User's Manual  440  Document #: LTRT-10632 
 
  Mediant 800B Gateway & E-SBC 
Parameter  Description 
inline:bnuYZnMxSfUiGitviWJZmzr7OF3AiRO0l5Vnh0kH|2^31 
The first crypto line includes the MKI parameter "1:1". In the 200 
OK response, the device selects one of the crypto lines (i.e., '2' or 
'3'). Typically, it selects the first line that supports the crypto suite. 
However, for SRTP-to-SRTP in SBC sessions, it can be 
determined by the remote side on the outgoing leg. If the device 
selects crypto line '2', it includes the MKI parameter in its answer 
SDP, for example: 
a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:R1VyA1xV/qwBjkEklu4kSJyl3wCtYeZLq1/QFuxw|2^31|1:1 
If the device selects a crypto line that does not contain the MKI 
parameter, then the MKI parameter is not included in the SDP 
answer (even if the SRTPTxPacketMKISize parameter is set to any 
value other than 0). 
Note: The corresponding global parameter is EnableSymmetricMKI. 
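Added example (not part of the manual and not AudioCodes code): a short Python sketch of the symmetric MKI behavior described above, which parses SDES 'a=crypto' lines and includes the MKI in the answer only when the selected offer line carries one. The names parse_crypto, select_answer, SAMPLE_KEY and OFFER are hypothetical, the offer is constructed sample data, and the selection rule modeled is only the "first line that supports the crypto suite" case.

```python
import base64
import re

# RFC 4568 key-params: inline:<base64 key||salt>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+)\s+(?P<suite>\S+)\s+"
    r"inline:(?P<key>[A-Za-z0-9+/=]+)(?P<rest>(?:\|[^|\s]+)*)\s*$")

def parse_crypto(line):
    """Split one SDES 'a=crypto' line into tag, suite, key size, lifetime, MKI."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    out = {"tag": int(m["tag"]), "suite": m["suite"], "lifetime": None,
           "mki": None, "key_bytes": len(base64.b64decode(m["key"]))}
    for field in filter(None, m["rest"].split("|")):
        if ":" in field:            # MKI as value:length-in-bytes, e.g. 1:1
            value, length = field.split(":")
            out["mki"] = (int(value), int(length))
        else:                       # key lifetime, e.g. 2^31
            out["lifetime"] = field
    return out

def select_answer(offer_lines, supported_suites):
    """Pick the first offered line whose suite is supported. The answer
    carries the MKI only if the selected offer line carries one."""
    for line in offer_lines:
        c = parse_crypto(line)
        if c["suite"] in supported_suites:
            return {"tag": c["tag"], "suite": c["suite"],
                    "include_mki": c["mki"] is not None, "mki": c["mki"]}
    return None                     # no common suite: nothing to answer with

# Constructed sample offer (not from the manual): 30-byte key||salt, base64.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
OFFER = [
    "a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:%s|2^31|1:1" % SAMPLE_KEY,
    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:%s|2^31" % SAMPLE_KEY,
]

if __name__ == "__main__":
    both = {"AES_CM_128_HMAC_SHA1_32", "AES_CM_128_HMAC_SHA1_80"}
    print(select_answer(OFFER, both))                         # line 1, MKI echoed
    print(select_answer(OFFER, {"AES_CM_128_HMAC_SHA1_80"}))  # line 2, no MKI
```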
MKI Size 
mki-size 
[IpProfile_MKISize] 
Defines the size (in bytes) of the Master Key Identifier (MKI) in SRTP 
Tx packets. 
The valid value is 0 to 4. The default is 0 (i.e., new keys are generated 
without MKI). 
Note:  
  Gateway application: The device only initiates the MKI size. 
  SBC application: The device can forward MKI size as is for SRTP-
to-SRTP flows or override the MKI size during negotiation. This can 
be done on the inbound or outbound leg. 
  The corresponding global parameter is SRTPTxPacketMKISize. 
SBC Enforce MKI Size 
sbc-enforce-mki-size 
[IpProfile_SBCEnforceMKISize] 
Enables negotiation of the Master Key Identifier (MKI) length for 
SRTP-to-SRTP flows between SIP networks (i.e., IP Groups). This 
includes the capability of modifying the MKI length on the inbound or 
outbound SBC call leg for the SIP entity associated with the IP Profile. 
  [0] Don't enforce = (Default) Device forwards the MKI size as is. 
  [1] Enforce = Device changes the MKI length according to the 
settings of the IP Profile parameter, MKISize. 
SBC Media Security Method 
sbc-media-security-method 
[IpProfile_SBCMediaSecurityMethod] 
Defines the media security protocol for SRTP, for the SIP entity 
associated with the IP Profile. 
  [0] SDES = (Default) The device secures RTP using the Session 
Description Protocol Security Descriptions (SDES) protocol to 
negotiate the cryptographic keys (RFC 4568). The keys are sent in 
the SDP body ('a=crypto') of the SIP message and are typically 
secured using SIP over TLS (SIPS). The keys themselves appear 
in plain text in the SDP. SDES implements TLS over TCP. 
  [1] DTLS = The device uses Datagram Transport Layer Security 
(DTLS) protocol to secure UDP-based media streams (RFCs 5763 
and 5764). For more information on DTLS, see SRTP using DTLS 
Protocol on page 224. 
  [2] Both = SDES and DTLS protocols are supported. 
Note: 
  To support DTLS, you must also configure the following for the SIP 
entity: 
  TLS Context for DTLS (see Configuring TLS Certificate