SIP Registration Overload Protection for IMS-AKA

The SIP Registration Overload Protection (SROP) feature supports registrations via IMS-AKA. From the endpoint's perspective, overload protection for IMS-AKA endpoints is the same as for other endpoints. From the Oracle Communications Session Border Controller's perspective, however, overload protection functions differently with IMS-AKA, using ACLs to manage connectivity with the endpoint. De-registration support remains the same, either explicitly by UE signaling or by registration timeout. The ingress realm must be set to low or medium trust level.

SROP, with or without IMS-AKA, requires that the user enable both reg-overload-protect and cache-challenges in the sip-config.

For IMS-AKA SROP, the system creates one ACL entry for the path between the endpoint’s secure client port and the SBC's secure server port. This ACL allows both TCP and UDP signaling traffic for the path between the endpoint’s secure server port and the SBC's secure client port. The system temporarily promotes these ACLs to trusted when it receives the registrar's challenge (401 or 407) to an IMS-AKA endpoint's REGISTER request.

After receiving the 200 OK, the system updates the flow session timer with the registration expire timer and the registration timers. In addition, it updates the ACL entry with the new timer value. This value is the sum of the registration expire timer and the remaining registration cache linger value.

The temporary ACL promotion is equal to the remaining expiration time of the REGISTER server transaction plus the value of the transaction-expire parameter of the sip-interface/sip-config. If the registration does not finish within this temporary promotion, the system allows the ACL session to expire and removes the entries.

Note:

The Oracle Communications Session Border Controller does not replicate this ACL's security associations to a standby system.

If signaling before the registration is complete shows the endpoints have changed their secure ports, the system deletes the ACLs initially set up for the registration. There are two ways for the system to delete these entries:

  • The user can set the remove-old-secured-acl-entries option on the ingress sip-interface. This option causes the system to delete the entry as soon as it detects that the secure ports have changed.
  • If the option above is not set, the system deletes the entries when the session-timer expires.

Note:

The system adds the Reset UE Ipp keyword with the IP and port of the UE as an ACL entry to the log.sipd file each time it creates these ACLs.
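
The ACL lifetime rules described above, as a small Python model added here for illustration (it is not Oracle code or SBC configuration). Function and field names are hypothetical, times are in seconds, and treating the session-timer expiry as the entry's current expiry time is an assumption.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AclEntry:
    state: str                   # "promoted", "registered" or "removed"
    expires_at: Optional[float]  # absolute time in seconds; None once removed


REMOVED = AclEntry("removed", None)


def on_challenge(now, txn_remaining, transaction_expire):
    """401/407 challenge to the UE's REGISTER: start the temporary promotion.

    The window is the remaining REGISTER server-transaction time plus the
    transaction-expire value.
    """
    return AclEntry("promoted", now + txn_remaining + transaction_expire)


def on_200_ok(acl, now, reg_expires, linger_remaining):
    """200 OK to REGISTER: re-time the entry if the promotion is still live."""
    if acl.state != "promoted" or now >= acl.expires_at:
        # Registration did not finish inside the window: the entry expired.
        return REMOVED
    # New timer: registration expire timer plus remaining cache linger.
    return AclEntry("registered", now + reg_expires + linger_remaining)


def old_entry_removed_at(acl, now, remove_old_secured_acl_entries):
    """UE changed secure ports before registration completed.

    With the option set, the old entry is deleted at once; otherwise it
    stays until its timer runs out (assumed here to be acl.expires_at).
    """
    if acl.state == "removed":
        return None
    return now if remove_old_secured_acl_entries else acl.expires_at


def stale_window(acl, now, remove_old_secured_acl_entries):
    """Seconds the superseded entry remains after the port change."""
    removed_at = old_entry_removed_at(acl, now, remove_old_secured_acl_entries)
    return 0.0 if removed_at is None else max(0.0, removed_at - now)
```

Comparing `stale_window` with and without the option shows how long a superseded entry stays in place when remove-old-secured-acl-entries is not set.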