IMG 1010 - SRTP - Overview
Overview:
SIP SRTP on the IMG 1010 uses RFC 3711 (the IP media layer security standard) and RFC 4568 (the IP signaling security standard). The IMG provides security, confidentiality, message authentication, and replay protection for both RTP and RTCP packets, using a cryptographic key and other parameters that configure security. Feature F-0784, SIP Signaling over TLS, was introduced first to secure the IP signaling layer. Software 10.5.3 adds SRTP and SRTCP to secure the voice and data carried over the RTP stream. The information below is an overview of what is supported on the IMG. See the links in the Related Topics section for more information on the SRTP feature.
Related Topics:
IMG 1010 - SRTP - Configuration
IMG 1010 - SIP SRTP CryptoSuite
IMG 1010 - SIP Profile - 10.5.3
SRTP Network Diagram:
Call Flow Diagrams:
SIP Inbound:
Below is a basic SIP Call Flow which has TLS and SRTP enabled.
Message details (Inbound)
The INVITE below from the originating Gateway is offering up three different crypto suites as displayed below in red:
The 100 Trying message is sent from IMG to originating gateway:
The 183 Session Progress message is sent from IMG to originating gateway with the crypto suite accepted by the IMG:
The 200 OK with the crypto suite embedded in the SDP is sent from IMG to Originating Gateway:
The originating Gateway sends back an Acknowledgement to the IMG:
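The offer/answer step described above, as an added example (not code from the IMG or its documentation): it parses RFC 4568 a=crypto lines from an SDP offer, keeps only the three suites this page lists as supported, and builds the answering a=crypto line. The function names, the sample SDP, the first-acceptable-offer selection and the choice to skip offers that carry FEC parameters are assumptions of the example.

```python
import base64
import secrets

# Suites this page lists as supported; names compare case-insensitively (RFC 4568).
SUPPORTED = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80"}
KEY_SALT_LEN = 30  # 128-bit master key + 112-bit master salt, same for all three


def parse_crypto(line):
    """Parse one 'a=crypto:' line (RFC 4568); return a dict, or None if unusable."""
    if not line.lower().startswith("a=crypto:"):
        return None
    fields = line[len("a=crypto:"):].split()
    if len(fields) < 3 or not fields[0].isdigit():
        return None
    suite, (method, _, key_info) = fields[1].upper(), fields[2].partition(":")
    if suite not in SUPPORTED or method.lower() != "inline":
        return None
    # Assumption: an offer carrying FEC session parameters is skipped (FEC unsupported).
    if any(p.upper().startswith(("FEC_ORDER", "FEC_KEY")) for p in fields[3:]):
        return None
    try:
        material = base64.b64decode(key_info.split("|")[0], validate=True)
    except ValueError:
        return None
    if len(material) != KEY_SALT_LEN:  # wrong key||salt size for these suites
        return None
    return {"tag": int(fields[0]), "suite": suite, "key_salt": material}


def select_answer(sdp_offer):
    """Return (chosen offer, answer a=crypto line), or (None, None) if nothing fits."""
    for line in sdp_offer.splitlines():
        offer = parse_crypto(line.strip())
        if offer:  # first acceptable offer wins; the answer carries a fresh local key
            own_key = base64.b64encode(secrets.token_bytes(KEY_SALT_LEN)).decode()
            return offer, f"a=crypto:{offer['tag']} {offer['suite']} inline:{own_key}"
    return None, None


def constructed_offer():
    """Constructed sample SDP: three offers, the first one carrying an FEC parameter."""
    key = base64.b64encode(bytes(range(KEY_SALT_LEN))).decode()
    return "\r\n".join([
        "m=audio 8000 RTP/SAVP 0",
        f"a=crypto:1 F8_128_HMAC_SHA1_80 inline:{key} FEC_ORDER=FEC_SRTP",
        f"a=crypto:2 aes_cm_128_hmac_sha1_32 inline:{key}|2^20",
        f"a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:{key}",
    ])
```

If select_answer returns (None, None), no offered suite was acceptable and the media stream cannot be secured with the offered parameters.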
SIP Outbound:
Below is a basic SIP Call Flow which has TLS and SRTP enabled. Click on each of the messages to display the Call Trace information for that message.
Message details (Outbound)
The INVITE below is from the IMG. It is offering up three different crypto suites as displayed below in red:
The 100 Trying message is sent from IMG to outgoing gateway:
The 183 Session Progress message is sent from IMG to outbound gateway with the accepted crypto suite embedded in SDP:
The 200 OK with the crypto suite embedded in the SDP is sent from IMG to outgoing gateway:
The originating Gateway sends back an Acknowledgment to the IMG:
Additional Information:
TLS must be configured first before configuring SRTP. SRTP is available only when SIP signaling is accomplished over TLS.
A Secure Communications license is needed to configure SRTP and TLS. See IMG 1010 - License Info and IMG 1010 - Licensing for more information.
SRTP is supported using SIP only. H.323 is not supported.
The IMG supports the following crypto-suites for incoming and outgoing SIP. The parameters can be a mix of uppercase and lowercase values as specified in RFC 4568:
AES_CM_128_HMAC_SHA1_80
AES_CM_128_HMAC_SHA1_32
F8_128_HMAC_SHA1_80
The optional parameter FEC (Forward Error Correction) Control is not supported.
SRTP is supported on the Mindspeed VoIP module only.
Fax Relay using T.38 shall work as it always has. T.38 fax over UDPTL will not be encrypted even if the initial voice data in the same session was encrypted using SRTP.
Fax/Modem bypass using G.711 u/A shall be encrypted using the same rules that applied to the initial voice data for the session.
A new BOOTP flag is defined to enable TLS/SRTP. See IMG 1010 - Setting Host Flags for more information.
SRTP functionality is enabled/disabled using the SIP SGP pane in ClientView. See IMG 1010 - SRTP - Configuration.
Because SRTP is configured in the SIP SGP pane, SRTP can be configured on a specific channel group and/or not configured on another channel group.
RTP Redundancy cannot be applied when SRTP is enabled. RTP Redundancy is configured in the IMG 1010 - IP Bearer Profile pane.
When SRTP is enabled, the number of channels available changes. Below is a table displaying the Channel Densities when SRTP is enabled and when SRTP is disabled.
Profile # | VoIP Module Resources (SRTP Enabled) | VoIP Module Resources (SRTP Disabled) |
Profile 5 | 336 Resources | 512 Resources |
Profile 6 | 288 Resources | 336 Resources |
Profile 7 | 288 Resources | 336 Resources |