Overview


The SBC secures (encrypts and authenticates) RTP media streams using IPsec tunnels. Previously, this was accomplished with Secure RTP (sRTP), with symmetric keys exchanged on a per RTP stream basis through a secure signaling channel over TLS or IPsec. The SBC uses a single IPsec tunnel to secure the media for all calls between the SBC and a remote SBC/router using one set of keys.

In earlier versions, the SBC supported bidirectional IPsec communication for signaling, as well as unidirectional (send only) IPsec communication for Lawful Intercept (LI) of signaling and media in a limited capacity. The SBC is enhanced to secure bidirectional RTP media streams to remote peer carriers over an untrusted network using IPsec tunnels. The symmetric encryption keys are exchanged on a per IPsec tunnel basis using the Internet Key Exchange (IKE) protocol.

Typically, in a carrier peering scenario, the SBC is configured to isolate each peer carrier network on its own Trunk Group (TG). The TG is configured to use one media LIF Group (IP Interface Group). The media LIF Group may be used to carry both signaling and media traffic. IPsec control is enabled/disabled at the LIF Group level. For backward compatibility reasons, IPsec is controlled separately for signaling/LI when compared to media.

A media IPsec tunnel terminates on a LIF within a media LIF Group using the LIF Primary IP address. Multiple media IPsec tunnels may be terminated on the same local LIF to different remote IPsec peer SBCs or routers. The signaling IPsec tunnels also terminate on a LIF, but use the signaling IP address bound to the LIF as the local tunnel IP. LIF Groups may carry a mix of signaling and media traffic, but the two are carried on different IPsec tunnels.

SBC media IPsec tunnels only support IPsec Tunnel Mode (not Transport Mode) using the Encapsulating Security Payload (ESP) protocol. IPsec Transport Mode is not supported for media, but is still used for signaling IPsec tunnels.

The media packets that comprise an RTP stream are fully encapsulated within ESP packets, encrypted, and authenticated to traverse the media IPsec tunnel. For these ESP packets, the outer IP header contains the LIF Primary IP as the local IP and the IPsec Peer IP as the remote IP (typically an interface IP).
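To make the tunnel-mode framing concrete, the following added example (not SBC code, and not the SBC's actual cipher suite) wraps a constructed RTP/UDP/IPv4 packet in tunnel-mode ESP with an outer header from a LIF Primary IP to the peer IP, and then decapsulates it while checking the ICV, SPI, anti-replay sequence and the tunnel-mode next-header value. It uses the NULL cipher (RFC 2410) with HMAC-SHA1-96 integrity (RFC 2404) so it runs on the standard library alone; all addresses, SPI and the key are assumed sample values.

```python
import hmac, hashlib, struct, ipaddress

ESP_PROTO, UDP_PROTO, IP_IN_IP = 50, 17, 4   # tunnel mode: ESP carries a whole inner IP packet
ICV_LEN = 12                                  # HMAC-SHA1-96 integrity check value (RFC 2404)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header, no options; checksum left zero to keep the example short."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def rtp_packet(src, dst, sport, dport, seq, ts, ssrc, payload):
    """Constructed inner packet: IPv4 + UDP + 12-byte RTP header (V=2, PT=0) + payload."""
    rtp = struct.pack("!BBHII", 0x80, 0, seq, ts, ssrc) + payload
    udp = struct.pack("!HHHH", sport, dport, 8 + len(rtp), 0) + rtp
    return ipv4_header(src, dst, UDP_PROTO, len(udp)) + udp

def esp_tunnel_encap(inner_pkt, spi, seq, auth_key, lif_primary_ip, peer_ip):
    """Outer IP (LIF Primary -> peer) | SPI | seq | inner IP packet | padding | pad len | next hdr | ICV."""
    pad_len = (-(len(inner_pkt) + 2)) % 4                   # payload + 2-byte trailer aligned to 4
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IP_IN_IP])
    body = struct.pack("!II", spi, seq) + inner_pkt + trailer   # NULL cipher: nothing is encrypted here
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return ipv4_header(lif_primary_ip, peer_ip, ESP_PROTO, len(body) + ICV_LEN) + body + icv

def esp_tunnel_decap(outer_pkt, spi, auth_key, last_seq):
    """Verify ICV (constant time), SPI and replay order; return (seq, inner IP packet)."""
    if outer_pkt[9] != ESP_PROTO:
        raise ValueError("outer protocol is not ESP")
    body, icv = outer_pkt[20:-ICV_LEN], outer_pkt[-ICV_LEN:]
    if not hmac.compare_digest(icv, hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]):
        raise ValueError("ICV mismatch: packet tampered or wrong key")
    pkt_spi, seq = struct.unpack("!II", body[:8])
    if pkt_spi != spi:
        raise ValueError("unknown SPI")
    if seq <= last_seq:
        raise ValueError("replayed or out-of-order sequence number")
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != IP_IN_IP:
        raise ValueError("not a tunnel-mode packet")
    return seq, body[8:-(2 + pad_len)]

if __name__ == "__main__":
    KEY = b"\x11" * 20                                       # constructed demo key
    inner = rtp_packet("10.0.0.5", "203.0.113.9", 6000, 7000, 1, 160, 0xDEADBEEF, b"\x00" * 20)
    outer = esp_tunnel_encap(inner, 0x1000, 1, KEY, "192.0.2.10", "198.51.100.20")
    assert esp_tunnel_decap(outer, 0x1000, KEY, 0) == (1, inner)
```

Note that a single SPI, key and sequence space cover every call's media between the two peers, which is exactly why one IPsec tunnel per remote SBC/router replaces per-stream sRTP keying.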

Media Over IPsec Use Case