Saturday, May 26, 2012

Toll Fraud Prevention in IOS 15.1(2) / CME 8.1

I upgraded the IOS of my voice gateway / CME from 12.4T(24) to 15.1(2). I have noticed a couple of newly introduced features related to Toll Fraud Prevention which change the way the VGW handles incoming calls.

IP Address Trust List

The IP address trusted authentication process blocks unauthorized calls from being made through the VGW. A VoIP (SIP/H.323) call succeeds only if the remote IP address of the incoming call is successfully validated against the system IP address trusted list. The system IP address trusted list is built automatically from the session target addresses of VoIP dial-peers (assuming that the dial-peer status is UP). Addresses can also be added manually to the trusted list for validation of incoming calls.

If the IP address trusted authentication fails, the incoming VoIP call is disconnected by the application with a user-defined cause code, and a new application Internal Error Code 31 message (TOLL_FRAUD_CALL_BLOCK) is logged.

Note: The voice IEC error messages are logged to syslog if “voice iec syslog” option is enabled.

%VOICE_IEC-3-GW: Application Framework Core: Internal Error (Toll fraud call rejected): IEC= on callID 3 GUID=AE5066C5883E11DE8026A96657501A09

  • This feature is enabled by default.
  • Duplicate addresses aren't allowed.
  • IP address trusted list authentication will be suspended if the VGW is registered with a GK.
  • IP address trusted authentication is skipped if an incoming SIP call is originated from a SIP phone.
  • IP address trusted authentication is skipped if an incoming call is an IPv6 call.
  • For an incoming VoIP call, IP trusted authentication must be invoked when the IP address trusted authentication is in “UP” operational state.
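The decision logic described above can be modelled offline to check which source addresses a given set of dial-peers and manual entries would trust. This is an added example, not Cisco code and not from the original post; the DialPeer class, the function names and all addresses (RFC 5737 documentation ranges) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class DialPeer:              # hypothetical stand-in for one VoIP dial-peer
    tag: int
    oper_up: bool
    session_target: str      # e.g. "ipv4:192.0.2.10" (constructed address)

def build_trusted_list(dial_peers, manual_entries):
    """Session targets of UP dial-peers plus manually added (address, mask) pairs."""
    nets = set()
    for dp in dial_peers:
        if dp.oper_up and dp.session_target.startswith("ipv4:"):
            host = dp.session_target[len("ipv4:"):].split(":")[0]  # drop optional port
            nets.add(ipaddress.ip_network(host))
    for addr, mask in manual_entries:
        nets.add(ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False))
    return nets

def check_incoming_call(remote_ip, trusted, gk_registered=False, from_sip_phone=False):
    """Return (decision, reason): 'bypass' = no check, 'allow' = validated, 'block' = rejected."""
    ip = ipaddress.ip_address(remote_ip)
    if gk_registered:
        return "bypass", "authentication suspended (registered with gatekeeper)"
    if from_sip_phone:
        return "bypass", "authentication skipped (call from a SIP phone)"
    if ip.version == 6:
        return "bypass", "authentication skipped (IPv6 call)"
    if any(ip in net for net in trusted):
        return "allow", "remote address is in the trusted list"
    return "block", "IEC 31 TOLL_FRAUD_CALL_BLOCK"

# Constructed sample data: one UP peer, one DOWN peer, two manual entries.
PEERS = [DialPeer(1, True, "ipv4:192.0.2.10"),
         DialPeer(11, False, "ipv4:192.0.2.20:5060")]
TRUSTED = build_trusted_list(PEERS, [("198.51.100.0", "255.255.255.0"),
                                     ("203.0.113.5", None)])

if __name__ == "__main__":
    for src in ["192.0.2.10", "192.0.2.20", "198.51.100.77", "203.0.113.6", "2001:db8::1"]:
        print(src, *check_incoming_call(src, TRUSTED))
```

The target of the DOWN dial-peer (tag 11) is not trusted, so a peer that flaps will have its calls blocked unless its address is also added manually.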

Configuration & Verification Commands

voice service voip
 ip address trusted authenticate
 ip address trusted call-block cause

 ip address trusted list
  ipv4 <ipv4 address> <network mask>

Router# show ip address trusted list

IP Address Trusted Authentication
 Administration State: UP
 Operation State: UP

IP Address Trusted Call Block Cause: call-reject (21)

VoIP Dial-peer IPv4 Session Targets:

Peer Tag      Oper State      Session Target
--------      ----------      --------------
11            DOWN            ipv4:
1             UP              ipv4:

IP Address Trusted List:

Disconnecting ISDN Calls With no Matching Dial-peer

If no inbound dial-peer is matched for an incoming POTS call on ISDN, the call is disconnected instead of matching the default dial-peer. The cause code of this disconnect can be modified using the command dial-peer no-match disconnect-cause.

Direct-inward-dial for Incoming ISDN Calls

The direct-inward-dial isdn feature is enabled to prevent toll fraud for incoming ISDN calls even if the direct-inward-dial option is disabled on the selected inbound POTS dial-peer. The called number of an incoming ISDN enbloc dialing call is used to match the outbound dial-peers, and in case no outbound dial-peer is matched, the call is disconnected with cause code “unassigned-number (1)”.

Blocking Two-stage Dialing Service on Analog and Digital FXO Ports

This is enabled by default on FXO ports using the command no secondary dialtone. In this case, no digits are collected from the port and no outbound dial-peer lookup is performed when the call is answered without PLAR configured on the voice-port. The call is disconnected with cause code “unassigned-number (1)”.

Hope this was useful. I will let you know if something interesting pops in between ...
