1 Introduction to S-Cz9.0.0

The Oracle Communications Session Border Controller Release Notes provides the following information about S-Cz9.0.0 release:
  • Specifications of supported platforms, virtual machine resources, and hardware requirements
  • Overviews of the new features and enhancements
  • Summaries of known issues, caveats, limitations, and behavioral changes
  • Details about upgrades and patch equivalency
  • Notes about documentation changes, behavioral changes, and interface changes

Supported Platforms

The Oracle Communications Session Border Controller (SBC) can run on a variety of physical and virtual platforms. It can also be run in public cloud environments. This section lists all supported platforms and high level requirements.

Supported Physical Platforms

The Oracle Communications Session Border Controller can be run on the following hardware platforms.

Acme Packet Platforms

The S-Cz9.0.0 version of the OCSBC supports the following platforms:
  • Acme Packet 3900
  • Acme Packet 3950
  • Acme Packet 4600
  • Acme Packet 4900
  • Acme Packet 6100
  • Acme Packet 6300
  • Acme Packet 6350
  • Virtual Platforms
The S-Cz9.0.0 version of the OCSR supports the following platforms:
  • Acme Packet 4600
  • Acme Packet 6100
  • Acme Packet 6300
  • Netra Server X5-2
  • Oracle Server X7-2
  • Oracle Server X8-2
  • Virtual Platforms

Supported Private Virtual Infrastructures and Public Clouds

The SBC can be run on the following Private Virtual Infrastructures, which include individual hypervisors as well as private clouds based on architectures such as VMware or Openstack.

Note:

The SBC does not support automatic, dynamic disk resizing.

Note:

Virtual SBCs do not support media interfaces when media interfaces of different NIC models are attached. Media Interfaces are supported only when all media interfaces are of the same model, belong to the same Ethernet Controller, and have the same PCI Vendor ID and Device ID.

Supported Hypervisors for Private Virtual Infrastructures

Oracle supports installation of SBC on the following hypervisors:

  • KVM: Linux kernel version 3.10.0-123 or later, with KVM/QEMU (2.9.0_16 or later) and libvirt (3.9.0_14 or later)
  • VMware: vSphere ESXi (Version 6.5 or later)

Compatibility with OpenStack Private Virtual Infrastructures

Oracle distributes Heat templates for the Newton and Pike versions of OpenStack. Use the Newton template when running either the Newton or Ocata versions of OpenStack. Use the Pike template when running Pike or a later version of OpenStack.

Supported Public Cloud Platforms

The SBC can be run on the following public cloud platforms.

  • Oracle Cloud Infrastructure (OCI) - After deployment, you can change the shape of your machine by, for example, adding disks and interfaces. OCI Cloud Shapes and options validated in this release are listed in the table below.
    Shape OCPUs/VCPUs vNICs Tx/Rx Queues Max Forwarding Cores DoS Protection
    VM.Standard1.4 4/8 4 2 2 Y
    VM.Standard1.8 8/16 8 2 2 Y
    VM.Standard1.16 16/32 16 2 2 Y
    VM.Standard2.4 4/8 4 2 2 Y
    VM.Standard2.8 8/16 8 2 2 Y
    VM.Standard2.16 16/32 16 2 2 Y

    Networking using image mode [SR-IOV mode - Native] is supported on OCI. PV and Emulated modes are not currently supported.

  • Amazon Web Services (EC2) - This table lists the AWS (ECs) instance sizes that apply to the SBC.
    Instance Type vCPUs Memory (GB) Max NICs
    c5.xlarge 4 8 4
    c5.2xlarge 8 16 4
    c5.4xlarge 16 32 8
    c5.9xlarge 36 72 8
    c5.12xlarge 48 96 8
    c5.18xlarge 72 144 15
    c5n.xlarge 4 10.5 4
    c5n.2xlarge 8 21 4
    c5n.4xlarge 16 42 8
    c5n.9xlarge 36 96 8
    c5n.18xlarge 72 192 15

    Driver support detail includes:

    • ENA is supported on C5/C5n family only.

