Not supported by SBC SWe Lite in this release.

To create or modify an Entry to a DTLS-SRTP Profile Table:

  1. In the WebUI, click the Settings tab.
  2. In the left navigation pane, go to Media > DTLS-SRTP Profiles.

    DTLS-SRTP Table

  3. Click the Create DTLS-SRTP Profile icon.

    Create DTLS-SRTP Profile

  4. Enter the field configurations. See DTLS-SRTP Profile Table Entry - Field Definitions.
  5. Click OK.

DTLS-SRTP Profile Table Entry - Field Definitions

For detailed DTLS-SRTP configuration as part of Microsoft Direct Routing between the SBC Edge and Microsoft Teams, refer to Best Practice - Configuring SBC Edge for Microsoft Teams Direct Routing.

Description

Descriptive name of DTLS-SRTP profile. Default entry: Blank.

DTLS Version

Selects the DTLS protocol versions the SBC will negotiate with the peer. By default both versions are enabled: as a DTLS server the SBC accepts any enabled version up to DTLS 1.2, and as a DTLS client it offers the highest enabled version, up to and including DTLS 1.2. DTLS 1.0 is deprecated (RFC 8996) and should be left enabled only while a peer that cannot do DTLS 1.2 still needs it.

Valid entries: DTLS 1.0 and DTLS 1.2.

How to Use:

Up. Moves the selected entry up in priority.

Down. Moves the selected entry down in priority.

Add/Edit. Adds/edits entries.

Remove. Removes the selected entry from the list.

Helpful Hint

This field presents a multi-select widget when the Add/Edit button is clicked.
See the Multi-select widget documentation for more information about using it.

Mutual Authentication

Enables the DTLS server to authenticate the DTLS client's certificate by comparing it against the fingerprint received in the SDP (a=fingerprint). Valid entry: Enabled (enables authentication) or Disabled (disables authentication). Default value: Enabled. Disabling this removes the binding between the signaling path and the media path: the SBC will then complete a DTLS handshake with any certificate, so the setting should stay Enabled unless a specific peer is known to signal a fingerprint that does not match the certificate it presents.

DTLS Handshake Timer

Configures the number of seconds to wait for the DTLS handshake to complete before the media session is torn down. Valid entry: 5 - 60 seconds. Default entry: 10 seconds.

Hash Type

Hash Type is the hash function used to generate the fingerprint of the SBC's X.509 certificate, which is included as the a=fingerprint attribute in the SIP offer message. The fingerprint binds the DTLS key exchanged in the media plane to the signaling plane: the peer verifies that the certificate presented during the DTLS handshake hashes to the signaled value. SHA-256 or stronger is the usual choice; MD5 and SHA-1 are retained for legacy interoperability only and should not be selected for new deployments.

Valid options:

DTLS_MEDIA_CRYPTO_HASH_SHA1

DTLS_MEDIA_CRYPTO_HASH_SHA224

DTLS_MEDIA_CRYPTO_HASH_SHA256

DTLS_MEDIA_CRYPTO_HASH_SHA384

DTLS_MEDIA_CRYPTO_HASH_SHA512

DTLS_MEDIA_CRYPTO_HASH_MD5


DTLS Role when Answerer

Configures the DTLS role (the a=setup value) the SBC takes in the SDP answer when the offer leaves the choice open with a=setup:actpass. When the offer already fixes a role (a=setup:active or a=setup:passive), the SBC must take the opposite role regardless of this setting.

Valid options:

  • Active The SBC initiates the outgoing DTLS connection (sends the ClientHello).
  • Passive The SBC waits for the peer to initiate the DTLS connection.

Default value: Active.
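The following is an added example, not Ribbon code, showing how the Hash Type, Mutual Authentication and DTLS Role when Answerer settings translate into the SDP/DTLS exchange: building the a=fingerprint line from a certificate, checking a peer's certificate against the fingerprint it signaled, and choosing the answer's a=setup role (RFC 8122, RFC 4145, RFC 5763). The certificate bytes are a constructed stand-in for a DER-encoded X.509 certificate, and the Hash Type to SDP token mapping is the assumed one; a real implementation hashes the actual DER bytes from the handshake.

```python
"""Fingerprint generation, mutual-authentication check and answerer role selection.
Added example, not Ribbon SBC code.  SAMPLE_CERT_DER is a constructed stand-in
for a DER-encoded X.509 certificate."""
import hashlib
import hmac

# Assumed mapping from the page's Hash Type enum to the SDP a=fingerprint hash-func token.
HASH_TYPE_TO_SDP = {
    "DTLS_MEDIA_CRYPTO_HASH_SHA1":   "sha-1",
    "DTLS_MEDIA_CRYPTO_HASH_SHA224": "sha-224",
    "DTLS_MEDIA_CRYPTO_HASH_SHA256": "sha-256",
    "DTLS_MEDIA_CRYPTO_HASH_SHA384": "sha-384",
    "DTLS_MEDIA_CRYPTO_HASH_SHA512": "sha-512",
    "DTLS_MEDIA_CRYPTO_HASH_MD5":    "md5",
}
# hashlib constructor name for each SDP token.
SDP_TO_HASHLIB = {"sha-1": "sha1", "sha-224": "sha224", "sha-256": "sha256",
                  "sha-384": "sha384", "sha-512": "sha512", "md5": "md5"}

# Constructed sample "certificate" (not a real DER structure).
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


def sdp_fingerprint(cert_der: bytes, hash_type: str) -> str:
    """Build the a=fingerprint line that goes into the SIP offer/answer:
    hash of the DER certificate as colon-separated uppercase hex octets."""
    token = HASH_TYPE_TO_SDP[hash_type]
    digest = hashlib.new(SDP_TO_HASHLIB[token], cert_der).digest()
    return "a=fingerprint:%s %s" % (token, ":".join("%02X" % b for b in digest))


def parse_fingerprint(line: str):
    """Return (hash token, digest bytes) from an a=fingerprint line."""
    attr, value = line.split(":", 1)
    if attr.strip() != "a=fingerprint":
        raise ValueError("not a fingerprint attribute")
    token, hexfp = value.split(None, 1)
    return token.lower(), bytes.fromhex(hexfp.replace(":", ""))


def mutual_auth_check(peer_cert_der: bytes, sdp_line: str) -> bool:
    """What Mutual Authentication = Enabled enforces: the certificate the peer
    presents in the DTLS handshake must hash to the fingerprint it signaled."""
    token, expected = parse_fingerprint(sdp_line)
    actual = hashlib.new(SDP_TO_HASHLIB[token], peer_cert_der).digest()
    return hmac.compare_digest(actual, expected)   # constant-time compare


def answerer_setup(offer_setup: str, configured_role: str) -> str:
    """Pick the a=setup value for the answer.  configured_role is the page's
    'DTLS Role when Answerer' (Active or Passive); it only decides anything when
    the offer leaves the choice open with actpass."""
    offer_setup = offer_setup.lower()
    if offer_setup == "actpass":
        return configured_role.lower()
    if offer_setup == "active":
        return "passive"        # the peer will send the ClientHello to us
    if offer_setup == "passive":
        return "active"         # the peer waits for our ClientHello
    raise ValueError("cannot set up DTLS against a=setup:%s" % offer_setup)


if __name__ == "__main__":
    line = sdp_fingerprint(SAMPLE_CERT_DER, "DTLS_MEDIA_CRYPTO_HASH_SHA256")
    print(line)
    print("peer cert matches:", mutual_auth_check(SAMPLE_CERT_DER, line))
    print("answer role for actpass offer:", answerer_setup("actpass", "Active"))
```

The constant-time comparison in mutual_auth_check is deliberate: a plain byte-string equality test leaks the position of the first mismatching byte through timing, which matters little for a fingerprint but is the habit to keep for any authentication check.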

Client Cipher List

Specifies the TLS cipher suites, in order of preference, that the SBC offers when it acts as the DTLS client; the peer selects one of them for the handshake. The ECDHE suites provide forward secrecy, while the RSA key-exchange suites do not, so list the ECDHE suites first where the peer supports them.

Valid options:

TLS_RSA_WITH_AES128_CBC_SHA

TLS_RSA_WITH_AES256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Cookie Exchange

Enables the stateless cookie exchange, a Denial of Service countermeasure initiated by the DTLS server (RFC 6347). When the server receives a ClientHello, it responds with a HelloVerifyRequest message carrying a generated cookie instead of allocating handshake state. The client must re-transmit the ClientHello with the received cookie added, which proves it can receive traffic at the source address it claims. Valid options: Enabled (enables DoS countermeasure) or Disabled (disables DoS countermeasure). Default value: Disabled. With the exchange disabled, ClientHellos sent from spoofed source addresses each cause the server to allocate handshake state; enable it whenever the SBC accepts DTLS from untrusted networks and the peers tolerate the extra round trip.
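The following is an added example, not Ribbon code, that models the Cookie Exchange setting: a DTLS server that, when the exchange is enabled, answers an unverified ClientHello with a HelloVerifyRequest carrying an HMAC cookie bound to the claimed source address, and only commits handshake state once the ClientHello comes back with a valid cookie (RFC 6347 section 4.2.1). Messages are plain dictionaries rather than DTLS wire encoding, the cookie recipe is the one the RFC suggests, and the addresses and flood are constructed.

```python
"""Stateless cookie exchange as a DoS countermeasure.  Added example, not
Ribbon SBC code; messages are dicts, not real DTLS records."""
import hashlib
import hmac
import secrets


class DtlsServer:
    """Minimal model of the server side of the DTLS handshake start."""

    def __init__(self, cookie_exchange: bool):
        self.cookie_exchange = cookie_exchange
        self._secret = secrets.token_bytes(32)   # rotated periodically in practice
        self.pending_handshakes = 0               # the state an attacker wants to exhaust

    def _cookie(self, addr, client_hello) -> bytes:
        # Cookie = HMAC(secret, client IP/port || ClientHello.random); no per-client state.
        mac = hmac.new(self._secret, digestmod=hashlib.sha256)
        mac.update(("%s:%d" % addr).encode())
        mac.update(client_hello["random"])
        return mac.digest()

    def on_client_hello(self, addr, client_hello) -> dict:
        """Return the next message the server sends for this ClientHello."""
        if self.cookie_exchange:
            expected = self._cookie(addr, client_hello)
            if not hmac.compare_digest(client_hello.get("cookie", b""), expected):
                # Nothing allocated: just echo a cookie bound to the claimed source.
                return {"type": "HelloVerifyRequest", "cookie": expected}
        # Only now does the server commit resources to this handshake.
        self.pending_handshakes += 1
        return {"type": "ServerHello"}


def honest_client(server: DtlsServer, addr) -> str:
    """A real client at addr: it sees the HelloVerifyRequest and retransmits."""
    hello = {"type": "ClientHello", "random": secrets.token_bytes(32), "cookie": b""}
    reply = server.on_client_hello(addr, hello)
    if reply["type"] == "HelloVerifyRequest":
        hello["cookie"] = reply["cookie"]         # retransmit ClientHello with cookie
        reply = server.on_client_hello(addr, hello)
    return reply["type"]


def spoofed_flood(server: DtlsServer, n: int) -> int:
    """Attacker sends n ClientHellos from forged source addresses (constructed
    TEST-NET-3 range).  It never receives the HelloVerifyRequest, so it can
    never produce a valid cookie.  Returns the server's handshake state count."""
    for i in range(n):
        fake_addr = ("203.0.113.%d" % (i % 254 + 1), 40000 + i)
        server.on_client_hello(fake_addr, {"type": "ClientHello",
                                           "random": secrets.token_bytes(32),
                                           "cookie": b""})
    return server.pending_handshakes


if __name__ == "__main__":
    for enabled in (True, False):
        srv = DtlsServer(cookie_exchange=enabled)
        honest_client(srv, ("198.51.100.7", 5004))
        print("cookie exchange", enabled, "-> state after 1000 spoofed hellos:",
              spoofed_flood(srv, 1000))
```

With the exchange enabled the spoofed ClientHellos cost the server one HMAC each and no state; with it disabled every spoofed hello leaves a pending handshake behind until the handshake timer expires.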

Crypto Suite Sequence

Specifies the SRTP crypto suites, in order of preference, that the SBC offers in the SDP (a=crypto) to negotiate the cipher and authentication used to encrypt and authenticate media. Both suites use AES-128 in counter mode with HMAC-SHA1; they differ only in the authentication tag carried on each packet, 80 bits for AES_CM_128_HMAC_SHA1_80 and 32 bits for AES_CM_128_HMAC_SHA1_32. The 80-bit tag is the stronger choice; the 32-bit variant saves six bytes per packet at the cost of a weaker integrity check.

Available options:

AES_CM_128_HMAC_SHA1_32

AES_CM_128_HMAC_SHA1_80


How to Use:

Up. Moves the selected entry up in priority.

Down. Moves the selected entry down in priority.

Add/Edit. Adds/edits entries.

Remove. Removes the selected entry from the list.

Helpful Hint

This field presents a multi-select widget when the Add/Edit button is clicked.
See the Multi-select widget documentation for more information about using it.


Key Identifier Length

Specifies the length of the Master Key Identifier, in bytes, sent in the SRTP packet.

The Master Key Identifier (MKI) identifies the master key from which the session key(s) were derived that authenticate and/or encrypt the particular packet.

When the MKI is in use (Key Identifier Length > 0), the MKI indicator and the length in octets of the MKI field must be kept fixed for the lifetime of the cryptographic context; the sender also tracks the value of the currently active MKI, which it places in every packet it protects (RFC 3711). Both endpoints must agree on the same length, since the MKI sits between the encrypted payload and the authentication tag and a receiver that expects a different length will mis-parse every packet.

To disable the MKI in the SDP, configure this value to 0.
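The following is an added example, not Ribbon code, showing where the Crypto Suite Sequence and Key Identifier Length settings appear on the wire. An SRTP packet is laid out as RTP header, encrypted payload, optional MKI of Key Identifier Length bytes, then the authentication tag, whose size is set by the negotiated suite (4 bytes for AES_CM_128_HMAC_SHA1_32, 10 bytes for AES_CM_128_HMAC_SHA1_80, RFC 3711 section 3.1). The parser splits a packet using those two parameters; the sample packet is constructed, not captured, and its "ciphertext" is dummy bytes.

```python
"""SRTP packet layout: header | encrypted payload | MKI | auth tag.
Added example, not Ribbon SBC code; SAMPLE_PACKET is constructed."""
import struct

# Authentication tag length in bytes for each suite on the page (RFC 3711 sec. 3.1).
AUTH_TAG_LEN = {"AES_CM_128_HMAC_SHA1_32": 4, "AES_CM_128_HMAC_SHA1_80": 10}


def parse_srtp(packet: bytes, crypto_suite: str, mki_len: int) -> dict:
    """Split an SRTP packet into its fields using the negotiated suite and
    the configured Key Identifier Length (0 means no MKI field)."""
    tag_len = AUTH_TAG_LEN[crypto_suite]
    if len(packet) < 12 + mki_len + tag_len:
        raise ValueError("packet too short for the negotiated parameters")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    csrc_count = b0 & 0x0F
    hdr_len = 12 + 4 * csrc_count
    if b0 & 0x10:                                    # RTP header extension present
        ext_len_words = struct.unpack("!H", packet[hdr_len + 2:hdr_len + 4])[0]
        hdr_len += 4 + 4 * ext_len_words
    tag_start = len(packet) - tag_len                # tag is always the trailer
    mki_start = tag_start - mki_len                  # MKI sits just before it
    return {
        "version": b0 >> 6,
        "seq": seq,
        "ssrc": ssrc,
        "header": packet[:hdr_len],                  # authenticated, not encrypted
        "payload": packet[hdr_len:mki_start],        # the encrypted portion
        "mki": packet[mki_start:tag_start],          # b"" when mki_len == 0
        "auth_tag": packet[tag_start:],
    }


def build_srtp(header: bytes, payload: bytes, mki: bytes, auth_tag: bytes) -> bytes:
    """Assemble the fields in wire order."""
    return header + payload + mki + auth_tag


# Constructed sample: RTP v2, PT 0, seq 1, ts 160, SSRC 0xDEADBEEF, 16 dummy
# ciphertext bytes, 4-byte MKI 0x00000001, 10-byte tag (the SHA1_80 suite).
SAMPLE_HEADER = struct.pack("!BBHII", 0x80, 0x00, 1, 160, 0xDEADBEEF)
SAMPLE_PACKET = build_srtp(SAMPLE_HEADER, bytes(range(16)),
                           b"\x00\x00\x00\x01", b"\xAA" * 10)


def misparse_without_mki(packet: bytes) -> bytes:
    """What a receiver configured with Key Identifier Length 0 treats as
    ciphertext when the sender is actually using a 4-byte MKI: the MKI bytes
    end up inside the payload, so decryption and authentication both fail."""
    return parse_srtp(packet, "AES_CM_128_HMAC_SHA1_80", 0)["payload"]


if __name__ == "__main__":
    fields = parse_srtp(SAMPLE_PACKET, "AES_CM_128_HMAC_SHA1_80", 4)
    print("ssrc=%08X seq=%d mki=%s tag=%d bytes" % (
        fields["ssrc"], fields["seq"], fields["mki"].hex(), len(fields["auth_tag"])))
    print("payload seen with MKI length 0:", misparse_without_mki(SAMPLE_PACKET).hex())
```

The receiver has no way to discover the MKI length from the packet itself, which is why the value must be agreed out of band and kept fixed for the life of the context; the same holds for the tag length implied by the crypto suite.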