AudioCodes Mediant 4000 SBC User Manual page 205

Session border controller
User's Manual
parameter) or per SIP entity (using the IP Profile parameter, IpProfile_MKISize). The length
of the MKI is limited to four bytes. If the remote side sends a longer MKI, the key is ignored.
Note: The device can forward MKI size transparently for SRTP-to-SRTP media flows
or override the MKI size during negotiation (inbound or outbound leg).
The key lifetime field is not supported. However, if it is included in the key it is ignored and
the call does not fail. For SBC calls belonging to a specific SIP entity, you can configure the
device to remove the lifetime field in the 'a=crypto' attribute (using the IP Profile parameter,
IpProfile_SBCRemoveCryptoLifetimeInSDP).
For SDES, the keys are sent in the SDP body ('a=crypto') of the SIP message and are
typically secured using SIP over TLS (SIPS). The keys themselves appear in plain text in
the SDP. The device supports the following session parameters:
UNENCRYPTED_SRTP
UNENCRYPTED_SRTCP
UNAUTHENTICATED_SRTP
Session parameters should be the same for the local and remote sides. When the device is
the offering side, the session parameters are configured by the following parameters:
'Authentication On Transmitted RTP Packets', 'Encryption On Transmitted RTP Packets',
and 'Encryption On Transmitted RTCP Packets'. When the device is the answering side,
the device adjusts these parameters according to the remote offering. Unsupported
session parameters are ignored, and do not cause a call failure.
Below is an example of crypto attributes usage:
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PsKoMpHlCg+b5X0YLuSvNrImEh/dAe
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:IsPtLoGkBf9a+c6XVzRuMqHlDnEiAd
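The following added example (not part of the AudioCodes manual) parses 'a=crypto' lines and reports the conditions described above: an MKI longer than four bytes, a lifetime field, and session parameters that switch off encryption or authentication. It assumes the RFC 4568 key layout (inline:key|lifetime|MKI:length) with a single key per line; the function names are hypothetical, and the sample lines are constructed by appending fields to the manual's two example keys.

```python
import re

# Session parameters the manual lists as supported; each one weakens protection.
WEAKENING = {"UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP"}
MAX_MKI_BYTES = 4  # MKI length limit stated in the manual
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:(\S+)((?:\s+\S+)*)\s*$")

# Constructed sample input: the manual's keys with lifetime, MKI and a session parameter added.
SAMPLE = [
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PsKoMpHlCg+b5X0YLuSvNrImEh/dAe|2^31|1:4",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:IsPtLoGkBf9a+c6XVzRuMqHlDnEiAd|1:8 UNENCRYPTED_SRTCP",
]

def parse_crypto(line):
    """Parse one SDES 'a=crypto' line (assumed RFC 4568 layout, single key)."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an a=crypto line: %r" % line)
    tag, suite, key_params, session = m.groups()
    key, *fields = key_params.split("|")
    attr = {"tag": int(tag), "suite": suite, "key": key, "lifetime": None,
            "mki": None, "mki_len": None, "session": session.split()}
    for field in fields:
        if ":" in field:   # MKI is written as value:length (length in bytes)
            value, length = field.split(":", 1)
            attr["mki"], attr["mki_len"] = int(value), int(length)
        else:              # lifetime, e.g. 2^31 or a decimal packet count
            attr["lifetime"] = field
    return attr

def audit(attr):
    """Return findings for one parsed attribute, per the behaviour the manual describes."""
    findings = []
    if attr["mki_len"] is not None and attr["mki_len"] > MAX_MKI_BYTES:
        findings.append("MKI longer than 4 bytes: key ignored")
    if attr["lifetime"] is not None:
        findings.append("lifetime present: ignored, call does not fail")
    findings += ["weakened protection: " + p for p in attr["session"] if p in WEAKENING]
    return findings

def strip_lifetime(line):
    """Rebuild the line without the lifetime field, keeping any MKI."""
    a = parse_crypto(line)
    key = a["key"]
    if a["mki"] is not None:
        key += "|%d:%d" % (a["mki"], a["mki_len"])
    return " ".join(["a=crypto:%d" % a["tag"], a["suite"], "inline:" + key] + a["session"])
```

Run against captured SDP offers, audit() shows which lines a peer is sending that the device would ignore or that reduce protection, and strip_lifetime() shows the form a line takes once the lifetime field is removed.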
The device also supports symmetric MKI negotiation, whereby it can forward the MKI size
received in the SDP offer 'a=crypto' line in the SDP answer. You can enable symmetric
MKI globally (using the EnableSymmetricMKI parameter) or per SIP entity (using the IP
Profile parameter, IpProfile_EnableSymmetricMKI and IpProfile_SBCEnforceMKISize). For
more information on symmetric MKI, see ''Configuring IP Profiles'' on page 418.
You can configure the enforcement policy of SRTP, using the
IpProfile_SBCMediaSecurityBehaviour parameter. For example, if negotiation of the cipher
suite fails or if incoming calls exclude encryption information, the device can be configured
to reject the calls.
Note:
For a detailed description of the SRTP parameters, see ''Configuring IP Profiles''
on page 418 and ''SRTP Parameters'' on page 841.
When SRTP is used, the channel capacity may be reduced.
The procedure below describes how to configure SRTP through the Web interface.
14. Media
Version 7.2 205 Mediant 4000 SBC


This manual is also suitable for:

Mediant 4000b sbc
