The PGCP feature provides the following security features:
If the underlying network layer does not support IPSec, you can use the interim authentication header (AH) scheme to provide security on the connection between the VPG and the PGC. The interim AH scheme defines an authentication header within the H.248 protocol header.
To use the interim AH scheme, configure the security algorithm for the interim AH scheme for a PGC. If you configure an algorithm, the PG accepts H.248 messages from the PGC only if they include an AH from the defined algorithm, and discards received packets that do not include the expected AH. When the PG replies to the PGC, it includes an AH from the defined algorithm.
For the control association between the PG and a PGC, you define the address and port of the PG and the PGC. The PG uses the address and port configured for the PGC when it sends registration messages to the PGC. If the registration reply contains a ServiceChangeAddress command, the PG connects to the PGC using the new address or port or both instead of the address and port configured in the CLI. The PG accepts only H.248 messages that arrive from the PGC address and port. All other messages are dropped.
In the following cases, the PG attempts to connect to the address and port configured on the router:
If needed, the PGC can reply with a new ServiceChangeAddress command.
The PG uses the new address in the ServiceChangeAddress command only if the command is triggered by ServiceChangeReason 901 or 902. If the change is triggered by another ServiceChangeReason, such as 900, the PG uses the configured address and port.
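The peer-selection and source-filtering rules above can be modelled as follows. This is an added example, not Junos code: the class and method names are hypothetical, the addresses are constructed, and it assumes that source filtering follows the PGC endpoint currently in use and that a field missing from ServiceChangeAddress falls back to the configured value.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

Endpoint = Tuple[str, int]  # (address, port)

# ServiceChangeReason values for which the text says the new address is used.
REDIRECT_REASONS = {901, 902}


@dataclass
class ControlAssociation:
    """Hypothetical model of the PG side of one PG-to-PGC control association."""
    configured_pgc: Endpoint               # address and port set in the CLI
    active_pgc: Optional[Endpoint] = None  # PGC endpoint currently in use

    def __post_init__(self) -> None:
        # Registration messages go to the configured PGC first.
        self.active_pgc = self.configured_pgc

    def apply_service_change_address(self, reason: int,
                                     address: Optional[str] = None,
                                     port: Optional[int] = None) -> Endpoint:
        """Pick the PGC endpoint after a ServiceChangeAddress command."""
        if reason in REDIRECT_REASONS:
            cfg_addr, cfg_port = self.configured_pgc
            # The command may carry a new address, a new port, or both.
            self.active_pgc = (address if address is not None else cfg_addr,
                               port if port is not None else cfg_port)
        else:
            # Any other reason (for example 900): stay on the configured endpoint.
            self.active_pgc = self.configured_pgc
        return self.active_pgc

    def accept(self, source: Endpoint) -> bool:
        """Drop H.248 messages that do not come from the PGC address and port.

        Assumption: the filter tracks the endpoint currently in use.
        """
        return source == self.active_pgc


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    assoc = ControlAssociation(("192.0.2.10", 2944))
    print(assoc.accept(("192.0.2.10", 2944)))    # configured PGC: accepted
    print(assoc.accept(("198.51.100.7", 2944)))  # unknown source: dropped
    print(assoc.apply_service_change_address(901, address="192.0.2.20"))
    print(assoc.apply_service_change_address(900, address="198.51.100.5"))
```

The last call shows the defensive effect of the reason check: a ServiceChangeAddress with a reason other than 901 or 902 does not move the control association away from the configured PGC.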