In this section:
The
Each of the above mentioned signaling/management packets are screened by the following subsystems before being forwarded to the appropriate application for further action.
When the wire-rate policers complete, the packets (media or non media) may get processed by application-level policers (or “software” policers) including the SIP trunk group policers described in Call Admission Controls. SIP trunk group policers limit call and registration rates but depend on sufficient
To view or reset offenders list from EMA, see Policers - IP Policing Offenders, System - Ip Policing; or from CLI, see IP Policing - CLI.
rogueMediaOffendersList
and mediaOffenderListstatistics
, a new entry is created when the destination IP address or destination UDP port is different than the existing entries. The rogue media offender's list includes the column “Source Unique” to identify when packets are discarded for each listed offender entry. If the “Source Unique” field is “notUnique”, the packets from multiple source IP Address or source UDP port are discarded. If the source unique field is “unique”, the packets from a single source IP Address/UDP port are discarded.For all other “offender’s list” categories, a new entry is created when the source IP address is different than the existing entries.
Packets from a registered peer are policed by the Registered Peer Policers. Registered peer packet policing is applied peer by peer. However, the policing parameters are defined and applied on a per trunk group level. Registered Peer Policing applies to packets received from peers that are authorized by successfully registering with a SIP Registrar through the
For each registered end point, the system associates a flow policer. The flow policer applies to that registered end point. The flow policer parameters are based on the endpoint CAC profile associated with the SIP trunk group. If there is no associated endpoint CAC profile, then a fixed rate is used.
Registered Peer Policers use the “single token bucket” model. These policers are limited to one Bucket Size and one Fill Rate used for every Registered Peer Policer instance throughout the system.
When a SIP Register request is challenged by the application server, an interim micro-flow policer is created with fill rate of 0 packets per second and bucket size of 10 packets. As a result, the policer limits the number of packets from the end point to at most 10 packets. The policer remains in effect for a random interval with a range of 5-9 seconds.
The
The
Aggregate Policers are implemented at the hardware level to protect against Denial of Service (DoS) attacks. All arriving IP non-media packets that have passed the ACL or registered peer policers, are aggregated and policed using the Aggregate Policer.
Non-signaling non-media packets are collectively policed depending on the type of packet (ARP, ICMP, IKE etc). These policers are not configurable by the operator.
The following diagram details how aggregate policing is applied to incoming signaling packets in SBC.
The
The
Most media validating and policing are either not user configurable or generally do not require changing from the default setting. Individual Token Bucket policers for properly established calls are automatically configured based on the associated codec. Media packet validation (rogue media detection) associated with an unallocated port or bad destination address is always on and is not
user-configurable.
The only media packet validation provisioning to normally perform is to enable media source address filtering. This function is disabled by default (for SIP) but can be enabled by setting the Source Address Filtering state (SAF) parameter in the SIP trunk group object to “enabled”.
It is important to note that Source Address Filtering generally does not work in an environment where Network Address Translation (NAT) is used because SAF assumes that the
Media policing is based solely on RTP packet length (MAC, IP, and UDP headers are ignored).
A "Rogue RTP Stream" is comprised of media packets not associated with any active call. These may be inadvertent, such as late arrival of packets associated with a recently terminated call, or malicious, such as a generalized Denial of Service attack, or an attempt to corrupt the media stream of a legitimate call.
The
The