Whitelists Configuration

You can configure whitelist profiles or rules that allow the Oracle® Enterprise Session Border Controller to only accept inbound SIP headers and URI parameters that are configured in this whitelist, using the parameter allowed-elements-profile. You can configure the settings for this parameter using the ACLI interface at session-router>enforcement-profile. Since the enforcement-profile object also pertains to session agents, realms, and SIP interfaces, you can also apply the profiles you configure to these remote entities using the ACLI interface at session-router>session-agent, session-router>sip-interface, and media-manager>realm-config.

In the following configuration example, it is assumed that your baseline configuration passes SIP traffic, with the Oracle® Enterprise Session Border Controller in the role of an Access SBC. Use this procedure to configure a whitelist for the session router and optionally apply the specific whitelists to the session agent and SIP interface, as well as the media manager’s realm configuration.

To configure a whitelist for the session router:

  1. Access the allowed-elements-profile configuration element. 
    ORACLE# configure terminal
ORACLE(configure)# session-router
ORACLE(session-router)# allowed-elements-profile
ORACLE(allowed-elements-profile)#
  2. name— Enter a unique name for the whitelist you are creating. This name can be referenced when configuring the enforcement-profiles for session-agent, SIP interface, and realm-config. 
    ORACLE(allowed-elements-profile)# name whitelist1
  3. description— Enter a description that explains the purpose of creating this whitelist. You can use any alpha-numeric characters when entering the description. 
    ORACLE(allowed-elements-profile)# description Basic Whitelist
  4. Navigate to the rule-sets configuration element to specify the rules to match against specific incoming SIP headers and/or URI parameters. 
    ORACLE(allowed-elements-profile)# rule-sets
ORACLE(rule-sets)#
  5. unmatched-action— Select the action for the Oracle® Enterprise Session Border Controller to perform when a header does not exist in an incoming message. The default value is reject. The valid values are:

    • reject — Rejects all incoming messages that do not contain a header.

    • delete — Deletes all incoming message that do not contain a header.

      Note:

      This parameter applies to non-matching header names only (not non-matching URI parameters). 
    ORACLE(rule-sets)# unmatched action delete
  6. msg-type — Specify the type of messages for which the Oracle® Enterprise Session Border Controller applies this whitelist configuration. The default value is any. The valid values are:

    • any — Applies to all incoming messages.

    • request — Applies to only incoming REQUEST messages.

    • response — Applies to only incoming RESPONSE messages. 

    ORACLE(rule-sets)# msg-type any
  7. methods — Enter the packet method(s), separated by a comma, for which this whitelist is enforced. Packet methods include, INVITE, OPTIONS, ACK, BYE, etc. If this field is left blank, the whitelist applies to all packet methods. You can enter up to a maximum of 255 characters. 
    ORACLE(rule-sets)# methods INVITE,ACK,BYE
  8. logging — Select whether or not an incoming message is written to a log file called matched.log when the message contains an element not specified in the whitelist. The default value is disabled. The valid values are:

    • enabled | disabled 

    ORACLE(rule-sets)# logging enabled

    The matched.log contains information about the timestamp, received/sent Oracle® Enterprise Session Border Controller network-interface, IP address/port from which it was received or being sent from, and which peer IP address/port it was received from or sent to. The log also specifies the request URI (if applicable), and the From, To, and Contact headers in the message, as well as which rule triggered the log action. An example of the log output of the matched.log file is as follows: 

    Dec 17 14:17:54.526 On [0:0]192.168.1.84:5060 sent to 192.168.1.60:5060
allowed-elements-profile[whitelist1(reject)]
INVITE sip:service@192.168.1.84:5060 SIP/2.0
From: sipp <sip:+2125551212@192.168.1.60:5060>;tag=3035SIPpTag001
To: sut <sip:service@192.168.1.84>
Contact: sip:sipp@192.168.1.60:5060

    The header-rule object consists of 6 parameters that make up the header-rule:

    • header-name

    • unmatched-action

    • allow-header-param

    • allow-uri-param

    • allow-uri-user-param

    • allow-uri-header-name

      You can configure an unlimited number of header-rules on the Oracle® Enterprise Session Border Controller that you can apply to your network. Use the following parameters to configure a header-rule that the Oracle® Enterprise Session Border Controller uses to control which incoming messages it allows.

  9. header-rule — This object allows you to configure, as part of the whitelist, multiple parameters which make up the header rule that the Oracle® Enterprise Session Border Controller allows from incoming messages. Header-rules do NOT have to be in any specific order. The system prompt changes to let you know that you can begin configuring individual parameters for this object. 
    ORACLE(rule-set)# header-rule
ORACLE(allowed-header-rule)#
  10. header-name — Enter the name of the header in the whitelist that the Oracle® Enterprise Session Border Controller allows from incoming messages. It is case-insensitive and supports abbreviated forms of header names. For example, “Via”, “via”, or “v” all match against the same header. A header name of “request-uri” refers to the request URI of requests, while a header name of * applies to any header-type not matched by any other header-rule. The default value is *. This default value provides the ability to have header-rules for commonly known headers that remove unknown parameters, but leave unknown headers alone. 
    ORACLE(allowed-header-rule)# header-name Contact
  11. unmatched-action — Select the action for the Oracle® Enterprise Session Border Controller to perform when an incoming header’s parameters do not match the relevant allowed parameters specified for this header-name. The default value is reject. The valid values are:

    • reject — Rejects all incoming messages that have header parameters that do not match the parameters specified in this header-name.

    • delete — Deletes all incoming messages that have header parameters that do not match the parameters specified in this header-name.

      Note:

      This parameter applies to non-matching header names only (not non-matching URI parameters). 
    ORACLE(allowed-header-rule)# unmatched-action delete
  12. allow-header-param — Enter the header parameter that the Oracle® Enterprise Session Border Controller allows from the headers in incoming messages. You can enter up to 255 characters, including a comma (,), semi-colon (;), equal sign (=), question mark (?), at-symbol (@), backslash (\), or plus sign (+). The default value is *, which allows all header parameters to pass through. If you leave this field empty, no header parameters are allowed. 
    ORACLE(allowed-header-rule)# allow-header-param *
  13. allow-uri-param — Enter the URI parameter that the Oracle® Enterprise Session Border Controller allows from the headers in incoming messages. You can enter up to 255 characters, including a comma (,), semi-colon (;), equal sign (=), question mark (?), at-symbol (@), backslash (\), or plus sign (+). The default value is *, which allows all URI parameters to pass through. If you leave this field empty, no URI parameters are allowed. 
    ORACLE(allowed-header-rule)# allow-uri-param *
  14. allow-uri-user-param — Enter the URI user parameter that the Oracle® Enterprise Session Border Controller allows from the headers in incoming messages. You can enter up to 255 characters, including a comma (,), semi-colon (;), equal sign (=), question mark (?), at-symbol (@), backslash (\), or plus sign (+). The default value is *, which allows all URI user parameters to pass through. If you leave this field empty, no URI user parameters are allowed. 
    ORACLE(allowed-header-rule)# allow-uri-user-param *
  15. allow-uri-header-name — Enter the URI header name that the Oracle® Enterprise Session Border Controller allows from the headers in incoming messages. You can enter up to 255 characters, including a comma (,), semi-colon (;), equal sign (=), question mark (?), at-symbol (@), backslash (\), or plus sign (+). The default value is *, which allows all URI header name parameters to pass through. If you leave this field empty, no URI header name parameters are allowed. 
    ORACLE(allowed-header-rule)# allow-uri-header-name *
  16. Save your work using the done command.
Previous
Previous 		Next
Next
Go To Table Of Contents
Contents