DO NOT SHARE THESE DOCS WITH CUSTOMERS!
This is an LA release that will only be provided to a select number of PLM-sanctioned customers (PDFs only). Contact PLM for details.
In this section:
The SIP Security Profile feature defines the type and behavior of security mechanism to apply to the SBC acting as P-CSCF.
Ribbon recommends using the Transparency Profile to configure transparency on the SBC Core for new deployments, as well as applying additional transparency configurations to existing deployments. Do not use IP Signaling Profile flags in these scenarios because the flags will be retired in upcoming releases.
Refer to the SBC SIP Transparency Implementation Guide for additional information.
The CLI syntax to configure the SIP Security Profile is shown below:
% set profiles services sipSecurityProfile <profile name> encryptionPreference <always-encrypt | none | null-forced> forceClientSecurityPref <disabled | enabled> rejectSecUnsupportedRequest <disabled | enabled> sbxSecMode <sbc-only | sbc-pcscf> sipSecurityMechanism <ipsec-3gpp | tls> precedence <1-65535>
When SBC Security Mode (sbxSecMode
) is set to sbc-only
, configure a Transparency Profile for following headers in egress trunk group:
% set profiles services transparencyProfile <profile name> sipHeader Require % set profiles services transparencyProfile <profile name> sipHeader Proxy-Require % set profiles services transparencyProfile <profile name> sipHeader Security-Client % set profiles services transparencyProfile <profile name> sipHeader Security-Verify % set profiles services transparencyProfile <profile name> state enabled % set addressContext <AC name> zone <zone name> sipTrunkGroup <trunk group name> services transparencyProfile <profile name>
The following example configuration accomplishes the following:
"S-PROFILE1",
sets "forceClientSecurityPref
" and "rejectSecUnsupportedRequest
" to "enabled
", and sets SIP security mechanism "ipsec-3gpp
" to precedence of "1".S-PROFILE1
to SIP trunk group "STG-1
".% set profiles services sipSecurityProfile S-PROFILE1 forceClientSecurityPref enabled rejectSecUnsupportedRequest enabled sipSecurityMechanism ipsec-3gpp precedence 1 % set addressContext default zone MYZONE sipTrunkGroup STG-1 services sipSecurityProfile S-PROFILE1