DTLS Profile - CLI

 Use the DTLS Profile to configure various DTLS parameters to attach to a SIP trunk group in support of WebRTC functionality.

Similar to TLS, the Datagram Transport Layer Security (DTLS) protocol provides authentication, data integrity, and confidentiality for communications between two applications over an unreliable User Datagram Protocol (UDP) connection. The Secure Real-time Transport Protocol (SRTP) provides encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications. DTLS-SRTP is an extension to the DTLS protocol, where DTLS acts as the key management protocol. DTLS protocol is also extended to negotiate the SRTP crypto suites and parameters for use with those keys.

WebRTC is a signaling protocol defined for real-time communication between web browsers. WebRTC uses the DTLS-SRTP protocol for media exchange between browsers. The SBC includes the following functionality:

• Real-time communication between web browsers using DTLS-SRTP while inter-working with SIP networks.
• DTLS on the media path for key management for SRTP-based media.
• Self-signed certificates to secure and authenticate DTLS associations. DTLS connections are secured by the two browsers sharing self-signed certificates as part of the media connection during a DTLS handshake between the browsers. The certificates are authenticated by checking a fingerprint which is passed in the signaling path as part of the Session Description Protocol (SDP) negotiation.

The SBC includes crypto suites that define a set of ciphers (algorithms used for encrypting data) which allow the selection of an appropriate level of security. When a DTLS connection is established, the client and server exchange information about which cipher suites they have in common.

Command Syntax

% set profiles security dtlsProfile <profile name> 
	CertName <cert name>
	cipherSuite1 <cipher suite> 
	cipherSuite2 <cipher suite> 
	cipherSuite3 <cipher suite>
	cookieExchange <disabled | enabled>
	dtlsRole <client | server>
	handshakeTimer <1-60 seconds> 
	hashType <md2 | md5 | sha1 | sha224 | sha256 | sha384 | sha512>
	sessionResumpTimer <0-86400>
	v1_0 <disabled | enabled>
    v1_1 <disabled | enabled>
    v1_2 <disabled | enabled>

Command Parameters

The DTLS Profile Parameters are as shown below:

Crypto Suites

The following crypto suites are supported.

Table 2: Supported TLS/DTLS Crypto Suites

*  To use this cipher, TLS version 1.2 must be enabled in the TLS Profile.

**  To use this cipher, TLS version 1.2 must be enabled in the TLS Profile and SSL certificates must be created using ECC keys.

Command Examples

% show profiles security dtlsProfile defaultDtlsProfile
handshakeTimer     5;
sessionResumpTimer 300;
cipherSuite1       rsa-with-aes-128-cbc-sha;
dtlsRole           server;
hashType           sha1;
CertName           defaultDtlsSBCCert;
cookieExchange     enabled;
v1_0               enabled;
v1_1               disabled;
v1_2               disabled;