    Note:

    C5 instances use the Nitro hypervisor.
  • Microsoft Azure - The following table lists the Azure instance sizes that you can use for the SBC.
    Size (Fs series) vCPUs Memory Max NICs
    Standard_F4s 4 8 4
    Standard_F8s 8 16 8
    Standard_F16s 16 32 8
    Size vCPUs Memory Max NICs
    Standard_F8s_v2 8 16 4
    Standard_F16s_v2 16 32 4

    Size types define architectural differences and cannot be changed after deployment. During deployment you choose a size for the OCSBC, based on pre-packaged Azure sizes. After deployment, you can change the detail of these sizes to, for example, add disks or interfaces. Azure presents multiple size options for multiple size types.

    Azure sizes that support and expose hyperthreading to the user includes the version 2, F series.

    For higher performance and capacity on media interfaces, use the Azure CLI to create a network interface with accelerated networking. You can also use the Azure GUI to enable accelerated networking.

Note:

The SBC does not support Data Disks deployed over any Azure instance sizes.

Note:

v2 instances have hyperthreading enabled.

Platform Hyperthreading Support

Of the supported hypervisors, only VMware does not expose SMT capability to the SBC. Of the supported clouds, OCI, AWS, and, for their FS-v2 sized, Azure enable SMT by default and expose it to the SBC.

DPDK Reference

The SBC relies on DPDK for packet processing and related functions. You may reference the Tested Platforms section of the DPDK release notes available at https://doc.dpdk.org. This information can be used in conjunction with this Release Notes document for you to set a baseline of:

  • CPU
  • Host OS and version
  • NIC driver and version
  • NIC firmware version

Note:

Oracle only qualifies a specific subset of platforms. Not all the hardware listed as supported by DPDK is enabled and supported in this software.
The DPDK version used in this release is:
  • 20.11

Requirements for Machines on Private Virtual Infrastructures

In private virtual infrastructures, you choose the compute resources required by your deployment. This includes CPU core, memory, disk size, and network interfaces. Deployment details, such as the use of distributed DoS protection, dictate resource utilization beyond the defaults.

Default VSBC Resources

The default compute for the SBC image files is as follows:

  • 4 CPU Cores
  • 8 GB RAM
  • 20 GB hard disk (pre-formatted)
  • 8 interfaces as follows:
    • 1 for management (wancom0 )
    • 2 for HA (wancom1 and 2)
    • 1 spare
    • 4 for media

Interface Host Mode for Private Virtual Infrastructures

The SBC VNF supports interface architectures using Hardware Virtualization Mode - Paravirtualized (HVM-PV):

  • ESXi - No manual configuration required.
  • KVM - HVM mode is enabled by default. Specifying PV as the interface type results in HVM plus PV.

Supported Interface Input-Output Modes for Private Virtual Infrastructures

  • Para-virtualized
  • SR-IOV
  • PCI Passthrough
  • Emulated - Emulated is supported for management interfaces only.

Supported Ethernet Controller, Driver, and Traffic Type based on Input-Output Modes

The following table lists supported Ethernet Controllers (chipset families) and their supported driver that Oracle supports for Virtual Machine deployments. Reference the host hardware specifications, where you run your hypervisor, to learn the Ethernet controller in use. The second table provides parallel information for virtual interface support. Refer to the separate platform benchmark report for example system-as-qualified performance data.

Note:

Virtual SBCs do not support media interfaces when media interfaces of different NIC models are attached. Media Interfaces are supported only when all media interfaces are of the same model, belong to the same Ethernet Controller, and have the same PCI Vendor ID and Device ID.

For KVM and VMware, accelerated media/signaling using SR-IOV and PCI-pt modes are supported for the following card types.

Ethernet Controller Driver SR-IOV PCI Passthrough
Intel 82599 / X520 / X540 ixgbe M M
Intel i210 / i350 igb M M
Intel X710 / XL710 i40e M M
Intel X710 / XL710 / XXV710 i40e, i40enFoot 1, iavfFoot 2 M M
Mellanox Connect X-4 mlx5 M M

Footnote 1 This driver is not supported on KVM.

Footnote 2 iavf driver is support in SR-IOV n/w mode

For PV mode (default, all supported hypervisors), the following virtual network interface types are supported. You can use any make/model NIC card on the host as long as the hypervisor presents it to the VM as one of these vNIC types.

Virtual Network Interface Driver W/M
Emulated e1000 W
KVM (PV) virtio W/M
Hyper-V (PV) NetVSC M
VMware (PV) VMXNET3 W/M

Emulated NICs do not provide sufficient bandwidth/QoS, and are suitable for use as management only.

