1. Configuration Guide
  2. Admission Control and QoS
  3. Allowlists for Managing Incoming SIP Headers and Parameters

Allowlists for Managing Incoming SIP Headers and Parameters

By default, the Oracle Communications Session Border Controller (SBC) ignores unknown SIP headers and URI parameters and passes them through. If you want the SBC to accept only messages with headers and URI parameters complying with those supported by your internal equipment, you can use allowlists to control unknown headers and parameters in request and response traffic. An allowlist is an approved list of entities for which your equipment provides particular privileges, access, and recognition. The SBC uses configured allowlist profiles to control and accept specific inbound SIP headers and URI parameters. When you configure this service, the SBC rejects requests not matching the configured profile, or removes the headers or URI parameters not specified in the configured profile.

With allowlists, you can specify which SIP signaling messages you want to allow into your network and which messages to reject or delete. In the flow of SIP traffic to and from the SBC, the SBC matches any received request or response against the allowlist and rejects or deletes elements that do not match based on the actions specified in the allowlist configuration.

For responses, the SBC does not reject the message if a header or parameter is not found in the allowlist even when the action is set to reject. Instead, the SBC deletes the offending parameter or header. In addition, if the message is a request of the method type ACK, PRACK, CANCEL or BYE, the SBC deletes all unmatched elements and does not reject the request even when the action is configured to reject.

The allowlist verification performs for any method, but you can narrow the list to operate only on specific methods by defining them in the methods parameter of the configuration.

Allowlist verification occurs when the SBC receives a request or response, but only after the SBC processes the inbound header manipulation rule (HMR), network management controls (NMC), Resource-Priority header (RPH), and monthly minutes checking.

The SBC responds to requests with non-matching headers or parameters configured with an action of reject with a "403 Forbidden" response, by default. You can use a local-response event, allowed-elements-profile-rejection, to override the default reject status code and reason phrase.

The configured allowlist operates transparently on headers that contain multiple URIs or multiple header values within a single header (header values separated by a comma).

Parameter parsing operates only on parameters that it can identify. For parameters that cannot be parsed, for example an invalid URI (<sip:user@host.com&hp=val>), the SBC ignores this URI header parameter value of "hp" because it is not contained within a valid URI. Although it might look like a URI header parameter, URI headers must come after URI parameters. Parameter matching does not occur if the headers and parameters in the URI are not well-formed. The SBC does not remove the parameter just because it cannot identify it.

What is an Allowlist?

An allowlist is an approved list of entities for which equipment provides particular privileges, access, and recognition. The Oracle Communications Session Border Controller can use configured allowlist profiles to control and accept specific inbound SIP headers and URI parameters that are being passed-through the Oracle Communications Session Border Controller. When you configure an allowlist, the Oracle Communications Session Border Controller rejects requests not matching the configured profile, or removes the unspecified headers or URI parameters not in the configured profile.

Configure Allowlists for SIP Header and URI Parameter Management

You can configure allowlist profiles that tell the Oracle Communications Session Border Controller (SBC) to accept only inbound SIP headers and URI parameters that are configured in this allowlist. Using the allowed-elements-profile parameter, you can configure the settings for this parameter using the ACLI interface at session-router, enforcement-profile. Because the enforcement-profile object also pertains to session agents, realms, and SIP interfaces, you can also apply the enforcement profiles you configure to these entities. (Use the ACLI interface at session-router, session-agent, session-router, sip-interface, and media-manager, realm-config.)

The following configuration example assumes that your baseline configuration passes SIP traffic, with the SBC in the role of an Access SBC. Use this procedure to configure a allowlist for the session router and optionally apply the specific allowlists to the session agent and SIP interface, as well as the media manager realm configuration.

