Cisco Unified Border Element (SP Edition) Configuration Guide: Unified Model
Bias-Free Language
The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
- Updated:
- July 16, 2014
Chapter: P-CSCF Support
P-CSCF Support
The Proxy-Call Session Control Function (P-CSCF) is the first contact point for the users of the IP Multimedia Subsystem (IMS). The P-CSCF functions as a proxy server for the user equipment; all Session Initiation Protocol (SIP) signaling traffic to and from the user equipment must go through the P-CSCF. The P-CSCF validates and then forwards requests from the user equipment and then processes and forwards the responses to the user equipment.
The P-CSCF can also function as a user agent in the context of the SIP operating procedures. If an abnormal condition arises in a session, the P-CSCF can unilaterally release the session for the user equipment. The user agent role can also be used to generate independent SIP messages required during the registration, such as sending the user’s public and private identities. There may be more than one P-CSCF in the operator’s network based on survivability, number of users, expected traffic, and network topology. The P-CSCF can be also referred to as the SIP server.
To implement the P-CSCF support on Cisco Unified Border Element (SP Edition), users must select an Inherit Profile for a SIP adjacency. The three available Inherit Profiles are:
Each of these profiles groups a set of IMS-related configuration fields that can be applied across multiple adjacencies.
If a valid profile is configured, this profile is applied to an adjacency that does not have a profile configured. If a profile is already selected for a SIP adjacency, that profile is used instead of the entity’s profile.
In Cisco IOS XE Release 2.5 and later, Cisco Unified Border Element (SP Edition) supports Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) for
SIP calls. This type of authentication is used for access authentication in mobile IMS deployments and typically may reside on a mobile subscriber’s card inside a phone. No special configuration is needed. The only requirement is that a UNI SIP profile is configured on the access side of the network.
Cisco Unified Border Element (SP Edition) was formerly known as Integrated Session Border Controller and may be commonly referred to in this document as the session border controller (SBC).
For a complete description of the commands used in this chapter, refer to the Cisco Unified Border Element (SP Edition) Command Reference: Unified Model at:
http://www.cisco.com/en/US/docs/ios/sbc/command/reference/sbcu_book.html.
For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.
Note
For Cisco IOS XR Software Release and later, this feature is supported in the unified model only.
Feature History for P-CSCF Support
Contents
Restrictions for Implementing P-CSCF Support
The following restrictions and limitations apply to implementing P-CSCF support:
- Since the Visited Network Identifier is not part of an Inherit Profile, you need to configure it independently on a per-adjacency basis.
- This feature does not offer support for securing access links through IPsec or Network Attachment Subsystem (NASS) bundled authentication.
- This feature does not support emergency calls.
Information About P-CSCF Support
This section contains the following subsections:
- Standard Non-IMS Profile
- P-CSCF Access Profile
- P-CSCF Core Profile
- Effect of P-CSCF Inherit Profiles on Method Profiles, Header Profiles, and Option Profiles
Standard Non-IMS Profile
This profile provides compatibility with existing Cisco Unified Border Element (SP Edition) functionality and is used for adjacencies that do not operate in an IMS network. When this profile is applied to an adjacency, Cisco Unified Border Element (SP Edition) exhibits the following properties:
- Contact headers are rewritten to ensure that the SBC remains on the signaling path.
- Unknown headers, methods, and options are, by default, not allowed to pass through.
- Cisco Unified Border Element (SP Edition) does not attach Path headers to outbound signals.
- Cisco Unified Border Element (SP Edition) does not attach Record-Route headers to outbound signals.
- The endpoints on this adjacency do not need to be registered to receive or send Non-REGISTER requests.
- The endpoints do not need to attach a Route header to outbound signals.
- The adjacencies do not generate P-Charging Vector headers for outbound signals.
P-CSCF Access Profile
This profile provides the configurations required to perform the functions of a P-CSCF Access adjacency. When this profile is applied to an adjacency, Cisco Unified Border Element (SP Edition) exhibits the following properties:
- Contact headers are not rewritten.
- The endpoints on this adjacency need to be registered to receive or send Non-REGISTER requests.
- The endpoints need to attach a Route header to outbound signals, which in turn, matches a Service-Route set from the Registrar.
- The SBC appends Record-Route headers to outbound signals for adjacencies with P-CSCF profiles.
- The SBC does not attach Path headers to outbound signals.
- The adjacencies do not generate P-Charging Vector headers for outbound signals.
- The SBC, by default, allows all inbound non-essential headers to pass through, except P-Asserted Identity, Security-Client, Security-Verify, P-Charging-Function Addresses, P-Charging-Vector, and P-Media-Authorization.
- The SBC, by default, allows all outbound non-essential headers, except P-Charging-Function-Addresses, P-Charging-Vector, and P-Media-Authorization.
- The SBC allows all inbound non-essential methods to pass through.
- The SBC allows all outbound non-essential methods to pass through; UEs are not permitted to act as Registrars.
