3 Interface Changes
The following topics summarize ACLI, SNMP, HDR, Alarms, Accounting, and Web GUI changes for S-Cz9.0.0. The additions, removals, and changes noted in these topics occured since the previous major release of the Oracle Communications Session Border Controller.
ACLI Configuration Element Changes
The following tables summarize the ACLI configuration element changes that first appear in the Oracle Communications Session Border Controller (SBC) S-Cz9.0.0 release.
DoS Counters
| Modified Elements | Description |
|---|---|
| media-manager, media-manager, untrusted-minor-threshold | Specifies the traffic level at which the system triggers minor notifications about DoS traffic in the untrusted queue. |
| media-manager, media-manager, untrusted-major-threshold | Specifies the traffic level at which the system triggers major notifications about DoS traffic in the untrusted queue. |
| media-manager, media-manager, untrusted-critical-threshold | Specifies the traffic level at which the system triggers critical notifications about DoS traffic in the untrusted queue. |
| media-manager, media-manager, trusted-minor-threshold | Specifies the traffic level at which the system triggers minor notifications about DoS traffic in the trusted queue. |
| media-manager, media-manager, trusted-major-threshold | Specifies the traffic level at which the system triggers major notifications about DoS traffic in the trusted queue. |
| media-manager, media-manager, trusted-critical-threshold | Specifies the traffic level at which the system triggers critical notifications about DoS traffic in the trusted queue. |
| media-manager, media-manager, arp-minor-threshold | Specifies the traffic level at which the system triggers minor notifications about DoS traffic in the arp queue. |
| media-manager, media-manager, arp-major-threshold | Specifies the traffic level at which the system triggers major notifications about DoS traffic in the arp queue. |
| media-manager, media-manager, arp-critical-threshold | Specifies the traffic level at which the system triggers critical notifications about DoS traffic in the arp queue. |
Hyperthreading Support
| Modified Elements | Description |
|---|---|
| system-config, use-sibling-core-datapath | Allows the system to support hyperthreading of cores performing datapath functions. |
Surrogate Registration for Diverse Realms
| Modified Elements | Description |
|---|---|
| media-manager, realm-config, auth-attributes | Allows the application of authentication configuration on a realm to support cross-realm surrogate authentication. |
| media-manager, realm-config, auth-attributes, username | Performs the same authentication function as a session agent's auth-attribute from within a realm. |
| media-manager, realm-config, auth-attributes, auth-user-lookup | Performs the same authentication function as a session agent's auth-attribute from within a realm. |
| media-manager, realm-config, auth-attributes, password | Performs the same authentication function as a session agent's auth-attribute from within a realm. |
| media-manager, realm-config, auth-attributes, in-dialog-methods | Performs the same authentication function as a session agent's auth-attribute from within a realm. |
Support for RFC 5939
| Modified Elements | Description |
|---|---|
| sdes-profile, egress-offer-format, rfc5939-compliant | Allows you to specify RFC 5939 operation for this sdes-profile. |
Session Translation for SIP-SIPI Interworking
| Modified Elements | Description |
|---|---|
| session-router, session-translation, rules-redirect | Allows you to define session translation rules for managing redirect information during SIP-SIPI interworking. |
| session-router, session-translation, rules-history-info | Allows you to define session translation rules for managing history-info information during SIP-SIPI interworking. |
IKEv2 Support for Wancom0
| New Elements | Description |
|---|---|
| security, ikev2-ipsec-wancom0-params | Allows you to define the IP addresses, ports, protocol, and other attrbutes of the IKEv2/IPsec connection. |
Regex Support for Advanced Logging
| New Elements | Description |
|---|---|
| session-router, sip-advanced-logging, conditions, match-procedure | Allows you to select whether to perform an exact match or a regex match. |
OCSP Verification of Client X.509 Certificates
| New Elements | Description |
|---|---|
| security, authentication, online-certificate-status-protocol | Allows you to select which interfaces require OCSP verification, the OCSP FQDN, and the IP address and port of the DNS resolver for the OCSP FQDN. |
ACLI Command Changes
The following table summarizes the ACLI command changes that first appear in the Oracle Communications Session Border Controller S-Cz9.0.0 release.
