Understanding the SCCP ALG
The Skinny Client Control Protocol (SCCP) is a
Cisco proprietary protocol for call signaling. Skinny is based on
a call-agent-based call-control architecture. The control protocol
uses binary-coded frames carried over TCP to well-known
TCP destination ports to set up and tear down RTP media sessions.
SCCP, like other call control protocols,
negotiates media endpoint parameters—specifically the RTP port
number and the IP address of media termination—by embedding
information in the control packets. The SCCP ALG implemented on a
J-series device (or firewall) parses these control packets and allows
media and control packets to flow through the J-series device.
The SCCP ALG also implements rate limiting of calls
and helps protect critical resources from overloading and
denial-of-service attacks.
The following functions are implemented by the
SCCP ALG in JUNOS software:
- Validation of SCCP protocol data units
- Translation of embedded IP addresses and port numbers
- Allocation of firewall resources (pinholes and gates)
to pass media
- Aging out idle calls
- Configuration API for SCCP ALG parameters
- Operational mode API for displaying counters, status and
statistics
Before You Begin
For background information, read
In the SCCP architecture, a proxy, known as the
CallManager, does most of the processing. IP phones, also called End
Stations, run the SCCP client and connect to a primary (and, if available,
a secondary) CallManager over TCP on port 2000 and register with the
primary CallManager. This connection is then used to establish calls
coming to or from the client.
The SCCP ALG supports the following:
- Call flow from an SCCP client, through the CallManager,
to another SCCP client.
- Seamless failover—Switches over all calls in process
to the standby firewall during failure of the primary.
- VoIP signaling payload inspection—Fully inspects
the payload of incoming VoIP signaling packets. Any malformed-packet
attack is blocked by the ALG.
- SCCP signaling payload inspection—Fully inspects
the payload of incoming SCCP signaling packets. Any malformed-packet
attack is blocked by the ALG.
- Stateful processing—Invokes the corresponding VoIP-based
state machines to process the parsed information. Any out-of-state
or out-of-transaction packet is identified and properly handled.
- Network Address Translation (NAT)—Replaces any
embedded IP address and port information in the payload with the
translated IP address and port number, if necessary, based on
the existing routing information and network topology.
- Pinhole creation and management for VoIP traffic—Identifies
IP address and port information used for media or signaling and dynamically
opens (and closes) pinholes to securely stream the media.
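The validation, embedded-address translation and pinhole steps listed above can be sketched as follows. This is an added example, not JUNOS code. It assumes the frame layout described by public SCCP dissectors for early protocol versions (little-endian length, header version and message ID, with OpenReceiveChannelAck as message 0x0022); `MAX_LEN`, the NAT table and the sample frame are hypothetical.

```python
import ipaddress
import struct

HDR = struct.Struct("<III")         # length, header version, message ID (assumed layout)
ACK_ID = 0x0022                     # OpenReceiveChannelAck: phone announces its RTP endpoint
ACK_BODY = struct.Struct("<I4sII")  # status, IPv4 address, RTP port, pass-through party ID
MAX_LEN = 2000                      # hypothetical sanity cap on the length field

class MalformedPDU(ValueError):
    """Raised when a frame fails validation and must be dropped."""

def inspect(frame, nat):
    """Validate one SCCP frame. Returns (frame_to_forward, pinhole or None)."""
    if len(frame) < HDR.size:
        raise MalformedPDU("frame shorter than the 12-byte header")
    length, _version, msg_id = HDR.unpack_from(frame)
    # The length field counts the message ID and body, not the first 8 bytes.
    if not 4 <= length <= MAX_LEN or len(frame) != length + 8:
        raise MalformedPDU("length field disagrees with frame size")
    if msg_id != ACK_ID:
        return frame, None                      # no embedded media address to handle
    if length - 4 < ACK_BODY.size:
        raise MalformedPDU("truncated OpenReceiveChannelAck")
    status, raw_ip, port, party = ACK_BODY.unpack_from(frame, HDR.size)
    if not 0 < port <= 65535:
        raise MalformedPDU("RTP port out of range")
    private = (str(ipaddress.IPv4Address(raw_ip)), port)
    public = nat.get(private, private)          # untranslated if no NAT binding exists
    body = ACK_BODY.pack(status, ipaddress.IPv4Address(public[0]).packed, public[1], party)
    rewritten = frame[:HDR.size] + body + frame[HDR.size + ACK_BODY.size:]
    # The pinhole admits RTP to the advertised address and forwards it to the phone.
    return rewritten, {"allow_rtp_to": public, "forward_to": private}

# Constructed sample: phone 10.0.0.5 announces RTP port 24580 (values are made up).
SAMPLE = HDR.pack(4 + ACK_BODY.size, 0, ACK_ID) + ACK_BODY.pack(0, bytes([10, 0, 0, 5]), 24580, 1)
NAT = {("10.0.0.5", 24580): ("203.0.113.7", 40000)}

if __name__ == "__main__":
    out, pinhole = inspect(SAMPLE, NAT)
    print(out.hex(), pinhole)
```

Because the address and port are fixed-width binary fields, the rewrite never changes the frame length, so no TCP sequence adjustment is needed for this message.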
This topic covers: