SIP PAI Stripping

The Oracle® Enterprise Session Border Controller now has the ability to strip P-Asserted-Identity (PAI) headers so that service providers can ensure an extra measure of security against malicious users pretending to be legitimate users. To pretend to represent another account, the malicious users simply send an INVITE with an imitation PAI. This feature allows real-time detection of such fraudulent use.

This feature uses a combination of:

  • DoS protection applied on a per-realm basis
  • SIP PAI header stripping

The combination of these settings can produce different results for the SIP PAI stripping feature.

  • SIP PAI header stripping enabled for an untrusted realm—If the PAI stripping parameter is set to enabled in a realm that is untrusted, then the Oracle® Enterprise Session Border Controller strips the PAI headers from SIP INVITEs that are received from the external address, regardless of the privacy type. The Oracle® Enterprise Session Border Controller then sends the modified INVITE (without the PAI). If the INVITE comes from a trusted realm, then the Oracle® Enterprise Session Border Controller does not strip the PAI header and the system behaves as it does when you are using previous 1.3.1 releases.
[Figure: SIP PAI header stripping]
  • Multiple SIP PAIs in a SIP INVITE—The Oracle® Enterprise Session Border Controller removes all PAIs when there are multiple PAIs set in SIP INVITEs that come from untrusted realms.
  • Oracle® Enterprise Session Border Controller behavior bridging trusted and untrusted realms—The following graphic shows how Oracle® Enterprise Session Border Controllers can be positioned and configured to handle PAI stripping between trusted and untrusted realms.
[Figure: PAI stripping between trusted and untrusted realms]
| Realm Configuration Settings | REALM A | REALM B | REALM C |
|---|---|---|---|
| Realm designation trusted or untrusted (trust-me) | Disabled | Enabled | Enabled |
| SIP PAI stripping (pai-strip) | Enabled | Enabled or disabled | Disabled |
| SBC’s behavior | Strip PAI regardless of privacy type | Same as behavior for SIP privacy support in previous 1.3.1 releases | Same as behavior for SIP privacy support in previous 1.3.1 releases |

SIP PAI Stripping Configuration

When you configure this feature, note how the Oracle® Enterprise Session Border Controller behaves for each combination of realm trust designation (trusted or untrusted) and SIP PAI stripping setting. Enter the values for the ACLI trust-me and pai-strip parameters accordingly.

Be aware that trust is also established in the session agent configuration, and that the trust level set in a session agent configuration overrides the trust set in a realm configuration. For example, a realm might have several endpoints, some of which are associated with session agents and some of which are not. The endpoints that have a configured session agent take their trust level from the session agent parameters you set; the other endpoints, which are not associated with session agents, take their trust level from the realm parameters you set.

[Figure: Distinguishing SAs and endpoints to identify trust level]

Take this relationship into consideration when you configure SIP PAI header stripping, or this feature will not work as designed.
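
The trust and stripping decision described above, modelled as an added example; it is not Oracle's code and not part of the original page. All function and parameter names are hypothetical, the INVITE is constructed, and the model assumes the session agent override applies in both directions (a trusted agent in an untrusted realm is not stripped, and the reverse).

```python
# Model of the documented behaviour for checking expectations before you
# set trust-me and pai-strip. Not the SBC implementation; names are hypothetical.
from typing import Optional

PAI = "p-asserted-identity"

def effective_trust(realm_trust_me: bool, agent_trust_me: Optional[bool]) -> bool:
    """Session agent trust, when an agent is configured, overrides realm trust."""
    return realm_trust_me if agent_trust_me is None else agent_trust_me

def strip_pai(message: str) -> str:
    """Remove every P-Asserted-Identity header, including folded continuations."""
    head, sep, body = message.partition("\r\n\r\n")  # never touch the body
    kept, dropping = [], False
    for i, line in enumerate(head.split("\r\n")):
        if i > 0 and line[:1] in (" ", "\t"):  # continuation of previous header
            if not dropping:
                kept.append(line)
            continue
        name = line.split(":", 1)[0].strip().lower()  # names are case-insensitive
        dropping = i > 0 and name == PAI              # i == 0 is the request line
        if not dropping:
            kept.append(line)
    return "\r\n".join(kept) + sep + body

def process_invite(message: str, realm_trust_me: bool, pai_strip: bool,
                   agent_trust_me: Optional[bool] = None) -> str:
    """Strip only when the source is untrusted AND pai-strip is enabled."""
    if pai_strip and not effective_trust(realm_trust_me, agent_trust_me):
        return strip_pai(message)
    return message

# Constructed sample: two PAI headers (one folded) and PAI-like text in the body.
INVITE = "\r\n".join([
    "INVITE sip:bob@example.com SIP/2.0",
    "From: <sip:mallory@example.net>;tag=1",
    "P-Asserted-Identity: <sip:alice@example.com>",
    'p-asserted-identity: "Alice"',
    " <tel:+15550100>",
    "Privacy: id",
    "Content-Length: 28",
    "",
    "P-Asserted-Identity: in body",
])

if __name__ == "__main__":
    print(process_invite(INVITE, realm_trust_me=False, pai_strip=True))
```
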

For the sample configuration cited below, the desired Oracle® Enterprise Session Border Controller behavior is to always strip the PAI regardless of privacy type.

To configure SIP PAI stripping for an existing realm using the ACLI:

  1. In Superuser mode, type configure terminal and press Enter.
    ORACLE# configure terminal
  2. Type media-manager and press Enter to access the media-manager path.
    ORACLE(configure)# media-manager
  3. Type realm-config and press Enter. The system prompt changes to let you know that you can begin configuring individual parameters.
    ORACLE(media-manager)# realm-config
    ORACLE(realm-config)#
  4. Select the realm to which you want to apply this feature.
    ORACLE(realm-config)# select
    identifier:
    1: acmePacket <none>           192.168.20.0/24
    2: realm1     <none>           0.0.0.0
    selection:2
    ORACLE(realm-config)#
  5. pai-strip—Enable PAI stripping. The default is disabled. Valid values are:
    • enabled | disabled

      ORACLE(realm-config)# pai-strip enabled
  6. Save your work using the ACLI save or done command.