2-6
Cisco BTS 10200 Softswitch SIP Feature and Provisioning Guide, Release 5.0
OL-12397-13
Chapter 2 SIP Subscribers
SIP Registration and Security
change aor2sub aor-id=241-555-1018@sia-SYS41CA146.ipclab.cisco.com; status=ins;
Step 4 Reboot the adapter device (such as ATA) for this subscriber.
Operations
The system performs the following checks. If any of the following conditions are not met, the request is
rejected, and an alarm is generated.

No Calls to or from an Unregistered Secure-Provision SIP Endpoint

An unregistered secure-provision SIP endpoint cannot originate or receive calls.

Third-Party Registrations for Secure FQDN Endpoint Not Allowed

Third-party registrations for secure FQDN endpoints are not allowed.

Cisco BTS 10200 Challenges Registration

On receiving a REGISTER message from a secure-provision SIP endpoint, the BTS 10200 challenges
the registration, asking for authentication. After the UserId and Password are authenticated, the
resent REGISTER message is verified as follows:
• Ensure that there is only one contact in the contact header.
• Ensure that the source IP address of the REGISTER message is the same as the IP address of the
  provisioned FQDN for that endpoint.
• Ensure that the IP address or the FQDN of the contact is the same as the provisioned FQDN for that
  endpoint.
If any of these conditions are not met, registration is rejected and a security event and alarm are
generated, indicating that the source of the registration is illegal.
The contact address is then used to verify the source IP address of all subsequent SIP requests from
the endpoint until the registration expires or the endpoint deregisters.

Registration Expires

If the registration expires or the endpoint deregisters, the registration process in the “Cisco BTS 10200
Challenges Registration” section on page 2-6 occurs before any new calls are accepted.

Call Originates From or Terminates to a Secure-Provision SIP Endpoint

When a call originates from or terminates to a secure-provision SIP endpoint:
1. The system authenticates the user ID and password on all messages requiring authentication.
2. If the Contact header is available, the system ensures that only one contact is present, and that it has
the same IP address or FQDN as the provisioned endpoint.
3. For all messages sent by the endpoint, the source IP address of the message must be the same as the
internal cache contact address (for example, the cache contact address is the contact obtained during
registration).
4. A response from an endpoint that has a Contact header must conform to item 2 in this list.
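
The registration checks and the per-message checks from the two sections above, sketched as an added example (not Cisco's code and not part of the original guide). The provisioning table, function names, reason strings and the choice to cache the contact as an IP address are assumptions; the FQDN and addresses are constructed.

```python
import re

# Constructed provisioning table: endpoint FQDN -> IP it resolves to (stands in for DNS).
PROVISIONED = {"ata1.example.test": "192.0.2.10"}

def contact_hosts(header):
    """Host part of each SIP URI in a Contact header value (IPv4 or hostname only)."""
    return [h.lower() for h in
            re.findall(r"sips?:(?:[^@>;,\s]+@)?([^:;>,\s]+)", header or "")]

def check_contact(fqdn, header):
    """Exactly one contact, and its host is the provisioned FQDN or that FQDN's IP."""
    hosts = contact_hosts(header)
    if len(hosts) != 1:
        return "contact-count"
    if hosts[0] not in (fqdn.lower(), PROVISIONED.get(fqdn)):
        return "contact-mismatch"
    return None

def verify_register(fqdn, source_ip, contact_header):
    """Checks applied to the resent REGISTER after the credentials are authenticated.
    Returns (reason, cached_ip); reason is None when the registration is accepted."""
    reason = check_contact(fqdn, contact_header)
    if reason:
        return reason, None
    if source_ip != PROVISIONED.get(fqdn):
        return "source-ip-mismatch", None
    return None, source_ip          # assumption: the contact is cached as an IP address

def verify_request(fqdn, cached_ip, source_ip, contact_header=None):
    """Checks for later requests and responses while the registration is live."""
    if cached_ip is None:
        return "not-registered"     # unregistered endpoints cannot make or receive calls
    if source_ip != cached_ip:
        return "source-ip-mismatch"
    if contact_header is not None:  # Contact is optional on these messages
        return check_contact(fqdn, contact_header)
    return None
```

Any non-None reason corresponds to the reject path in the text, where the request is refused and a security event and alarm are raised.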