CHAPTER19 Coders and Profiles
Mediant 800 Gateway & E-SBC | User's Manual
Parameter Description
■ Gateway application: The device only initiates the MKI
size.
■ SBC application: The device can forward MKI size as
is for SRTP-to-SRTP flows or override the MKI size
during negotiation. This can be done on the inbound or
outbound leg.
■ The corresponding global parameter is
SRTPTxPacketMKISize.
'SBC Enforce MKI Size'
sbc-enforce-mki-size
[IpProfile_SBCEnforceMKISize]
Enables negotiation of the Master Key Identifier (MKI)
length for SRTP-to-SRTP flows between SIP networks
(i.e., IP Groups). This includes the capability of modifying
the MKI length on the inbound or outbound SBC call leg for
the SIP entity associated with the IP Profile.
■ [0] Don't enforce = (Default) Device forwards the MKI
size as is.
■ [1] Enforce = Device changes the MKI length
according to the settings of the IP Profile parameter,
MKISize.
'SBC Media Security Method'
sbc-media-security-
method
[IpProfile_
SBCMediaSecurityMethod]
Defines the media security protocol for SRTP, for the SIP
entity associated with the IP Profile.
■ [0] SDES = (Default) The device secures RTP using
the Session Description Protocol Security Descriptions
(SDES) protocol to negotiate the cryptographic keys
(RFC 4568). The keys are sent in the SDP body
('a=crypto') of the SIP message and are typically
secured using SIP over TLS (SIPS). The encryption of
the keys is in plain text in the SDP. SDES implements
TLS over TCP.
■ [1] DTLS = The device uses Datagram Transport Layer
Security (DTLS) protocol to secure UDP-based media
streams (RFCs 5763 and 5764). For more information
on DTLS, see SRTP using DTLS Protocol.
■ [2] Both = SDES and DTLS protocols are supported.
Note:
■ To support DTLS, you must also configure the following
for the SIP entity:
✔ TLS Context for DTLS (see Configuring TLS
Certificate Contexts). The server cipher ('Cipher
Server') must be configured to All.
✔ IpProfile_SBCMediaSecurityBehaviourMedia
configured to SRTP or Both.
✔ IpProfile_SBCRTCPMux configured to Supported.
The setting is required as the DTLS handshake is
done for the port used for RTP. Therefore, RTCP
and RTP should be multiplexed over the same port.
■ The device does not support forwarding of DTLS
transparently between endpoints (SIP entities).
- 418 -
To Next Page
Loading...
