In the previous article of this series, I talked about the various verbs (commands) that SIP uses to accomplish its various tasks. In this article, I want to give you a crash course in the way that SIP routes packets.
As you know, SIP can be used to establish communications between PCs, telephones and other devices, each of which can potentially exist on separate networks. That being the case, SIP must have some mechanism for determining which path a packet needs to take in order to reach its destination. SIP embeds the packet routing information into headers. There are four primary types of headers that SIP uses: record route headers, route headers, via headers, and contact headers.
Record route headers
Although a record route header is a type of routing header, it is also a type of security mechanism. To understand why record route headers are used, think about the role that an Office Communications Server (OCS) plays within an organization. Oftentimes, messages between clients are routed through an OCS 2007 server, and the server may even act as a proxy for those messages.
Whenever a host acts as a proxy, it has the ability to place its own IP address or fully qualified domain name into the record route header. This tells the recipient that the host is to be used as the signaling path for all subsequent SIP packets within that session.
This feature can act as a mechanism to help prevent session hijacking, or it can be used for routing control. In some organizations, for example, record route headers ensure that SIP traffic passes through a designated server before passing through the perimeter firewall. That way, the firewall can be configured to allow only SIP traffic to flow to and from that server. This prevents end users from using unauthorized SIP-enabled applications such as some instant messaging clients.
As the name implies, route headers help in routing SIP traffic. The way that a route header works is really very simple. SIP compiles a list of the IP addresses or fully qualified domain names between the source host and the destination host. This list essentially acts as a route that the packet must take in order to reach its destination, with each entry on the list serving as a hop along the route.
When a host receives a message, it checks to see whether or not it is the final recipient. If not, the host removes its own IP address or fully qualified domain name from the route header and then forwards the message to the next host on the list. The process is repeated until the packet reaches its destination.
Via headers work similarly to route headers, except that they work in the opposite way. Suppose, for instance, that a source host and a destination host are geographically dispersed, and that SIP traffic must flow between multiple OCSs in route to the destination. In such a situation, each of the servers that the message passes through adds its own IP address or fully qualified domain name to the via header. The idea is that when the message arrives at its destination, the destination host can determine exactly what path the message took to reach its destination, and which hosts have handled the message along the way. In some instances, this information is also used to create a return path.
So far, all of the header types that I have talked about involve specific hosts. The problem is that when a user sends a SIP message, the message is typically sent to another user, not to a server (the user's account resides on the server, though). The contact header lets the recipient server determine to which user the message should be directed.
One last routing feature that I want to talk about is route signatures. Not every SIP application uses route signatures, but OCS 2007 does use them, so I wanted at least to mention them.
Earlier, I briefly mentioned route hijacking. This occurs when a hacker intercepts a message and redirects it so that it takes a different route (often through a hacker's own server) before reaching its destination. Route hijacking is commonly used as a technique to facilitate electronic eavesdropping or impersonation.
In order to protect against route hijacking, OCS 2007 uses route signatures. Route signatures are cryptographic signatures that can be applied to the record route, contact header, and via headers. The signature is placed in the route URI and is used to verify that the route has not been altered.
In this article, I have explained that various types of headers are used when delivering SIP messages. I then explained the uses of each of these headers.
About the author:
Brien M. Posey, MCSE, is a Microsoft Most Valuable Professional for his work with Windows 2000 Server and IIS. Brien has served as CIO for a nationwide chain of hospitals and was once in charge of IT security for Fort Knox. As a freelance technical writer, he has written for Microsoft, CNET, ZDNet, TechTarget, MSD2D, Relevant Technologies and other technology companies. You can visit Brien's personal website at www.brienposey.com.