In this section:
The SBC Core supports registration relay support in an IBCF environment consisting of the following parts:
The Transparency Profile is the recommended method of configuring transparency on the SBC Core for new deployments as well as when applying additional transparency configurations to existing deployments. Do not use IP Signaling Profile flags in these scenarios because the flags will be retired in upcoming releases.
Refer to the SBC SIP Transparency Implementation Guide for additional information.
At a high-level, the following steps are needed for the SBC to act as a registration relay:
The SBC as IBCF supports relay of registration messages using the flag sipRegRelay
which is configurable per Zone level and associated with ingress Zone with respect to message direction.
When registration relay functionality is enabled, the following behavior applies:
noServiceRouteHdrForEmergencyRegistration
is enabled, even if createServiceRouteHeader
flag is enabled.Contact header and parameters (excluding transport parameter).
Expires header
The SBC as IBCF can route non-REGISTER requests based on the received route set. Options include:
The SBC as IBCF can prevent the addition of Service-Routes pointing to IBCF (both internal and external interface IP addresses) in 200 OK response.
A Service-Route is not inserted in default deployment as IBCF.
The SBC supports network topology hiding, including following behavior: The SBC as IBCF performs encryption for network topology hiding purposes under the following conditions:
Header transparency is controlled using the dynamic header Transparency Profile (Note that contact and expires headers are transparently passed by default).
The SBC adds itself to the appropriate headers so as to remain in the path. In other words, the step of transparently passing and inserting itself to the header-list is different than performing encryption.
The flag noServiceRouteHdrForEmergencyRegistration
controls whether the SBC as IBCF adds itself to Service-Route headers in the 200 OK to emergency registration requests.
The SBC as IBCF supports following encryption/decryption functionality using IP Signaling Profile's headerEncryptionFlags encryptPathHeader/encryptServiceRouteHeader
:
The SBC as IBCF encrypts the topology revealing headers in the request and response messages before forwarding.
While the ability to encrypt is configurable, no configuration is required to decrypt messages. When receiving messages from an untrusted network and there is no need to encrypt the messages, by default the corresponding headers that were earlier encrypted are automatically decrypted.
The SBC as IBCF supports the encryption of the topology revealing headers using the following logic:
The Global command generateSipHeaderEncryptionKeys
generates header encryption keys for AES encryption. The SBC stores up to two sets of keys at any given time, with each key having a specific key ID. The user can issue the generateSipHeaderEncryptionKeys
command at any time. There is no specific time delay before reissuing the command. The SBC adds the key-Id to each encrypted header based on which key is selected as the correct key for decryption.
Generating new keys too frequently may lead to a situation where the SBC receives a request with an expired key-id (i.e. the current header encryption key is over-written due to the new key generation) causing unsuccessful decryption of headers. This may lead to call failures any calls caught in the transition to the new key-id.
Since the SBC as IBCF relays registration messages without creating any RCB, Registration Limit CAC functionality is not applicable and must not be enabled at IBCF. The SBC only applies Registration Rate and Registration Burst Rate CAC on register relay messages. Only new Register messages are subjected to CAC in case of Register Relay. If the Authorization header has an integrity-protected parameter with value “no” or if there is no integrity-protected parameter, SBC identifies it as a fresh Register Message. If the integrity-protected parameter has other values like “yes”, “tls-yes”, “tls-pending”, “ip-assoc-pending”, “ip-assoc-yes”, SBC identifies it as a refresh Register Message.