  • W - wancom (management) interface
  • M - media interface

Note:

Accelerated media/signaling using SR-IOV (VF) or PCI-pt (DDA) modes are not currently supported for Hyper-V when running on Private Virtual Infrastructures.

CPU Core Resources for Private Virtual Infrastructures

The SBC S-Cz9.0.0 VNF requires an Intel Core i7 processor or higher, or a fully emulated equivalent including 64-bit SSSE3 and SSE4.2 support.

If the hypervisor uses CPU emulation (for example, qemu), Oracle recommends that you set the deployment to pass the full set of host CPU features to the VM.

PCIe Transcoding Card Requirements

For virtual SBC (vSBC) deployments, you can install an Artesyn SharpMedia™ PCIe-8120 media processing accelerator with either 4, 8, or 12 DSPs in the server chassis in a full-height, full-length PCI slot to provide high density media transcoding.

Compatibility between the PCIe-8120 card and the SBC is subject to these constraints:
  • VMWare and KVM are supported
  • PCIe-pass-through mode is supported
  • Each vSBC can support 2 PCIE 8120 cards and the server can support 4 PCIE 8120 cards.
  • Each PCIe-8120 card supports only one vSBC instance
  • Do not configure transcoding cores for software-based transcoding when using a PCIe media card.

Oracle Communications Session Router Recommendations for Netra and Oracle Servers

Oracle recommends the following resources when operating the OCSR, release S-Cz9.0.0 over Netra and Oracle Platforms.

Hardware recommendations for Netra Server X5-2

Processor Memory
2 x Intel Xeon E5-2699 v3 CPUs 32GB DDR4-2133

Hardware recommendations for Oracle Server X7-2

Processor Memory
2 x 18-core Intel Xeon 6140 32GB DDR4 SDRAM

Hardware recommendations for Oracle Server X8-2

Processor Memory
2x 24-core Intel Platinum 8260 32GB DDR4 SDRAM

Image Files and Boot Files

This software version distribution provides multiple products, based on your setup product configuration.

For Acme Packet Platforms

Use the following files for new installations and upgrades on Acme Packet platforms.

  • Image file: nnSCZ900.bz
  • Bootloader file: nnSCZ900.boot

For Virtual Platforms

This S-Cz9.0.0 release includes distributions suited for deployment over hypervisors. Download packages contain virtual machine templates for a range of virtual architectures. Use the following distributions to the Session Border Controller as a virtual machine:

  • nnSCZ900-img-vm_ovm.ova—Open Virtualization Archive (.ova) distribution of the SBC VNF for Amazon EC2.
  • nnSCZ900-img-vm_kvm.tgz—Compressed image file including SBC VNF for KVM virtual machines, Oracle Cloud Infrastructure (OCI), EC2 Nitro, and AWS C4 and C5 instances.
  • nnSCZ900-img-vm_vmware.ova—Open Virtualization Archive (.ova) distribution of the SBC VNF for ESXi virtual machines.
  • nnSCZ900p4_HOT.tar.gz—The Heat Orchestration Templates used with OpenStack.
  • nnSCZ900p4_tfStackBuilder.tar.gz—The Terraform templates used to create an AWS AMI.

Each virtual machine package includes:

  • Product software—Bootable image of the product allowing startup and operation as a virtual machine. Example formats include vmdk and qcow2.
  • usbc.ovf—XML descriptor information containing metadata for the overall package, including identification, and default virtual machine resource requirements. The .ovf file format is specific to the supported hypervisor.
  • legal.txt—Licensing information, including the Oracle End-User license agreement (EULA) terms covering the use of this software, and third-party license notifications.

For Oracle Platforms supporting the Session Router

Use the following files for new installations and upgrades on COTS platforms.

  • Image file: nnSCZ900.bz
  • Bootloader file: nnSCZ900.boot

Image Files for Customers Requiring Lawful Intercept

Deployments requiring Lawful Intercept (LI) functionality must use the LI-specific image files. These image files are available in a separate media pack on MOS and OSDC. LI-specific image files can be identified by the "LI" notation before the file extension.

All subsequent patches follow naming conventions with the LI modifier.

Boot Loader Requirements

All platforms require the Stage 3 boot loader that accompanies the Oracle Communications Session Border Controller image file, as distributed. Install the boot loader according to the instructions in the Installation and Platform Preparation Guide.

Setup Product

The following procedure shows how to setup the product. Once you have setup the product, you must setup entitlements. For information on setting up entitlements, see "Feature Entitlements".

