X.25 security signaling facilities are used to explicitly notify the connecting stations of events that may raise security issues if they were not signaled. Suppression of these facilities should only be configured when the attached equipment and network configurations are sufficiently secure that the signaled information is unnecessary.
There are many X.25 implementations that will not operate as intended if presented with X.25 features or facilities beyond a narrow set of those that occur most commonly. The security signaling facilities are less common, and there are a significant number of X.25 implementations that will not proceed with an SVC that encodes them during Call setup. This can cause connection failures when Cisco equipment is used to implement an X.25 hunt group. There are two security facilities that the Cisco hunt group feature encodes: An X.25 Call packet forwarded out from a hunt group has the CRCDN facility encoded in the packet and, when accepted, the returning X.25 Call Confirm packet has the CLAMN facility encoded in the packet.
Both the originator of the Call packet and the destination it reaches should be notified of the hunt group event, thus allowing each side to clear the SVC if communication is not permitted by the station's security policy. For this reason, the Cisco implementation of hunt groups is designed to signal both stations participating in the Call setup using the X.25-designated CRCDN and CLAMN facilities. The X.25 Suppression of Security Signaling Facilities feature allows this signaling to be suppressed by the CRCDN facility in a Call packet. The no x25 security crcdn command introduced in this feature provides this function, and there are no implications for correct protocol behavior by using it.
X.25 operation can also be modified to suppress a CLAMN facility in X.25 Call Confirm packets when the no x25 security clamn command is configured to disable that signaling. Configuring suppression of the CLAMN security signaling facility has an implication for correct protocol behavior: The X.25 Recommendations specify that the CLAMN facility must be present in a Call Confirm packet if that packet encodes a destination address that is not the null address and that differs from the address encoded in the Call packet. When X.25 is configured to suppress the encoding of a CLAMN facility, it will also suppress the encoding of the destination address. That is, when the address block is encoded in the Call Confirm packet, the destination address will be encoded as the null address (zero digits) because no representation should be made as to what destination was reached.
An X.25 profile may also be configured to suppress the X.25 security signaling facilities. This profile can be useful if the network administrator wants to localize the suppression of these facilities. For example, a hunt group that switches a connection using X.25 over TCP/IP (XOT) may be configured so that the security signaling facilities are not transmitted to either hop participating in the Call setup.
As another example, some telephone company data communications networks (telco DCNs) use a nonstandard X.25 implementation that blends elements of the 1980 and 1984 International Telecommunication Union Telecommunication Standardization Sector (ITU-T) Recommendations. The figure below shows a portion of a telco DCN network where X.25 devices, also called CPE, are connected to Cisco routers and the IP backbone network using serial links.
Figure 1 |
DCN Network Devices Connected to a Cisco IP Backbone Network |
Early equipment in the telco DCN conformed to the ITU-T 1980 X.25 Recommendation, and Cisco provides support for this standard. However, substantial ITU-T 1984 X.25 Recommendation elements, such as maximum packet sizes of 2048 and 4096 and X.25 Annex G operation, have since been incorporated into the DCN. This mix of ITU-T 1980 and 1984 X.25 Recommendations in the telco DCN has resulted in a design requirement that would allow the CPE to operate according to the ITU-T 1984 X.25 Recommendation, but with a modification that would allow suppressing security signaling facilities encoded by the Cisco hunt group feature. Because the ITU-T 1980 X.25 Recommendation does not define these security signaling facilities, the Cisco X.25 implementation can now be configured to suppress them in the packets where they would otherwise be encoded.