OpenDNS Feature

This chapter describes the following topics:

Feature Summary and Revision History

Summary Data

Applicable Product(s) or Functional Area

  • P-GW

  • SAEGW

Applicable Platform(s)

All

Feature Default

Disabled - Configuration Required

Related Changes in This Release

Not Applicable

Related Documentation

  • Command Line Interface Reference

  • P-GW Administration Guide

  • SAEGW Administration Guide

Revision History

Revision Details      Release

First introduced.     21.6

Feature Description


Important

This is a license-controlled feature. Contact your Cisco account representative for detailed information on specific licensing requirements.

The OpenDNS feature provides DNS-based security policies to secure the subscriber traffic based on the policy associated with it.

StarOS already supports readdressing of DNS traffic to a specific DNS server. Configuration for readdressing of DNS traffic is available in the charging action of the ECS service. OpenDNS functionality can be invoked on a per-subscriber basis by associating such a charging action with predefined rules. Because the PCRF controls activation and deactivation of those predefined rules, the readdressing of DNS traffic becomes subscriber specific.

New CLI commands have been added to the ACS configuration to support configuration of EDNS format containing fields for the DNS header enrichment:
  • MSISDN

  • PGW-IP-Address

  • APN Name

  • IMSI

  • Device-id

A new CLI command has been added for associating Device-ids with the security profiles to be applied.

Limitations: The following are the limitations of this feature:
  • Registration for Device-ids is not currently supported. Device-ids are retrieved offline and configured against the respective security profiles.

  • Integrity of Device-ids is not validated on the SAEGW.

Configuring Commands for Enabling OpenDNS Feature

This section covers configuration commands used in this feature. Any change in the relevant configuration or activation or deactivation of an associated rule is applicable on the subsequent DNS requests.

Configuring EDNS Mode

The EDNS Mode has been added in the Active Charging Service Configuration Mode to configure EDNS format and fields. Use this configuration when you want to convert the DNS traffic to an EDNS request.

This command allows you to enable or disable EDNS Configuration Mode.


configure  
   active-charging service  service_name 
      edns  
      [ no ] edns  
      exit  

Entering this command sequence results in the following prompt:

[local]host_name(config-acs-edns)# 

Configuring Commands in EDNS Mode


configure  
   active-charging service  service_name 
      edns  
      [ no ] { fields | format }  name | security-profile  name device-id  device-id 
      exit  

NOTES:

  • edns: Enables EDNS format configuration mode.

  • fields: Defines EDNS fields tag value.

  • format: Enables EDNS format configuration.

  • name: Defines the name of EDNS field or EDNS format or security profile.

  • security-profile: Associates security profile to Device-id.

  • device-id: Defines the Device-id to map to an EDNS profile.

Configuring the EDNS Fields Mode

This command allows you to enable or disable EDNS Fields Configuration Mode.


configure  
   active-charging service  service_name 
      edns  
         fields  fields_name 
         [ no ] fields  fields_name 
         exit  

Entering this command sequence results in the following prompt:

[local]host_name(config-acs-edns-fields)# 
NOTES:
  • fields: Defines EDNS fields tag value.

Configuring Commands in EDNS Fields Mode


configure  
   active-charging service  service_name 
      edns  
         fields  fields_name 
            [ no ] tag { val { imsi | msisdn | pgw-address | apn-name } { encrypt } | default device-id }  
            exit  
NOTES:
  • fields: Inserts the EDNS field.

  • fields_name: Defines the fields name.

  • tag: Defines the tag value for EDNS fields.

  • val: Defines the tag value for EDNS fields. This is an integer value between 1 and 65535. The tag value is 2 bytes long.

  • imsi: Defines the IMSI of the subscriber.

  • msisdn: Defines the MSISDN of the subscriber.

  • default: Defines the standard opt-code value.

  • apn-name: Defines the access point name of the subscriber to which it is connected.

  • device-id: Defines device-id learned during registration.

  • encrypt: Encrypts the subscriber traffic. This option is available for IMSI and MSISDN only.


Important

If encoding of any of the fields fails, EDNS insert does not happen.
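
To check at the resolver side which fields were actually inserted, and whether a field configured with encrypt still arrives in the clear, the EDNS0 OPT record of a captured query can be parsed as defined in RFC 6891. The Python below is an added example, not Cisco code. It assumes that the configured tag value is carried as the EDNS option code and that an unencrypted IMSI or MSISDN appears as ASCII digits (neither is stated in this chapter); the sample query bytes are constructed.

```python
import struct

OPT = 41  # EDNS0 OPT pseudo-record type (RFC 6891)

def build_query(qname, options):
    """Constructed sample query: one question plus an OPT RR of (code, data) options."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split(".")) + b"\x00"
    rdata = b"".join(struct.pack("!2H", c, len(d)) + d for c, d in options)
    return (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 1) + labels
            + struct.pack("!2H", 1, 1)                      # QTYPE=A, QCLASS=IN
            + b"\x00" + struct.pack("!HHIH", OPT, 4096, 0, len(rdata)) + rdata)

def skip_name(msg, off):
    """Offset just past a domain name; a compression pointer ends the name."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def edns_options(msg):
    """Return {option_code: data} from the first OPT RR, or {} when there is none."""
    _, _, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", msg, off)
        off, end = off + 10, off + 10 + rdlen
        if end > len(msg):
            raise ValueError("truncated resource record")
        if rtype != OPT:
            off = end
            continue
        opts = {}
        while off + 4 <= end:
            code, length = struct.unpack_from("!2H", msg, off)
            if off + 4 + length > end:
                raise ValueError("truncated EDNS option")
            opts[code] = msg[off + 4: off + 4 + length]
            off += 4 + length
        return opts
    return {}

def cleartext_identifiers(opts, must_encrypt):
    """Codes in must_encrypt whose data is still plain ASCII digits (assumed encoding)."""
    return sorted(c for c in must_encrypt if opts.get(c, b"").isdigit())

# Constructed capture: codes 10/20/40 follow the sample tags for imsi, msisdn, apn-name.
SAMPLE = build_query("example.com", [(10, b"\x8f\x02\xaa\x41"), (20, b"15555550100"), (40, b"internet")])
```

Passing the set of option codes whose fields are configured with encrypt to cleartext_identifiers returns the codes that still carry digit strings.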

Configuring the EDNS Format Mode

This command allows you to enable or disable EDNS Format Configuration Mode.


configure  
   active-charging service  service_name 
      edns  
         format  format_name 
         [ no ] format  format_name 
         exit  
NOTES:
  • format: Enables EDNS format configuration.

  • format_name: Defines the name of EDNS field or EDNS format.

Configuring Commands in the EDNS Format Mode


configure  
   active-charging service  service_name 
      edns  
         format  format_name 
            fields  fields_name encode  
            [ no ] fields  name 
            exit  
NOTES:
  • format: Associates fields with format.

  • format_name: Defines the format name.

  • fields: Inserts the EDNS field.

  • fields_name: Defines the fields name.

  • encode: Defines fields to be used for encoding EDNS message.

Configuring Security Profile

Use this CLI command to configure the security profile in EDNS to add mapping with the Device-id.


configure  
   active-charging service  service_name 
      edns  
         [ no ] security-profile  security_profile_name 
         exit  
NOTES:
  • security-profile: Defines the security profile configuration in the EDNS to add mapping with the Device-id.

  • security_profile_name: Defines the name of the security profile. This is a string of size 1 to 50.

Associating Charging Action to EDNS Format and Tag to Identify the Device-ID

This CLI command associates the Device-IDs with the security profiles to be applied. If any of the associated formats is not configured, or the configured field value is not available for encoding, the DNS request is sent unchanged and no EDNS translation is performed.


configure  
   active-charging service  service_name 
      charging-action  charging_action_name 
      [ no ] edns format  edns_format_name { security-profile  profile_name { encryption rc4md5 encrypted key  key_string } }  
      exit  
NOTES:
  • edns format: Defines the EDNS format.

  • edns_format_name: Defines the EDNS format name. This is a string of size 1 to 63.

  • security-profile: Associates the EDNS security profile to the charging action.

  • security_profile_name: Defines the name of the EDNS security profile. This is a string of size 1 to 50.

  • encryption: Encrypts the EDNS header fields.

  • encrypted-key: Designates use of encryption.

  • key: Defines the key used to encrypt EDNS header fields. This is a string of size 1 to 255.

  • rc4md5: Defines the encryption type. This is a hardcoded value.


Important

Because no other encryption type is currently supported, the encryption type rc4md5 is hardcoded.

Sample Configuration

This section displays the sample configuration.

config
  active-charging service acs
    edns
      security-profile profile_high device-id 1234567890abcdef
      format format_xyz
        fields field_xyz encode
      exit
      fields field_xyz
        tag imsi 10 encrypt
        tag msisdn 20
        tag pgw-address 30
        tag apn-name 40
        tag default device-id
      exit
    exit
  exit
  charging-action action
    edns format format_xyz security-profile profile_high
  exit
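
Because a charging action that references an unconfigured format sends the DNS request unchanged, with no EDNS translation, it is worth checking the cross-references before a configuration is applied. The Python linter below is an added example, not part of StarOS or the Cisco documentation. It assumes the token order used in the sample configuration above, and the BAD configuration it embeds is constructed.

```python
def lint_edns(config):
    """Added example, keyed to the sample's token order: list broken EDNS references."""
    profiles, formats, fields, uses, cur = set(), {}, {}, [], None
    for raw in config.splitlines():
        t = raw.split() or [""]
        if t[0] == "security-profile":
            profiles.add(t[1])
        elif t[0] == "format":
            cur = formats.setdefault(t[1], [])
        elif t[0] == "fields" and t[-1] == "encode":
            cur.append(t[1])          # membership of the current format
        elif t[0] == "fields":
            cur = fields.setdefault(t[1], [])
        elif t[0] == "tag":
            cur.append(t[1:])         # e.g. ["imsi", "10", "encrypt"]
        elif t[:2] == ["edns", "format"]:
            prof = t[t.index("security-profile") + 1] if "security-profile" in t else None
            uses.append((t[2], prof))
    out = []
    for fmt, prof in uses:
        if fmt not in formats:
            out.append(f"charging-action uses undefined format {fmt}")
        if prof and prof not in profiles:
            out.append(f"charging-action uses undefined security-profile {prof}")
    for fmt, members in formats.items():
        out += [f"format {fmt} encodes undefined fields {m}" for m in members if m not in fields]
    for name, tags in fields.items():
        for tag in tags:
            if "encrypt" in tag and tag[0] not in ("imsi", "msisdn"):
                out.append(f"fields {name}: encrypt is not available for {tag[0]}")
            out += [f"fields {name}: tag value {v} outside 1-65535"
                    for v in tag if v.isdigit() and not 1 <= int(v) <= 65535]
    return out

# Constructed config with three defects (not the page's sample).
BAD = """
edns
  security-profile profile_high device-id 1234567890abcdef
  format format_xyz
    fields field_abc encode
  exit
  fields field_xyz
    tag imsi 10 encrypt
    tag apn-name 40 encrypt
  exit
exit
charging-action action
  edns format format_xyz security-profile profile_low
"""
```

An empty list means every format, fields block and security profile that is referenced is also defined.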

Show Commands and Outputs

This section provides information regarding show commands and their outputs in support of the feature.

show active-charging analyzer statistics name dns

The following new fields are added to the show command to indicate the EDNS encoding status:
  • EDNS over UDP:

    • Authorization with S6b: HSS-EGTP-S5S8 GN-GP-Disabled

    • Authorization with S6b: HSS-EGTP-S5S8 GN-GP-Enabled

show active-charging charging-action name action

The following new fields are added to the show command to indicate the EDNS Information:
  • EDNS Info:

    • Format Name: Displays the format name of the EDNS format

    • Encryption Type: Displays the encryption type of EDNS header field

    • Encryption Key: Displays the encryption key of the EDNS header fields.

    • Security Profile: Displays the EDNS security profile associated with the charging action.