Note:

The availability of a particular feature depends on your entitlements and configuration environment.
  1. Type setup product at the ACLI. If this is the first time running the command on this hardware, the product will show as Uninitialized.
  2. Type 1 <Enter> to modify the uninitialized product.
  3. Type the number followed by <Enter> for the product type you wish to initialize.
  4. Type s <Enter> to commit your choice as the product type of this platform.
  5. Reboot your system.
ORACLE# setup product

--------------------------------------------------------------
WARNING:
Alteration of product alone or in conjunction with entitlement
changes will not be complete until system reboot

Last Modified
--------------------------------------------------------------
 1 : Product       : Uninitialized

Enter 1 to modify, d' to display, 's' to save, 'q' to exit. [s]: 1

  Product
    1 - Session Border Controller
    2 - Session Router - Session Stateful
    3 - Session Router - Transaction Stateful
    4 - Subscriber-Aware Load Balancer
    5 - Enterprise Session Border Controller
    6 - Peering Session Border Controller
  Enter choice     : 1

Enter 1 to modify, d' to display, 's' to save, 'q' to exit. [s]: s
save SUCCESS

Note:

When configuring an HA pair, you must provision the same product type and features on each system.

Upgrade Information

Supported Upgrade Paths (OCSBC, OESBC and OCSR)

The OCSBC, OESBC and the OCSR support the following in-service (hitless) upgrade and rollback paths:

  • S-Cz8.2.0 to S-Cz9.0.0
  • S-Cz8.3.0 to S-Cz9.0.0
  • S-Cz8.4.0 to S-Cz9.0.0
  • S-Cz8.4.0p3 to S-Cz9.0.0
  • S-Cz8.4.0p5C (and newer) to S-Cz9.0.0

    Note:

    Do not upgrade to S-Cz9.0.0 directly from S-Cz8.4.0p4, S-Cz8.4.0p5 or any S-Cz8.4.0p5 OOC patches up to S-Cz8.4.0p5B. If running these versions, upgrade to S-Cz8.4.0p5C before upgrading to S-Cz9.0.0.

When upgrading to this release from a release older than the previous release, read all intermediate Release Notes for notification of incremental changes.

Upgrade Checklist

Before upgrading the Oracle Communications Session Border Controller software:

  1. Obtain the name and location of the target software image file from either Oracle Software Delivery Cloud, https://edelivery.oracle.com/, or My Oracle Support, https://support.oracle.com, as applicable.
  2. Provision platforms with the Oracle Communications Session Border Controller image file in the boot parameters.
  3. Run the check-upgrade-readiness command and examine its output for any recommendations or requirements prior to upgrade.
  4. Verify the integrity of your configuration using the ACLI verify-config command.
  5. Back up a well-working configuration. Name the file descriptively so you can fall back to this configuration easily.
  6. Refer to the Oracle Communications Session Border Controller Release Notes for any caveats involving software upgrades.
  7. Do not configure an entitlement change on the Oracle Communications Session Border Controller while simultaneously performing a software upgrade. These operations must be performed separately.

Upgrade and Downgrade Caveats

The following items provide key information about upgrading and downgrading with this software version.

Note:

Upgrading to this Release from releases earlier than S-Cz8.4.0:

The S-Cz8.4.0 release included significant changes that hardened the security posture of the SBC. These changes required your careful evaluation regarding functionality when upgrading to S-Cz8.4.0. These changes are also applicable to customers upgrading from releases prior to S-Cz8.4.0 to this release. Take care to review this information in the S-Cz8.4.0 Release Notes: Upgrade and Downgrade Caveats

Upgrading to S-Cz9.0.0 with IKEv2 LI Tunnels

An HA upgrade to S-Cz9.0.0, when configured with LI Tunnels using IKEv2, can cause IPSec tunnels to fail if an IPsec rekey initiated from a peer has resulted in the IPSec SAs being out of sync across the HA pair. After an upgrade with these conditions, these LI tunnels do not function on the Active node.

Prior to upgrading these deployments determine whether the IKEv2/IPsec SA's are in sync on the Active and Standby node by running the ACLI command show security ipsec sad <network-interface>:vlan detail and check whether the SPI's are same on both the Active and standby node.