  1. Access the allowed-elements-profile configuration element. 
    ORACLE# configure terminal
ORACLE(configure)# session-router
ORACLE(session-router)# allowed-elements-profile
ORACLE(allowed-elements-profile)#
  2. name—Type a unique name for the allowlist you are creating. You can reference this name when configuring the enforcement-profiles for session-agent, SIP interface, and realm-config. 
    ORACLE(allowed-elements-profile)# name allowlist1
  3. description—Type a description that explains the purpose of creating this allowlist. Valid values: Any alpha-numeric characters. 
    ORACLE(allowed-elements-profile)# description Basic Allowlist
  4. Navigate to the rule-sets configuration element to specify the rules to match against specific incoming SIP headers and URI parameters. 
    ORACLE(allowed-elements-profile)# rule-sets
ORACLE(rule-sets)#
  5. unmatched-action—Select the action for the SBC to perform when a header does not exist in an incoming message. Default: reject. Valid values:

    • reject—Rejects all incoming messages that do not contain a header.

    • delete—Deletes all incoming message that do not contain a header.

      Note:

      This parameter applies to non-matching header names, only. (It does not apply to non-matching URI parameters.) 
    ORACLE(rule-sets)# unmatched action delete
  6. msg-type—Specify the type of messages to which the SBC applies this allowlist configuration. Default: any. Valid values:

    • any—Applies to all incoming messages.

    • request—Applies to incoming REQUEST messages, only.

    • response—Applies to incoming RESPONSE messages, only. 

    ORACLE(rule-sets)# msg-type any
  7. methods—Type the packet methods, separated by a comma, for which this allowlist is enforced. Packet methods include, INVITE, OPTIONS, ACK, BYE, and so on. If this field is left blank, the allowlist applies to all packet methods. You can type up to a maximum of 255 characters. 
    ORACLE(rule-sets)# methods INVITE,ACK,BYE
  8. logging—Select whether or not an incoming message is written to the matched.log file, when the message contains an element not specified in the allowlist. Default: disabled. Valid values: enabled | disabled.
  9. Navigate to allowed-header-rule—Configure multiple parameters as part of the allowlist to make up the header rule that the SBC allows from incoming messages. You can configure an unlimited number of header-rules, and they do not need to be in any specific order. The system prompt changes to let you know that you can begin configuring individual parameters for this object. 
    ORACLE(rule-set)# header-rule
ORACLE(allowed-header-rule)#
  10. header-name—Type the name of the header in the allowlist that you want theSBC to allow from incoming messages. The text is not case sensitive and supports abbreviated forms of header names. For example, “Via”, “via”, or “v” all match against the same header. A header name of “request-uri” refers to the request URI of requests, while a header name of * applies to any header-type not matched by any other header-rule. Default: *. The default value allows header-rules for commonly known headers that remove unknown parameters, but leave unknown headers alone. 
    ORACLE(allowed-header-rule)# header-name Contact
  11. unmatched-action—Select the action for the SBC to perform when an incoming header’s parameters do not match the relevant allowed parameters specified for this header-name. Default: reject. Valid values:

    • reject—Rejects all incoming messages that have header parameters that do not match the parameters specified in this header-name.

    • delete—Deletes all incoming messages that have header parameters that do not match the parameters specified in this header-name.

      Note:

      This parameter applies to non-matching header names only (not to non-matching URI parameters). 
    ORACLE(allowed-header-rule)# unmatched-action delete
  12. allow-header-param—Type the header parameter that the SBC allows from the headers in incoming messages. You can enter up to 255 characters, including a comma (,), semi-colon (;), equal sign (=), question mark (?), at-symbol (@), backslash (\), or plus sign (+). Default: *, which allows all header parameters to pass through. If you leave this field empty, no header parameters are allowed. 
    ORACLE(allowed-header-rule)# allow-header-param *
  13. allow-uri-param—Type the URI parameter that the SBC allows from the headers in incoming messages. You can enter up to 255 characters, including a comma (,), semi-colon (;), equal sign (=), question mark (?), at-symbol (@), backslash (\), or plus sign (+). Default: *, which allows all URI parameters to pass through. If you leave this field empty, no URI parameters are allowed. 
    ORACLE(allowed-header-rule)# allow-uri-param *
  14. allow-uri-user-param—Type the URI user parameter that the SBC allows from the headers in incoming messages. You can enter up to 255 characters, including a comma (,), semi-colon (;), equal sign (=), question mark (?), at-symbol (@), backslash (\), or plus sign (+). Default: *, which allows all URI user parameters to pass through. If you leave this field empty, no URI user parameters are allowed. 
    ORACLE(allowed-header-rule)# allow-uri-user-param *
  15. allow-uri-header-name—Type the URI header name that the SBC allows from the headers in incoming messages. You can enter up to 255 characters, including a comma (,), semi-colon (;), equal sign (=), question mark (?), at-symbol (@), backslash (\), or plus sign (+). Default: *, which allows all URI header name parameters to pass through. If you leave this field empty, no URI header name parameters are allowed. 
    ORACLE(allowed-header-rule)# allow-uri-header-name *
  16. Save your work using the done command.

