Cisco BTS 10200 Softswitch SIP Feature and Provisioning Guide, Release 5.0
OL-12397-13
Chapter 2 SIP Subscribers
SIP Registration and Security
Call Processing
The SIP application in the BTS 10200 implements the secure provisioning feature for all incoming SIP
messages (requests and responses) from SIP endpoints.
When a SIP request message is received from a SIP endpoint and Auth_Reqd=Y for the serving domain,
the request is challenged. When the request is resubmitted with credentials, the AOR of the authenticated
SIP endpoint is used to perform the SECURE_FQDN validation, provided a SECURE_FQDN value is
provisioned in the AOR2SUB record. If Auth_Reqd=N, the SECURE_FQDN validation is performed
without the request being challenged.
Validation
The validation processing for a SIP request that comes from a SIP endpoint provisioned with this
feature is as follows:
1. The SECURE_FQDN validation occurs on every request (including CANCEL/ACK).
2. The SECURE_FQDN is verified to have a DNS resolution, if it is a domain name. If there is no DNS
resolution, a 500 Internal Server Error response is returned.
3. The DNS resolution for the SECURE_FQDN is verified to yield a single IP address Secure-IP1.
If the address is incorrect, a 500 Internal Server Error response is returned.
4. The Source IP address of the packet is verified as identical to Secure-IP1.
If the address is not identical, a 403 Forbidden response is returned.
5. If the request is a REGISTER, it is verified to have a single Contact header.
If there is not a single Contact header, a 403 Forbidden response is returned.
6. If the SIP request is an initial INVITE (including an INVITE resubmitted with credentials), it is
verified that there is an unexpired registered contact for the AOR.
If there is not an unexpired registered contact, a 403 Forbidden response is returned.
7. When a Contact header is present, the Contact FQDN/IP address of the request is verified to yield a
single IP address Secure-IP1.
If it does not yield the proper address, a 500 Internal Server Error response is returned.
8. The IP address of the Contact host is verified as identical to the IP address Secure-IP1 of the
SECURE_FQDN.
If the addresses are not identical, a 403 Forbidden response is returned.
9. The provisioning of a static contact on an AOR is not disabled, but any provisioned value is ignored
because of the SECURE_FQDN validation rules. A static contact is irrelevant for SECURE_FQDN
AORs, since the SIP request is denied if no registered contact exists.
10. The To and From header URLs in a REGISTER are verified to be identical, for SECURE_FQDN
subscribers. This is to block third-party registration.
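The request checks above, modelled as an added example (not Cisco's code and not from the guide) that returns the response each failed step names. The dictionary keys, the constructed DNS table and evaluation in list order are assumptions; steps 7 and 8 are read as "resolves to exactly one address" and "that address equals Secure-IP1", and step 10 returns "reject" because the guide states no response code for it.

```python
import ipaddress

# Constructed DNS table standing in for real lookups so the example runs offline.
DNS = {
    "pbx1.example.net": ["192.0.2.10"],
    "multi.example.net": ["192.0.2.10", "192.0.2.11"],
}

def resolve(host, dns=DNS):
    """A literal IP address resolves to itself; a domain name is looked up in dns."""
    try:
        return [ipaddress.ip_address(host)]
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host, [])]

def validate_request(req, secure_fqdn, has_unexpired_contact, dns=DNS):
    """Return "pass", "500", "403", or "reject" (step 10, no code given in the guide)."""
    ips = resolve(secure_fqdn, dns)
    if len(ips) != 1:                                    # steps 2-3: resolves to one address
        return "500"
    secure_ip1 = ips[0]
    if ipaddress.ip_address(req["src_ip"]) != secure_ip1:    # step 4: packet source
        return "403"
    contacts = req.get("contact_hosts", [])
    if req["method"] == "REGISTER" and len(contacts) != 1:   # step 5: single Contact
        return "403"
    if req.get("initial_invite") and not has_unexpired_contact:  # step 6
        return "403"
    for host in contacts:
        c_ips = resolve(host, dns)
        if len(c_ips) != 1:                              # step 7: Contact resolves to one address
            return "500"
        if c_ips[0] != secure_ip1:                       # step 8: Contact host equals Secure-IP1
            return "403"
    if req["method"] == "REGISTER" and req["to"] != req["from"]:  # step 10: third-party REGISTER
        return "reject"
    return "pass"
```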
Received SIP Response Message
When a SIP response message is received from a SIP endpoint, the following occurs:
1. The Source IP address of the packet is verified to be identical to the IP address Secure-IP1.
If the addresses are not identical, the response is dropped. This has the same result as the non-receipt
of that response, such as would happen with a call failure.