  • If they are in sync, proceed with the upgrade.
  • If the IPsec SA's are not in sync across the HA nodes, perform the following procedure:
    1. If enabled, disable x2-keep-alive from the LI shell. (See procedures in LI documentation.)
    2. Upgrade the Standby node to S-Cz9.0.0.
    3. Wait until the pair reaches HA state.
    4. Configure the Active node to boot to S-Cz9.0.0. (Do not reboot this device yet.)
    5. Delete tunnels on the Active node, which is still running the older software version, using one of the following commands from the CLI root.
      security ipsec delete ike-interface <ike-interface IP address> all
      security ipsec delete tunnel destIP <ipsec tunnels destination ip> spi <inbound spi>
    6. Ensure that tunnel(s) were deleted from both nodes. (If necessary run this command one more time for any new spi.)
      show security ipsec sad <network interface name> detail
    7. Reboot the Active node.
    8. If the IKE interface is in INITIATOR mode, execute the ping command to the applicable IPSec endpoints on the newly Active (S-Cz9.0.0) node to establish new tunnels.

      If the IKE interface is in RESPONDER mode, have peers restart tunnels instead of executing the ping command.

    9. Upon completion of boot cycle of the standby node, verify HA state and proper tunnel synchronization.

Two downgrade procedures are presented below.

  1. Rollback after full Upgrade:
    1. HA pair is in highly available state with 840p1 version
    2. Reboot Standby node with downgraded version
    3. Wait until highly available state established
    4. Delete tunnels on the Active node using one of the following commands from the CLI root.
      security ipsec delete ike-interface <ike-interface IP address> all
      security ipsec delete tunnel destIP <ipsec tunnels destination ip> spi <inbound spi>
    5. Ensure that tunnel(s) were deleted from both nodes. (If necessary run this command one more time for any new spi.)
      show security ipsec sad <network interface name> detail
    6. Reboot the Active node.
    7. If the IKE interface is in INITIATOR mode, execute the ping command to the applicable IPSec endpoints on the newly Active (Downgraded) node to establish new tunnels.

      If the IKE interface is in RESPONDER mode, have peers restart tunnels instead of executing the ping command.

    8. Upon completion of boot cycle verify HA state and proper tunnel synchronization.
  2. Rollback after Upgrading the active node only:
    1. HA pair is in highly available state with Active node 9.0.0 and Standby node with old version
    2. Configure boot table on Active node with rollback version
    3. Delete tunnels on the Active node using one of the following commands from the CLI root.
      security ipsec delete ike-interface <ike-interface IP address> all
      security ipsec delete tunnel destIP <ipsec tunnels destination ip> spi <inbound spi>
    4. Ensure that tunnel(s) were deleted from both nodes. (If necessary run this command one more time for any new spi.)
      show security ipsec sad <network interface name> detail
    5. Reboot the Active node.
    6. If the IKE interface is in INITIATOR mode, execute the ping command to the applicable IPSec endpoints on the newly Active node to establish new tunnels.

      If the IKE interface is in RESPONDER mode, have peers restart tunnels instead of executing the ping command.

    7. Upon completion of boot cycle of verify HA state and proper tunnel synchronization

SSH Keys

Before upgrading from a pre-8.4 release to this release, delete any imported public keys using the ssh-pub-key delete <key-name> command. Because the commands for SSH key management changed between 8.3 and 8.4, you will not be able to delete old 8.3-type SSH keys using 8.4 (or later) commands. After upgrading, re-import any required public keys. For example, if your SBC pushes records to an SFTP server, import that server's public key as a known host.

If you're upgrading from 8.4 and you didn't previously import the public keys of your SFTP server, import them as a known-host key. Any public keys imported in 8.4 will be available in 9.0.

See "Manage SSH Keys" in the Configuration Guide.

TSCF Configurations from Prior Software Versions

A TSCF configuration that was present on your system before upgrade to this S-Cz9.0.0 release and above, which do not support TSM, may still be present in the configuration file if you do not remove it manually before upgrade. The system does not apply these TSCF configurations on a non-TSM release.

If you subsequently downgrade to a TSM supported release, however, the system applies the TSCF configuration.

Although there is no operational impact, Oracle recommends that you manually remove the TSCF configuration before you upgrade to a non-TSM supported release. If working with an HA pair, be sure your TSM configuration and feature setup is synchronized across the pair during an upgrade. Refer to the procedures in “Setting Up Product-Type, Features and Functionality” and “Setup Features on an HA Pair" in the ACLI configuration Guide.

