Cisco IOS XR Session Border Controller Configuration Guide Release 3.6
Interim Authentication Header Support
Downloads: This chapterpdf (PDF - 379.0 KB) The complete bookPDF (PDF - 12.8 MB) | Feedback

Interim Authentication Header Support

Table Of Contents

Interim Authentication Header Support


Restrictions for Interim Authentication Header Support

Information About Interim Authentication Header Support

Configuring Interim Authentication Header Support

Additional References

Related Documents



Technical Assistance

Interim Authentication Header Support

An interim authentication header (IAH) is part of every H.248 message generated by the DBE to a resource admission control subsystem (RACS). All its fields are set to zero. DBE accepts any H.248 message sent to it that includes an IAH, but it does not verify any of its content. DBE checks for correct syntax only. This functionality works similarly to the RACS (SBE) behavior, since RACS also only checks that an H.248 message contains an IAH, but does not verify its content.

Feature History for Interim Authentication Header Support


Release 3.5.0

This command was first introduced on the Cisco CRS-1.

Release 3.6.0

No modification.


This module contains the following sections:

Restrictions for Interim Authentication Header Support

Information About Interim Authentication Header Support

Configuring Interim Authentication Header Support

Additional References

Restrictions for Interim Authentication Header Support

IAH is checked on the receiving message only for correct syntax.

This feature provides no security support, but lays the groundwork for future security support.

Information About Interim Authentication Header Support

The H.248/Megaco MGC operates over transports secured with IPSec or an IAH, as defined in the H.248/Megaco specifications.

Zero interim header authentication is a Cisco-specified requirement for the SBC implementation of H.248/Megaco and deviates from the standard specification as follows:

Messages sent over non-IPSec transports have an added Interim AH header, but all fields in this header are explicitly set to zero:

SecurityParmIndex is set to 0x00000000

SequenceNum is set to 0x00000000

AuthData is set to 0x000000000000000000000000

Messages received over non-IPSec transports should contain an IAH, but this header is not verified for its content. Rather, it is verified for syntactical correctness.

You cannot enable or disable the level of IAH support at runtime (whether or not validation is actually performed).

Note The transport protocol default setting is UDP.

Configuring Interim Authentication Header Support

This section contains the steps for configuring IAH support. The new interim-auth-header keyword is added to the transport command to insert the IAH into H.248 messages.


1. configure

2. sbc service-name

3. dbe

4. vdbe

5. controller h248 controller-index

6. transport [tcp|udp] interim-auth-header

7. commit

8. exit


Command or Action

Step 1 



RP/0/0/CPU0:router# configure

Enables the configuration mode.

Step 2 

sbc service-name


RP/0/0/CPU0:router(config)# sbc mysbc

Enters the mode of an SBC service.

Use the service-name argument to define the name of the SBC.

Step 3 



RP/0/0/CPU0:router(config-sbc)# dbe

Enters the mode of the data border element (DBE) function of the SBC.

Step 4 



RP/0/0/CPU0:router(config-sbc-dbe)# vdbe

Enters a submode to the DBE for configuring virtual (vDBE) parameters.

Step 5 

controller h248 controller-index


RP/0/0/CPU0:router(config-sbc-dbe-vdbe)# controller h248 1

Enters the submode for configuring an H.248 media gateway controller.

Step 6 

transport [udp|tcp] interim-auth-header


RP/0/0/CPU0:router(config-sbc-dbe-vdbe-h248)# transport tcp interim-auth-header

Configures an H.248 media gateway controller to use a specified transport protocol and inserts an interim authentication header into H.248 messages.

Valid protocols:

udp—Use UDP as a transport protocol for H.248 signaling

tcp—Use TCP as a transport for H.248 signaling

Step 7 



RP/0/0/CPU0:router(config-sbc-dbe-vdbe-h248)# commit

Saves the configuration changes. Use the commit command to save the configuration changes to the running configuration file and remain within the configuration session.

Step 8 



RP/0/0/CPU0:router(config-sbc-dbe-vdbe-h248)# exit

Exits the current configuration mode.

Additional References

The following documentation provides references related to Interim Authentication Header Support.

Related Documents

Related Topic
Document Title

Cisco IOS XR master command reference

Cisco IOS XR Master Commands List

Cisco IOS XR SBC interface configuration commands

Cisco IOS XR Session Border Controller Command Reference

Initial system bootup and configuration information for a router using the Cisco IOS XR Software

Cisco IOS XR Getting Started Guide

Cisco IOS XR command modes

Cisco IOS XR Command Mode Reference




Media Gateway Control (Megaco) Protocol Standard, v. 1


MIBs Link

To locate and download MIBs using Cisco IOS XR software, use the Cisco MIB Locator found at the following URL and choose a platform under the Cisco Access Products menu:

Technical Assistance


The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered users can log in from this page to access even more content.