Chapter 8 Integrated Session Border Controller Security

Firewall (Media Pinhole Control)

The SBE Call Admission Control (CAC) function inspects the signaling message and instructs the firewall in the DBE to open and close pinholes as needed for the media streams and signaling.

H.248 Address Reporting Package

The data border element (DBE) supports the H.248 Address Reporting (adr) package, defined in “Draft New H.248.37 Amendment 1”, ITU-T document TD-27. The adr package extends the existing IP NAPT Traversal (ipnapt) package, and adds a new Remote Source Address Change (rsac) event with two parameters: New Remote Source Address (nrsa), and New Remote Source Port (nrsp).

The rsac event is generated by the media gateway (MG) when the remote source address for the termination changes (that is, when a stream latches), and is used to report the newly detected remote source address and port to which the stream has been latched.

The event is generated in both the LATCH and RELATCH scenarios. The DBE reports the event subscription with the audit response when the media gateway controller (MGC) audits the packages.

For further information on support for the H.248 IP NAPT Traversal package, see the “IP NAPT Traversal Package and Latch and Relatch Support” section on page 8-3.

DBE Restrictions

The following are restrictions for adr package support:

The MGC must explicitly subscribe for the rsac event.

The adr package can be used only in conjunction with the IP NAPT Traversal package.
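
The following is an added example, not part of the Cisco guide or of any Cisco software. It shows one way a monitor on the MGC side could consume rsac reports: it labels each report as LATCH or RELATCH and flags a new remote source that falls outside the network expected for that termination. The record layout, the termination names, the addresses, and the expected-network table are constructed assumptions; the records are a simplified form, not H.248 wire syntax.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rsac:
    """One rsac report, reduced to the fields this example needs."""
    termination: str  # termination ID (constructed sample value)
    nrsa: str         # New Remote Source Address
    nrsp: int         # New Remote Source Port


def classify(events, expected_nets):
    """Return (termination, kind, nrsa, nrsp, in_expected_net) per report.

    kind is "LATCH" for the first report seen on a termination and
    "RELATCH" for every later one. expected_nets maps a termination to
    the CIDR that signaling expects media from (assumption of this example).
    """
    seen = set()
    results = []
    for ev in events:
        addr = ipaddress.ip_address(ev.nrsa)
        net = expected_nets.get(ev.termination)
        in_net = net is not None and addr in ipaddress.ip_network(net)
        kind = "RELATCH" if ev.termination in seen else "LATCH"
        seen.add(ev.termination)
        results.append((ev.termination, kind, ev.nrsa, ev.nrsp, in_net))
    return results


def suspicious(results):
    """Reports whose new remote source lies outside the expected network."""
    return [r for r in results if not r[4]]


# Constructed sample data (documentation address ranges).
SAMPLE = [
    Rsac("term-a", "192.0.2.10", 16384),     # initial latch
    Rsac("term-b", "198.51.100.7", 20000),   # initial latch
    Rsac("term-a", "192.0.2.10", 16390),     # relatch: same host, new port
    Rsac("term-a", "203.0.113.99", 16384),   # relatch: unexpected host
]
EXPECTED = {"term-a": "192.0.2.0/24", "term-b": "198.51.100.0/24"}

if __name__ == "__main__":
    for row in suspicious(classify(SAMPLE, EXPECTED)):
        print("review:", row)
```

Because the MGC must explicitly subscribe for the rsac event, a monitor like this sees nothing for terminations where that subscription was not made.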

H.248 Session Failure Reaction Package

The data border element (DBE) supports the H.248 Session Failure Reaction (SFR) package. From a security point of view, the media gateway controller (MGC) can put a termination out of service when the H.248 connection between the MGC and media gateway (MG) is lost.

For more information on the SFR package, see the “H.248 Session Failure Reaction Package” section on page 6-3.

H.248 Termination State Control Package

The data border element (DBE) supports the Termination State Control (TSC) package to monitor signaling pinholes.

The “tsc-quiesce” feature of the TSC package helps the media gateway controller (MGC) monitor a signaling pinhole and put the pinhole in “not-in-service” mode when all terminations are subtracted.

For more information on the TSC package, see the “H.248 Termination State Control Package” section on page 6-4.

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

8-2

OL-15421-01

 

 