Acme Packet 3950/4900 Slots

The Acme Packet 3950 and Acme Packet 4900 support:
  • 4 media interfaces: s0p0, s0p1, s0p2, and s0p3
  • 2 10G interfaces: s0p4 and s0p5
  • The optional TDM interface: s2p0

Because there is no slot 1, do not copy over a configuration which contains a phy-interface element that uses slot 1 unless you delete and reconfigure the phy-interfaces.

Encrypting the Surrogate Agent Password

If upgrading from any version prior to S-CZ8.4.0p5, run the spl save acli encr-surrogate-passwords command to save the surrogate-agent passwords in an encrypted format. Later versions do not require this command.

If performing an upgrade from any version prior to S-CZ8.4.0p5 in an HA environment:
  1. Run backup-config on both the active and standby SBC.
  2. Upgrade the release on the standby SBC.
  3. Perform a failover so that the standby becomes the active.
  4. Encrypt surrogate-agent passwords on the new active SBC with the command:
    spl save acli encr-surrogate-passwords
  5. Upgrade the release on the new standby SBC.

You do not need to run the same spl command on the new standby SBC because it will sync with the new active SBC.

Upgrade Version Caveat from Session Delivery Manager

The Session Delivery Manager cannot direct upgrades from SCZ910p6, SCZ900p8 or SCZ900p9 for HA deployments. See Knowledge Document # 2952935.1 for a detailed explanation.

Feature Entitlements

You enable the features that you purchased from Oracle, either by self-provisioning using the setup entitlements command, or installing a license key at the system, license configuration element.

This release uses the following self-provisioned entitlements and license keys to enable features.

The following table lists the features you enable with the setup entitlements command.

Feature Type
Accounting boolean
Admin Security boolean
ANSSI R226 Compliance boolean
BFD boolean
IMS-AKA Endpoints Integer
IPSec Trunking Sessions Integer
IPv4 - IPv6 Interworking boolean
IWF (SIP-H323) boolean
Load Balancing boolean
MSRP B2BUA Sessions Integer
Policy Server boolean
Quality of Service boolean
Routing boolean
SIPREC Session Recording boolean
STIR/SHAKEN Client boolean
SRTP Sessions Integer
Transcode Codec AMR Capacity Integer
Transcode Codec AMRWB Capacity Integer
Transcode Codec EVRC Capacity Integer
Transcode Codec EVRCB Capacity Integer
Transcode Codec EVS Capacity Integer
Transcode Codec OPUS Capacity Integer
Transcode Codec SILK Capacity Integer
The following table lists the features you enable by installing a license key at the system, license configuration element. Request license keys at the License Codes website at http://www.oracle.com/us/support/licensecodes/acme-packet/index.html.
Feature Type
Lawful Intercept boolean
R226 SIPREC boolean

The following tables lists the features for the Oracle Communications' Session Router (SR) you enable with the setup entitlements command. When setting up an SR, you choose between either the Session Stateful or the Transaction Stateful Session Routers. The Enterprise Session Router entitlements are the same.

This first SR table lists entitlements for the Session Stateful Session Router.

Feature Type
Session Capacity Number of sessions
Accounting Enabled or Disabled
Load Balancing Enabled or Disabled
Policy Server Enabled or Disabled
Admin security Enabled or Disabled
ANSII R226 Compliance Enabled or Disabled
Data Integrity (FIPS 140-2 ) Enabled or Disabled

Note:

Do not enable the FIPS entitlement for the Oracle Session Router, service provider product.

This second SR table lists entitlements for the Transaction Stateful Session Router.

Feature Type
MPS Capacity Number of sessions
Admin security Enabled or Disabled
ANSII R226 Compliance Enabled or Disabled
Data Integrity (FIPS 140-2 ) Enabled or Disabled
Load Balancing Enabled or Disabled

Note:

Do not enable the FIPS entitlement for the Oracle Session Router, service provider product.

Encryption for Virtual SBC

You must enable encryption for virtualized deployments with a license key. The following table lists which licenses are required for various encryption use cases.

Feature License Key
IMS-AKA Endpoints IPSec
IPSec Trunking IPSec
SRTP Sessions SRTP
Transport Layer Security Sessions TLS Foot 3
MSRP TLS

Footnote 3 The TLS license is only required for media and signaling. TLS for secure access, such as SSH, HTTPS, and SFTP is available without installing the TLS license key.