Configuration Exception

In certain circumstances, the Oracle Communications Session Border Controller (SBC) ignores specific parameters in incoming Request-URI messages and automatically adds header-rules.

In a Request-URI, all parameters are URI parameters and URI headers are not allowed. If you define values for the “allow-header-param”, “allow-uri-header-name”, and “allow-uri-param”, the SBC ignores these parameters in the Request-URI. Instead, the SBC automatically adds header-rules for incoming “Via”, “From”, To”, “Call-ID”, and “CSeq” messages. These are explicit header rules that you cannot delete. Each header-rule in a Request-URI includes parameters populated with the value of *. If required, you can change the header-rule parameter values with the values identified in the following table.

Header Rule Applicable Parameter Required Value(s)
Via allow-header-param
  • branch
  • received
  • rport
From allow-header-param
  • tag
To allow-header-param
  • tag
Call-ID allow-header-param No restrictions
CSeq allow-header-param No restrictions

Verify Allowlist Configuration

After you configure and save an allowlist on the Oracle Communications Session Border Controller (SBC), you can use the verify-config command at the top level prompt to verify the saved configuration: For example: 

ORACLE# verify-config

The verify-config command checks for errors in the SBC configuration. Allowlist configuration errors specifically related to the enforcement-profile object also display in the output of this command when applicable. The allowlist configuration errors display if any references to the allowed-element-profiles are improperly configured. If errors exist, the system displays the following message: 

---------------------------------------------------------------------
ERROR: enforcement-profile [ep] contains a reference to an allowed-enforcement-profile [abc] that does not exist
---------------------------------------------------------------------

How Allowlists Work

Allowlists allow you to customize which SIP signaling messages to allow into your network and which messages to reject or delete. In the flow of SIP traffic to/from the Oracle Communications Session Border Controller, the Oracle Communications Session Border Controller matches any received request or response, in or out of a dialog against the configured allowed list, and rejects or deletes the non-matching element based on the actions specified in the allowlist configuration.

For responses, the Oracle Communications Session Border Controller does not reject the message if a header or parameter is not found in the allowed list, even if the action is set to reject. Instead it deletes the offending parameter or header. In addition, if the message is a request of the method type ACK, PRACK, CANCEL or BYE, it deletes all unmatched elements, but does not reject the request, even if the action was configured to reject.

The allowlist verification performs for any method; however you can narrow this list to operate only on specific methods by defining them in the methods parameter of the configuration.

Allowlist verification occurs when a request or response is received by the Oracle Communications Session Border Controller, but only after the Oracle Communications Session Border Controller has processed the inbound header manipulation rule (HMR), network management controls (NMC), Resource-Priority header (RPH), and monthly-minutes checking.

The Oracle Communications Session Border Controller responds to requests which have non-matching headers or parameters configured with an action of reject, with a "403 Forbidden" response by default. You can use a local-response event, allowed-elements-profile-rejection, to override the default reject status code and reason phrase.

The configured allowlist operates transparently on headers that have multiple URIs or multiple header values within a single header (header values separated by a comma).

Parameter parsing operates only on parameters that it can identify. For parameters that can not be parsed, for example an invalid URI (e.g. <sip:user@host.com&hp=val>), the Oracle Communications Session Border Controller ignores this URI header parameter value of "hp" since it is not contained within a valid URI. Even though it would appear to be a URI header parameter, URI headers must come after URI parameters. Parameter matching does not occur if the headers and parameters in the URI are not well-formed. The Oracle Communications Session Border Controller does not remove the parameter since it cannot identify it.