Chapter 8 Integrated Session Border Controller Security

Interim Authentication Header Support

Interim Authentication Header (IAH) Support adds protocol-level support for inserting an IAH into H.248 messages with every field of the IAH header set to zero. The DBE can both send and receive such null IAH headers.

DBE Restrictions

The following is a restriction of Interim Authentication Header (IAH) Support:

The data border element (DBE) only checks that the received messages are syntactically correct and does not confirm that an IAH is present.

Related Commands

The interim-auth-header keyword is added to the transport command to insert the IAH into H.248 messages.

IP NAPT Traversal Package and Latch and Relatch Support

The data border element (DBE) supports the IP NAPT Traversal (IP NAPT) package defined in H.248.37. IP NAPT traversal is an alternative to the existing NAT Traversal (NTR) package, defined in ETSI TS 102 333. IP Network Address and Port Translation (IP NAPT) defines two signals, Latch and Relatch, that control how the DBE learns the remote addresses of endpoints behind a Network Address Translation (NAT) device.

The NAPT package is defined through a new field, napt_variant, in the bcaGalEntTable MIB table. If this field is set to “H.248.37,” then NAPT support can be requested by the media gateway controller (MGC) using the H.248.37 IP NAPT Traversal package. In other words, the MGC can request that the DBE wait for the first inbound media packet and “latch” onto it. The DBE learns the remote address and port for the flow from that packet. The MGC can request latching or relatching using the H.248 signal.

Latch and Relatch Support

The DBE supports both Latch and full Relatch. The Latch and Relatch signals control how the DBE learns remote addresses; they are commands sent by the media gateway controller (MGC). Latching is an event that occurs on a flow when certain packets arrive and are matched to that flow, and it changes the admission criteria for the flow.

The ITU-T H.248.37 standard describes the ipnapt/latch signal with the napt parameter. The napt parameter has the values OFF, LATCH, and RELATCH.

When the LATCH value is set, the DBE ignores the addresses received in the RemoteDescriptor. Instead, the DBE uses the source address and source port from the incoming media streams to be the destination address and destination port of the outgoing streams.

The RELATCH value is similar to the LATCH value except that when the DBE detects a change of source IP address and port on the incoming media stream, then the new source IP address and port are used as the destination address and port for outgoing packets. After relatching, any packets received with the old source address and port are discarded.
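The admission behaviour described for the OFF, LATCH and RELATCH values, simulated over a constructed inbound packet sequence. This is an added example, not Cisco's code; the Flow/run_trace names, the sample addresses and the OFF behaviour (admit only the signalled RemoteDescriptor address) are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, UDP port)

class Napt(Enum):
    """Values of the napt parameter of the H.248.37 ipnapt/latch signal."""
    OFF = "OFF"
    LATCH = "LATCH"
    RELATCH = "RELATCH"

@dataclass
class Flow:
    """Admission state of one media flow on the DBE (hypothetical model)."""
    remote_descriptor: Addr          # address/port signalled in the RemoteDescriptor
    napt: Napt = Napt.OFF
    learned: Optional[Addr] = None   # address/port latched from inbound media
    previous: Optional[Addr] = None  # address/port left behind by the last relatch

    def outbound_destination(self) -> Optional[Addr]:
        """Destination the DBE uses for outgoing packets of this flow."""
        if self.napt is Napt.OFF:
            return self.remote_descriptor
        return self.learned  # None until the first inbound packet has latched

    def receive(self, src: Addr) -> bool:
        """Apply the admission criteria to an inbound packet; True = accepted."""
        if self.napt is Napt.OFF:
            # Assumption: with NAPT off, only the signalled address/port is admitted.
            return src == self.remote_descriptor
        if self.learned is None:
            self.learned = src  # LATCH/RELATCH: learn from the first inbound packet
            return True
        if src == self.learned:
            return True
        if self.napt is Napt.RELATCH and src != self.previous:
            self.previous, self.learned = self.learned, src  # relatch onto the new source
            return True
        return False  # LATCH: other sources discarded; RELATCH: old source discarded

# Constructed sample: the NAT rebinds the endpoint's port mid-call (packets 3 and 4).
PACKETS: List[Addr] = [("198.51.100.7", 40000), ("198.51.100.7", 40000),
                       ("198.51.100.7", 40001), ("198.51.100.7", 40000)]

def run_trace(napt: Napt, packets: List[Addr] = PACKETS):
    """Feed packets through one flow; return per-packet verdicts and the final destination."""
    flow = Flow(remote_descriptor=("192.0.2.10", 5004), napt=napt)
    return [flow.receive(src) for src in packets], flow.outbound_destination()
```

Under LATCH the first accepted inbound packet fixes the outgoing destination for the rest of the flow, so the verdict list from run_trace is the thing to compare against when troubleshooting a call whose media stops after a NAT rebinding.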

Cisco IOS XE Integrated Session Border Controller Configuration Guide for the Cisco ASR 1000 Series Aggregation Services Routers

OL-15421-01

8-3