The SIP Security Profile feature defines the type and behavior of the security mechanism to apply to the SBC acting as P-CSCF.
Note
When configuring sipSecurityProfile on a particular sipTrunkGroup, ensure the authcodeHeaders transparency flag (refer to Common IP Attributes - SIP - CLI) is not enabled on the same Trunk Group.
Note
When configuring a SIP Security Profile in P-CSCF mode, a Sip Security Mechanism is required.
IMPORTANT
The Transparency Profile is the recommended method of configuring transparency on the SBC Core for new deployments as well as when applying additional transparency configurations to existing deployments. Do not use IP Signaling Profile flags in these scenarios because the flags will be retired in upcoming releases.
Refer to the SBC SIP Transparency Implementation Guide for additional information.
Command Syntax
The CLI syntax to configure the SIP Security Profile is shown below:
% set profiles services sipSecurityProfile <profile name>
encryptionPreference <always-encrypt | none | null-forced>
forceClientSecurityPref <disabled | enabled>
rejectSecUnsupportedRequest <disabled | enabled>
sbxSecMode <sbc-only | sbc-pcscf>
sipSecurityMechanism <ipsec-3gpp | tls> precedence <1-65535>
Command Parameters
Parameter | Description |
---|---|
sipSecurityProfile | <profile name> – Security profile name (1-23 characters). |
encryptionPreference | Use this parameter to define the encryption preference for this SIP Security Profile. always-encrypt – The SBC rejects REGISTER requests if the UE offers a NULL encryption algorithm. none (default) – The SBC compares the UE's offer of encryption algorithms with the list of supported encryption algorithms, and selects the first matched entry in the 401 response for the REGISTER request. The SBC accepts the NULL encryption algorithm if it is the first one in the UE's offer. null-forced – Enforce NULL encryption irrespective of the encryption algorithm offered by the UE. The SBC acting as a Proxy For Call Session Control Function (P-CSCF) always disables encryption. |
forceClientSecurityPref | Enable this flag to give precedence to the order of occurrence of the "mechanism-name" value in the "Security-Client" header while selecting the Security Mechanism to apply. Values: disabled (default), enabled. |
rejectSecUnsupportedRequest | Enable this flag to reject the incoming REGISTER when it does not contain the "sec-agree" header value (in Require or Proxy-Require headers) or does not contain any supported mechanism-name (ipsec-3gpp) in the "Security-Client" header. Use the default setting "disabled" to process messages using the "Digest without TLS" security mechanism. Values: disabled (default), enabled. |
sbxSecMode | Use this parameter to define the SBC security mode for this SIP Security Profile. When sbxSecMode is configured as sbc-only, you must configure a Transparency Profile for the following headers in an egress trunk group. See example configuration below. |
sipSecurityMechanism | Identifies the list of security mechanisms supported by the SBC and the corresponding precedence level for each security mechanism. ipsec-3gpp precedence <1-65535> – The precedence to assign to the IMS AKA security mechanism. A lower value represents a higher precedence. tls precedence <1-65535> – The precedence to assign to the TLS security mechanism. A lower value represents a higher precedence. |
Command Examples
When the SBC Security Mode (sbxSecMode) is set to sbc-only, configure a Transparency Profile for the following headers in the egress trunk group:
% set profiles services transparencyProfile <profile name> sipHeader Require
% set profiles services transparencyProfile <profile name> sipHeader Proxy-Require
% set profiles services transparencyProfile <profile name> sipHeader Security-Client
% set profiles services transparencyProfile <profile name> sipHeader Security-Verify
% set profiles services transparencyProfile <profile name> state enabled
% set addressContext <AC name> zone <zone name> sipTrunkGroup <trunk group name> services transparencyProfile <profile name>
The following example configuration accomplishes the following:
- Creates a SIP security profile named "S-PROFILE1", sets "forceClientSecurityPref" and "rejectSecUnsupportedRequest" to "enabled", and sets SIP security mechanism "ipsec-3gpp" to precedence of "1".
- Assigns S-PROFILE1 to SIP trunk group "STG-1".
% set profiles services sipSecurityProfile S-PROFILE1 forceClientSecurityPref enabled rejectSecUnsupportedRequest enabled sipSecurityMechanism ipsec-3gpp precedence 1
% set addressContext default zone MYZONE sipTrunkGroup STG-1 services sipSecurityProfile S-PROFILE1
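The following Python sketch is an added illustration, not SBC or vendor code. It models how the documented flags combine when a REGISTER arrives, so a profile can be reasoned about before it is applied. The supported encryption list, the sample header value, and the behaviors marked "Assumption" in the comments are not stated on this page.

```python
# Added illustration: a model of the documented profile semantics, not SBC code.
SUPPORTED_EALGS = ("aes-cbc", "des-ede3-cbc", "null")  # assumed supported list

def parse_security_client(value):
    """Split a Security-Client header value into [(mechanism, params)] in offer order."""
    offers = []
    for entry in filter(None, (e.strip() for e in (value or "").split(","))):
        name, *params = [p.strip().lower() for p in entry.split(";")]
        offers.append((name, dict(p.split("=", 1) for p in params if "=" in p)))
    return offers

def evaluate_register(profile, require, proxy_require, security_client):
    """Return (action, mechanism, ealg) for one REGISTER under the given profile."""
    tags = {t.strip().lower() for h in (require, proxy_require) for t in (h or "").split(",")}
    precedence = profile["sipSecurityMechanism"]  # e.g. {"ipsec-3gpp": 1}
    usable = [o for o in parse_security_client(security_client) if o[0] in precedence]
    if "sec-agree" not in tags or not usable:
        if profile["rejectSecUnsupportedRequest"] == "enabled":
            return ("reject", None, None)
        return ("accept", "digest-without-tls", None)
    if profile["forceClientSecurityPref"] == "enabled":
        mech = usable[0][0]  # order of occurrence in Security-Client wins
    else:
        # Assumption: with the flag disabled, the lowest configured precedence wins.
        mech = min(usable, key=lambda o: precedence[o[0]])[0]
    if mech != "ipsec-3gpp":
        return ("accept", mech, None)
    # Assumption: an ipsec-3gpp offer without ealg is treated as a NULL offer.
    ealgs = [p.get("ealg", "null") for m, p in usable if m == mech]
    pref = profile["encryptionPreference"]
    if pref == "null-forced":
        return ("accept", mech, "null")
    if pref == "always-encrypt" and "null" in ealgs:
        return ("reject", mech, None)
    chosen = next((e for e in ealgs if e in SUPPORTED_EALGS), None)
    # Assumption: no common algorithm means the REGISTER is rejected.
    return ("accept", mech, chosen) if chosen else ("reject", mech, None)

# Constructed sample: the S-PROFILE1 settings from the example, plus defaults.
S_PROFILE1 = {"encryptionPreference": "none", "forceClientSecurityPref": "enabled",
              "rejectSecUnsupportedRequest": "enabled",
              "sipSecurityMechanism": {"ipsec-3gpp": 1}}
# Constructed Security-Client value (SPI/port parameters omitted for brevity).
OFFER = "ipsec-3gpp; alg=hmac-sha-1-96; ealg=null, ipsec-3gpp; alg=hmac-sha-1-96; ealg=aes-cbc"

if __name__ == "__main__":
    print(evaluate_register(S_PROFILE1, "sec-agree", "sec-agree", OFFER))
    print(evaluate_register(S_PROFILE1, None, None, None))
```

With the default encryptionPreference of none, the first call accepts NULL encryption because the UE listed it first; setting always-encrypt turns the same offer into a reject.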