This table lists and describes changes to ACLI commands that are available in the S-Cz9.0.0 release.
| New Commands | Description |
|---|---|
| show sipd rbt-trfo | |
| show lrt route-table <lrt-config-name> | Output enhanced to include information on priority and weight. |
| show lrt route-entry <lrt-config-name> <user> | Output enhanced to include information on priority and weight. |
| show dos threshold counters | Displays current statistics on traffic and triggers collected to monitor DoS traffic status. |
| show security ipsec wancom0 <sad | spd | tunnels> | Displays the IPsec databases and counters for the wancom0 interface |
| show security ike wancom0 <error-stats | sad> | Displays the IKEv2 error stats or SAD information for the wancom0 interface. |
| show sipd srs | Lists the current status for all the SRS'
configured in the system. The status being:
|
| show sipd srg | Displays the current status for all the SRGs configured in the system. |
| show sipd siprec <message> | Lists information about a specific type of SIP message related to all SIPREC sessions towards SRS. |
| show sipd siprec errors | Shows errors related to SIP media event. |
| show rec srs <srs_name> | Shows the statistics for a specific SRS. |
| show rec srg <srg_name> | Shows the statistics for a specific SRG. |
| reset tacacs-stats | Reset the TACACS+ statistics |
| ssh-key x509 import <certificate-name> <ocsp-server> <class> | Import a client X.509 certificate that a client can use for authentication, specifying the OCSP server to use for verification. |
| ssh-key x509 delete <login-name> | Delete an imported X.509 certificate. |
Accounting Changes
This section summarizes the accounting changes that appear in the Oracle Communications Session Border Controller version S-Cz9.0.0.
There are no accounting data additions documented for this release.
SNMP/MIB Changes
This section summarizes the SNMP/MIB changes that appear in the SBC version S-Cz9.0.0.
MIB Changes for STIR/SHAKEN Statistics
When the STIR/SHAKEN feature is enabled, the SBC uses the apStirServerStats table, within
the ap.apps.mib, to monitor feature statistics.
This table contains the new apStirServerStats objects by which the user can monitor STIR/SHAKEN statistics using SNMP.
| MIB Object | Object ID 1.3.6.1.4.1.9148.3.16.1.4.2.1.4.x + | Description |
|---|---|---|
| apStirServerName | .1. | Server name as configured on the SBC |
| apStirServerStats.recent.asQueries | .1.1 | Recent queries made to the named AS server |
| apStirServerStats.recent.asSuccessResponses | .1.2 | Recent successful responses received from the named AS server |
| apStirServerStats.recent.asFailResponses | .1.3 | Recent failed responses received from the named AS server |
| apStirServerStats.recent.asFailServiceException | .1.4 | Recent failed responses received from the named AS server caused by a service exception |
| apStirServerStats.recent.asFailPolicyException | .1.5 | Recent failed responses received from the named AS server caused by a policy exception |
| apStirServerStats.recent.vsQueries | .1.6 | Recent queries made to the named VS server |
| apStirServerStats.recent.vsSuccessResponses | .1.7 | Recent successful responses received from the named VS server |
| apStirServerStats.recent.vsFailResponses | .1.8 | Recent failed responses received from the named VS server |
| apStirServerStats.recent.vsFailVerification | .1.9 | Recent failed responses received from the named VS server indicating verification failure |
| apStirServerStats.recent.vsFailServiceException | .1.10 | Recent failed responses received from the named VS server caused by a service exception |
| apStirServerStats.recent.vsFailPolicyException | .1.11 | Recent failed responses received from the named VS server caused by a policy exception |
| apStirServerStats.recent.ServerUnreachable | .1.12 | N/A |
| apStirServerStats.total.asQueries | .2.1 | Recent queries made to the named AS server |
| apStirServerStats.total.asSuccessResponses | .2.2 | Total successful responses received from the named AS server |
| apStirServerStats.total.asFailResponses | .2.3 | Total failed responses received from the named AS server |
| apStirServerStats.total.asFailServiceException | .2.4 | Total failed responses received from the named AS server caused by a service exception |
| apStirServerStats.total.asFailPolicyException | .2.5 | Total failed responses received from the named AS server caused by a policy exception |
| apStirServerStats.total.vsQueries | .2.6 | Total queries made to the named VS server |
| apStirServerStats.total.vsSuccessResponses | .2.7 | Total successful responses received from the named VS server |
