3 Interface Changes

The following topics summarize ACLI, SNMP, HDR, Alarms, Accounting, and Web GUI changes for S-Cz9.0.0. The additions, removals, and changes noted in these topics occurred since the previous major release of the Oracle Communications Session Border Controller.

ACLI Configuration Element Changes

The following tables summarize the ACLI configuration element changes that first appear in the Oracle Communications Session Border Controller (SBC) S-Cz9.0.0 release.

DoS Counters

Modified Elements | Description
media-manager, media-manager, untrusted-minor-threshold | Specifies the traffic level at which the system triggers minor notifications about DoS traffic in the untrusted queue.
media-manager, media-manager, untrusted-major-threshold | Specifies the traffic level at which the system triggers major notifications about DoS traffic in the untrusted queue.
media-manager, media-manager, untrusted-critical-threshold | Specifies the traffic level at which the system triggers critical notifications about DoS traffic in the untrusted queue.
media-manager, media-manager, trusted-minor-threshold | Specifies the traffic level at which the system triggers minor notifications about DoS traffic in the trusted queue.
media-manager, media-manager, trusted-major-threshold | Specifies the traffic level at which the system triggers major notifications about DoS traffic in the trusted queue.
media-manager, media-manager, trusted-critical-threshold | Specifies the traffic level at which the system triggers critical notifications about DoS traffic in the trusted queue.
media-manager, media-manager, arp-minor-threshold | Specifies the traffic level at which the system triggers minor notifications about DoS traffic in the arp queue.
media-manager, media-manager, arp-major-threshold | Specifies the traffic level at which the system triggers major notifications about DoS traffic in the arp queue.
media-manager, media-manager, arp-critical-threshold | Specifies the traffic level at which the system triggers critical notifications about DoS traffic in the arp queue.

Hyperthreading Support

Modified Elements | Description
system-config, use-sibling-core-datapath | Allows the system to support hyperthreading of cores performing datapath functions.

Surrogate Registration for Diverse Realms

Modified Elements | Description
media-manager, realm-config, auth-attributes | Allows the application of authentication configuration on a realm to support cross-realm surrogate authentication.
media-manager, realm-config, auth-attributes, username | Performs the same authentication function as a session agent's auth-attribute from within a realm.
media-manager, realm-config, auth-attributes, auth-user-lookup | Performs the same authentication function as a session agent's auth-attribute from within a realm.
media-manager, realm-config, auth-attributes, password | Performs the same authentication function as a session agent's auth-attribute from within a realm.
media-manager, realm-config, auth-attributes, in-dialog-methods | Performs the same authentication function as a session agent's auth-attribute from within a realm.

Support for RFC 5939

Modified Elements | Description
sdes-profile, egress-offer-format, rfc5939-compliant | Allows you to specify RFC 5939 operation for this sdes-profile.

Session Translation for SIP-SIPI Interworking

Modified Elements | Description
session-router, session-translation, rules-redirect | Allows you to define session translation rules for managing redirect information during SIP-SIPI interworking.
session-router, session-translation, rules-history-info | Allows you to define session translation rules for managing history-info information during SIP-SIPI interworking.

IKEv2 Support for Wancom0

New Elements | Description
security, ikev2-ipsec-wancom0-params | Allows you to define the IP addresses, ports, protocol, and other attributes of the IKEv2/IPsec connection.

Regex Support for Advanced Logging

New Elements | Description
session-router, sip-advanced-logging, conditions, match-procedure | Allows you to select whether to perform an exact match or a regex match.

OCSP Verification of Client X.509 Certificates

New Elements | Description
security, authentication, online-certificate-status-protocol | Allows you to select which interfaces require OCSP verification, the OCSP FQDN, and the IP address and port of the DNS resolver for the OCSP FQDN.

ACLI Command Changes

The following table summarizes the ACLI command changes that first appear in the Oracle Communications Session Border Controller S-Cz9.0.0 release.

This table lists and describes changes to ACLI commands that are available in the S-Cz9.0.0 release.

New Commands | Description
show sipd rbt-trfo |
show lrt route-table <lrt-config-name> | Output enhanced to include information on priority and weight.
show lrt route-entry <lrt-config-name> <user> | Output enhanced to include information on priority and weight.
show dos threshold counters | Displays current statistics on traffic and triggers collected to monitor DoS traffic status.
show security ipsec wancom0 <sad | spd | tunnels> | Displays the IPsec databases and counters for the wancom0 interface.
show security ike wancom0 <error-stats | sad> | Displays the IKEv2 error stats or SAD information for the wancom0 interface.
show sipd srs | Lists the current status for all the SRSs configured in the system. The status is one of: I (in service), O (out of service), S (transitioning from out of service to in service status).
show sipd srg | Displays the current status for all the SRGs configured in the system.
show sipd siprec <message> | Lists information about a specific type of SIP message related to all SIPREC sessions towards SRS.
show sipd siprec errors | Shows errors related to SIP media event.
show rec srs <srs_name> | Shows the statistics for a specific SRS.
show rec srg <srg_name> | Shows the statistics for a specific SRG.
reset tacacs-stats | Resets the TACACS+ statistics.
ssh-key x509 import <certificate-name> <ocsp-server> <class> | Imports a client X.509 certificate that a client can use for authentication, specifying the OCSP server to use for verification.
ssh-key x509 delete <login-name> | Deletes an imported X.509 certificate.

Accounting Changes

This section summarizes the accounting changes that appear in the Oracle Communications Session Border Controller version S-Cz9.0.0.

There are no accounting data additions documented for this release.

SNMP/MIB Changes

This section summarizes the SNMP/MIB changes that appear in the SBC version S-Cz9.0.0.

MIB Changes for STIR/SHAKEN Statistics

When the STIR/SHAKEN feature is enabled, the SBC uses the apStirServerStats table, within the ap.apps.mib, to monitor feature statistics.

This table contains the new apStirServerStats objects by which the user can monitor STIR/SHAKEN statistics using SNMP.

MIB Object | Object ID 1.3.6.1.4.1.9148.3.16.1.4.2.1.4.x + | Description
apStirServerName | .1. | Server name as configured on the SBC
apStirServerStats.recent.asQueries | .1.1 | Recent queries made to the named AS server
apStirServerStats.recent.asSuccessResponses | .1.2 | Recent successful responses received from the named AS server
apStirServerStats.recent.asFailResponses | .1.3 | Recent failed responses received from the named AS server
apStirServerStats.recent.asFailServiceException | .1.4 | Recent failed responses received from the named AS server caused by a service exception
apStirServerStats.recent.asFailPolicyException | .1.5 | Recent failed responses received from the named AS server caused by a policy exception
apStirServerStats.recent.vsQueries | .1.6 | Recent queries made to the named VS server
apStirServerStats.recent.vsSuccessResponses | .1.7 | Recent successful responses received from the named VS server
apStirServerStats.recent.vsFailResponses | .1.8 | Recent failed responses received from the named VS server
apStirServerStats.recent.vsFailVerification | .1.9 | Recent failed responses received from the named VS server indicating verification failure
apStirServerStats.recent.vsFailServiceException | .1.10 | Recent failed responses received from the named VS server caused by a service exception
apStirServerStats.recent.vsFailPolicyException | .1.11 | Recent failed responses received from the named VS server caused by a policy exception
apStirServerStats.recent.ServerUnreachable | .1.12 | N/A
apStirServerStats.total.asQueries | .2.1 | Recent queries made to the named AS server
apStirServerStats.total.asSuccessResponses | .2.2 | Total successful responses received from the named AS server
apStirServerStats.total.asFailResponses | .2.3 | Total failed responses received from the named AS server
apStirServerStats.total.asFailServiceException | .2.4 | Total failed responses received from the named AS server caused by a service exception
apStirServerStats.total.asFailPolicyException | .2.5 | Total failed responses received from the named AS server caused by a policy exception
apStirServerStats.total.vsQueries | .2.6 | Total queries made to the named VS server
apStirServerStats.total.vsSuccessResponses | .2.7 | Total successful responses received from the named VS server
apStirServerStats.total.vsFailResponses | .2.8 | Total failed responses received from the named VS server
apStirServerStats.total.vsFailVerification | .2.9 | Total failed responses received from the named VS server indicating verification failure
apStirServerStats.total.vsFailServiceException | .2.10 | Total failed responses received from the named VS server caused by a service exception
apStirServerStats.total.vsFailPolicyException | .2.11 | Total failed responses received from the named VS server caused by a policy exception
apStirServerStats.total.ServerUnreachable | .2.12 | N/A
apStirServerStats.permax.asQueries | .3.1 | Permax queries made to the named AS server
apStirServerStats.permax.asSuccessResponses | .3.2 | Permax successful responses received from the named AS server
apStirServerStats.permax.asFailResponses | .3.3 | Permax failed responses received from the named AS server
apStirServerStats.permax.asFailServiceException | .3.4 | Permax failed responses received from the named AS server caused by a service exception
apStirServerStats.permax.asFailPolicyException | .3.5 | Permax failed responses received from the named AS server caused by a policy exception
apStirServerStats.permax.vsQueries | .3.6 | Permax queries made to the named VS server
apStirServerStats.permax.vsSuccessResponses | .3.7 | Permax successful responses received from the named VS server
apStirServerStats.permax.vsFailResponses | .3.8 | Permax failed responses received from the named VS server
apStirServerStats.permax.vsFailVerification | .3.9 | Permax failed responses received from the named VS server indicating verification failure
apStirServerStats.permax.vsFailServiceException | .3.10 | Permax failed responses received from the named VS server caused by a service exception
apStirServerStats.permax.vsFailPolicyException | .3.11 | Recent failed responses received from the named VS server caused by a policy exception
apStirServerStats.permax.ServerUnreachable | .3.12 | N/A

The SBC sends two SNMP traps that alert you when traffic crosses each threshold, and clear when the traffic falls back below the threshold:

  • apDosThresholdCrossTrap
  • apDosThresholdClearTrap

See the Security chapter in the ACLI Configuration Guide for further information on how to read these traps.

DoS Counter Statistics

The SBC uses the apStirServerStats table, within the ap.apps.mib, to monitor feature statistics.

This table contains the new apDosThresholdCountersGroup objects by which the user can monitor DoS statistics on a per-queue basis using SNMP.

MIB Object | Object ID 1.3.6.1.4.1.9148.3.16.5 + | Description
apDosTrustedMinorCounter | .1 | Counter incremented, when trusted bandwidth crossed the minor threshold percentage
apDosTrustedMajorCounter | .2 | Counter incremented, when trusted bandwidth crossed the major threshold percentage
apDosTrustedCriticalCounter | .3 | Counter incremented, when trusted bandwidth crossed the critical threshold percentage
apDosUntrustedMinorCounter | .4 | Counter incremented, when untrusted bandwidth crossed the minor threshold percentage
apDosUntrustedMajorCounter | .5 | Counter incremented, when untrusted bandwidth crossed the major threshold percentage
apDosUntrustedCriticalCounter | .6 | Counter incremented, when untrusted bandwidth crossed the critical threshold percentage
apDosArpMinorCounter | .7 | Counter incremented, when ARP bandwidth crossed the minor threshold percentage
apDosArpMajorCounter | .8 | Counter incremented, when ARP bandwidth crossed the major threshold percentage
apDosArpCriticalCounter | .9 | Counter incremented, when ARP bandwidth crossed the critical threshold percentage
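
The following is an added example, not Oracle code and not part of the original release notes. It compares two polls of the nine counters above and reports, per queue, the most severe threshold crossed between them. The poll line format (numeric OID, a ".0" scalar instance suffix, a Counter64 type), the restart handling, and the sample values are assumptions made for illustration.

```python
import re
from itertools import product

BASE = "1.3.6.1.4.1.9148.3.16.5"      # base OID from the table above
QUEUES = ("Trusted", "Untrusted", "Arp")
LEVELS = ("Minor", "Major", "Critical")  # ascending severity
# Sub-identifiers .1 to .9 run queue by queue, minor to critical, as in the table.
OBJECTS = {f"{BASE}.{i}": key
           for i, key in enumerate(product(QUEUES, LEVELS), start=1)}

# Assumed line format: numeric OID, optional ".0" scalar instance, counter type, value.
LINE = re.compile(r"^\.?([\d.]+?)(?:\.0)? = Counter(?:32|64): (\d+)$")


def parse_poll(text):
    """Parse one poll's output into {(queue, level): counter value}."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1) in OBJECTS:
            values[OBJECTS[m.group(1)]] = int(m.group(2))
    return values


def crossings(prev, curr):
    """Return {queue: (highest level crossed, crossings)} between two polls."""
    result = {}
    for queue, level in product(QUEUES, LEVELS):  # most severe level comes last
        before, now = prev.get((queue, level)), curr.get((queue, level))
        if before is None or now is None:
            continue
        # A value lower than the previous poll is treated as a counter restart
        # (assumption), so the new value is counted from zero.
        delta = now - before if now >= before else now
        if delta > 0:
            result[queue] = (level, delta)
    return result


def render(values):
    """Build constructed poll output for the nine counters, in table order."""
    return "\n".join(f".{BASE}.{i}.0 = Counter64: {v}"
                     for i, v in enumerate(values, start=1))


# Constructed sample polls, not captured from a device.
POLL_1 = render([3, 1, 0, 10, 4, 1, 0, 0, 0])
POLL_2 = render([3, 1, 0, 14, 6, 1, 2, 0, 0])

if __name__ == "__main__":
    for queue, (level, count) in crossings(parse_poll(POLL_1), parse_poll(POLL_2)).items():
        print(f"{queue} queue: {level} threshold crossed {count} time(s)")
```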

OCSP Verification of Client X.509 Certificates

The following MIB is generated whenever any second-factor authentication fails, including when OCSP verification rejects an X.509 certificate because it is revoked.

MIB Object | Object ID | Description
apSysMgmtAuthenticationFailedTrap | 1.3.6.1.4.1.9148.3.2.6.0.16 | Generated if an authentication attempt fails.

Alarms

This topic summarizes Alarm additions that appear in this release.

DoS Traffic Alarms

Three alarms are implemented to notify you that DoS traffic has exceeded your thresholds on the applicable queue. These alarms correspond to the SNMP traps:
  • DOS THRESHOLD TRUSTED CROSS MEDIA ALARM
  • DOS THRESHOLD UNTRUSTED CROSS MEDIA ALARM
  • DOS THRESHOLD ARP CROSS MEDIA ALARM

Unlike SNMP, these present type and 'threshold crossed' in a single alarm object.

HDR

This topic summarizes the HDR changes that appear in this release.

STIR/SHAKEN HDR Group

This release includes the stir-stats HDR group. The table below lists and describes stir servers statistics and includes HDR position, statistic, type, timer value, range, and description.

Position | Statistic | Type | Timer Value | Range | Description
1 | TimeStamp | N/A | N/A | N/A | N/A
2 | STI-Server | text | N/A | N/A | Server name as configured on the SBC
3 | AS Queries | counter | N/A | N/A | Recent queries made to the named AS server
4 | AS Success Responses | counter | N/A | N/A | Recent successful responses received from the named AS server
5 | AS Fail Responses | counter | N/A | N/A | Recent failed responses received from the named AS server
6 | AS Fail Service Exception | counter | N/A | N/A | Recent failed responses received from the named AS server caused by a service exception
7 | AS Fail Policy Exception | counter | N/A | N/A | Recent failed responses received from the named AS server caused by a policy exception
8 | VS Queries | counter | N/A | N/A | Recent queries made to the named VS server
9 | VS Success Responses | counter | N/A | N/A | Recent successful responses received from the named VS server
10 | VS Fail Responses | counter | N/A | N/A | Recent failed responses received from the named VS server
11 | VS Fail Verification | counter | N/A | N/A | Recent failed responses received from the named VS server indicating verification failure
12 | VS Fail Service Exception | counter | N/A | N/A | Recent failed responses received from the named VS server caused by a service exception
13 | VS Fail Policy Exception | counter | N/A | N/A | Recent failed responses received from the named VS server caused by a policy exception
14 | STI Server Unreachable | counter | N/A | N/A | The number of times the server has tripped the STI server's 'circuit breaker'

DoS Traffic Group

This release includes the dos-threshold-counters HDR group. The table below lists and describes counter statistics and includes HDR position, statistic, type, timer value, range, and description.

CSV Position | HDR Column Name | Data Type | Range | Description
1 | Trusted Minor Counter | Counter | (0-2^64-1) | Counter incremented, when trusted bandwidth crossed the minor threshold percentage
2 | Trusted Major Counter | Counter | (0-2^64-1) | Counter incremented, when trusted bandwidth crossed the major threshold percentage
3 | Trusted Critical Counter | Counter | (0-2^64-1) | Counter incremented, when trusted bandwidth crossed the critical threshold percentage
4 | Untrusted Minor Counter | Counter | (0-2^64-1) | Counter incremented, when untrusted bandwidth crossed the minor threshold percentage
5 | Untrusted Major Counter | Counter | (0-2^64-1) | Counter incremented, when untrusted bandwidth crossed the major threshold percentage
6 | Untrusted Critical Counter | Counter | (0-2^64-1) | Counter incremented, when untrusted bandwidth crossed the critical threshold percentage
7 | ARP Minor Counter | Counter | (0-2^64-1) | Counter incremented, when ARP bandwidth crossed the minor threshold percentage
8 | ARP Major Counter | Counter | (0-2^64-1) | Counter incremented, when ARP bandwidth crossed the major threshold percentage
9 | ARP Critical Counter | Counter | (0-2^64-1) | Counter incremented, when ARP bandwidth crossed the critical threshold percentage

Errors and Warnings

The following errors or warnings have been added in this release.

verify-config Errors and Warnings

Error or Warning | Description
WARNING: [x] and [y] should not be run simultaneously as they may interfere with each other and lead to undefined behavior. | Two or more of these conflicting items have been activated: comm-monitor, packet-trace, call-trace and SIP Monitoring & Trace. At least one needs to be disabled.
When misconfigured, a warning will display when running the packet-trace or capture command. For example:
ORACLE# packet-trace local start wancom0 "host 192.168.1.1"

WARNING: packet-trace and comm-monitor should not be run simultaneously as they may interfere with each other and lead to undefined behavior.

Do you want to continue :  [y/n]?:
ORACLE# capture start global *

WARNING: SIP Monitoring & Trace, call-trace and comm-monitor should not be run simultaneously as they may interfere with each other and lead to undefined behavior.

Do you want to continue :  [y/n]?: