274
Signaling encryption
TLS runs over TCP and provides a complete set of authentication and encryption solutions for
application layer protocols. When you establish a TLS connection, both sides must authenticate
each other by using their own digital certificates. They can communicate with each other only after
passing authentication. SIP messages are encrypted during SIP over TLS transmissions to prevent
your data from being sniffed and increases the security of voice communications.
Media flow encryption
RTP and RTCP are the supported media flow protocols. RTP provides end-to-end real-time
transmission for real-time data such as audio and video data. RTCP monitors data transmission in
real time and performs congestion and traffic control in time. RTP and RTCP can work together to
optimize the transmission efficiency by providing efficient replies and minimizing overheads.
Media flows are transmitted in plain text. To ensure transmission security, the Secure Real-Time
Transport Protocol (SRTP) was introduced.
SRTP provides for encryption of the RTP/RTCP packet payload, for authentication of the entire
RTP/RTCP packet, and for packet replay protection.
The first step of SRTP encryption is to negotiate encryption information, which can only be carried in
the crypto header field of the Session Description Protocol (SDP). The initiator sends its encryption
information to the receiver for negotiation. If the negotiation is successful, the receiver returns
corresponding encryption information. After you establish a session, each end uses its own key to
encrypt sent RTP/RTCP packets and uses the key of the peer to decrypt received RTP/RTCP
packets.
SDP negotiation includes the following cryptographic attributes:
Table 238 Cryptographic attributes
Attribute Description Remarks
Tag
The tag attribute is an identifier for a particular cryptographic
attribute to determine which of the several offered
cryptographic attributes was chosen by the receiver.
Required.
Crypto-Suite
The crypto-suite attribute defines the encryption and
authentication algorithm. The device supports suites
AES_CM_128_HMAC_SHA1_80 and
AES_CM_128_HMAC_SHA1_32.
Required.
Key Parameters
The key parameters attribute defines key information,
including the key generation algorithm and the key value.
Required.
Session
Parameters
The session parameters attribute defines session parameters,
such as key generation rate, UNENCRYPTED_SRTP,
UNENCRYPTED_SRTCP, UNAUTHENTICATED_SRTP, and
FEC.
Optional.
Not supported.
When you use SRTP to encrypt RTP/RTCP packets, the encryption engine, if enabled, encrypts and
authenticates RTP/RTCP packets. If the encryption engine is disabled, the CPU encrypts and
authenticates RTP/RTCP packets. For more information about the encryption engine, see HPE
FlexNetwork MSR Router Series Comware 5 Security Configuration Guide.
SRTP is available only for SIP calls. SIP trunk devices do not support SRTP. For information about
SIP trunk, see "Configuring SIP trunk."
To Next Page
Loading...
Need help?
General