To enable the preceding features, you install a license key at the system, license configuration element. Request license keys at the License Codes website at http://www.oracle.com/us/support/licensecodes/acme-packet/index.html.

After you install the license keys, you must reboot the system to see them.

Upgrading To S-Cz9.0.0 From Previous Releases

When upgrading from a previous release to S-Cz9.0.0, your encryption entitlements carry forward and you do not need to install a new license key.

System Capacities

System capacities vary across the range of platforms that support the Oracle Communications Session Border Controller. To query the current system capacities for the platform you are using, execute the show platform limits command.

Transcoding Support

Based on the transcoding resources available, which vary by platform, different codecs may be transcoded from- and to-.

Platform Supported Codecs (by way of codec-policy in the add-on-egress parameter)
  • Acme Packet physical platforms
  • Hardware-based transcoding for virtual platforms (PCIe Media Accelerator)
  • AMR
  • AMR-WB
  • CN
  • EVRC0
  • EVRC
  • EVRC1
  • EVRCB0
  • EVRCB
  • EVRCB1
  • EVSFoot 4
  • G711FB
  • G722
  • G723
  • G726
  • G726-16
  • G726-24
  • G726-32
  • G726-40
  • G729
  • G729A
  • GSM
  • iLBC
  • Opus
  • SILK
  • PCMU
  • PCMA
  • T.38
  • T.38OFD
  • telephone-event
  • TTY, except on the Acme Packet 1100
  • Virtual Platforms (with 1+ transcoding core) - only supported on Intel CPUs
  • AMR
  • AMR-WB
  • EVS
  • G722
  • G723
  • G729
  • G729A
  • iLBC
  • Opus
  • SILK
  • PCMU
  • PCMA
  • telephone-event

Note that the pooled transcoding feature on the VNF uses external transcoding SBC, as defined in "Co-Product Support," for supported SBC for the Transcoding-SBC (T-SBC) role.

Footnote 4 Hardware-based EVS SWB and EVS FB transcoding is supported for decode-only.

Coproduct Support

The following products and features run in concert with the Oracle Communications Session Border Controller (SBC) for their respective solutions. Oracle Communications Session Router support is also provided below. Contact your Sales representative for further support and requirement details.

Oracle Communications Operations Manager

This S-Cz9.0.0 SBC release can interoperate with the following versions of the Oracle Communications Session Monitor:
  • 4.2.0
  • 4.3.0
  • 4.4.0

Oracle Communications Session Delivery Manager

This S-Cz9.0.0 SBC release can interoperate with the following versions of the Oracle Communications Session Delivery Manager:
  • 8.2.3

Note:

Customers who wish to run release S-Cz9.0.0 and higher need to load an updated XSD into OCSDM. This file can be found by searching My Oracle Support for Patch ID 32887468, which is the NNC-OCSDM XSD file for SCz9.0.0 with SDM 8.2.2/8.2.3.

Oracle Communications Subscriber Aware Load Balancer

This S-Cz9.0.0 SBC release can interoperate as a cluster member with the following versions of the Subscriber Aware Load Balancer:

  • Acme Packet 6100: S-Cz8.3.0
  • v-SLB: S-Cz8.4.0, S-Cz9.0.0

Pooled Transcoding

This S-Cz9.0.0 SBC release acting as an A-SBC can interoperate with T-SBCs on the following hardware/software combinations :
  • Acme Packet 4500: S-Cz7.4.0
  • Acme Packet 4600: S-Cz8.3.0, S-Cz8.4.0
  • Acme Packet 6300: S-Cz8.3.0, S-Cz8.4.0
  • Acme Packet 6350: S-Cz8.3.0, S-Cz8.4.0
  • Virtual Platforms with Artesyn SharpMedia™: S-Cz8.2.0, S-Cz8.3.0, S- Cz8.4.0, S-Cz9.0.0
This S-Cz9.0.0 SBC release acting as a T-SBC can interoperate with A-SBCs on the following hardware/software combinations:
  • All platforms supported by the following releases: S-Cz8.2.0, S-Cz8.3.0, S-Cz8.4.0
  • Acme Packet 4500 running S-Cz7.4.0

Oracle Communications Session Router and SDM

This S-Cz9.0.0 release of the OCSR can interoperate with the following versions of the Oracle Communications Session Delivery Manager:
  • 8.2.3

Oracle Communications Session Router and Operations Manager

This S-Cz9.0.0 release of the OCSR can interoperate with the following versions of the Oracle Communications Operations Manager:
  • 4.2.0
  • 4.3.0
  • 4.4.0

TLS Cipher Updates

Note the following changes to the DEFAULT cipher list.

