Security for BGF Overview
The topic describes the security features available for the BGF.
Protecting H.248 Messages and Mirrored Sessions with IPsec Overview
You can use IPsec authentication and encryption to protect H.248 messages and session mirroring call content (that is, the X3 interface).
The BGF supports IPsec tunnel and transport modes as follows:
- Tunnel mode—Use for H.248 messages and for session mirroring call content. You can use tunnel mode to protect H.248 messages whether you are running your virtual BGFs on the Routing Engine or on a services PIC or DPC.
- Transport mode—Use for H.248 messages when you are running your virtual BGFs on the Routing Engine. Transport mode is not supported on services PICs.
Interim AH Scheme
If the underlying network layer does not support IPsec, you can use the interim authentication header (AH) scheme to provide security on the connection between the virtual BGF and the gateway controller. The interim AH scheme defines an authentication header with the H.248 protocol header.
To use the interim AH scheme, configure the security algorithm for the interim AH scheme for a gateway controller. If you configure an algorithm, the BGF accepts H.248 messages from the gateway controller that include an AH from the defined algorithm. It discards received packets that do not include the expected AH. When the BGF replies to the gateway controller, it includes an AH from the defined algorithm.
Symmetric Control Association
For control association between the BGF and a gateway controller, you define the address and port of the BGF and the gateway controller. The BGF uses the address and port configured for the gateway controller when it sends registration messages to the gateway controller. If the registration reply contains a ServiceChangeAddress command, the BGF connects to the gateway controller using the new address or port or both instead of the address and port configured in the CLI. The BGF accepts only H.248 messages that arrive from the gateway controller address and port. All other messages are dropped.
In the following cases, the BGF attempts to connect to the address and port configured on the router:
- Loss of the BGF-to-gateway controller connection
- Restart of the pgcp-services
- Reboot of the router
If needed, the gateway controller can reply with a new ServiceChangeAddress command.
The BGF uses the new address in the ServiceChangeAddress command only if the command is triggered by ServiceChangeReason 901 or 902. If the change is triggered by another ServiceChangeReason, such as 900, the BGF keeps using the configured address and port.
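The control association rules above, modeled as an added example (not Juniper code): the BGF registers with the CLI-configured peer, switches to a ServiceChangeAddress peer only for reasons 901 and 902, drops H.248 messages from any other source, and falls back to the configured peer after a connection loss, pgcp-services restart, or reboot. The dictionary shape of the reply and the sample addresses and port are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

Peer = Tuple[str, int]  # (address, port)

# ServiceChangeReason codes for which the BGF adopts the new address (per the text above).
REASONS_ALLOWING_NEW_ADDRESS = {901, 902}


@dataclass
class ControlAssociation:
    """Hypothetical model of the BGF side of a symmetric control association."""
    configured_gc: Peer                      # gateway controller address/port from the CLI
    active_gc: Peer = field(init=False)      # peer the BGF currently talks to

    def __post_init__(self) -> None:
        self.active_gc = self.configured_gc

    def registration_target(self) -> Peer:
        """Registration messages always go to the configured address and port."""
        return self.configured_gc

    def handle_registration_reply(self, reply: dict) -> Peer:
        """Apply a ServiceChangeAddress only when the reason is 901 or 902."""
        new_addr: Optional[dict] = reply.get("ServiceChangeAddress")
        reason = reply.get("ServiceChangeReason")
        if new_addr and reason in REASONS_ALLOWING_NEW_ADDRESS:
            # The command may change the address, the port, or both;
            # a part that is not supplied keeps its configured value.
            addr = new_addr.get("address", self.configured_gc[0])
            port = new_addr.get("port", self.configured_gc[1])
            self.active_gc = (addr, port)
        else:
            self.active_gc = self.configured_gc
        return self.active_gc

    def accept_message(self, source: Peer) -> bool:
        """Accept H.248 messages only from the active gateway controller; drop all others."""
        return source == self.active_gc

    def reset(self) -> Peer:
        """Connection loss, pgcp-services restart, or router reboot: return to the configured peer."""
        self.active_gc = self.configured_gc
        return self.active_gc


if __name__ == "__main__":
    ca = ControlAssociation(("192.0.2.10", 2944))  # constructed sample values
    ca.handle_registration_reply({"ServiceChangeReason": 901,
                                  "ServiceChangeAddress": {"address": "192.0.2.20"}})
    print(ca.active_gc, ca.accept_message(("192.0.2.10", 2944)))
```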
