
The SIP Security Profile feature defines the type and behavior of the security mechanism to apply to the SBC acting as P-CSCF.

When configuring sipSecurityProfile on a particular sipTrunkGroup, ensure the authcodeHeaders transparency flag (see commonIpAttributes - SIP - CLI) is not enabled on the same Trunk Group.

When configuring a SIP Security Profile in P-CSCF mode, a SIP Security Mechanism is required.

Command Syntax

The CLI syntax to configure the SIP Security Profile is shown below:

% set profiles services sipSecurityProfile <profile name> 
	forceClientSecurityPref <disabled | enabled> 
	rejectSecUnsupportedRequest <disabled | enabled>
	sbxSecMode <sbc-only | sbc-pcscf>
	sipSecurityMechanism <ipsec-3gpp | tls> precedence <1-65535> 

Command Parameters

SIP Security Profile

Parameter

Length/Range

Description

sipSecurityProfile

1-23

<profile name> – Security profile name.

forceClientSecurityPref

N/A

Enable this flag to give precedence to the order of occurrence of the "mechanism-name" values in the "Security-Client" header when selecting the Security Mechanism to apply.

  • disabled (default)
  • enabled

rejectSecUnsupportedRequest

N/A

Enable this flag to reject the incoming REGISTER when it does not contain the "sec-agree" header value (in the Require or Proxy-Require headers) or does not contain any supported mechanism-name (ipsec-3gpp) in the "Security-Client" header.
Use the default setting "disabled" to process messages using the "Digest without TLS" security mechanism.

  • disabled (default)
  • enabled

sbxSecMode

N/A

Use this parameter to define the SBC security mode for this SIP Security Profile.

  • sbc-only – SBC-only mode. SBC disregards the configured security mechanism (ipsec-3gpp or tls) in the profile, if any.
  • sbc-pcscf (default) – Integrated SBC+PCSCF mode.

When sbxSecMode is configured as sbc-only, you must configure a Transparency Profile for the following headers in an egress trunk group. See the example configuration below.

sipSecurityMechanism

N/A

Identifies the list of security mechanisms supported by the SBC and the corresponding precedence level for each security mechanism.

  • ipsec-3gpp precedence <1-65535> – The precedence to assign to the IMS AKA security mechanism. A lower value represents a higher precedence.
  • tls precedence <1-65535> – The precedence to assign to the TLS security mechanism. A lower value represents a higher precedence.

Command Examples

When SBC Security Mode (sbxSecMode) is set to sbc-only, configure a Transparency Profile for the following headers in the egress trunk group:

% set profiles services transparencyProfile <profile name> sipHeader Require
% set profiles services transparencyProfile <profile name> sipHeader Proxy-Require
% set profiles services transparencyProfile <profile name> sipHeader Security-Client
% set profiles services transparencyProfile <profile name> sipHeader Security-Verify
% set profiles services transparencyProfile <profile name> state enabled
% set addressContext <AC name> zone <zone name> sipTrunkGroup <trunk group name> services transparencyProfile <profile name>

 

The following example configuration:

  • Creates a SIP security profile named "S-PROFILE1", sets "forceClientSecurityPref" and "rejectSecUnsupportedRequest" to "enabled", and sets the SIP security mechanism "ipsec-3gpp" to a precedence of "1".
  • Assigns S-PROFILE1 to SIP trunk group "STG-1".

% set profiles services sipSecurityProfile S-PROFILE1 forceClientSecurityPref enabled rejectSecUnsupportedRequest enabled sipSecurityMechanism ipsec-3gpp precedence 1
% set addressContext default zone MYZONE sipTrunkGroup STG-1 services sipSecurityProfile S-PROFILE1
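
How the profile flags interact when a REGISTER arrives, as an added Python model built only from the parameter descriptions on this page (it is not SBC code and not part of the original documentation). The profile values, the sample headers, the outcome labels and the reading of "supported" as "configured in the profile" are assumptions made for illustration.

```python
# Constructed profile (hypothetical values): both mechanisms configured,
# lower precedence number wins unless forceClientSecurityPref is enabled.
PROFILE = {
    "sbxSecMode": "sbc-pcscf",
    "forceClientSecurityPref": False,
    "rejectSecUnsupportedRequest": True,
    "sipSecurityMechanism": {"ipsec-3gpp": 1, "tls": 2},
}

# Constructed REGISTER headers; the client lists tls first.
REGISTER = {
    "Require": "sec-agree",
    "Proxy-Require": "sec-agree",
    "Security-Client": "tls, ipsec-3gpp;alg=hmac-sha-1-96;spi-c=1111;"
                       "spi-s=2222;port-c=5062;port-s=5064",
}

def offered(security_client):
    """Mechanism names in the order the client listed them (parameters dropped)."""
    return [m.split(";", 1)[0].strip().lower()
            for m in security_client.split(",") if m.strip()]

def has_sec_agree(headers):
    """True if the sec-agree option tag is in Require or Proxy-Require."""
    tags = ",".join(headers.get(h, "") for h in ("Require", "Proxy-Require"))
    return "sec-agree" in [t.strip().lower() for t in tags.split(",")]

def select(profile, headers):
    """Return (outcome, mechanism) for one REGISTER under one profile."""
    mechs = profile["sipSecurityMechanism"]  # mechanism name -> precedence
    if profile["sbxSecMode"] == "sbc-only":
        return ("sbc-only", None)  # configured mechanisms are disregarded
    # Assumption: "supported" means a mechanism configured in the profile.
    common = [m for m in offered(headers.get("Security-Client", "")) if m in mechs]
    if not has_sec_agree(headers) or not common:
        if profile["rejectSecUnsupportedRequest"]:
            return ("reject", None)
        return ("digest-without-tls", None)
    if profile["forceClientSecurityPref"]:
        return ("secure", common[0])               # client's order decides
    return ("secure", min(common, key=mechs.get))  # lowest precedence value

if __name__ == "__main__":
    print(select(PROFILE, REGISTER))
    print(select({**PROFILE, "forceClientSecurityPref": True}, REGISTER))
    print(select({**PROFILE, "rejectSecUnsupportedRequest": False},
                 {"Require": "100rel"}))
```

The third call shows the case to review in an audit: with rejectSecUnsupportedRequest left at its default, a REGISTER without sec-agree is not refused but handled as "Digest without TLS".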
