70 likes | 221 Views
Application-Layer Policy Enforcement at SIP Firewalls ( draft-jfp-sipfw-policy-00.txt). SIP WG 48th IETF Jon Peterson <jon.peterson@level3.com> Level(3) Communications. One-Edged Network. Public Internet. Enterprise Network (w/ SIP). PS. FW. Public Internet. FW. PS. Carrier
E N D
Application-Layer Policy Enforcement at SIP Firewalls(draft-jfp-sipfw-policy-00.txt) SIP WG 48th IETF Jon Peterson <jon.peterson@level3.com> Level(3) Communications
One-Edged Network Public Internet Enterprise Network (w/ SIP) PS FW SIP WG - 48th IETF - JFP L3
Public Internet FW PS Carrier Network (w/ SIP) Peer Carrier A Peer Carrier B FW FW PS FW ASP AS Multi-edge Network SIP WG - 48th IETF - JFP L3
Typical Firewall with ALG “Inside” Network “Outside” Network PS ALG Signaling Media FW see: draft-rosenberg-sip-firewalls-00.txt SIP WG - 48th IETF - JFP L3
Policies might intervene (logically) between the PS and the ALG PS Policy 1 Policy 2 ALG FW Inbound Signaling SIP WG - 48th IETF - JFP L3
A simple policy example: One-way edge Blocked! “Inside” Network “Outside” Network POL PS ALG FW INVITE Calls allowed in this direction SIP WG - 48th IETF - JFP L3
In Summary • There may be reasons why it would be important for a SIP session to traverse a particular network edge on its way to its final destination • Some application-layer policies are best enforced at an edge • Know of any other examples? SIP WG - 48th IETF - JFP L3