13.6 Configuring Media Security
The device supports Secured RTP (SRTP) according to RFC 3711. SRTP is used to
encrypt RTP and RTCP transport for protecting VoIP traffic. SRTP requires a key
exchange mechanism that is performed according to RFC 4568 – “Session Description
Protocol (SDP) Security Descriptions for Media Streams”. The key exchange is done by
adding a 'crypto' attribute to the SDP. This attribute is used (by both sides) to declare the
various supported cipher suites and to attach the encryption key. If negotiation of the
encryption data is successful, the call is established.
SRTP supports the following cipher suites (all other suites are ignored):
AES_CM_128_HMAC_SHA1_80
When the device is the offering side, it generates an MKI of a size configured by the
'Master Key Identifier (MKI) Size' parameter. The length of the MKI is limited to four bytes.
If the remote side sends a longer MKI, the key is ignored. The key lifetime field is not
supported. However, if it is included in the key it is ignored and the call does not fail.
The device supports the following session parameters (as defined in RFC 4568, SDP
Security Descriptions for Media Streams):
UNAUTHENTICATED_SRTP
Session parameters should be the same for the local and remote sides. When the device is
the offering side, the session parameters are configured by the following parameter -
'Authentication On Transmitted RTP Packets', 'Encryption On Transmitted RTP Packets,
and 'Encryption On Transmitted RTCP Packets'. When the device is the answering side,
the device adjusts these parameters according to the remote offering. Unsupported
session parameters are ignored, and do not cause a call failure.
Below is an example of crypto attributes usage:
a=crypto:1 AES_CM_128_HMAC_SHA1_80
inline:PsKoMpHlCg+b5X0YLuSvNrImEh/dAe
a=crypto:2 AES_CM_128_HMAC_SHA1_32
inline:IsPtLoGkBf9a+c6XVzRuMqHlDnEiAd
The device also supports symmetric MKI negotiation, whereby it can be configured to
forward the MKI size received in the SDP offer crypto line in the SDP answer crypto line.
To configure the device's mode of operation if negotiation of the cipher suite fails, use the
'Media Security Behavior' parameter. This parameter can be set to enforce SRTP, whereby
incoming calls that don’t include encryption information are rejected.
Notes:
• For a detailed description of the SRTP parameters, see SRTP
Parameters on page 449.
• When SRTP is used, the channel capacity may be reduced.
To Next Page
Loading...
Need help?
General