Oracle recommends the following ciphers, and includes them in the DEFAULT cipher list:
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
Oracle supports the following ciphers, but does not include them in the DEFAULT cipher list:
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_3DES_EDE_CBC_SHA
Oracle supports the following ciphers for debugging purposes only:
  • TLS_RSA_WITH_NULL_SHA256 (debug only)
  • TLS_RSA_WITH_NULL_SHA (debug only)
  • TLS_RSA_WITH_NULL_MD5 (debug only)
Oracle supports the following ciphers, but considers them not secure. They are not included in the DEFAULT cipher-list, but they are included when you set the cipher-list attribute to ALL. Note that they trigger verify-config error messages.
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA

To configure TLS ciphers, use the cipher-list attribute in the tls-profile configuration element.

WARNING:

When you set tls-version to either tlsv1 or tlsv11 and you want to use ciphers that Oracle considers not secure, you must manually add them to the cipher-list attribute.

Note:

The default is TLSv1.2. Oracle supports TLS1.0 and TLS1.1 for backward compatibility, only, and they may be deprecated in the future. TLS 1.0 is planned to be deprecated in the next release.

Documentation Changes

The following information lists and describes the changes made to the Oracle Communications Session Border Controller (SBC) documentation set for S-Cz9.0.0.

TSM Documentation

All TSM documentation is removed due to the feature being deprecated.

Platform Preparation and Installation Guide

The vSBC configuration and operation descriptions are moved from the Platform Preparation and Installation Guide to the System Configuration chapter of the ACLI Configuration Guide. This consolidates vSBC information.

An appendix has been added with reference information for users who want to deploy Heat templates on versions of OpenStack newer than Pike.

A new section has been added with reference to deploying on Azure with accelerated networking in Public Cloud Platforms chapter.

Accounting Guide

The Accounting Guide is re-organized to present the same content it presented before more clearly and effectively.

Security Guide

The DDoS recommendations have been removed from the Security Guide. Refer to the following documents for DDoS recommendations:

Known Issues and Caveats

Oracle has moved the Known Issues and Caveats section from the Release Notes to its own publication titled Oracle Communications Session Border Controller Known Issues S-Cz9.0.0.

Behavioral Changes

The following information documents the behavioral changes to the Oracle Communications Session Border Controller (SBC) in this software release.

SSH Keys

A new ssh-key command was introduced in 8.4. We recommended customers use this command to import public keys. In 9.0, however, customers must use the ssh-key command to manage SSH keys. For example, if you have an SFTP server that you push logs to, you must import your logging server's public key as a known host on the SBC.

TOS Configuration

By default, the SBC no longer passes DSCP codes in ingress packets to egress packets. You must configure a media-policy with desired TOS changes and affix those policies to the realms on which you want to define egress types of service. Without a media-policy, the SBC includes the default DSCP code, CS0 (Hex 0x00), as the DSCP code to all egress media packets.

Patches Included in This Release

The following information assures you that when upgrading, the S-Cz9.0.0 release includes defect fixes from neighboring patch releases.

Neighboring Patches Included

  • S-Cz740m2p9
  • S-Cz800p10
  • S-Cz810m1p25B
  • S-Cz810m1p26
  • S-Cz810m1p18D
  • S-Cz820p8
  • S-Cz830m1p11
  • S-Cz840p3
  • S-Cz840p4
  • S-Cz840p5

Supported SPL Engines

The S-Cz9.0.0 release supports the following SPL engine versions: C2.0.0, C2.0.1, C2.0.2, C2.0.9, C2.1.0, C2.1.1, C2.2.0, C2.2.1, C2.3.2, C3.0.0, C3.0.1, C3.0.2, C3.0.3, C3.0.4, C3.0.6, C3.0.7, C3.1.0, C3.1.1, C3.1.2, C3.1.3, C3.1.4, C3.1.5, C3.1.6, C3.1.7, C3.1.8, C3.1.9, C3.1.10, C3.1.11, C3.1.12, C3.1.13, C3.1.14, C3.1.15, C3.1.16, C3.1.17, C3.1.18, C3.1.19, C3.1.20, C3.1.21.