c= line in the session part of the SDP profile. If the session part of the profile doesn’t contain a c= line the packet is dropped. Pinholes for RTP and RTCP sessions share the same destination IP address.

 

Destination port      The SIP ALG extracts the destination port number for RTP from the m= field and adds 1 to this number to get the RTCP port number.

 

Lifetime                     The length of time during which the pinhole will be open. When the lifetime ends, the SIP ALG removes the pinhole.

The SIP ALG keeps RTP pinholes open as long as the SIP session is alive. When the associated SIP session is terminated by the SIP ALG or the SIP phones or servers participating in the call, the RTP pinhole is closed.

The figure below shows a simplified call setup sequence that shows how the SIP ALG opens pinholes. Phone A and Phone B are installed on either side of a FortiGate unit operating in Transparent mode. Phone A and Phone B are on the same subnet. The FortiGate unit includes a security policy that accepts SIP sessions from port1 to port2 and from port2 to port1. The FortiGate unit does not require an RTP security policy, just the SIP policy.

You can see from this diagram that the SDP profile in the INVITE request from Phone A indicates that Phone A is expecting to receive a media stream sent to its IP address using port 4000 for RTP and port 4001 for RTCP. The SIP ALG creates pinhole 1 to allow this media traffic to pass through the FortiGate unit. Pinhole 1 is opened on the Port2 interface and will accept media traffic sent from Phone B to Phone A.

When Phone B receives the INVITE request from Phone A, Phone B will know to send media streams to Phone A using destination IP address 10.31.101.20 and ports 4000 and 4001. The 200 OK response sent from Phone B indicates that Phone B is expecting to receive a media stream sent to its IP address using ports 8000 and 8001. The SIP ALG creates pinhole 2 to allow this media traffic to pass through the FortiGate unit. Pinhole 2 is opened on the Port1 interface and will accept media traffic sent from Phone A to Phone B.

 

 

SIP call setup with a FortiGate unit in Transparent mode

 

 

 

ort1                                                  Po

 

 

 

 

FortiGate unit

P   t                                                    Port2

SIP Phone A (PhoneA@10.31.101.20)

in Transparent mode

SIP Phone B (PhoneB@10.31.101.30)

  1. Phone A sends an INVITE request to Phone B (SDP 10.31.101.20:4000)
  1. SIP ALG creates Pinhole 1. Accepts traffic on Port2 with destination address:port numbers 10.31.101.20:4000 and 4001
  1. The SIP ALG forwards the INVITE request Phone B.
  1. Phone B sends a 200 OK response to Phone A (SDP: 10.31.101.30:8000)
  1. SIP ALG creates Pinhole 2. Accepts traffic on Port1 with destination address:port numbers 10.31.101.30:8000 and 8001
  1. Phone B sends RTP and RTCP media sessions to Phone A through pinhole 1. Destination address:port number 172.20.120.20:4000 and 4001 Pinhole 1
  1. Phone A sends RTP and RTCP media sessions to Phone B through pinhole 2. Destination address:port number 172.20.120.30:8000 and 8001 Pinhole 2
This entry was posted in FortiGate, FortiOS, FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.