
Pinhole Creation in ScreenOS Devices Overview


Both pinholes for the RTP and RTCP traffic share the same destination IP address. The IP address comes from the c= field in the SDP session description. Because the c= field can appear in either the session-level or media-level portion of the SDP session description, the parser determines the IP address based on the following rules (in accordance with SDP conventions):

  • First, the SIP ALG parser verifies if there is a c= field containing an IP address in the media level. If there is one, the parser extracts that IP address, and the SIP ALG uses it to create a pinhole for the media.

  • If there is no c= field in the media level, the SIP ALG parser extracts the IP address from the c= field in the session level, and the SIP ALG uses it to create a pinhole for the media. If the session description does not contain a c= field in either level, this indicates an error in the protocol stack, and the security device drops the packet and logs the event.

Table 1 displays the information the SIP ALG needs to create a pinhole. This information comes from the SDP session description and parameters on the security device:

Table 1: Information for Pinhole Creation

Protocol: UDP.

Source IP: Unknown.

Source port: Unknown.

Destination IP: The parser extracts the destination IP address from the c= field in the media or session level.

Destination port: The parser extracts the destination port number for RTP from the m= field in the media level and calculates the destination port number for RTCP using the following formula: RTP port number + 1.

Lifetime: This value indicates the length of time (in seconds) during which a pinhole is open to allow a packet through. A packet must go through the pinhole before the lifetime expires. When the lifetime expires, the SIP ALG removes the pinhole. When a packet goes through the pinhole within the lifetime period, immediately afterwards the SIP ALG removes the pinhole for the direction from which the packet came.
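The c= selection rules above and the Table 1 fields (destination IP, RTP port from m=, RTCP port = RTP port + 1, and the per-direction lifetime) can be worked through in code. The following Python is an added illustrative example, not ScreenOS code and not Juniper's SIP ALG implementation: it parses a constructed SDP body, applies the media-level-before-session-level rule, derives both pinholes per media stream, and treats a missing c= field at both levels as a drop-and-log error. The `lifetime` default and the `OpenPinhole` model of the lifetime rule are assumptions for the demonstration.

```python
"""Illustrative SIP ALG pinhole derivation from SDP (example code, not ScreenOS)."""
from __future__ import annotations

import logging
from dataclasses import dataclass

log = logging.getLogger("sip_alg_example")


@dataclass(frozen=True)
class Pinhole:
    protocol: str   # always "UDP" for RTP/RTCP media (Table 1)
    dst_ip: str     # from c= (media level preferred, else session level)
    dst_port: int   # RTP port from m=, or RTP port + 1 for RTCP
    lifetime: int   # seconds; a device parameter, value assumed here


class SdpError(ValueError):
    """Raised when no usable c= field exists; the device would drop and log."""


def _parse_c_ip(line: str) -> str:
    # c=<nettype> <addrtype> <connection-address>, e.g. "c=IN IP4 192.0.2.10"
    parts = line[2:].split()
    if len(parts) < 3:
        raise SdpError(f"malformed c= field: {line!r}")
    return parts[2].split("/")[0]   # strip optional TTL / address-count suffix


def parse_pinholes(sdp: str, lifetime: int = 120) -> list[Pinhole]:
    """Return the RTP and RTCP pinholes for every m= line in the SDP body."""
    session_ip: str | None = None
    media_blocks: list[list] = []   # [rtp_port, media_level_ip_or_None]
    in_media = False
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            in_media = True                      # media-level section begins
            fields = line[2:].split()            # <media> <port> <proto> <fmt>...
            port = int(fields[1].split("/")[0])  # ignore optional port count
            media_blocks.append([port, None])
        elif line.startswith("c="):
            ip = _parse_c_ip(line)
            if in_media:
                media_blocks[-1][1] = ip         # rule 1: media-level c= wins
            else:
                session_ip = ip                  # rule 2: session-level fallback
    pinholes: list[Pinhole] = []
    for rtp_port, media_ip in media_blocks:
        dst_ip = media_ip or session_ip
        if dst_ip is None:
            raise SdpError("no c= field at media or session level")
        pinholes.append(Pinhole("UDP", dst_ip, rtp_port, lifetime))       # RTP
        pinholes.append(Pinhole("UDP", dst_ip, rtp_port + 1, lifetime))   # RTCP
    return pinholes


def drops_packet(sdp: str) -> bool:
    """True when the ALG would drop the packet (and log) instead of opening pinholes."""
    try:
        parse_pinholes(sdp)
        return False
    except SdpError as exc:
        log.warning("dropping SIP packet: %s", exc)
        return True


class OpenPinhole:
    """Model of the Table 1 lifetime rule (assumed behaviour, not ScreenOS internals):
    the pinhole closes when its lifetime expires, and a packet that passes through
    closes it for the direction the packet came from."""

    def __init__(self, pinhole: Pinhole, opened_at: float) -> None:
        self.pinhole = pinhole
        self.expires_at = opened_at + pinhole.lifetime
        self.closed_directions: set[str] = set()

    def admit(self, direction: str, now: float) -> bool:
        if now >= self.expires_at or direction in self.closed_directions:
            return False
        self.closed_directions.add(direction)
        return True


# Constructed sample SDP: audio inherits the session-level c=, video has its own.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0
m=video 51372 RTP/AVP 31
c=IN IP4 192.0.2.20
"""

# Constructed sample with no c= at either level (protocol-stack error case).
NO_C_SDP = "v=0\ns=-\nt=0 0\nm=audio 49170 RTP/AVP 0\n"

if __name__ == "__main__":
    for p in parse_pinholes(SAMPLE_SDP):
        print(p)
    print("drop:", drops_packet(NO_C_SDP))
```

Running the module prints four pinholes (audio 49170/49171 toward 192.0.2.10, video 51372/51373 toward 192.0.2.20) and `drop: True` for the body with no c= field, matching the two rules and the port formula in the text.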