| apStirServerStats.total.vsFailResponses | .2.8 | Total failed responses received from the named VS server |
| apStirServerStats.total.vsFailVerification | .2.9 | Total failed responses received from the named VS server indicating verification failure |
| apStirServerStats.total.vsFailServiceException | .2.10 | Total failed responses received from the named VS server caused by a service exception |
| apStirServerStats.total.vsFailPolicyException | .2.11 | Total failed responses received from the named VS server caused by a policy exception |
| apStirServerStats.total.ServerUnreachable | .2.12 | N/A |
| apStirServerStats.permax.asQueries | .3.1 | Permax queries made to the named AS server |
| apStirServerStats.permax.asSuccessResponses | .3.2 | Permax successful responses received from the named AS server |
| apStirServerStats.permax.asFailResponses | .3.3 | Permax failed responses received from the named AS server |
| apStirServerStats.permax.asFailServiceException | .3.4 | Permax failed responses received from the named AS server caused by a service exception |
| apStirServerStats.permax.asFailPolicyException | .3.5 | Permax failed responses received from the named AS server caused by a policy exception |
| apStirServerStats.permax.vsQueries | .3.6 | Permax queries made to the named VS server |
| apStirServerStats.permax.vsSuccessResponses | .3.7 | Permax successful responses received from the named VS server |
| apStirServerStats.permax.vsFailResponses | .3.8 | Permax failed responses received from the named VS server |
| apStirServerStats.permax.vsFailVerification | .3.9 | Permax failed responses received from the named VS server indicating verification failure |
| apStirServerStats.permax.vsFailServiceException | .3.10 | Permax failed responses received from the named VS server caused by a service exception |
| apStirServerStats.permax.vsFailPolicyException | .3.11 | Recent failed responses received from the named VS server caused by a policy exception |
| apStirServerStats.permax.ServerUnreachable | .3.12 | N/A |
The SBC sends two SNMP traps that alert you when traffic crosses each threshold, and clear when the traffic falls back below the threshold:
- apDosThresholdCrossTrap
- apDosThresholdClearTrap
See the Security chapter in the ACLI Configuration Guide for further information on how to read these traps.
DoS Counter Statistics
The SBC uses the
apStirServerStats table, within the ap.apps.mib, to monitor
feature statistics.
This table contains the new apDosThresholdCountersGroup objects by which the user can monitor DoS statistics on a per-queue basis using SNMP.
| MIB Object | Object ID 1.3.6.1.4.1.9148.3.16.5 + | Description |
|---|---|---|
| apDosTrustedMinorCounter | .1 | Counter incremented, when trusted bandwidth crossed the minor threshold percentage |
| apDosTrustedMajorCounter | .2 | Counter incremented, when trusted bandwidth crossed the major threshold percentage |
| apDosTrustedCriticalCounter | .3 | Counter incremented, when trusted bandwidth crossed the critical threshold percentage |
| apDosUntrustedMinorCounter | .4 | Counter incremented, when untrusted bandwidth crossed the minor threshold percentage |
| apDosUntrustedMajorCounter | .5 | Counter incremented, when untrusted bandwidth crossed the major threshold percentage |
| apDosUntrustedCriticalCounter | .6 | Counter incremented, when untrusted bandwidth crossed the critical threshold percentage |
| apDosArpMinorCounter | .7 | Counter incremented, when ARP bandwidth crossed the minor threshold percentage |
| apDosArpMajorCounter | .8 | Counter incremented, when ARP bandwidth crossed the major threshold percentage |
| apDosArpCriticalCounter | .9 | Counter incremented, when ARP bandwidth crossed the critical threshold percentage |
OCSP Verification of Client X.509 Certificates
The following MIB is generated whenever any second-factor authentication fails, including when OCSP verification rejects an X.509 certificate because it is revoked.
| MIB Object | Object ID | Description |
|---|---|---|
| apSysMgmtAuthenticationFailedTrap | 1.3.6.1.4.1.9148.3.2.6.0.16 | Generated if an authentication attept fails. |
Alarms
This topic summarizes Alarm additions that appear in this release.
DoS Traffic Alarms
Three alarms are implemented to notify the user that DoS traffic has exceeded your
thresholds on the applicable queue. These alarms correspond to the SNMP traps:
- DOS THRESHOLD TRUSTED CROSS MEDIA ALARM
- DOS THRESHOLD UNTRUSTED CROSS MEDIA ALARM
- DOS THRESHOLD ARP CROSS MEDIA ALARM
Unlike SNMP, these present type and 'threshold crossed' in a single alarm object.
