
Secure real-time transport protocol (Secure RTP or SRTP) is an IETF cryptographic protocol used to provide secure communications over an untrusted network. SRTP provides confidentiality, message authentication and replay protection for Internet media traffic such as audio and video. The SBC supports Secure RTP and its associated secure real-time transport control protocol (Secure RTCP) for IPv4/IPv6 addressing for both audio and video streams.

SRTP Functionality

Secure RTP on the SBC is available using SIP signaling over UDP, TCP, and TLS (Transport Layer Security), and is signaled by specifying Secure RTP transport in an SDP (Session Description Protocol) media (m=) line. The SBC uses the RFC 4568 Security Descriptions ("sdescriptions") standard for negotiating the use of Secure RTP. TLS over TCP is recommended for SIP transport when negotiating Secure RTP, because it protects the integrity and confidentiality of the SRTP keys carried in the SDP, which would otherwise be exposed in clear text. The SBC supports SRTP on all call legs.

The use of Secure RTP on one call leg is independent of its use on other legs of the same call, and is negotiated separately for each leg. Secure RTP may be used outside or inside the network. All Secure RTP calls are routed through the SBC.

Use of Secure RTP is provisioned on a Packet Service Profile basis; separate packet service profiles may be applied to Ingress and Egress packet signaling. 

The SBC supports the crypto suites "aes-cm-128-hmac-sha1-80" and "aes-cm-128-hmac-sha1-32" for Secure RTP. Secure RTP is requested by the presence of RTP/SAVP or RTP/SAVPF in the m= line.

The "aes-cm-128-hmac-sha1-32" algorithm is not supported in [product name not rendered in this page version].

The appropriate crypto suite profile may also include valid combinations of the following session parameters:

  • UNENCRYPTED_SRTP—SRTP packet payloads are not encrypted.
  • UNENCRYPTED_SRTCP—SRTCP packet payloads are not encrypted.
  • UNAUTHENTICATED_SRTP—SRTP packet payloads are not authenticated.

By default, SRTP and SRTCP packet payloads are both authenticated and encrypted. The SRTP specification (RFC 3711) requires message authentication for SRTCP, but not for SRTP. Use of UNAUTHENTICATED_SRTP is not recommended, because without authentication a receiver cannot detect modified or forged media packets.

The SBC negotiates the use of Secure RTP/RTCP with its peer. If the SBC and its peer cannot agree on the SRTP/SRTCP parameters for the connection, the call is either terminated or continued with no media security, depending on the provisioning of a fallback parameter.
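To show how the negotiation described above plays out on the wire, here is an added example (not SBC code) that reads an SDP offer, accepts the first a=crypto line whose suite the page lists as supported (RFC 4568 spells "aes-cm-128-hmac-sha1-80" as AES_CM_128_HMAC_SHA1_80 in SDP), checks the inline key material, skips UNAUTHENTICATED_SRTP offers, and applies a fallback policy when nothing is agreeable. The offer and its key material are constructed for illustration, and a single m= line is assumed.

```python
import base64
import re

SUPPORTED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}
KNOWN_PARAMS = {"UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP"}
KEY_SALT_LEN = 30  # AES_CM_128: 16-byte master key + 14-byte master salt
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)(?: (.*))?$")

# Constructed offer with hypothetical key material: one audio m= line, three crypto lines.
_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = "\n".join([
    "v=0", "m=audio 49170 RTP/SAVP 0 8",
    f"a=crypto:1 F8_128_HMAC_SHA1_80 inline:{_KEY}|2^20|1:4",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{_KEY} UNAUTHENTICATED_SRTP",
    f"a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:{_KEY}|2^20",
])

def parse_crypto(line):
    """Return (tag, suite, key_params, session_params) for an a=crypto line, else None."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, suite, key_params, params = m.groups()
    return int(tag), suite, key_params, (params or "").split()

def key_is_valid(key_params):
    """The inline: key||salt must base64-decode to exactly KEY_SALT_LEN bytes."""
    b64 = key_params.partition("inline:")[2].split("|")[0]  # strip lifetime / MKI
    try:
        return len(base64.b64decode(b64, validate=True)) == KEY_SALT_LEN
    except ValueError:
        return False

def select_crypto(sdp, fallback_to_rtp=False, allow_unauthenticated=False):
    """Pick the first offered crypto line we can accept, else apply the fallback policy."""
    lines = sdp.splitlines()
    media = next((l for l in lines if l.startswith("m=")), None)
    if media is None or media.split()[2] not in ("RTP/SAVP", "RTP/SAVPF"):
        return {"outcome": "plain_rtp"}  # no secure transport requested in the m= line
    for parsed in filter(None, map(parse_crypto, lines)):
        tag, suite, key_params, params = parsed
        if suite not in SUPPORTED_SUITES or not set(params) <= KNOWN_PARAMS:
            continue
        if "UNAUTHENTICATED_SRTP" in params and not allow_unauthenticated:
            continue  # the page advises against unauthenticated SRTP
        if key_is_valid(key_params):
            return {"outcome": "secure", "tag": tag, "suite": suite, "params": params}
    return {"outcome": "fallback_rtp" if fallback_to_rtp else "reject"}
```

The answer would echo the chosen tag and suite back in its own a=crypto line with the answerer's key; with the default policy the offer above settles on tag 3 even though tag 2 appears earlier.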

Direct Media Using SIP-TLS SRTP

The SBC supports the following Direct Media functionality:

  • Direct Media over SRTP/TLS between subscribers in the same Media Group for both audio and video calls.
  • Direct Media between endpoints in the same media zone belonging to the same or different SBCs. For example, Direct Media with TLS/SRTP is applicable in a distributed network containing two SBCs.

Media Pass-through

In prior releases, the SBC terminates all SRTP and SRTCP media for authentication, encryption, and decryption based on the Packet Service Profile (PSP) Secure RTP/RTCP configuration. It negotiates the required cryptographic security description with peers by terminating the signaling session, and it uses locally generated keys and other security descriptors for media encryption and decryption, conveying them to peers in the signaling Session Description Protocol (SDP).

The SBC is enhanced to support SRTP media pass-through for SRTP and SRTCP media streams. In this mode the SBC does not terminate the SDP security description or the SRTP media streams; it passes them through without authenticating, decrypting, or encrypting them, and treats SRTP media as plain RTP pass-through media. The end-to-end keys are therefore exchanged between the peers themselves, and the SBC cannot inspect or modify the media payload.

The following diagram illustrates the media flow for an SRTP pass-through call.

SRTP Packet to Packet Media Call Flow

  • Secure RTP and Secure RTCP pass-through flows are supported for end-to-end security-associated peers.
  • This feature does not support media transcoding, DTMF interworking, and Lawful Intercept (LI).