SRTP - Overview

SIP SRTP on the IMG 2020 supports RFC 3711 (the IP media layer security standard) and RFC 4568 (the IP signaling security standard). The IMG 2020 provides security, confidentiality, message authentication, and replay protection for both RTP and RTCP packets, using a cryptographic key and other parameters that configure security. To use SRTP over SIP, the IMG 2020 must first have the SIP Signaling over TLS functionality configured. SIP Signaling over TLS was introduced to secure the IP signaling layer; SRTP and SRTCP are added to secure the voice and data carried over the RTP stream. The information below is an overview of what is supported. See the links in the Related Topics section for more information on this feature.

Related Topics

Configure SRTP

SIP Signaling over TLS Overview

SRTP Cryptosuite

Licensing (Gateway Mode)

Physical Node - Direct Connect

SIP Profile - SGP

SRTP Mode Flowchart - Incoming

SRTP Mode Flowchart - Outgoing 

SRTP Network Diagram

Call Flow Diagrams

SRTP Support on Incoming leg

The call flow below displays a basic SIP Offer/Answer scenario. In the call flow, SRTP has been enabled. Click on each of the messages (INVITE, 183 Session Progress, and 200 OK) for a call trace and explanation displaying that message with the SRTP information embedded. The first call flow displays the incoming leg only.

SRTP Support on Outgoing leg

The call flow below displays a basic SIP Offer/Answer scenario. In the call flow, SRTP has been enabled. Click on each of the messages (INVITE, 100 Trying, 183 Session Progress, 200 OK, and ACK) for a call trace displaying that message with the SRTP information embedded. This displays the outgoing leg only.

Additional Information

  • SRTP as well as SRTCP is supported. SRTCP can be enabled or disabled on each Cryptosuite configured.

  • SRTP is supported on AUDIO calls only.

  • TLS must be configured first before configuring SRTP. SRTP functionality is available only when SIP signaling is being processed over TLS.

  • A Secure Communications license is needed to configure TLS and then SRTP. Refer to the topic for more licensing information.

  • SRTP is supported using SIP only. H.323 is not supported.

  • The IMG 2020 supports the following crypto-suites for incoming and outgoing SIP. The parameters can be a mix of uppercase and lowercase values as specified in RFC 4568.

Supported Crypto-suites

  • AES_CM_128_HMAC_SHA1_80

  • AES_CM_128_HMAC_SHA1_32

  • F8_128_HMAC_SHA1_80

  • The optional parameter FEC (Forward Error Correction) Control is not supported.

  • T.38 fax is transmitted over UDPTL and will not be encrypted even if the initial voice data in the same session was encrypted using SRTP. Fax/Modem bypass using G.711 u/A shall be encrypted using the same rules that applied to the initial voice data for the session.

  • SRTP is first enabled or disabled in the SRTP Mode field of the Physical Node object. This needs to be set when the node is first configured. Enabling SRTP on an existing node requires the node to be completely reconfigured.

  • SRTP functionality is enabled/disabled in each SIP channel group by first configuring the SRTP functionality in the SIP Profile (SGP) object and then linking the SIP Profile (SGP) to the Channel Group. Refer to the topic for more information on this.

  • Because SRTP is configured in the SIP Profile (SGP) object and linked to the channel group, the individual SIP Channel Group can be selected to support SRTP or not.

  • When enabling SRTP, the number of IP Channels/Ports available changes. Refer to the tables under the Media Mode section of the object for max channel densities supported for each codec supporting the SRTP protocol.

  • RTP Redundancy cannot be applied when SRTP is enabled.
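
The constraints listed above can be checked against an SDP offer before a peer is pointed at the gateway. The Python below is an added example, not Sangoma code and not taken from the IMG 2020: it parses RFC 4568 a=crypto lines and flags anything outside the supported set described on this page. The names check_crypto and audit_offer, the sample offer, and the key are constructed for illustration; how the IMG 2020 itself reacts to an offer that fails these checks is not stated here.

```python
import base64
import binascii

# Crypto-suites the page lists as supported; names are compared case-insensitively.
SUPPORTED = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32", "F8_128_HMAC_SHA1_80"}
KEY_SALT_LEN = 30  # RFC 4568: 128-bit master key + 112-bit master salt for these suites

def check_crypto(media_type, value):
    """Return (tag, suite, problems) for the value of one a=crypto attribute."""
    fields = value.split()
    if len(fields) < 3:
        return None, None, ["malformed crypto attribute"]
    tag, suite, key_params, session = fields[0], fields[1].upper(), fields[2], fields[3:]
    problems = []
    if media_type != "audio":
        problems.append("SRTP is supported on audio only")
    if suite not in SUPPORTED:
        problems.append("crypto-suite not supported")
    else:
        for kp in key_params.split(";"):  # one or more key parameters
            method, _, info = kp.partition(":")
            try:
                raw = base64.b64decode(info.split("|")[0], validate=True)
            except (binascii.Error, ValueError):
                raw = b""
            if method.lower() != "inline" or len(raw) != KEY_SALT_LEN:
                problems.append("bad key parameter")
    if any(p.upper().startswith(("FEC_ORDER=", "FEC_KEY=")) for p in session):
        problems.append("FEC session parameters not supported")
    return tag, suite, problems

def audit_offer(sdp):
    """Report every a=crypto line and any T.38 stream that will go unencrypted."""
    findings, media = [], ["", "", ""]
    for line in (raw_line.strip() for raw_line in sdp.splitlines()):
        if line.startswith("m="):
            media = (line[2:].split() + ["", "", ""])[:3]  # type, port, transport
            if media[0] == "image" and media[2].lower() == "udptl":
                findings.append(("image", None, None, ["T.38 over UDPTL is not encrypted"]))
        elif line.lower().startswith("a=crypto:"):
            findings.append((media[0],) + check_crypto(media[0], line[9:]))
    return findings

# Constructed SDP fragment and key (bytes 0..29); neither comes from a real call.
KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = "\r\n".join(["v=0", "m=audio 49170 RTP/SAVP 0",
    f"a=crypto:1 aes_cm_128_hmac_sha1_80 inline:{KEY}|2^20|1:4",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY} FEC_ORDER=FEC_SRTP",
    f"a=crypto:3 AES_256_CM_HMAC_SHA1_80 inline:{KEY}",
    "m=image 49172 udptl t38"])
```

Calling audit_offer(SAMPLE_OFFER) returns one tuple per crypto line plus one for the T.38 stream; an empty problems list means the line fits the supported set.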
