The SIP Security Profile feature defines the type and behavior of the security mechanism to apply to the SBC acting as P-CSCF.

Note: When configuring sipSecurityProfile on a particular sipTrunkGroup, ensure the authcodeHeaders transparency flag (... refer to Common IP Attributes - SIP - CLI) is not enabled on the same Trunk Group.

Note: When configuring a SIP Security Profile in P-CSCF mode, a SIP Security Mechanism is required.


Command Syntax

The CLI syntax to configure the SIP Security Profile is shown below:

% set profiles services sipSecurityProfile <profile name>
	encryptionPreference <always-encrypt | none | null-forced>
	forceClientSecurityPref <disabled | enabled> 
	rejectSecUnsupportedRequest <disabled | enabled>
	sbxSecMode <sbc-only | sbc-pcscf>
	sipSecurityMechanism <ipsec-3gpp | tls> precedence <1-65535> 

Command Parameters

Table: SIP Security Profile

Parameter

...

Description

sipSecurityProfile

...

<profile name> – Security profile name (1-23 characters).

encryptionPreference

...

N/A

Use this parameter to define the encryption preference for this SIP Security Profile.

  • always-encrypt – The SBC rejects REGISTER requests if the UE offers a NULL encryption algorithm.
  • none (default) – The SBC compares the UE's offer of encryption algorithms with the list of supported encryption algorithms, and selects the first matched entry in the 401 response for the REGISTER request. The SBC accepts the NULL encryption algorithm if it is the first one in the UE's offer.
  • null-forced – Enforces NULL encryption irrespective of the encryption algorithm offered by the UE. The SBC acting as a Proxy Call Session Control Function (P-CSCF) always disables encryption.

forceClientSecurityPref

Enable this flag to give precedence to the order of occurrence of "mechanism-name" value in the "Security-Client" header while selecting the Security Mechanism to apply.

  • disabled (default)
  • enabled

rejectSecUnsupportedRequest

...

Enable this flag to reject the incoming REGISTER when it does not contain the "sec-agree" header value (in the Require or Proxy-Require headers) or does not contain any supported mechanism-name (ipsec-3gpp) in the "Security-Client" header. Use the default setting "disabled" to process messages using the "Digest without TLS" security mechanism.

  • disabled (default)
  • enabled

sbxSecMode

...

Use this parameter to define the SBC security mode for this SIP Security Profile.

  • sbc-only – SBC-only mode. The SBC disregards the configured security mechanism (ipsec-3gpp or tls) in the profile, if any.
  • sbc-pcscf (default) – Integrated SBC+PCSCF mode.

When sbxSecMode is configured as sbc-only, you must configure a Transparency Profile for the Require, Proxy-Require, Security-Client and Security-Verify headers in the egress trunk group. See the example configuration below.

sipSecurityMechanism

...

N/A

Identifies the list of security mechanisms supported by the SBC and the corresponding precedence level for each security mechanism.

  • ipsec-3gpp precedence <1-65535> – The precedence to assign to IMS AKA security mechanism. A lower value represents a higher precedence.
  • tls precedence <1-65535> –  The precedence to assign to TLS security mechanism. A lower value represents a higher precedence.
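
The selection rules in the table above, modeled in Python as an added example (not SBC code and not part of the original page), so a profile can be checked against a UE offer before it is deployed. The Profile class, decide(), the SUPPORTED_EALG list, treating a missing ealg as NULL, and falling back to configured precedence when forceClientSecurityPref is disabled are assumptions; the model covers sbc-pcscf mode only.

```python
# Added illustration: a model of the REGISTER handling in the parameter table.
# Not SBC code; parsing, return values and SUPPORTED_EALG are assumptions.
from dataclasses import dataclass, field

SUPPORTED_EALG = ["aes-cbc", "des-ede3-cbc", "null"]  # assumed supported list

@dataclass
class Profile:
    encryption_preference: str = "none"   # encryptionPreference
    force_client_pref: bool = False       # forceClientSecurityPref
    reject_unsupported: bool = False      # rejectSecUnsupportedRequest
    mechanisms: dict = field(default_factory=dict)  # sipSecurityMechanism: name -> precedence

def parse_security_client(value):
    """Return [(mechanism, {param: value})] in the order the UE listed them."""
    offers = []
    for entry in filter(None, (e.strip() for e in value.split(","))):
        name, *params = [p.strip().lower() for p in entry.split(";")]
        offers.append((name, dict(p.split("=", 1) for p in params if "=" in p)))
    return offers

def decide(profile, headers):
    """Return (action, mechanism, ealg) for one REGISTER's headers."""
    tags = ",".join(headers.get(h, "") for h in ("Require", "Proxy-Require")).lower()
    sec_agree = "sec-agree" in [t.strip() for t in tags.split(",")]
    offers = [o for o in parse_security_client(headers.get("Security-Client", ""))
              if o[0] in profile.mechanisms]
    if not sec_agree or not offers:
        action = "reject" if profile.reject_unsupported else "digest-without-tls"
        return (action, None, None)
    if profile.force_client_pref:          # UE's order of occurrence wins
        mech = offers[0][0]
    else:                                  # assumed: configured precedence, lowest wins
        mech = min((o[0] for o in offers), key=profile.mechanisms.get)
    if mech != "ipsec-3gpp":
        return ("accept", mech, None)
    # A missing ealg is treated as NULL here (assumption).
    ealgs = [p.get("ealg", "null") for m, p in offers if m == mech]
    if profile.encryption_preference == "null-forced":
        return ("accept", mech, "null")
    if profile.encryption_preference == "always-encrypt" and "null" in ealgs:
        return ("reject", mech, None)
    chosen = next((e for e in ealgs if e in SUPPORTED_EALG), None)
    return ("accept", mech, chosen) if chosen else ("reject", mech, None)

# Constructed sample: the UE lists NULL encryption first, then AES.
REGISTER = {"Require": "sec-agree", "Proxy-Require": "sec-agree",
            "Security-Client": "ipsec-3gpp; alg=hmac-sha-1-96; ealg=null, "
                               "ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc, tls"}
```

With the default encryptionPreference of none, the constructed REGISTER is accepted with NULL encryption because the UE listed it first; always-encrypt rejects the same request.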

Command Examples

When the SBC Security Mode (sbxSecMode) is set to sbc-only, configure a Transparency Profile for the following headers in the egress trunk group:

% set profiles services transparencyProfile <profile name> sipHeader Require
% set profiles services transparencyProfile <profile name> sipHeader Proxy-Require
% set profiles services transparencyProfile <profile name> sipHeader Security-Client
% set profiles services transparencyProfile <profile name> sipHeader Security-Verify
% set profiles services transparencyProfile <profile name> state enabled
% set addressContext <AC name> zone <zone name> sipTrunkGroup <trunk group name> services transparencyProfile <profile name>

The following example configuration:

  • Creates a SIP security profile named "S-PROFILE1", sets "forceClientSecurityPref" and "rejectSecUnsupportedRequest" to "enabled", and sets SIP security mechanism "ipsec-3gpp" to a precedence of "1".
  • Assigns S-PROFILE1 to SIP trunk group "STG-1".

% set profiles services sipSecurityProfile S-PROFILE1 forceClientSecurityPref enabled rejectSecUnsupportedRequest enabled sipSecurityMechanism ipsec-3gpp precedence 1 
% set addressContext default zone MYZONE sipTrunkGroup STG-1 services sipSecurityProfile S-PROFILE1 
