This profile specifies the type and behavior of security mechanism to apply to the Access Solution acting as a P-CSCF.

Note

When configuring SIP Security Profile on a particular SIP Trunk Group, ensure Authcode Headers transparency flag is not enabled on the same Trunk Group (see Common IP Attributes - Transparency Flags).

Note

When configuring a SIP Security Profile in P-CSCF mode, a Sip Security Mechanism is required.


IMPORTANT

Ribbon recommends using the Transparency Profile to configure transparency on the SBC Core for new deployments, as well as applying additional transparency configurations to existing deployments. Do not use IP Signaling Profile flags in these scenarios because the flags will be retired in upcoming releases.

Refer to the SBC SIP Transparency Implementation Guide for additional information.

To View SIP Security Profile

On the SBC main screen, go to Configuration > Profile Management > Category: Service Profiles > SIP Security Profile.


To Edit SIP Security Profile

To edit any of the SIP Security Profile in the list, click the radio button next to the specific SIP Security Profile name.

The Edit Selected SIP Security Profile window is displayed below.

Make the required changes and click Save.

To Create SIP Security Profile

To create a new SIP Security Profile, click New SIP Security Profile tab on the SIP Security Profile List panel.

The Create New SIP Security Profile window is displayed.


SIP Security Profile Parameters:

Parameter

Description

Name

The user name of this SIP Security Profile.

Sbx Sec Mode

Use this parameter to define the SBC security mode for this SIP Security Profile. 

  • Sbc-pcscf (default) – SBC acts as integrated SBC+PCSCF mode.
  • Sbc-only: SBC-only mode. The SBC disregards the configured security mechanism (ipsec-3gpp or tls) in the profile, if any.

When you configure Sbx Sec Mode as "Sbc-only", you must configure a Transparency Profile in an egress trunk group.

Force Client
Security

If Enabled, while selecting the Security Mechanism, the precedence is given to the order of occurrence of mechanism-name values in the Security-Client header.

  • Disabled (default)
  • Enabled

Reject Sec Unsupported Request

Enable this flag to reject the incoming REGISTER when it does not contain "sec-agree" header value (in Require or Proxy-Require headers) or does not contain any supported mechanism-name (ipsec-3gpp) in "Security-Client" header.
Use default setting "Disabled" to process messages using "Digest without TLS" security mechanism.

  • Disabled (default)
  • Enabled

Encryption Preference

Specify the SIP Security Profile encryption preference.

  • Always-encrypt – Use this option to reject REGISTER requests if the UE offers a NULL encryption algorithm. 
  • None (default) – If this option is configured the SBC compares the UE's offer of encryption algorithms with the list of supported encryption algorithms, and selects the first matched entry in the 401 response for the REGISTER request. The SBC accepts the NULL encryption algorithm if it is the first one in the UE's offer.
  • Null-forced –  Use this option to enforce NULL encryption irrespective of what encryption algorithm offered by the UE. The SBC acting as a Proxy For Call Session Control Function (P-CSCF) always disables encryption. 

To Delete SIP Security Profile

To delete any of the created SIP Security Profile, click the radio button next to the specific SIP Security Profile.

Click Delete at the end of the highlighted row. A delete confirmation message appears seeking your decision.

Click Yes to remove the specific SIP Security Profile.

  • No labels