Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Added workflow

Add_workflow_for_techpubs
AUTH1
JIRAIDAUTHSBX-52223
REV5
REV6
REV3
REV1

Panel

In this section:

Table of Contents

Info
iconfalse

Related articles:

 

The SIP Security Profile feature defines the type and behavior of security mechanism to apply to the 

Spacevars
0product
acting as P-CSCF.

Note
iconfalse
titleNote

When configuring sipSecurityProfile on a particular sipTrunkGroup, ensure authcodeHeaders transparency flag (refer to Common IP Attributes - SIP - CLI) is not enabled on the same Trunk Group.

Excerpt
Note
iconfalse
titleNote

When configuring a SIP Security Profile in P-CSCF mode, a Sip Security Mechanism is required.

Include Page
Transparency_Profile_Note
Transparency_Profile_Note

Command Syntax

The CLI syntax to configure the SIP Security Profile is shown below:

Code Block
languagenone
% set profiles services sipSecurityProfile <profile name>
	encryptionPreference <always-encrypt | none | null-forced>
	forceClientSecurityPref <disabled | enabled> 
	rejectSecUnsupportedRequest <disabled | enabled>
	sbxSecMode <sbc-only | sbc-pcscf>
	sipSecurityMechanism <ipsec-3gpp | tls> precedence <1-65535> 

Command Parameters

Caption
0Table
1SIP Security Profile

Parameter

Description

sipSecurityProfile

<profile name> – Security profile name (1-23 characters).

encryptionPreference

Use this parameter to define the encryption preference for this SIP Security Profile.

  • always-encrypt – The
    Spacevars
    0product
    rejects REGISTER requests if the UE offers a NULL encryption algorithm. 
  • none (default) – The 
    Spacevars
    0product
    compares the UE's offer of encryption algorithms with the list of supported encryption algorithms, and selects the first matched entry in the 401 response for the REGISTER request. The
    Spacevars
    0product
    accepts the NULL encryption algorithm if it is the first one in the UE's offer.
  • null-forced Enforce NULL encryption irrespective of what encryption algorithm offered by the UE. The SBC acting as a Proxy For Call Session Control Function (P-CSCF) always disables encryption. 

forceClientSecurityPref

Enable this flag to give precedence to the order of occurrence of "mechanism-name" value in the "Security-Client" header while selecting the Security Mechanism to apply.

  • disabled (default)
  • enabled

rejectSecUnsupportedRequest

Enable this flag to reject the incoming REGISTER when it does not contain "sec-agree" header value (in Require or Proxy-Require headers) or does not contain any supported mechanism-name (ipsec-3gpp) in "Security-Client" header.
Use default setting "disabled" to process messages using "Digest without TLS" security mechanism.

  • disabled (default)
  • enabled
sbxSecMode

Use this parameter to define the

Spacevars
0product
security mode for this SIP Security Profile.

  • sbc-only –
    Spacevars
    0product
    -only mode. The
    Spacevars
    0product
    disregards the configured security mechanism (ipsec-3gpp or tls) in the profile, if any.
  • sbc-pcscf (default) – Integrated
    Spacevars
    0product
    +PCSCF mode.

When sbxSecMode is configured as sbc-only, you must configure a Transparency Profile for following headers in an egress trunk group. See example configuration below.

sipSecurityMechanism

Identifies the list of security mechanisms supported by 

Spacevars
0product
and the corresponding precedence level for each security mechanism.

  • ipsec-3gpp precedence <1-65535> – The precedence to assign to IMS AKA security mechanism. A lower value represents a higher precedence.
  • tls precedence <1-65535> –  The precedence to assign to TLS security mechanism. A lower value represents a higher precedence.

Command Examples

Anchor
sbxSecMode
sbxSecMode
When
Spacevars
0product
 Security Mode (sbxSecMode) is set to sbc-only, configure a Transparency Profile for following headers in egress trunk group:

Code Block
languagenone
% set profiles services transparencyProfile <profile name> sipHeader Require
% set profiles services transparencyProfile <profile name> sipHeader Proxy-Require
% set profiles services transparencyProfile <profile name> sipHeader Security-Client
% set profiles services transparencyProfile <profile name> sipHeader Security-Verify
% set profiles services transparencyProfile <profile name> state enabled
% set addressContext <AC name> zone <zone name> sipTrunkGroup <trunk group name> services transparencyProfile <profile  name>

 

The following example configuration accomplishes the following:

  • Creates a SIP security profile named "S-PROFILE1", sets "forceClientSecurityPref" and "rejectSecUnsupportedRequest" to "enabled", and sets SIP security mechanism "ipsec-3gpp" to precedence of "1".
  • Assign S-PROFILE1 to SIP trunk group "STG-1".
Code Block
languagenone
% set profiles services sipSecurityProfile S-PROFILE1 forceClientSecurityPref enabled rejectSecUnsupportedRequest enabled sipSecurityMechanism ipsec-3gpp precedence 1 
% set addressContext default zone MYZONE sipTrunkGroup STG-1 services sipSecurityProfile S-PROFILE1 

Pagebreak