
Overview

The Secure Real-time Transport Protocol (Secure RTP or SRTP) is an IETF cryptographic protocol, defined in RFC 3711, that provides secure communications over untrusted networks. SRTP provides confidentiality, message authentication and replay protection for Internet media traffic such as audio and video. The SBC supports Secure RTP and its associated Secure Real-time Transport Control Protocol (Secure RTCP) for IPv4/IPv6 addressing, for both audio and video streams.

SRTP Functionality

Secure RTP on the SBC is available with SIP signaling over UDP, TCP, and TLS (Transport Layer Security), and is signaled by specifying Secure RTP transport in an SDP (Session Description Protocol) media (m=) line. The SBC uses the RFC 4568 Security Descriptions ("sdescriptions") standard to negotiate the use of Secure RTP. TLS over TCP is recommended for SIP transport when negotiating Secure RTP, because it protects the integrity and confidentiality of the SRTP keys, which would otherwise be exposed. The SBC supports SRTP on all call legs.

The use of Secure RTP on one call leg is independent of its use on other legs of the same call, and is negotiated separately for each leg. Secure RTP may be used outside or inside the network. All Secure RTP calls are routed through the SBC.

Use of Secure RTP is provisioned on a Packet Service Profile basis; separate Packet Service Profiles may be applied to ingress and egress packet signaling.

The SBC supports the crypto suites "aes-cm-128-hmac-sha1-80" and "aes-cm-128-hmac-sha1-32" for Secure RTP. Secure RTP is requested by the presence of RTP/SAVP or RTP/SAVPF in the m= line.

The appropriate crypto suite profile may also include valid combinations of the following session parameters:

  • UNENCRYPTED_SRTP—SRTP packet payloads are not encrypted.
  • UNENCRYPTED_SRTCP—SRTCP packet payloads are not encrypted.
  • UNAUTHENTICATED_SRTP—SRTP packet payloads are not authenticated.

By default, SRTP and SRTCP packet payloads are both authenticated and encrypted. The SRTP specification (RFC 3711) requires message authentication for SRTCP, but not for SRTP. Use of UNAUTHENTICATED_SRTP is not recommended.

The SBC negotiates the use of Secure RTP/RTCP with its peer. If the SBC and its peer cannot agree on the RTP/RTCP parameters for the connection, they either terminate the call or continue the call with no security, depending on the provisioning of a fallback parameter.

Direct Media Using SIP-TLS SRTP

The SBC supports the following Direct Media functionality:

  • Direct Media over SRTP/TLS between subscribers in the same Media Group, for both audio and video calls.
  • Direct Media between endpoints in the same media zone belonging to the same or different SBCs. For example, Direct Media with TLS/SRTP is applicable to a distributed network containing two SBCs.

SRTP Crypto Suites

The SBC platforms support the following crypto suites for SRTP and SRTCP encryption:

SRTP and SRTCP Crypto Suites

| Crypto Suite            | Master Key Length (bits) | Salt Value (bits) | Cipher                             | Key Derivation Function   | Encryption Key (bits) | Message Authentication Code               | Authentication Tag Length (bits) | Authentication Key Length (bits) |
|-------------------------|--------------------------|-------------------|------------------------------------|---------------------------|-----------------------|-------------------------------------------|----------------------------------|----------------------------------|
| AEAD-AES-128-GCM        | 128                      | 96                | AES-CM                             | AES_CM PRF [RFC 3711]     | 128                   | Galois Message Authentication Code (GMAC) | 128                              | N/A                              |
| AEAD-AES-256-GCM        | 256                      | 96                | AES-CM                             | AES_256_CM_PRF [RFC 6188] | 256                   | Galois Message Authentication Code (GMAC) | 128                              | N/A                              |
| AES-CM-128-HMAC-SHA1-32 | 128                      | 112               | AES Counter Mode                   | AES_128_CM_PRF            | 128                   | HMAC-SHA1                                 | 32                               | 160                              |
| AES-CM-128-HMAC-SHA1-80 | 128                      | 112               | AES Counter Mode                   | AES_128_CM_PRF            | 128                   | HMAC-SHA1                                 | 80                               | 160                              |
| AES-CM-192-HMAC-SHA1-32 | 192                      | 112               | AES Segmented Integer Counter Mode | AES_192_CM_PRF            | 192                   | HMAC-SHA1                                 | 32                               | 160                              |
| AES-CM-192-HMAC-SHA1-80 | 192                      | 112               | AES Segmented Integer Counter Mode | AES_192_CM_PRF            | 192                   | HMAC-SHA1                                 | 80                               | 160                              |
| AES-CM-256-HMAC-SHA1-32 | 256                      | 112               | AES Segmented Integer Counter Mode | AES_256_CM_PRF            | 256                   | HMAC-SHA1                                 | 32                               | 160                              |
| AES-CM-256-HMAC-SHA1-80 | 256                      | 112               | AES Segmented Integer Counter Mode | AES_256_CM_PRF            | 256                   | HMAC-SHA1                                 | 80                               | 160                              |
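The sdescriptions negotiation and fallback decision described earlier on this page, together with the master key and salt lengths from the table above, as an added Python example that is not part of this page or of the SBC's own implementation. It assumes the SDP suite identifiers that RFC 4568, RFC 6188 and RFC 7714 define for the suites in the table, constructs placeholder key bytes through a hypothetical `sample_key` helper, and applies its own policy of refusing unknown session parameters and UNAUTHENTICATED_SRTP.

```python
import base64
import re

# Master-key and salt lengths (bits) for the suites in this page's table, keyed by
# the identifier each suite carries in an SDP a=crypto line (RFC 4568/6188/7714).
SUITES = {
    "AEAD_AES_128_GCM": (128, 96),
    "AEAD_AES_256_GCM": (256, 96),
    "AES_CM_128_HMAC_SHA1_32": (128, 112),
    "AES_CM_128_HMAC_SHA1_80": (128, 112),
    "AES_192_CM_HMAC_SHA1_32": (192, 112),
    "AES_192_CM_HMAC_SHA1_80": (192, 112),
    "AES_256_CM_HMAC_SHA1_32": (256, 112),
    "AES_256_CM_HMAC_SHA1_80": (256, 112),
}
# Session parameters named on this page; anything else is refused here (policy assumption).
KNOWN_PARAMS = {"UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP"}
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len] [session-params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(?:\|\S*)?((?: \S+)*)$")

def sample_key(nbytes):
    return base64.b64encode(bytes(range(nbytes))).decode()  # constructed placeholder, not a real key

def parse_crypto(line):
    """Return ((tag, suite, params), 'ok') if the line is acceptable, else (None, reason)."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None, "malformed a=crypto line"
    tag, suite, key_b64, params = m.groups()
    if suite not in SUITES:
        return None, f"unsupported suite {suite}"
    try:
        key_len = len(base64.b64decode(key_b64, validate=True))
    except ValueError:
        return None, "inline key is not valid base64"
    if key_len * 8 != sum(SUITES[suite]):  # decoded bytes must equal master key + salt
        return None, f"{suite} needs {sum(SUITES[suite]) // 8}-byte key||salt, got {key_len}"
    params = set(params.split())
    if not params <= KNOWN_PARAMS:
        return None, f"unknown session parameter(s) {sorted(params - KNOWN_PARAMS)}"
    if "UNAUTHENTICATED_SRTP" in params:  # not recommended on this page, so refuse it
        return None, "UNAUTHENTICATED_SRTP refused by local policy"
    return (int(tag), suite, params), "ok"

def answer_media(offer_lines, fallback_to_rtp):
    """First acceptable a=crypto line wins; with none, fall back to plain RTP/AVP or reject."""
    for chosen, _reason in (parse_crypto(l) for l in offer_lines if l.startswith("a=crypto:")):
        if chosen:
            return "RTP/SAVP", chosen[0], chosen[1]
    return ("RTP/AVP", None, None) if fallback_to_rtp else ("reject", None, None)
```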
