Media Policing

Media policing controls the throughput of individual media flows in the Oracle® Enterprise Session Border Controller, which in turn provides security and bandwidth management functionality. The media policing feature works for SIP, H.323 and SIP-H.323 protocols. The media policing feature also lets you police static flows and RTCP flows.

The term media policing refers to flows that go through the Oracle® Enterprise Session Border Controller. Flows that are directed to the host application are not affected by media policing.

You can use media policing to protect against two potential security threats that can be directed against your Oracle® Enterprise Session Border Controller:

  • Media DoS—Once media flows are established through the Oracle® Enterprise Session Border Controller, network resources are open to RTP media flooding. You can eliminate the threat of a media DoS attack by constraining media flows to absolute bandwidth thresholds.
  • Bandwidth Piracy—Bandwidth policing ensures that sessions consume no more bandwidth than what is signaled for.

Policing Methods

The Oracle® Enterprise Session Border Controller polices real-time traffic by using Constant Bit Rate (CBR) media policing. CBR policing is used when a media flow requires a static amount of bandwidth to be available during its lifetime. CBR policing best supports real-time applications that have tightly constrained delay variation. For example, voice and video streaming are prime candidates for CBR policing.

Session Media Flow Policing

Session media encompasses RTP and RTCP flows. In order to select policing constraints for these flows, the Oracle® Enterprise Session Border Controller watches for the codec specified in an SDP or H.245 message. When a match is made between the codec listed in an incoming session request and a configured media-profile configuration element, the Oracle® Enterprise Session Border Controller applies that media-profile's bandwidth policing constraint to the media flow about to start.

If multiple codecs are listed in the SDP message, the Oracle® Enterprise Session Border Controller will use the media-profile with the most permissive media policing constraints for all of the flows associated with the session. If a codec in the H.245/SDP message is not found in any configured media-profile, the Oracle® Enterprise Session Border Controller uses the media-profile with the most permissive media policing constraints configured. If no media-profiles are configured, there will be no session media flow policing.

If a mid-call change occurs, bandwidth policing is renegotiated.

Static Flow Policing

Static flows can be policed in the same way as media flows. A static flow configuration redirects flows entering the Oracle® Enterprise Session Border Controller on a media interface. The redirection is based on realm, source, destination, and protocol. When a flow matches the configured static flow criteria, it is redirected toward the specified destination, and its rate can also be controlled by the static flow policing parameter in the static-flow element. Static flow policing operates without regard to the data contained within the flow.

Configuration Notes

Review the following information before configuring your Oracle® Enterprise Session Border Controller to perform media policing.

Session Media Flow Policing

Session media flow policing applies to both RTP and RTCP flows. Setting either of the parameters listed below to 0 disables media policing, letting RTP or RTCP flows pass through the system unrestricted.

  • RTP Policing
    • Set the media-profile configuration element’s average-rate-limit parameter to police RTP traffic with the CBR policing method.
    • average-rate-limit—Establishes the maximum speed for a flow in bytes per second.
  • RTCP Policing
    • Set the media-manager-config configuration element’s rtcp-rate-limit parameter to police RTCP traffic with the CBR policing method.
    • rtcp-rate-limit—Establishes the maximum speed for an RTCP flow in bytes per second.

Static Flow Policing

Static flow policing is configured with one parameter found in the static-flow configuration element. To configure CBR, you have to set the average-rate-limit parameter to a non-zero value. Setting the parameter listed below to 0 disables static flow policing, effectively letting the flow pass through the Oracle® Enterprise Session Border Controller unrestricted.

In a CBR configuration, the average-rate-limit parameter determines the maximum bandwidth available to the flow.

  • average-rate-limit—Establishes the maximum speed for a static flow in bytes per second.

    Note:

    Static flow policing is not necessarily tied to any type of media traffic; it can affect flows of any traffic type.

Media Policing Configuration for RTP Flows

You can configure media policing in the media-profile configuration element using the ACLI. In the following example, you will configure media policing for the G723 media profile.

To configure media policing for RTP flows:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type session-router and press Enter to access the session-router path.
    ORACLE(configure)# session-router
  3. Type media-profile and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(session-router)# media-profile
  4. Select an existing media profile to which you will add policing constraints.
    ORACLE(media-profile)# select
    <name>:
    1: audio   4=G723     RTP/AVP 16 0 0 0
    selection:1
    ORACLE(media-profile)#

    From this point, you can configure media policing parameters. To view all media-profile parameters, enter a ? at the system prompt.

  5. average-rate-limit—Enter the maximum rate in bytes per second for any flows that this media-profile polices. The default value is zero (0), disabling media policing. The valid range is:
    • Minimum—0
    • Maximum—125000000

    Average rate limit values for common codecs:

    • PCMU—80000 Bps
    • G729—26000 Bps

    The following example shows a media-profile configuration element configured for media policing.

      media-profile
              name                           G723
              media-type                     audio
              payload-type                   4
              transport                      RTP/AVP
              req-bandwidth                  16
              frames-per-packet              0
              parameters
              average-rate-limit             15000

Media Policing Configuration for RTCP Flows

You can configure media policing for RTCP flows by using the ACLI.

To configure media policing for RTCP flows:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter to access the media-manager path.
    ORACLE(configure)# media-manager
  3. Type media-manager and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(media-manager)# media-manager
    ORACLE(media-manager-config)#
  4. rtcp-rate-limit—Enter the RTCP policing constraint in bytes per second. The default value is zero (0). The valid range is:
    • Minimum—0
    • Maximum—125000000

Media Policing Configuration for Static Flows

You can configure media policing for static flows using the ACLI.

To configure media policing for static flows:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter to access the media-manager path.
    ORACLE(configure)# media-manager
  3. Type static-flow and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(media-manager)# static-flow
    ORACLE(static-flow)#
  4. Select an existing static flow to which you will add policing constraints.
    ORACLE(static-flow)# select
    <in-dest-ip>:
    1: dest 0.0.0.0; src 192.168.2.1/24; static-flow-in-realm; UDP
    selection:1

    From this point, you can configure media policing parameters for static flows. To view all static-flow parameters, enter a ? at the system prompt.

  5. average-rate-limit—Enter the maximum rate in bytes per second for any flows that this static-flow polices. The default value is zero (0). The valid range is:
    • Minimum—0
    • Maximum—125000000

    The following example shows a static-flow configuration element configured for media policing.

      static-flow
              in-realm-id                    static-flow-in-realm
              in-source                      192.168.2.1/24
              in-destination                 0.0.0.0
              out-realm-id                   static-flow-out-realm
              out-source                     192.168.128.1/24
              out-destination                0.0.0.0
              protocol                       UDP
              average-rate-limit             15000

RTP Payload Type Mapping

The Oracle® Enterprise Session Border Controller maintains a default list of RTP payload types mapped to textual encoding names as defined in RFC 3551.

The following table defines the preconfigured payload type for standard encodings.

Payload Type   Encoding Name   Audio (A) / Video (V)   Clock Rate
0              PCMU            A                       8000
4              G723            A                       8000
8              PCMA            A                       8000
9              G722            A                       8000
15             G728            A                       8000
18             G729            A                       8000

If you configure any payload type to encoding name mappings, the default mappings will be ignored. You must then manually enter all payload type mappings you use in the media-profile configuration element.
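The selection rules from Session Media Flow Policing, applied to the default payload type table above, as an added Python example (not Oracle code). It reads "most permissive" as the highest average-rate-limit, with 0 (policing disabled) ranking above any non-zero value, and assumes no custom payload type mappings are configured. The function names and the PROFILES set are hypothetical; the limits are the values quoted on this page.

```python
# Default static payload types, copied from the table above (RFC 3551 names).
DEFAULT_PAYLOAD_TYPES = {0: "PCMU", 4: "G723", 8: "PCMA", 9: "G722", 15: "G728", 18: "G729"}

# Constructed profile set: encoding name -> average-rate-limit, values quoted on this page.
PROFILES = {"G723": 15000, "PCMU": 80000, "G729": 26000}

# Constructed SDP fragments used as sample input.
OFFER_KNOWN = "v=0\r\nm=audio 49170 RTP/AVP 0 18\r\n"
OFFER_UNKNOWN = "v=0\r\nm=audio 49170 RTP/AVP 18 96\r\na=rtpmap:96 opus/48000/2\r\n"


def offered_codecs(sdp):
    """Return the encoding names offered on the m= lines of an SDP body."""
    lines = sdp.splitlines()
    rtpmap = {}
    for line in lines:
        if line.startswith("a=rtpmap:"):
            pt, encoding = line[len("a=rtpmap:"):].split(None, 1)
            rtpmap[int(pt)] = encoding.split("/")[0].upper()
    names = []
    for line in lines:
        if line.startswith("m="):
            # m=<media> <port> <proto> <fmt> ...: payload types start at index 3
            for fmt in line.split()[3:]:
                if fmt.isdigit():
                    pt = int(fmt)
                    names.append(rtpmap.get(pt) or DEFAULT_PAYLOAD_TYPES.get(pt) or "PT%d" % pt)
    return names


def permissiveness(limit):
    # Assumption: 0 disables policing, so it ranks above every non-zero limit.
    return float("inf") if limit == 0 else limit


def session_rate_limit(sdp, profiles):
    """Return the average-rate-limit applied to the session, or None for no policing."""
    if not profiles:
        return None                            # no media-profiles configured
    codecs = offered_codecs(sdp)
    if codecs and all(c in profiles for c in codecs):
        pool = [profiles[c] for c in codecs]   # most permissive of the matched profiles
    else:
        pool = list(profiles.values())         # unmatched codec: most permissive configured
    return max(pool, key=permissiveness)
```

Run against your own profile set, this shows that a single loosely configured (or zero) profile sets the ceiling for any session whose offer includes a codec that no profile matches.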

ITU-T to IANA Codec Mapping

The Oracle® Enterprise Session Border Controller maintains a list of ITU-T (H.245) codecs that map to IANA RTP codecs. An ITU codec is directly mapped to an IANA Encoding Name for media profile lookups. All codecs are normalized to IANA codec names before any matches are made. New ITU-T codecs can not be added to the media profiles list.

The following table defines the ITU-T to IANA codec mappings.

ITU-T                 IANA
g711Ulaw64k           PCMU
g711Alaw64k           PCMA
g726                  G726
G7231                 G723
g728                  G728
g729wAnnexB           G729
g729                  G729 fmtp:18 annexb=no
H261VideoCapability   H261
H263VideoCapability   H263
t38Fax                T38

SDP Anonymization

In order to provide an added measure of security, the Oracle® Enterprise Session Border Controller’s topology-hiding capabilities include SDP anonymization. Enabling this feature gives the Oracle® Enterprise Session Border Controller the ability to change or modify certain values in the SDP so that malicious parties will be unable to learn information about your network topology.

To do this, the Oracle® Enterprise Session Border Controller hides the product-specific information that can appear in SDP o= lines and s= lines. This information can include usernames, session names, and version fields. To resolve this issue, the Oracle® Enterprise Session Border Controller makes the following changes when you enable SDP anonymization:

  • Sets the session name (or the s= line in the SDP) to s=-
  • Sets the username in the origin field to -SBC
  • Sets the session ID in the origin field to an integer of incrementing value

Note that for mid-call media changes, the session identifier is not incremented.

To enable this feature, you set a parameter in the media manager configuration.
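The three rewrites listed above, together with a check you can run on SDP captured on the far side of the SBC to confirm the setting took effect, as an added Python example (not Oracle code). The class and function names, the call-id keying, the counter starting at 1 and the sample SDP are assumptions made for illustration.

```python
import itertools

# Constructed sample offer; the names and addresses are made up for illustration.
SAMPLE = "\r\n".join([
    "v=0",
    "o=pbxuser-VendorPBX 3797 2 IN IP4 192.0.2.10",
    "s=VendorPBX 9.1 session",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 49170 RTP/AVP 0 18",
]) + "\r\n"


class SdpAnonymizer:
    """Models only the three rewrites listed above (assumed behaviour, not SBC code)."""

    def __init__(self):
        self._counter = itertools.count(1)   # assumed starting value
        self._session_ids = {}               # call id -> session ID already handed out

    def rewrite(self, call_id, sdp):
        # A mid-call change reuses the call's session ID; a new call gets the next integer.
        if call_id not in self._session_ids:
            self._session_ids[call_id] = next(self._counter)
        out = []
        for line in sdp.splitlines():
            fields = line[2:].split()
            if line.startswith("o=") and len(fields) == 6:
                # o=<username> <sess-id> <sess-version> <nettype> <addrtype> <address>
                fields[0], fields[1] = "-SBC", str(self._session_ids[call_id])
                line = "o=" + " ".join(fields)
            elif line.startswith("s="):
                line = "s=-"
            out.append(line)
        return "\r\n".join(out) + "\r\n"


def audit_egress_sdp(sdp):
    """Return findings for SDP captured on the far side that is not in anonymized form."""
    findings = []
    for line in sdp.splitlines():
        if line.startswith("o=") and line[2:].split()[:1] != ["-SBC"]:
            findings.append("origin username not anonymized: " + line)
        elif line.startswith("s=") and line != "s=-":
            findings.append("session name not anonymized: " + line)
    return findings
```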

SDP Anonymization Configuration

To enable SDP anonymization:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter.
    ORACLE(configure)# media-manager
  3. Type media-manager again to access the media manager configuration, and press Enter.
    ORACLE(media-manager)# media-manager
    ORACLE(media-manager-config)#
  4. anonymous-sdp—Set this parameter to enabled to use the SDP anonymization feature. When you leave this parameter empty the feature is turned off. The default value is disabled. The valid values are:
    • enabled | disabled

  5. Save and activate your configuration.

Unique SDP Session ID

Codec negotiation can be enabled by updating the SDP session ID and version number. The media-manager option unique-sdp-id enables this feature.

With this option enabled, the Oracle® Enterprise Session Border Controller will hash the session ID and IP address of the incoming SDP with the current date/time of the Oracle® Enterprise Session Border Controller in order to generate a unique session ID.

Unique SDP Session ID Configuration

To enable unique SDP session ID in media-manager:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
    ORACLE(configure)#
  2. Type media-manager and press Enter.
    ORACLE(configure)# media-manager
    ORACLE(media-manager)#
  3. options—Set the options parameter by typing options, a Space, the option name unique-sdp-id with a plus sign in front of it, and then press Enter.
    ORACLE(media-manager)# options +unique-sdp-id

    If you type the option without the plus sign, you will overwrite any previously configured options. In order to append the new options to the realm configuration’s options list, you must prepend the new option with a plus sign as shown in the previous example.

  4. Save and activate your configuration.