Skip to end of metadata
Go to start of metadata

In this section:

Related articles:

 

The SIP Security Profile feature defines the type and behavior of security mechanism to apply to the SBC acting as P-CSCF.

Note

When configuring sipSecurityProfile on a particular sipTrunkGroup, ensure authcodeHeaders transparency flag (refer to Common IP Attributes - SIP - CLI) is not enabled on the same Trunk Group.

Note

When configuring a SIP Security Profile in P-CSCF mode, a Sip Security Mechanism is required.

IMPORTANT

The Transparency Profile is the recommended method of configuring transparency on the SBC Core for new deployments as well as when applying additional transparency configurations to existing deployments. Do not use IP Signaling Profile flags in these scenarios because the flags will be retired in upcoming releases.

Refer to the SBC SIP Transparency Implementation Guide for additional information.

Command Syntax

The CLI syntax to configure the SIP Security Profile is shown below:

% set profiles services sipSecurityProfile <profile name>
	encryptionPreference <always-encrypt | none | null-forced>
	forceClientSecurityPref <disabled | enabled> 
	rejectSecUnsupportedRequest <disabled | enabled>
	sbxSecMode <sbc-only | sbc-pcscf>
	sipSecurityMechanism <ipsec-3gpp | tls> precedence <1-65535> 

Command Parameters

Table : SIP Security Profile

Parameter

Description

sipSecurityProfile

<profile name> – Security profile name (1-23 characters).

encryptionPreference

Use this parameter to define the encryption preference for this SIP Security Profile.

  • always-encrypt – The SBC rejects REGISTER requests if the UE offers a NULL encryption algorithm. 
  • none (default) – The SBC compares the UE's offer of encryption algorithms with the list of supported encryption algorithms, and selects the first matched entry in the 401 response for the REGISTER request. The SBC accepts the NULL encryption algorithm if it is the first one in the UE's offer.
  • null-forced Enforce NULL encryption irrespective of what encryption algorithm offered by the UE. The SBC acting as a Proxy For Call Session Control Function (P-CSCF) always disables encryption. 

forceClientSecurityPref

Enable this flag to give precedence to the order of occurrence of "mechanism-name" value in the "Security-Client" header while selecting the Security Mechanism to apply.

  • disabled (default)
  • enabled

rejectSecUnsupportedRequest

Enable this flag to reject the incoming REGISTER when it does not contain "sec-agree" header value (in Require or Proxy-Require headers) or does not contain any supported mechanism-name (ipsec-3gpp) in "Security-Client" header.
Use default setting "disabled" to process messages using "Digest without TLS" security mechanism.

  • disabled (default)
  • enabled
sbxSecMode

Use this parameter to define the SBC security mode for this SIP Security Profile.

  • sbc-only – SBC-only mode. The SBC disregards the configured security mechanism (ipsec-3gpp or tls) in the profile, if any.
  • sbc-pcscf (default) – Integrated SBC+PCSCF mode.

When sbxSecMode is configured as sbc-only, you must configure a Transparency Profile for following headers in an egress trunk group. See example configuration below.

sipSecurityMechanism

Identifies the list of security mechanisms supported by SBC and the corresponding precedence level for each security mechanism.

  • ipsec-3gpp precedence <1-65535> – The precedence to assign to IMS AKA security mechanism. A lower value represents a higher precedence.
  • tls precedence <1-65535> –  The precedence to assign to TLS security mechanism. A lower value represents a higher precedence.

Command Examples

When SBC Security Mode (sbxSecMode) is set to sbc-only, configure a Transparency Profile for following headers in egress trunk group:

% set profiles services transparencyProfile <profile name> sipHeader Require
% set profiles services transparencyProfile <profile name> sipHeader Proxy-Require
% set profiles services transparencyProfile <profile name> sipHeader Security-Client
% set profiles services transparencyProfile <profile name> sipHeader Security-Verify
% set profiles services transparencyProfile <profile name> state enabled
% set addressContext <AC name> zone <zone name> sipTrunkGroup <trunk group name> services transparencyProfile <profile  name>

 

The following example configuration accomplishes the following:

  • Creates a SIP security profile named "S-PROFILE1", sets "forceClientSecurityPref" and "rejectSecUnsupportedRequest" to "enabled", and sets SIP security mechanism "ipsec-3gpp" to precedence of "1".
  • Assign S-PROFILE1 to SIP trunk group "STG-1".
% set profiles services sipSecurityProfile S-PROFILE1 forceClientSecurityPref enabled rejectSecUnsupportedRequest enabled sipSecurityMechanism ipsec-3gpp precedence 1 
% set addressContext default zone MYZONE sipTrunkGroup STG-1 services sipSecurityProfile S-PROFILE1