HDR
This topic summarizes the HDR changes that appear in this release.
STIR/SHAKEN HDR Group
This release includes the stir-stats HDR group. The table below lists and describes stir servers statistics and includes HDR position, statistic, type, timer value, range, and description.
| Position | Statistic | Type | Timer Value | Range | Description |
|---|---|---|---|---|---|
| 1 | TimeStamp | N/A | N/A | N/A | N/A |
| 2 | STI-Server | text | N/A | N/A | Server name as configured on the SBC |
| 3 | AS Queries | counter | N/A | N/A | Recent queries made to the named AS server |
| 4 | AS Success Responses | counter | N/A | N/A | Recent successful responses received from the named AS server |
| 5 | AS Fail Responses | counter | N/A | N/A | Recent failed responses received from the named AS server |
| 6 | AS Fail Service Exception | counter | N/A | N/A | Recent failed responses received from the named AS server caused by a service exception |
| 7 | AS Fail Policy Exception | counter | N/A | N/A | Recent failed responses received from the named AS server caused by a policy exception |
| 8 | VS Queries | counter | N/A | N/A | Recent queries made to the named VS server |
| 9 | VS Success Responses | counter | N/A | N/A | Recent successful responses received from the named VS server |
| 10 | VS Fail Responses | counter | N/A | N/A | Recent failed responses received from the named VS server |
| 11 | VS Fail Verification | counter | N/A | N/A | Recent failed responses received from the named VS server indicating verification failure |
| 12 | VS Fail Service Exception | counter | N/A | N/A | Recent failed responses received from the named VS server caused by a service exception |
| 13 | VS Fail Policy Exception | counter | N/A | N/A | Recent failed responses received from the named VS server caused by a policy exception |
| 14 | STI Server Unreachable | counter | N/A | N/A | The number of times the server has tripped the STI server's 'circuit breaker' |
DoS Traffic Group
This release includes the dos-threshold-counters HDR group. The table below lists and describes counter statistics and includes HDR position, statistic, type, timer value, range, and description.
| CSV Position | HDR Column Name | Data Type | Range | Description |
|---|---|---|---|---|
| 1 | Trusted Minor Counter | Counter | (0-2^64-1) | Counter incremented, when trusted bandwidth crossed the minor threshold percentage |
| 2 | Trusted Major Counter | Counter | (0-2^64-1) | Counter incremented, when trusted bandwidth crossed the major threshold percentage |
| 3 | Trusted Critical Counter | Counter | (0-2^64-1) | Counter incremented, when trusted bandwidth crossed the critical threshold percentage |
| 4 | Untrusted Minor Counter | Counter | (0-2^64-1) | Counter incremented, when untrusted bandwidth crossed the minor threshold percentage |
| 5 | Untrusted Major Counter | Counter | (0-2^64-1) | Counter incremented, when untrusted bandwidth crossed the major threshold percentage |
| 6 | Untrusted Critical Counter | Counter | (0-2^64-1) | Counter incremented, when untrusted bandwidth crossed the critical threshold percentage |
| 7 | ARP Minor Counter | Counter | (0-2^64-1) | Counter incremented, when ARP bandwidth crossed the minor threshold percentage |
| 8 | ARP Major Counter | Counter | (0-2^64-1) | Counter incremented, when ARP bandwidth crossed the major threshold percentage |
| 9 | ARP Critical Counter | Counter | (0-2^64-1) | Counter incremented, when ARP bandwidth crossed the critical threshold percentage |
Errors and Warnings
The following errors or warnings have been added in this release.
verify-config Errors and Warnings
| Error or Warning | Description |
|---|---|
| WARNING: [x] and [y] should not be run simultaneously as they may interfere with each other and lead to undefined behavior. | Two or more of these conflicting items have been activated: comm-monitor, packet-trace, call-trace and SIP Monitoring & Trace. At least one needs to be disabled. |
When misconfigured, a warning will display when running the packet-trace or capture
command. For
example:
ORACLE# packet-trace local start wancom0 "host 192.168.1.1"
WARNING: packet-trace and comm-monitor should not be run simultaneously as they may interfere with each other and lead to undefined behavior.
Do you want to continue : [y/n]?:ORACLE# capture start global *
WARNING: SIP Monitoring & Trace, call-trace and comm-monitor should not be run simultaneously as they may interfere with each other and lead to undefined behavior.
Do you want to continue : [y/n]?: