1. ACLI Configuration Guide
  2. SIP Signaling Services
  3. SIP Privacy Extensions

SIP Privacy Extensions

This section explains how you can configure privacy services to be applied only when the source is trusted and the destination is considered untrusted. (Prior to this release, the Oracle® Enterprise Session Border Controller always applied the privacy services, unless the source and the destination were both trusted.)

The Oracle® Enterprise Session Border Controller considers all user endpoints and nodes outside the core as untrusted.

The Oracle® Enterprise Session Border Controller acts as the boundary device between the trusted platform and the untrusted Internet, to implement privacy requirements. When it receives a message, the Oracle® Enterprise Session Border Controller checks whether the source is trusted. It evaluates the level of privacy requested in a Privacy header, if present.

Depending on whether the source is trusted or untrusted, the Oracle® Enterprise Session Border Controller can do different things when passing the message to the outgoing side. It also checks whether the destination is trusted.

Privacy Types Supported

The Oracle® Enterprise Session Border Controller supports the following Privacy types:

  • user: user-level privacy function provided. Any non-essential informational headers are removed, including the Subject, Call-Info, Organization, User-Agent, Reply-To, and In-Reply-To. Possibly the original value of the From header is changed to anonymous.
  • header: headers that cannot be set arbitrarily by the user (Contact/Via) are modified. No unnecessary headers that might reveal personal information about the originator of the request are added. (The values modified must be recoverable when further messages in the dialog need to be routed to the originator.)
  • id: third-party asserted identity kept private with respect to SIP entities outside the trust domain with which the user authenticated.

The following SIP headers can directly or indirectly reveal identity information about the originator of a message: From, Contact, Reply-To, Via, Call-Info, User-Agent, Organization, Server, Subject, Call-ID, In-Reply-To and Warning.

user

The Oracle® Enterprise Session Border Controller supports the Privacy type user. It can remove non-essential information headers that reveal user information by:

  • Setting the SIP From header and display information to anonymous
  • Removing the Privacy header
  • Removing Proxy-Require option tag = privacy (if present)
  • Removing the following headers:

    Subject

    Call-Info

    Organization

    User-Agent

    Reply-To

    In-Reply-To

header

The Oracle® Enterprise Session Border Controller also supports the Privacy type header. It modifies SIP headers that might reveal the user identity by:

  • Stripping the Via header
  • Replacing the Contact header
  • Stripping Record-Route
  • Removing the Privacy header
  • Removing Proxy-Require option tag = privacy (if present)

In general, the B2BUA behavior of the Oracle® Enterprise Session Border Controller by default provides header privacy for all sessions.

id

The Oracle® Enterprise Session Border Controller also supports the Privacy type id. It keeps the Network Asserted Identity private from SIP entities outside the trusted domain by:

  • Stripping only P-Asserted-Identity
  • Removing the Privacy header and Proxy-Require option-tag = privacy
  • Setting the From header to anonymous (for the backward compatibility)

Examples

The following examples show the actions the Oracle® Enterprise Session Border Controller performs depending on the source and target of the calls.

Calls from Untrusted Source to Trusted Target

When calls are from an untrusted source to a trusted target and PPI is included in the INVITE sent to IP border elements, the Oracle® Enterprise Session Border Controller maps the PPI information to PAI in the outgoing INVITE to the trusted side (even if the Privacy header is set to id or to none). The Privacy and From headers get passed on unchanged.

IP border elements must pass PAI (if received in the ingress INVITE) and the From and Privacy headers to the egress side just as they were received on the ingress side.

The Oracle® Enterprise Session Border Controller maps the PPI to PAI by default, if the outgoing side is trusted. To change this behavior, you need to configure the disable-ppi-to-pai option.

Calls from Trusted to Untrusted

When calls are from a trusted source to an untrusted target, and the Privacy header is set to id, the Oracle® Enterprise Session Border Controller strips PAI, makes the From header anonymous, and strips the Privacy header.

If the Privacy header is set to none, the Oracle® Enterprise Session Border Controller does not change the From header and passes on the Privacy header, if there is one.

Calls from Trusted to Trusted

When calls are going from trusted source to trusted target acting as a peer network border element and PPI is included, the Oracle® Enterprise Session Border Controller maps PPI to PAI. The Privacy header remains the same as signaled and the Oracle® Enterprise Session Border Controller passes the From header and the PAI without changes.

Configuring SIP Privacy Extensions

Prior to this release the session agent’s trust mode provided this functionality. Now you configure SIP interface’s trust-mode as none, which means nothing is trusted for this SIP interface.

You also configure the disable-ppi-to-pai parameter disable the changing of the P-Preferred header to the P-Asserted-Identity header, if the outgoing side is trusted.

Trust Mode

To configure the trust mode:

  1. In Superuser mode, type configure terminal and press Enter. 
    ORACLE# configure terminal
  2. Type session-router and press Enter to access the system-level configuration elements. 
    ORACLE(configure)# session-router
  3. Type sip-interface and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters. 
    ORACLE(session-router)# sip-interface
ORACLE(sip-interface)#

    From this point, you can configure SIP interface parameters. To view all sip-interface parameters, enter a ? at the system prompt.

  4. If configuring an existing interface, enter the select command to select the interface.
  5. trust-mode—Select the trust mode for this SIP interface. The default value is all. The valid values are:

    • all—Trust all previous and next hops except untrusted session agents

    • agents-only—Trust only trusted session agents

    • realm-prefix—Trusted only trusted session agents or address matching realm prefix

    • registered—Trust only trusted session agents or registered endpoints

    • none—Trust nothing

  6. Save and activate your configuration.

    The following example shows the trust-mode set to none. The remaining SIP interface options are omitted for brevity. 

    sip-interface
        state                          enabled
        realm-id                       access1
        sip-port
                address                        192.168.1.30
                port                           5060
                transport-protocol             UDP
                allow-anonymous                all
        carriers
        proxy-mode                     Proxy
        redirect-action
        contact-mode                   maddr
        nat-traversal                  none
        nat-interval                   30
        registration-caching           disabled
        min-reg-expire                 300
        registration-interval          3600
        route-to-registrar             disabled
        teluri-scheme                  disabled
        uri-fqdn-domain
        options
        trust-mode                     none

Disabling the PPI to PAI Change

To disable the changing of PPI to PAI:

  1. In Superuser mode, type configure terminal and press Enter. 
    ORACLE# configure terminal
  2. Type session-router and press Enter to access the system-level configuration elements. 
    ORACLE(configure)# session-router
  3. Type sip-config and press Enter. The system prompt changes. 
    ORACLE(session-router)# sip-config
ORACLE(sip-config)#

    From this point, you can configure SIP configuration parameters. To view all sip-config parameters, enter a ? at the system prompt.

  4. If configuring an existing SIP configuration, enter the select command to select it.
  5. options—Enter disable-ppi-to-pai. If adding to an existing list of options, use a preceding plus (+) sign. 
    options +disable-ppi-to-pai
  6. Save and activate your configuration.