SIP PAI Stripping

The Oracle® Enterprise Session Border Controller now has the ability to strip P-Asserted-Identity (PAI) headers so that service providers can ensure an extra measure of security against malicious users pretending to be legitimate users. To pretend to represent another account, the malicious users simply send an INVITE with an imitation PAI. This feature allows real-time detection of such fraudulent use.

This feature uses a combination of:

  • DoS protection applied on a per-realm basis
  • SIP PAI header stripping

The combination of these settings can produce different results for the SIP PAI stripping feature.

  • SIP PAI header stripping enabled for an untrusted realm—If the PAI stripping parameter is set to enabled in a realm that is untrusted, then the Oracle® Enterprise Session Border Controller strips the PAI headers from SIP INVITEs that are received from the external address, regardless of the privacy type. The Oracle® Enterprise Session Border Controller then sends the modified INVITE (without the PAI). If the INVITE comes from a trusted realm, then the Oracle® Enterprise Session Border Controller does not strip the PAI header and the system behaves as it does when you are using previous 1.3.1 releases.
  • Multiple SIP PAIs in a SIP INVITE—The Oracle® Enterprise Session Border Controller removes all PAIs when there are multiple PAIs set in SIP INVITEs that come from untrusted realms.
  • Oracle® Enterprise Session Border Controller behavior bridging trusted and untrusted realms—The following graphics shows you how Oracle® Enterprise Session Border Controllers can be positioned and configured to handle PAI stripping between trusted and untrusted realms.
Realm Configuration Settings REALM A REALM B REALM C
Realm designation trusted or untrusted

(trust-me)

Disabled Enabled Enabled
SIP PAI stripping (pai-strip) Enabled Enabled or disabled Disabled
SBC’s behavior Strip PAI regardless of privacy type Same as behavior for SIP privacy support in previous 1.3.1 releases Same as behavior for SIP privacy support in previous 1.3.1 releases
Previous
Previous 		Next
Next
Go To Table Of Contents
Contents