Media Flow Encryption - HP FlexNetwork MSR Series Configuration Manual


passing authentication. SIP messages are encrypted during SIP over TLS transmissions to prevent
your data from being sniffed. This increases the security of voice communications.
For more information about signaling encryption, see "Configuring TLS for SIP calls."
SIP over TLS requires the configuration of TLS security policies. For information about how to
configure the TLS security policies, see HPE FlexNetwork MSR Router Series Comware 5 Security
Configuration Guide.

Media flow encryption

Real-time Transport Protocol (RTP) and Real-time Transport Control Protocol (RTCP) are supported
media flow protocols. RTP provides end-to-end real-time transmission for real-time data such as
audio and video data. RTCP monitors data transmission in real time and performs congestion and
traffic control in time. RTP and RTCP can work together to optimize the transmission efficiency by
providing efficient replies and minimizing overheads.
Media flows are transmitted in plain text. To ensure transmission security, the Secure Real-Time
Transport Protocol (SRTP) was introduced.
SRTP provides for encryption of the RTP/RTCP packet payload, for authentication of the entire
RTP/RTCP packet, and for packet replay protection. For more information about media flow
encryption, see "Configuring media flow protocols for SIP sessions."
The first step of SRTP encryption is to negotiate encryption information, which can only be carried in
the crypto header field of the Session Description Protocol (SDP) at present. The initiator sends its
encryption information to the receiver for negotiation. If the negotiation is successful, the receiver
returns corresponding encryption information. After a session is established, each end uses its own
key to encrypt sent RTP/RTCP packets and uses the key of the peer to decrypt received RTP/RTCP
packets.
As shown in Table 14, SDP negotiation includes the following cryptographic attributes:

Table 14 Cryptographic attributes

| Attribute | Description | Remarks |
|---|---|---|
| Tag | The tag attribute is an identifier for a particular cryptographic attribute to determine which of the several offered cryptographic attributes was chosen by the receiver. | Required. |
| Crypto-Suite | The crypto-suite attribute defines the encryption and authentication algorithm. The device supports suites AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32. | Required. |
| Key Parameters | The key parameters attribute defines key information, including the key generation algorithm and the key value. | Required. |
| Session Parameters | The session parameters attribute defines session parameters, such as key generation rate, UNENCRYPTED_SRTP, UNENCRYPTED_SRTCP, UNAUTHENTICATED_SRTP, and FEC. | Optional. Not supported. |

When SRTP is used to encrypt RTP/RTCP packets, the encryption engine, if enabled, encrypts and
authenticates RTP/RTCP packets. If the encryption engine is disabled, the CPU encrypts and
authenticates RTP/RTCP packets. For more information about the encryption engine, see HPE
FlexNetwork MSR Router Series Comware 5 Security Configuration Guide.
SRTP is available only for SIP calls. SIP trunk devices do not support SRTP.
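
A receiver-side check of the cryptographic attributes in Table 14, as an added example that is not from the manual or the device firmware: it parses each `a=crypto:` line (syntax assumed from RFC 4568), accepts only the two suites the page lists, and refuses offers that carry session parameters. Function names and the sample SDP are constructed, and the 30-byte key-plus-salt length is the AES_CM_128 value assumed from RFC 4568.

```python
import base64

# Added example: names and sample values are constructed, not device code.
SUPPORTED = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")  # from the page
KEY_SALT_LEN = 30  # AES_CM_128: 16-byte master key + 14-byte master salt

def parse_crypto(line):
    """Split 'a=crypto:<tag> <crypto-suite> <key-params> [session-params]'."""
    if not line.startswith("a=crypto:"):
        raise ValueError("not a crypto attribute")
    fields = line[len("a=crypto:"):].split()
    if len(fields) < 3 or not fields[0].isdigit():
        raise ValueError("tag, crypto-suite and key parameters are required")
    tag, suite, key_params, *session = fields
    method, _, key_info = key_params.partition(":")
    if method != "inline":
        raise ValueError("unknown key method")
    # key-info is base64(key || salt), optionally followed by |lifetime|MKI
    key = base64.b64decode(key_info.split("|")[0], validate=True)
    return int(tag), suite, key, session

def check_offer(line):
    """Return 'ok' or the reason a receiver should refuse this attribute."""
    try:
        _tag, suite, key, session = parse_crypto(line)
    except ValueError as exc:  # binascii.Error is a ValueError too
        return f"malformed: {exc}"
    if suite not in SUPPORTED:
        return "unsupported crypto-suite"
    if len(key) != KEY_SALT_LEN:
        return "wrong key length"
    if session:  # e.g. UNENCRYPTED_SRTP would switch encryption off
        return "session parameters not supported"
    return "ok"

def select_offer(sdp):
    """Tag and suite of the first acceptable offer, or None if none qualifies."""
    for line in sdp.splitlines():
        if line.startswith("a=crypto:") and check_offer(line) == "ok":
            tag, suite, _key, _session = parse_crypto(line)
            return tag, suite
    return None

KEY = base64.b64encode(bytes(range(30))).decode()  # constructed, not a real key
SAMPLE_SDP = "\r\n".join([
    f"a=crypto:1 F8_128_HMAC_SHA1_80 inline:{KEY}",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{KEY} UNENCRYPTED_SRTP",
    f"a=crypto:3 AES_CM_128_HMAC_SHA1_80 inline:{KEY[:24]}",
    f"a=crypto:4 AES_CM_128_HMAC_SHA1_32 inline:{KEY}|2^20",
])
```

Running `select_offer(SAMPLE_SDP)` picks tag 4, the only offer that passes all three checks; the tag is what the receiver echoes back so the initiator knows which attribute was chosen.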
