9 challenging, 10 trusted addresses, 11 maximum packet size – Snom 4S User Manual


snom technology AG • 37

[SNOM 4S NAT FILTER]

Unfortunately, only a small percentage of existing user agents deal properly with this situation. When you turn the flag on, the filter will only let the first 2xx response pass through to the user agent. Subsequent 2xx responses will be blocked by the filter; instead the filter will send an ACK to the response and immediately terminate the dialog with a BYE message. This is the behaviour of most user agents when receiving multiple 2xx. However, if you are sure that the user agents in your network handle multiple 2xx properly and implement a different behaviour, you should turn this behaviour off.

4.3.9 Challenging

Challenging inside a dialog may be problematic when the call destination does not have any credentials for the system. In this case, it may for example not be able to disconnect a call (BYE gets challenged). Therefore, the SBC may omit the challenging if the setting Challenge Inside Dialog is set to off.

Challenging every request may cause almost double packet traffic on the SBC for registrations. It gives you the maximum security, but in most situations it is reasonable to challenge only the requests that will be forwarded to the registrar. The setting Challenge Refresh Registrations controls this behaviour.

4.3.10 Trusted Addresses

The list of Trusted IP Addresses is used when sensitive information is extracted from SIP packets. For example, the filter may get an explicit hint on how long the conversation may last at most. If a user agent were to send this information, it could easily bypass AAA and make telephone calls even when the prepaid card has expired. If you list the IP addresses of your proxies, you can enhance the security significantly.
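The trust check described above, as an added example that is not taken from the Snom manual or product: a call-duration hint is honoured only when the packet's source address is on the trusted list, and is stripped from the message otherwise. The header name X-Max-Call-Duration, the addresses and the sample INVITE are constructed assumptions, and headers are assumed to be unfolded.

```python
import ipaddress

# Hypothetical header name: the manual does not say which header carries the hint.
HINT_HEADER = "x-max-call-duration"

# Constructed trusted list (documentation address ranges standing in for your proxies).
TRUSTED = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/28")]

# Constructed sample: an INVITE in which the sender supplies its own duration limit.
SAMPLE_INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.5:5060\r\n"
    "X-Max-Call-Duration: 86400\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def is_trusted(src_ip):
    """True if the packet's source address is on the trusted list."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED)


def extract_duration_hint(raw_sip, src_ip):
    """Return (max_seconds or None, sanitized message).

    The hint is honoured only for packets from a trusted address. From any
    other source, or when the value is not a plain number, the header is
    removed so it is neither used here nor forwarded downstream.
    """
    head, sep, body = raw_sip.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept, hint = [lines[0]], None  # lines[0] is the request or status line
    trusted = is_trusted(src_ip)
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == HINT_HEADER:
            if trusted and value.strip().isdigit():
                hint = int(value.strip())
                kept.append(line)
            continue  # untrusted source or malformed value: drop the header
        kept.append(line)
    return hint, "\r\n".join(kept) + sep + body
```
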

4.3.11 Maximum Packet Size

The Max MTU tells the filter what the maximum packet size should be. Typically, on Ethernet networks, packets with more than 1492 bytes payload cannot be transported without splitting them up into several packets. As described in the hide routing feature, this can lead to big problems in today’s DSL networks.
