In this section:
The SIP Security Profile feature defines the type and behavior of security mechanism to apply to the SBC acting as P-CSCF.
Ribbon recommends using the Transparency Profile to configure transparency on the SBC Core for new deployments, as well as applying additional transparency configurations to existing deployments. Do not use IP Signaling Profile flags in these scenarios because the flags will be retired in upcoming releases.
Refer to the SBC SIP Transparency Implementation Guide for additional information.
Command Syntax
The CLI syntax to configure the SIP Security Profile is shown below:
% set profiles services sipSecurityProfile <profile name> encryptionPreference <always-encrypt | none | null-forced> forceClientSecurityPref <disabled | enabled> rejectSecUnsupportedRequest <disabled | enabled> sbxSecMode <sbc-only | sbc-pcscf> sipSecurityMechanism <ipsec-3gpp | tls> precedence <1-65535>
Command Parameters
SIP Security Profile
Parameter | Description |
---|---|
|
|
| Use this parameter to define the encryption preference for this SIP Security Profile.
|
| Enable this flag to give precedence to the order of occurrence of "mechanism-name" value in the "Security-Client" header while selecting the Security Mechanism to apply.
|
| Enable this flag to reject the incoming REGISTER when it does not contain "sec-agree" header value (in Require or Proxy-Require headers) or does not contain any supported mechanism-name (ipsec-3gpp) in "Security-Client" header.
|
sbxSecMode | Use this parameter to define the SBC security mode for this SIP Security Profile.
When |
| Identifies the list of security mechanisms supported by SBC and the corresponding precedence level for each security mechanism.
|
Command Examples
When SBC Security Mode (sbxSecMode
) is set to sbc-only
, configure a Transparency Profile for following headers in egress trunk group:
% set profiles services transparencyProfile <profile name> sipHeader Require % set profiles services transparencyProfile <profile name> sipHeader Proxy-Require % set profiles services transparencyProfile <profile name> sipHeader Security-Client % set profiles services transparencyProfile <profile name> sipHeader Security-Verify % set profiles services transparencyProfile <profile name> state enabled % set addressContext <AC name> zone <zone name> sipTrunkGroup <trunk group name> services transparencyProfile <profile name>
The following example configuration accomplishes the following:
- Creates a SIP security profile named
"S-PROFILE1",
sets "forceClientSecurityPref
" and "rejectSecUnsupportedRequest
" to "enabled
", and sets SIP security mechanism "ipsec-3gpp
" to precedence of "1". - Assign
S-PROFILE1
to SIP trunk group "STG-1
".
% set profiles services sipSecurityProfile S-PROFILE1 forceClientSecurityPref enabled rejectSecUnsupportedRequest enabled sipSecurityMechanism ipsec-3gpp precedence 1 % set addressContext default zone MYZONE sipTrunkGroup STG-1 services sipSecurityProfile S-PROFILE1