Configuring SIP Message Policy Rules

The Message Policies table lets you configure up to 20 SIP Message Policy rules. You can use SIP Message Policy rules to block (blocklist) unwanted incoming SIP messages or to permit (allowlist) the receipt of desired SIP messages. You can configure legal and illegal characteristics of SIP messages. SIP Message Policy rules are helpful against VoIP fuzzing (also known as robustness testing), which sends different types of packets to its "victims" for finding bugs and vulnerabilities. For example, the attacker might try sending a SIP message containing either an oversized parameter or too many occurrences of a parameter.

You can also enable the Message Policy to protect the device against incoming SIP messages with malicious signature patterns, which identify specific scanning tools used by attackers to search for SIP servers in a network. To configure Malicious Signatures, see Configuring Malicious Signatures.

Each Message Policy rule can be configured with the following:

Maximum message length
Maximum header length
Maximum message body length
Maximum number of headers
Maximum number of bodies
Option to send 400 "Bad Request" response if message request is rejected
Blocklist and allowlist for defined methods (e.g., INVITE)
Blocklist and allowlist for defined bodies
Malicious Signatures

The Message Policies table provides a default Message Policy called "Malicious Signature DB Protection" (Index 0), which is based only on Malicious Signatures and discards SIP messages identified with any of the signature patterns configured in the Malicious Signature table.

To apply a SIP Message Policy rule to calls, you need to assign it to the SIP Interface associated with the relevant IP Group (see Configuring SIP Interfaces).

The following procedure describes how to configure Message Policy rules through the Web interface. You can also configure it through ini file [MessagePolicy] or CLI (configure voip > message message-policy).

To configure SIP Message Policy rules:
1. Open the Message Policies table (Setup menu > Signaling & Media tab > Message Manipulation folder > Message Policies).
2. Click New; the following dialog box appears:

3. Configure a Message Policy rule according to the parameters described in the table below.
4. Click Apply.

Message Policies Table Parameter Descriptions

Parameter

Description

General

'Index'

[Index]

Defines an index number for the new table row.

Note: Each row must be configured with a unique index.

'Name'

name

[Name]

Defines a descriptive name, which is used when associating the row in other tables.

The valid value is a string of up to 40 characters.

Note:

Configure each row with a unique name.
The parameter value can't contain a forward slash (/).
The parameter value can't be configured with the character string "any" (upper or lower case).

Limits

 

'Max Message Length'

max-message-length

[MaxMessageLength]

Defines the maximum SIP message length.

The valid value is up to 65,000 characters. The default is 65,000.

'Max Header Length'

max-header-length

[MaxHeaderLength]

Defines the maximum SIP header length.

The valid value is up to 4,096 characters. The default is 4,096.

'Max Body Length'

max-body-length

[MaxBodyLength]

Defines the maximum SIP message body length. This is the value of the Content-Length header.

The valid value is up to 61,440 characters. The default is 61,440.

'Max Num Headers'

max-num-headers

[MaxNumHeaders]

Defines the maximum number of SIP headers.

The valid value is any number up to 64. The default is 64.

Note: The device supports up to 20 SIP Record-Route headers that can be received in a SIP INVITE request or a 200 OK response. If it receives more than this, it responds with a SIP 513 'Message Too Large' response.

'Max Num Bodies'

max-num-bodies

[MaxNumBodies]

Defines the maximum number of bodies (e.g., SDP) in the SIP message.

The valid value is any number up to 64. The default is 64.

Policies

 

'Send Rejection'

send-rejection

[SendRejection]

Defines whether the device sends a SIP response if it rejects a message request due to the Message Policy. The default response code is SIP 400 "Bad Request". To configure a different response code, use the [MessagePolicyRejectResponseType] parameter.

[0] Policy Reject = (Default) The device discards the message and sends a SIP response to reject the request.
[1] Policy Drop = The device discards the message without sending any response.

SIP Method Blocklist-Allowlist Policy

'Method List'

method-list

[MethodList]

Defines the SIP methods for the blocklist or allowlist.

Multiple methods are separated by a backslash (\), for example, "INVITE\BYE" (without quotations). The values are case-insensitive.

'Method List Type'

method-list-type

[MethodListType]

Defines the policy (blocklist or allowlist) for the SIP methods specified in the 'Method List' parameter (above).

[0] Policy Blocklist = The specified methods are rejected.
[1] Policy Allowlist = (Default) Only the specified methods are allowed; the others are rejected.

SIP Body Blocklist-Allowlist Policy

'Body List'

body-list

[BodyList]

Defines the SIP body type (i.e., value of the Content-Type header) to blocklist or allowlist. For example, application/sdp.

The values of the parameter are case-sensitive.

'Body List Type'

body-list-type

[BodyListType]

Defines the policy (blocklist or allowlist) for the SIP body specified in the 'Body List' parameter (above).

[0] Policy Blocklist =The specified SIP body is rejected.
[1] Policy Allowlist = (Default) Only the specified SIP body is allowed; the others are rejected.

Malicious Signature

'Malicious Signature Database'

signature-db-enable

[UseMaliciousSignatureDB]

Enables the use of the Malicious Signature database (signature-based detection).

[0] Disable (default)
[1] Enable

To configure Malicious Signatures, see Configuring Malicious Signatures.