- The Option tags in Supported, Require, or Proxy-Require headers are allowed to pass through in both directions.
P-CSCF Core Profile
This profile provides the configurations required to perform the functions of a P-CSCF Core adjacency. When this profile is applied to an adjacency, Cisco Unified Border Element (SP Edition) exhibits the following properties:
- Contact headers are not rewritten.
- The SBC, by default, allows all inbound unknown headers, except the P-Charging-Function-Addresses and P-Media-Authorization.
- The SBC appends Record-Route headers to outbound signals for adjacencies with P-CSCF profiles.
- The SBC attaches Path headers to outbound REGISTER signals from P-CSCF.
- The adjacencies generate P-Charging Vector headers for outbound signals.
- The endpoints on this adjacency do not need to be registered to receive or send Non-REGISTER requests.
- The SBC, by default, allows all outbound non-essential headers, except P-Charging-Function-Addresses and P-Media-Authorization.
- The SBC allows all unknown methods to pass through.
- The Option tags in Supported, Require, or Proxy-Require headers are allowed to pass through in both directions.
Effect of P-CSCF Inherit Profiles on Method Profiles, Header Profiles, and Option Profiles
Use of a P-CSCF inherit profile dynamically assigns the following sets of profiles (method profile, header profile, and option profile) to a call based on the P-CSCF inherit profile selected. Table 55-1 shows which P-CSCF inherit profile has an effect on which specific method profile, header profile, and option profile.
The effect is not visible in the adjacency configuration for header-profile, method-profile or option profiles, and can be overridden by explicit configuration of header, method, option profiles as needed.
Implementing P-CSCF Support
This section explains how to configure intrinsic profiles and profile inheritance.
Configuring Profile Inheritance
SUMMARY STEPS
4. sip inherit profile preset-p-cscf-access
5. adjacency sip adjacency-name
6. inherit profile preset-p-cscf-access
DETAILED STEPS
Information About HTTP Digest Authentication Using AKA
This section contains the following subsections:
- Configuring HTTP Digest Authentication Using AKA
- Configuration Example—HTTP Digest Authentication Using AKA
Cisco Unified Border Element (SP Edition) supports Hypertext Transfer Protocol (HTTP) Digest Authentication Using Authentication and Key Agreement (AKA) for SIP calls. This type of authentication is used for access authentication in mobile IMS deployments and typically resides on a mobile subscriber’s card inside a phone. Cisco Unified Border Element (SP Edition) supports the HTTP Digest Authentication Using AKA feature with no special configuration needed, as long as a User-to-Network Interconnections (UNI) SIP profile is configured on the access side (that is, with a P-CSCF access side profile).
The AKA function carries out user authentication and session key distribution in Universal Mobile Telecommunications System (UMTS) networks. AKA is challenge- response based. The response to the challenge is computed by the application running on the mobile subscriber’s card inside the phone.
HTTP Digest Authentication is common with IP-PBXs. The HTTP Digest Authentication procedure is used to ensure that only valid devices can register (at a SIP level) to a network. The SBC supports the typical registration call flow, that is, passing through authentication challenges and their responses. A typical call flow consists of a SIP REGISTER message from an endpoint that is routed by the SBC to the SIP registrar. The registrar replies with a 401 Unauthorized response and a “challenge.”
The challenge contains a random number that the endpoint uses to compute a response, which is sent in another REGISTER message. Finally the registrar replies with a 200 OK message if the response was valid. In the case of HTTP Digest Authentication Using AKA, the response to the challenge is computed by the application running on the mobile subscriber’s card inside the phone. The SBC supports this typical call flow by means of enabling a SIP profile that allows SIP registrations.
Another usage of HTTP Digest Authentication Using AKA concerns the ability of using the procedure to establish an IPsec connection (actually two IPsec connections) for ensuring signaling security. Cisco Unified Border Element (SP Edition) supports IPsec, however the ability to extract the port security association identifiers and key information from SIP messages is not supported in Cisco IOS XE Release 2.5.
Configuring HTTP Digest Authentication Using AKA
This task configures HTTP Digest Authentication Using AKA on two related adjacencies where preset-access and preset-core profiles must be configured.
SUMMARY STEPS
4. adjacency { sip | h323 } adjacency-name
5. inherit profile { preset-access | preset-core | preset-ibcf-ext-untrusted | preset-ibcf-external | preset-ibcf-internal | preset-p-cscf-access | preset-p-cscf-core | preset-peering | preset-standard-non-ims}
7. adjacency { sip | h323 } adjacency-name
8. inherit profile { preset-access | preset-core | preset-ibcf-ext-untrusted | preset-ibcf-external | preset-ibcf-internal | preset-p-cscf-access | preset-p-cscf-core | preset-peering | preset-standard-non-ims}
DETAILED STEPS
Configuration Example—HTTP Digest Authentication Using AKA
The following is a configuration example used to verify HTTP Digest Authentication Using AKA:
Feedback