
New CLI in

11

12.

1

0.0R0

SBX-75851 Support for TLS 1.3 on SBC Core

The flag v1_3 is added to the TLS Profile to configure TLS 1.3 support. In addition, three Ciphersuites are added to support TLS 1.3.

Command Syntax

Code Block
titleExample
% set profiles security tlsProfile <tls profile name> v1_3 <disabled | enabled>
% set profiles security tlsProfile <tls profile name> cipherSuite <cipherSuite1/2/3>
   tls_aes_128_gcm_sha256
   tls_aes_256_gcm_sha384
   tls_chacha20_poly1305_sha256

Command Parameters

Parameter: v1_3
Length/Range: n/a
Default: disabled
Description: Enable this flag to configure the SBC to support TLS 1.3 on the ingress and egress legs.
  • disabled
  • enabled
M/O: O

Parameter: tls_aes_128_gcm_sha256
Length/Range: n/a
Default: n/a
Description: TLS 1.3 Ciphersuite
M/O: O

Parameter: tls_aes_256_gcm_sha384
Length/Range: n/a
Default: n/a
Description: TLS 1.3 Ciphersuite
M/O: O

Parameter: tls_chacha20_poly1305_sha256
Length/Range: n/a
Default: n/a
Description: TLS 1.3 Ciphersuite
M/O: O

Configuration Examples

Code Block
languagenone
set profiles security tlsProfile defaultTlsProfile v1_3 enabled
set profiles security tlsProfile defaultTlsProfile cipherSuite1 tls_aes_128_gcm_sha256
set profiles security tlsProfile defaultTlsProfile cipherSuite2 tls_aes_256_gcm_sha384
set profiles security tlsProfile defaultTlsProfile cipherSuite3 tls_chacha20_poly1305_sha256
commit

SBX-86522 RFC 7044 for SIP History-Info

Four flags and an Ingress IP heading are added to the IP Signaling Profile.

Two flags are set at Egress:

  • supportRFC7044
  • applyHistoryInfoPrivacy

Two flags are set at Ingress:

  • supportRFC7044Ingress
  • applyHistoryInfoPrivacyIngress

Lastly, an Ingress IP heading is added to support the above two Ingress flags:

  • ingressHistoryInformation

Command Syntax

Code Block
titlesupportRFC7044
% set profiles signaling ipSignalingProfile <profile name> egressIpAttributes sipHeadersAndParameters callForwarding historyInformation includeHistoryInformation <disable | enable> supportRFC7044 <disable | enable>

Code Block
titleapplyHistoryInfoPrivacy
% set profiles signaling ipSignalingProfile <profile name> egressIpAttributes sipHeadersAndParameters callForwarding historyInformation includeHistoryInformation <disable | enable> applyHistoryInfoPrivacy <disable | enable>

Code Block
titlesupportRFC7044Ingress
% set profiles signaling ipSignalingProfile <profile name> ingressIpAttributes ingressHistoryInformation supportRFC7044Ingress <disable | enable>

Code Block
titleapplyHistoryInfoPrivacyIngress
% set profiles signaling ipSignalingProfile <profile name> ingressIpAttributes ingressHistoryInformation applyHistoryInfoPrivacyIngress <disable | enable>

Command Parameters

Parameter: supportRFC7044
Description: Enable this flag to set the History-Info header's behavior in accordance with RFC-7044.
  • disable (default)
  • enable
M/O: O

Parameter: applyHistoryInfoPrivacy
Description: Enable this flag to anonymize the History-Info header.
  • disable (default)
  • enable
M/O: O

Parameter: supportRFC7044Ingress
Description: Enable this flag to set the History-Info header's behavior in accordance with RFC-7044 towards the Ingress leg.
  • disable (default)
  • enable
M/O: O

Parameter: applyHistoryInfoPrivacyIngress
Description: Enable this flag to anonymize the History-Info header towards the Ingress leg.
  • disable (default)
  • enable
M/O: O

Parameter: ingressHistoryInformation
Description: Use this heading to enable the following flags:
  • supportRFC7044Ingress
  • applyHistoryInfoPrivacyIngress
M/O: O

Configuration Examples

Code Block
titleExample: supportRFC7044
set profiles signaling ipSignalingProfile DEFAULT_SIP egressIpAttributes sipHeadersAndParameters callForwarding historyInformation includeHistoryInformation enable supportRFC7044 enable
commit

Code Block
titleExample: applyHistoryInfoPrivacy
set profiles signaling ipSignalingProfile DEFAULT_SIP egressIpAttributes sipHeadersAndParameters callForwarding historyInformation includeHistoryInformation enable applyHistoryInfoPrivacy enable
commit

Code Block
titleExample: supportRFC7044Ingress
set profiles signaling ipSignalingProfile DEFAULT_SIP ingressIpAttributes ingressHistoryInformation supportRFC7044Ingress enable
commit

Code Block
titleExample: applyHistoryInfoPrivacyIngress
set profiles signaling ipSignalingProfile DEFAULT_SIP ingressIpAttributes ingressHistoryInformation applyHistoryInfoPrivacyIngress enable
commit

SBX-93114 SIP Registrar Functionality Support

The SBC Core is enhanced to support SIP Registrar functionality for SIP end points. This feature allows the Ribbon SBC to act as an Access SBC with Registrar functionality in a single deployment.

SIP TG - Signaling - SIP Local Registrar - CLI

The CLI object sipLocalRegistrar to support the SIP Registrar functionality is added to the CLI in this release.

Command Syntax

The following CLI shows how to enable the SIP Local Registrar functionality.

Code Block
titlesipTrunkGroup - signaling - sipLocalRegistrar - CLI
set addressContext <name> zone <name> sipTrunkGroup <name> signaling sipLocalRegistrar <disabled | enabled>

Command Parameters

Parameter: sipLocalRegistrar
Length/Range: N/A
Default: disabled
Description: Use this flag to enable the SIP Local Registrar functionality. When enabled, messages are sent to the SIP Local Registrar.
  • disabled (default)
  • enabled

Command Example

Code Block
titlesipTrunkGroup - signaling - sipLocalRegistrar - CLI Example
set addressContext <name> zone <name> sipTrunkGroup <name> signaling sipLocalRegistrar <disabled | enabled>

For more information, refer to SIP TG - Signaling - SIP Local Registrar - CLI.

Signaling - Global - CLI - SIP Local Registrar Object

Command Syntax

Code Block
titleSIP Local Registrar
% set global signaling sipLocalRegistrar
    expires <15-65535>
    minExpires <15-65535>
    sipRegSubscriberProfile <aor Name>
        sipRegAdminState <active | inactive>
        sipRegSendChallenge <challengeForNone | challengeForRegister | challengeForRegisterAndInvite>
        sipRegAuthRealm <authentication Realm>
        sipRegAuthUserName <authentication UserName>
        sipRegAuthPassword <authentication Password>

% show global signaling sipLocalRegistrar
    sipRegSubscriberProfile <aor Name>
    expires
    minExpires

Command Parameters

Parameter: expires
Length/Range: 15-65535
Default: 3600
Description: The Expiry value used for Registration.
M/O: O

Parameter: minExpires
Length/Range: 15-65535
Default: 30
Description: The Min-Expiry value used for Registration. If a REGISTER is received with an Expires value less than this field, a 423 error is generated.
M/O: O

Parameter: sipRegSubscriberProfile
Length/Range: 1-127 characters
Default: N/A
Description: This represents the Address Of Record (AOR) of the user. This is the mandatory key against which the binding is created. The AOR uses the "user@host" format. For example, testUser@example.com. Also see CLI example below.
M/O: M

Parameter: sipRegAdminState
Length/Range: N/A
Default: active
Description: Defines if Subscriber state is active or inactive. The choices are:
  • active (default)
  • inactive
M/O: O

Parameter: sipRegSendChallenge
Length/Range: N/A
Default: challengeForNone
Description: Defines how the Authentication Challenge is sent.
  • challengeForNone - Authentication challenge is not initiated for any of the messages.
  • challengeForRegister - Authentication challenge is initiated for REGISTER messages only.
  • challengeForRegisterAndInvite - Authentication challenge is initiated for REGISTER/INVITE messages (re-INVITE would not be challenged).
M/O: O

Parameter: sipRegAuthRealm
Length/Range: 1-127 characters
Default: N/A
Description: The Authorization realm for SIP registration.
M/O: O

Parameter: sipRegAuthUserName
Length/Range: 1-127 characters
Default: N/A
Description: The Authorization user name for SIP registration.
M/O: O

Parameter: sipRegAuthPassword
Length/Range: 6-32 characters
Default: N/A
Description: DES3 (triple Digital Encryption Standard) encrypted string authentication password for SIP local registration. All ASCII characters from 33 to 126 (except 34 - double quotes) are allowed.

Note:

If Authentication Password contains ASCII characters, enclose the entire password string with double quotes (" ").

Example using double quotes:

"Password1:@\#:########~%&*@#"

Since the SBC Registrar supports bulk load configuration, the length of the password string is not validated at the time of entry into the database. The Admin must make sure that the length is within the prescribed range (6-32 characters). For such out-of-bound passwords, authentication can fail with a 403 error response.

M/O: O

Command Example

Code Block
titlesipLocalRegistrar Configuration Examples
set global signaling sipLocalRegistrar expires 3500
set global signaling sipLocalRegistrar minExpires 300

set global signaling sipLocalRegistrar sipRegSubscriberProfile testUser@example.com sipRegAdminState active sipRegSendChallenge challengeForRegisterAndInvite sipRegAuthRealm example.com sipRegAuthUserName testUser sipRegAuthPassword password1

show global signaling sipLocalRegistrar sipRegSubscriberProfile testUser@example.com
      sipRegAuthUserName  testUser;
      sipRegAuthRealm     example.com;
      sipRegAuthPassword  $7$FZ5ju2oDUvNyLs8MvuBYmoCo55fOBhnu;
      sipRegAdminState    active;
      sipRegSendChallenge challengeForRegisterAndInvite;

show global signaling sipLocalRegistrar expires
expires 3500

show global signaling sipLocalRegistrar minExpires
minExpires 300

show status global sipLocalRegistrar
sipLocalRegistrarRegStatus 53056@10.xx.xx.70 {
    state          active;
    contactURI     sip:53056@10.xx.1xx.xx:5xx0;
    expirationTime 3600;
    creationTime   2022-09-08T10:23:29+00:00;
    refreshTime    0000-00-00T00:00:00+00:00;
    remainingTime  3493;
}
sipLocalRegistrarRegCountStatistics entry {
    sipRegAttemptCount      1;
    sipRegChallengedCount   1;
    sipRegStableCount       1;
    sipRegFailed403Count    0;
    sipRegFailed404Count    0;
    sipRegFailed503Count    0;
    sipRegFailedOthersCount 0;
}

request global sipLocalRegistrar sipRegCountReset

request global sipLocalRegistrar sipRegistrationDeleteByAor sipRegAor 53056@10.xx.xx.70
result success

For more information, refer to Signaling - Global - CLI.

SBX-116105 Support for Linear 16 (L16) on SBC

Codec Entry

The codec "l16-16" is added to Codec Entry. Select "l16-16" to enable transcoding for the L16 codec.

Command Syntax

Code Block
titleExample
% set profiles media codecEntry <name>
    codec <codec type: l16-16>
    packetSize <10 | 20>
    preferredRtpPayloadType <0-127>

Command Parameters

Codec: l16-16
Description: Select to allow transcoding for the L16 codec.
M/O: O

Configuration Examples

Code Block
languagenone
set profiles media codecEntry NewCodec codec l16-16 packetSize 20 preferredRtpPayloadType 96
commit

Codec Routing Priority

The codec "L16" is added to Codec Routing Priority. Select "L16" to enable codec routing priority for the L16 codec.

Command Syntax

Code Block
titleExample
% set profiles media codecRoutingPriority <codec: L16>

Command Parameters

Codec: L16
Description: Select to enable codec routing priority for the L16 codec.
M/O: O

Configuration Examples

Code Block
languagenone
set profiles media codecRoutingPriority L16 entry L16
commit


Packet Service Profile Entity

The codec "l16" is added to the Codec list for Packet Service Profile Entity. Select "l16" at "This Leg" and/or "Other Leg" to enable transcoding for the L16 codec.

Command Syntax

Code Block
titleExample
% set profiles media packetServiceProfile <unique_profile_name> packetToPacketControl
	codecsAllowedForTranscoding
        otherLeg <l16>
        thisLeg <l16>

Command Parameters

Codec: l16
Description: Select to allow transcoding for the L16 codec.
M/O: O

Configuration Examples

Code Block
languagenone
set profiles media packetServiceProfile TEST_1 packetToPacketControl codecsAllowedForTranscoding otherLeg l16
set profiles media packetServiceProfile TEST_1 packetToPacketControl codecsAllowedForTranscoding thisLeg l16
commit

SIP Local Registrar - Request CLI

Command Syntax

Code Block
titlesipLocalRegistrar - Request CLI
% request global sipLocalRegistrar sipLocalRegistrarRegDeleteByAor <aor Name>

% request global sipLocalRegistrar sipRegCountReset

Command Parameters

Parameter: sipLocalRegistrarRegDeleteByAor
Length/Range: N/A
Default: N/A
Description: Use this flag to delete an AOR entry from the Registrar.

Parameter: sipRegCountReset
Length/Range: N/A
Default: N/A
Description: Use this parameter to reset the count of statistics.
Note: This resets all the counters except for stable registration. Stable registrations are displayed per real time numbers.

Note: The aor Name in the CLI above represents the AOR of the user (1-127 characters).

For more information, refer to Request Global - CLI.

SIP Local Registrar - Show CLI

Command Syntax

Code Block
titlesipLocalRegistrar - Show CLI
% show status global sipLocalRegistrar
    sipActiveLocalRegistrarRegStatus
    sipLocalRegistrarRegCountStatistics
    sipLocalRegistrarRegCountCurStats
    sipLocalRegistrarRegCountIntStats

% show table global sipLocalRegistrar sipLocalRegistrarRegCountStatistics

Command Parameters

Parameter: sipActiveLocalRegistrarRegStatus
Length/Range: N/A
Default: N/A
Description: Shows the status of the AOR registered with the Registrar. If the AOR name is not provided, this shows the data for all the AORs registered at the Registrar.

Parameter: sipLocalRegistrarRegCountStatistics
Length/Range: N/A
Default: N/A
Description: Shows the attempt/stable/failed counts for registrations received at the Registrar. The statistics display the following fields:
  • sipRegAttemptCount – The total count of the register attempts.
  • sipRegChallengedCount – The count of the challenged register attempts.
  • sipRegStableCount – The count of the currently active and stable registered users.
  • sipRegFailed403Count – The count of the registers failed with a 403 SIP response code.
  • sipRegFailed404Count – The count of the registers failed with a 404 SIP response code.
  • sipRegFailed503Count – The count of the registers failed with a 503 SIP response code.
  • sipRegFailedOthersCount – The count of the registers failed with other SIP response codes.

Parameter: sipLocalRegistrarRegCountCurStats
Length/Range: N/A
Default: N/A
Description: The high water mark of total number of stable registrations for the current interval.

Parameter: sipLocalRegistrarRegCountIntStats
Length/Range: N/A
Default: N/A
Description: The high water mark of total number of stable registrations for the reporting interval.

For more information, refer to Show Status Global.

SBX-111375 LDAP AD authentication support

The parameter ldapConfigurationMode is added to the ldapAuthentication configuration for the user to choose the "advanced" mode option to configure the newly-added parameters.

Command Syntax

Code Block
titleNew ldapConfigurationMode Syntax
% set oam ldapAuthentication ldapConfigurationMode <advanced | legacy>

Code Block
title ldapServer Syntax (Legacy Mode)
% set oam ldapAuthentication ldapServer <serverName>
    bindMethod <sasl | simple>
    binddn <name>
    groupNameAttribute <groupName, or empty string>
    ldapServerAddress <IPv4, IPv6 or FQDN>
    ldapServerPort <valid port>
    priority <1-25>
    saslMechanism <digest-md5 | plain>
    searchbase <1-255 characters>
    state <disabled | enabled>
    transport <ldaps | tcp | tls>

Code Block
title ldapServer Syntax (Advanced Mode)
% set oam ldapAuthentication ldapServer <serverName>
    bindMethod <sasl | simple>
    binddn <name>
    ldapServerAddress <IPv4, IPv6 or FQDN>
    ldapServerPort <valid port>
    priority <1-25>
    returnAttribute <1-255 characters>
    saslMechanism <digest-md5 | plain>
    searchFilter <1-255 characters>
    searchbase <1-255 characters>
    state <disabled | enabled>
    systemPassword <password>
    systemUsername <1-255 characters>
    transport <ldaps | tcp | tls>

Command Parameters

ldapAuthentication (New Parameter)

The ldapConfigurationMode parameter is added to the LDAP Authentication configuration to specify legacy or advanced modes.

Parameter: ldapConfigurationMode
Length/Range: n/a
Default: legacy
Description: The configuration mode for the LDAP client.
  • legacy – Use this option for legacy LDAP behavior.
  • advanced – Use this option to support Microsoft Active Directory (AD) services.
M/O: O

ldapServer (Updated Parameters)

The following parameters are updated in this release (for both 'legacy' and 'advanced' modes):

Parameter: ldapServerAddress
Length/Range: IPv4 address, IPv6 address, FQDN
Description: The IPv4 address, IPv6 address or FQDN of the server as a hostname. The supported formats are:
  • IPv4 address (In dot notation)
  • IPv6 address (In hex-colon notation)
  • FQDN
M/O: M

Parameter: priority
Length/Range: 1-25
Description: <priority #> – The server priority, where '1' is the highest priority.
M/O: M

Parameter: saslMechanism
Length/Range: N/A
Description: The SASL mechanism to use.
  • digest-md5 – Use this option to send the username and password as a hash so they are not viewable on the wire even if the transport is TCP.
  • plain (default)
M/O: O

ldapServer (New Parameters)

The following new LDAP Server parameters are available when ldapConfigurationMode is set to advanced:

Parameter: returnAttribute
Length/Range: 1-255 characters
Description: The attribute returned from the search for the group name of the LDAP user. For example, in the above query, if cn is specified as the return attribute, then the returned attribute will be: users. The query may return multiple users.
M/O: O

Parameter: searchFilter
Length/Range: 1-255 characters
Description: The LDAP filter used to search for the group name of the LDAP user. Specify {0} in the search filter to specify the user in the searchFilter. For example: (&(objectClass=group)(member=cn={0},CN=Users,DC=example,DC=tst))
M/O: O

Parameter: systemPassword
Length/Range: string
Description: The password for the LDAP user with Administrative privileges (systemUser). Leave blank if the systemUsername is not specified.
M/O: O

Parameter: systemUsername
Length/Range: 1-255 characters
Description: An LDAP user with Administrative privileges. Leave blank, or enter a user name.
Note: If ldapConfigurationMode = advanced, the SBC LDAP client binds with the provided systemUsername and systemPassword. This allows the LDAP query specified in the searchFilter to access the records needed to ascertain the group of the user under authentication. The systemUsername and systemPassword are optional. If a systemUsername is not specified, the SBC performs the search specified in searchFilter using the user's credentials. If a systemUsername is specified, you cannot leave the systemPassword field blank.
M/O: O

Configuration Example

An example of LDAP Authentication using the "advanced" mode is provided below:

Code Block
languagenone
set oam ldapAuthentication ldapConfigurationMode advanced
set oam ldapAuthentication ldapServer ldap1 priority 1
set oam ldapAuthentication ldapServer ldap1 state enabled
set oam ldapAuthentication ldapServer ldap1 bindMethod simple
set oam ldapAuthentication ldapServer ldap1 saslMechanism plain
set oam ldapAuthentication ldapServer ldap1 systemUsername CN=Administrator,CN=Users,DC=mdroot,DC=tst
set oam ldapAuthentication ldapServer ldap1 systemPassword xxxyyyzzz
set oam ldapAuthentication ldapServer ldap1 transport ldaps
set oam ldapAuthentication ldapServer ldap1 binddn "cn={0},CN=Users,dc=mdroot,dc=tst"
set oam ldapAuthentication ldapServer ldap1 searchbase CN=Builtin,DC=mdroot,DC=tst
set oam ldapAuthentication ldapServer ldap1 ldapServerAddress rdc1.mdroot.tst
set oam ldapAuthentication ldapServer ldap1 ldapServerPort 636
set oam ldapAuthentication ldapServer ldap1 searchFilter (&(objectClass=group)(member=CN=Administrator,CN=Users,DC=mdroot,DC=tst))
set oam ldapAuthentication ldapServer ldap1 returnAttribute cn
commit

SBX-122231 FIPS 140-3 Support in SBC

In the CLI to enable FIPS mode, the parameter fips-140-2 is changed to fips-140-3.

Command Syntax

Code Block
% set system admin <SYSTEM NAME> fips-140-3 mode <disabled | enabled>

Command Parameters

Parameter: fips-140-3 mode
Length/Range: N/A
Default: disabled
Description: Use this object to enable FIPS-140-3 mode.
  • disabled (default)
  • enabled

NOTE: Once you enable fips-140-3 mode, you cannot manually disable it. A fresh software installation is required to set the FIPS-140-3 mode back to 'disabled'.

Configuration Example

Code Block
set system admin vsbcSystem fips-140-3 mode enabled

For more information, refer to FIPS-140-3 - CLI.

SBX-118127 SHAKEN Fields in CDR for Identity Header Passthrough

This feature adds the CLI parameter storeIdentityHdrtoCdr to the SIP Trunk Group > Services CLI. This CLI configuration is used to decide which identity headers are captured in the CDR.

Command Syntax

Code Block
titlestoreIdentityHdrtoCdr
% set addressContext <address context name> zone <ZONE> sipTrunkGroup <TG> services storeIdentityHdrtoCdr

Command Parameters

Parameter: storeIdentityHdrtoCdr
Length/Range: N/A
Default: none
Description: The SBC stores the base64 decoded Identity headers received and sent in the SIP INVITE message. Use this flag to specify the Identity headers to store in the CDR record.

  • all
  • div
  • none (default)
  • other
  • rcd
  • rph
  • shaken

You can specify all the identity headers in the list to store them in the CDR, or choose the ones you require. However, if you select 'none' and another option, for example 'shaken', 'none' takes precedence and no identity headers are stored in the CDR.

Similarly, if you select 'all' and another identity header, for example 'shaken', the choice 'all' takes precedence and all the identity headers in the list are stored in the CDR.

The values are a comma-separated list of categories. The priority order for writing in the CDR, from the highest to the lowest, is SHAKEN, RPH, RCD, DIVs and OTHER. A maximum of nine identity headers are logged in the CDR for ingress and egress. If the higher priority headers take up all the space, then the lower priority headers are not written in the CDR.

When more than one SHAKEN header arrives in the Ingress INVITE, the following is the order of precedence in which the Identity header is picked:

  1. SHAKEN header with Attestation Level 'A' is picked.
  2. If more than one SHAKEN header with Attestation 'A' level is present, the top-most 'A' level SHAKEN header is picked.
  3. If no Attestation Level 'A' SHAKEN header is present, then Attestation level 'B' SHAKEN header is picked.
  4. If more than one SHAKEN header with 'B' level is present, the top-most 'B' level SHAKEN header is picked.
  5. If no Attestation Level 'B' SHAKEN header is present, then Attestation level 'C' SHAKEN header is picked.
  6. If more than one SHAKEN header with Attestation 'C' level is present, the top-most 'C' level SHAKEN header is picked.

M/O: O

Configuration Example

Code Block
titlestoreIdentityHdrtoCdr - CLI Example
set addressContext default zone <ZONE_IN> sipTrunkGroup <TG_IN> services storeIdentityHdrtoCdr shaken,rph

For more information, refer to SIP Trunk Group - Services - CLI.
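
The storeIdentityHdrtoCdr rules described on this page for SBX-118127 ('none' and 'all' precedence, the CDR priority order with its nine-header limit, and the attestation-level choice among SHAKEN headers) are modeled here in Python as an added example; it is not Ribbon SBC code. The IdentityHeader type, the function names and the sample headers are hypothetical, and two readings are assumptions: only the single picked SHAKEN header is stored, and 'none' wins if both 'none' and 'all' are given.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# CDR write priority stated on the page, highest first.
PRIORITY: Tuple[str, ...] = ("shaken", "rph", "rcd", "div", "other")
MAX_HEADERS = 9  # page: at most nine identity headers per direction


@dataclass(frozen=True)
class IdentityHeader:
    """Hypothetical decoded Identity header: category plus SHAKEN attest level."""
    category: str
    attest: Optional[str] = None  # 'A', 'B' or 'C' for shaken headers
    tag: str = ""                 # constructed label to tell samples apart


def effective_categories(setting: str) -> Tuple[str, ...]:
    """Resolve a comma-separated storeIdentityHdrtoCdr value to categories."""
    chosen = {c.strip().lower() for c in setting.split(",") if c.strip()}
    unknown = chosen - set(PRIORITY) - {"all", "none"}
    if unknown:
        raise ValueError(f"unknown category: {sorted(unknown)}")
    if "none" in chosen or not chosen:   # 'none' beats every other choice
        return ()
    if "all" in chosen:                  # 'all' beats individual categories
        return PRIORITY
    return tuple(c for c in PRIORITY if c in chosen)


def pick_shaken(headers: List[IdentityHeader]) -> Optional[IdentityHeader]:
    """Top-most header at the best attestation level present: A, then B, then C."""
    for level in ("A", "B", "C"):
        for hdr in headers:              # list order = order in the INVITE
            if hdr.category == "shaken" and hdr.attest == level:
                return hdr
    return None


def headers_for_cdr(setting: str, headers: List[IdentityHeader]) -> List[IdentityHeader]:
    """Headers that would be written for one direction, in priority order."""
    selected: List[IdentityHeader] = []
    for category in effective_categories(setting):
        if category == "shaken":
            best = pick_shaken(headers)  # assumption: one SHAKEN header stored
            selected.extend([best] if best else [])
        else:
            selected.extend(h for h in headers if h.category == category)
    return selected[:MAX_HEADERS]        # lower-priority overflow is dropped


# Constructed ingress INVITE: four SHAKEN headers, one RPH, nine DIV, one OTHER.
SAMPLE_INVITE = (
    [IdentityHeader("shaken", "B", "b1"), IdentityHeader("shaken", "A", "a1"),
     IdentityHeader("shaken", "A", "a2"), IdentityHeader("shaken", "C", "c1"),
     IdentityHeader("rph", tag="rph1")]
    + [IdentityHeader("div", tag=f"div{i}") for i in range(1, 10)]
    + [IdentityHeader("other", tag="other1")]
)

if __name__ == "__main__":
    for value in ("shaken,rph", "none,shaken", "all,shaken"):
        print(value, "->", [h.tag for h in headers_for_cdr(value, SAMPLE_INVITE)])
```

With the constructed INVITE, 'all' fills the nine slots with the picked SHAKEN header, the RPH header and the first seven DIV headers, so the OTHER header never reaches the CDR; that overflow behaviour is worth checking before relying on CDRs for lower-priority categories.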