Media Policing
Media policing controls the throughput of individual media flows in the Oracle® Enterprise Session Border Controller, which in turn provides security and bandwidth management functionality. The media policing feature works for SIP, H.323 and SIP-H.323 protocols. The media policing feature also lets you police static flows and RTCP flows.
The term media policing refers to flows that go through the Oracle® Enterprise Session Border Controller. Flows that are directed to the host application are not affected by media policing.
You can use media policing to protect against two potential security threats that can be directed against your Oracle® Enterprise Session Border Controller:
- Media DoS—Once media flows are established through the Oracle® Enterprise Session Border Controller, network resources are open to RTP media flooding. You can eliminate the threat of a media DoS attack by constraining media flows to absolute bandwidth thresholds.
- Bandwidth Piracy—Bandwidth policing ensures that sessions consume no more bandwidth than what is signaled for.
Policing Methods
The Oracle® Enterprise Session Border Controller polices real-time traffic by using Constant Bit Rate (CBR) media policing. CBR policing is used when a media flow requires a static amount of bandwidth to be available during its lifetime. CBR policing best supports real-time applications that have tightly constrained delay variation. For example, voice and video streaming are prime candidates for CBR policing.
Session Media Flow Policing
Session media encompasses RTP and RTCP flows. In order to select policing constraints for these flows, the Oracle® Enterprise Session Border Controller watches for the codec specified in an SDP or H.245 message. When a match is made between the codec listed in an incoming session request and a configured media-profile configuration element, the Oracle® Enterprise Session Border Controller applies that media-profile's bandwidth policing constraint to the media flow about to start.
If multiple codecs are listed in the SDP message, the Oracle® Enterprise Session Border Controller will use the media-profile with the most permissive media policing constraints for all of the flows associated with the session. If a codec in the H.245/SDP message is not found in any configured media-profile, the Oracle® Enterprise Session Border Controller uses the media-profile with the most permissive media policing constraints configured. If no media-profiles are configured, there will be no session media flow policing.
If a mid-call change occurs, bandwidth policing is renegotiated.
Configuration Notes
Review the following information before configuring your Oracle® Enterprise Session Border Controller to perform media policing.
Session Media Flow Policing
Session media flow policing applies to both RTP and RTCP flows. Setting either of the parameters listed below to 0 disables media policing, letting RTP or RTCP flows pass through the system unrestricted.
- RTP Policing
  - Set the media-profile configuration element’s average-rate-limit parameter to police RTP traffic with the CBR policing method.
  - average-rate-limit—Establishes the maximum speed for a flow in bytes per second.
- RTCP Policing
  - Set the media-manager-config configuration element’s rtcp-rate-limit parameter to police RTCP traffic with the CBR policing method.
  - rtcp-rate-limit—Establishes the maximum speed for an RTCP flow in bytes per second.
Static Flow Policing
Static flow policing is configured with one parameter found in the static-flow configuration element. To configure CBR, you have to set the average-rate-limit parameter to a non-zero value. Setting the parameter listed below to 0 disables static flow policing, effectively letting the flow pass through the Oracle® Enterprise Session Border Controller unrestricted.
In a CBR configuration, the average-rate-limit parameter determines the maximum bandwidth available to the flow.
- average-rate-limit—Establishes the maximum speed for a static flow in bytes per second.
Note:
Static flow policing is not necessarily tied to any type of media traffic; it can affect flows of any traffic type.
Media Policing Configuration for RTP Flows
You can configure media policing in the media-profile configuration element using the ACLI. In the following example, you will configure media policing for the G723 media profile.
To configure media policing for RTP flows:
RTP Payload Type Mapping
The Oracle® Enterprise Session Border Controller maintains a default list of RTP payload types mapped to textual encoding names as defined in RFC 3551.
The following table defines the preconfigured payload types for standard encodings.
Payload Type | Encoding Name | Audio (A) / Video (V) | Clock Rate |
---|---|---|---|
0 | PCMU | A | 8000 |
4 | G723 | A | 8000 |
8 | PCMA | A | 8000 |
9 | G722 | A | 8000 |
15 | G728 | A | 8000 |
18 | G729 | A | 8000 |
If you configure any payload type to encoding name mappings, the default mappings will be ignored. You must then manually enter all payload type mappings you use in the media-profile configuration element.
ITU-T to IANA Codec Mapping
The Oracle® Enterprise Session Border Controller maintains a list of ITU-T (H.245) codecs that map to IANA RTP codecs. An ITU codec is directly mapped to an IANA Encoding Name for media profile lookups. All codecs are normalized to IANA codec names before any matches are made. New ITU-T codecs cannot be added to the media profiles list.
The following table defines the ITU-T to IANA codec mappings.
ITU-T | IANA |
---|---|
g711Ulaw64k | PCMU |
g711Alaw64k | PCMA |
g726 | G726 |
G7231 | G723 |
g728 | G728 |
g729wAnnexB | G729 |
g729 | G729 fmtp:18 annexb=no |
H261VideoCapability | H261 |
H263VideoCapability | H263 |
t38Fax | T38 |
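The following is an added example, not Oracle code: it models the media-profile lookup described under Session Media Flow Policing together with the two mapping tables above. Payload types on the SDP m= line are resolved to IANA names (static types from the RFC 3551 table, dynamic types from a=rtpmap), H.245 capability names are normalized through the ITU-T table, and the session's limit is chosen the way the text describes: the most permissive matched profile, the most permissive configured profile when any codec is unmatched, and no policing when no profiles exist. The SDP offer and the profile limits are constructed sample values.

```python
import re
from typing import Dict, List, Optional

# RFC 3551 static payload types from the table above (the product's default mapping).
DEFAULT_PAYLOAD_TYPES = {0: "PCMU", 4: "G723", 8: "PCMA", 9: "G722", 15: "G728", 18: "G729"}

# ITU-T (H.245) capability names normalized to IANA encoding names, from the table above.
ITU_TO_IANA = {
    "g711Ulaw64k": "PCMU", "g711Alaw64k": "PCMA", "g726": "G726", "G7231": "G723",
    "g728": "G728", "g729wAnnexB": "G729", "g729": "G729 fmtp:18 annexb=no",
    "H261VideoCapability": "H261", "H263VideoCapability": "H263", "t38Fax": "T38",
}

# Constructed SDP offer: three static payload types plus one dynamic type (Opus).
SAMPLE_SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\ns=Call\r\n"
              "c=IN IP4 192.0.2.10\r\nt=0 0\r\nm=audio 49170 RTP/AVP 0 4 18 96\r\n"
              "a=rtpmap:96 opus/48000/2\r\n")

def codecs_from_sdp(sdp: str) -> List[str]:
    """IANA encoding names for every payload type listed on the SDP m= lines.

    Dynamic payload types (96-127) are resolved from a=rtpmap lines, static ones
    from the default table; payload types known to neither are skipped."""
    rtpmap = {int(pt): name.upper()
              for pt, name in re.findall(r"^a=rtpmap:(\d+) ([^/\s]+)", sdp, flags=re.M)}
    names = []
    for pt_list in re.findall(r"^m=\S+ \d+ RTP/S?AVPF? ((?:\d+ ?)+)", sdp, flags=re.M):
        for pt in map(int, pt_list.split()):
            name = rtpmap.get(pt) or DEFAULT_PAYLOAD_TYPES.get(pt)
            if name:
                names.append(name)
    return names

def codecs_from_h245(capabilities: List[str]) -> List[str]:
    """Normalize H.245 capability names to IANA names (fmtp suffix dropped for the lookup)."""
    return [ITU_TO_IANA.get(cap, cap).split()[0] for cap in capabilities]

def select_rate_limit(codecs: List[str], profiles: Dict[str, int]) -> Optional[int]:
    """average-rate-limit (bytes/s) applied to every RTP flow of the session.

    profiles maps media-profile name -> average-rate-limit; 0 disables policing,
    so it counts as the most permissive value. None means no profiles, no policing."""
    if not profiles:
        return None
    matched = [profiles[c] for c in codecs if c in profiles]
    # Any codec without a profile (or no codec at all) falls back to the most
    # permissive profile configured; otherwise the most permissive matched one wins.
    candidates = matched if matched and len(matched) == len(codecs) else list(profiles.values())
    return max(candidates, key=lambda limit: float("inf") if limit == 0 else limit)
```

Running the sample offer against profiles for PCMU, G723 and G729 shows the practical consequence of the fallback rule: the unmatched Opus payload type causes the whole session to be policed at the most permissive configured limit, so every codec an endpoint may offer needs a media-profile if the limits are to hold.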
SDP Anonymization
In order to provide an added measure of security, the Oracle® Enterprise Session Border Controller’s topology-hiding capabilities include SDP anonymization. Enabling this feature gives the Oracle® Enterprise Session Border Controller the ability to change or modify certain values in the SDP so that malicious parties will be unable to learn information about your network topology.
To do this, the Oracle® Enterprise Session Border Controller hides the product-specific information that can appear in SDP o= lines and s= lines. This information can include usernames, session names, and version fields. To resolve these issues, the Oracle® Enterprise Session Border Controller makes the following changes when you enable SDP anonymization:
- Sets the session name (or the s= line in the SDP) to s=-
- Sets the username in the origin field to -SBC
- Sets the session ID in the origin field to an integer of incrementing value
Note that for mid-call media changes, the session identifier is not incremented.
To enable this feature, you set a parameter in the media manager configuration.
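As an added illustration (not the product's code), the rewrite below applies the three changes listed above to a constructed SDP body: s= becomes s=-, the o= username becomes -SBC, and the o= session ID is taken from an incrementing counter. How the system recognises a mid-call change is not specified on this page; the model assumes calls are keyed by their SIP Call-ID so that a re-INVITE for a known call keeps its session ID instead of incrementing it.

```python
from typing import Dict

# Constructed SDP as it might arrive from an inside endpoint before topology hiding.
SAMPLE_SDP = ("v=0\r\no=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
              "s=Acme-PBX 7.2 call\r\nc=IN IP4 192.0.2.10\r\nt=0 0\r\n"
              "m=audio 49170 RTP/AVP 0\r\n")

class SdpAnonymizer:
    """Rewrites s= and o= lines as described above for the SDP-anonymization feature.

    Session IDs come from an incrementing counter. Which dialog a mid-call change
    belongs to is an assumption here: calls are keyed by their SIP Call-ID, and a
    re-INVITE for a known Call-ID keeps the session ID already assigned to it."""

    def __init__(self, start: int = 1) -> None:
        self._next_id = start
        self._assigned: Dict[str, int] = {}

    def anonymize(self, sdp: str, call_id: str) -> str:
        if call_id not in self._assigned:     # new call: hand out the next integer
            self._assigned[call_id] = self._next_id
            self._next_id += 1
        out = []
        for line in sdp.splitlines():
            if line.startswith("s="):
                line = "s=-"                  # session name no longer names the PBX or user
            elif line.startswith("o="):
                # o=<username> <sess-id> <sess-version> <nettype> <addrtype> <unicast-address>
                fields = line[2:].split()
                fields[0] = "-SBC"
                fields[1] = str(self._assigned[call_id])
                line = "o=" + " ".join(fields)  # remaining fields left as received
            out.append(line)
        return "\r\n".join(out) + "\r\n"

def origin_fields(sdp: str) -> Dict[str, str]:
    """Split the o= line into named fields so a test or log check can inspect it."""
    for line in sdp.splitlines():
        if line.startswith("o="):
            keys = ("username", "sess_id", "sess_version", "nettype", "addrtype", "address")
            return dict(zip(keys, line[2:].split()))
    return {}
```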
Unique SDP Session ID
Codec negotiation can be enabled by updating the SDP session ID and version number. The media-manager option unique-sdp-id enables this feature.
With this option enabled, the Oracle® Enterprise Session Border Controller will hash the session ID and IP address of the incoming SDP with the current date/time of the Oracle® Enterprise Session Border Controller in order to generate a unique session ID.