AudioCodes Mediant 500L User Manual page 441

User's Manual
Parameter
Symmetric MKI
enable-symmetric-mki
[IpProfile_EnableSymmetric
MKI]
MKI Size
mki-size
[IpProfile_MKISize]
SBC Enforce MKI Size
sbc-enforce-mki-size
[IpProfile_SBCEnforceMKISi
ze]
Version 7.2

The parameter is applicable only when the EnableMediaSecurity
parameter is set to 1.

The corresponding global parameter is MediaSecurityBehaviour.
Enables symmetric MKI negotiation.

[0] Disable = (Default) The device includes the MKI in its SIP 200
OK response according to the SRTPTxPacketMKISize parameter
(if set to 0, it is not included; if set to any other value, it is included
with this value).

[1] Enable = The answer crypto line contains (or excludes) an MKI
value according to the selected crypto line in the offer. For
example, assume that the device receives an INVITE containing
the following two crypto lines in SDP:
a=crypto:2 AES_CM_128_HMAC_SHA1_80
inline:TAaxNnQt8/qLQMnDuG4vxYfWl6K7eBK/ufk04pR4|2
^31|1:1
a=crypto:3 AES_CM_128_HMAC_SHA1_80
inline:bnuYZnMxSfUiGitviWJZmzr7OF3AiRO0l5Vnh0kH|2
^31
The first crypto line includes the MKI parameter "1:1". In the 200
OK response, the device selects one of the crypto lines (i.e., '2' or
'3'). Typically, it selects the first line that supports the crypto suite.
However, for SRTP-to-SRTP in SBC sessions, it can be
determined by the remote side on the outgoing leg. If the device
selects crypto line '2', it includes the MKI parameter in its answer
SDP, for example:
a=crypto:2 AES_CM_128_HMAC_SHA1_80
inline:R1VyA1xV/qwBjkEklu4kSJyl3wCtYeZLq1/QFuxw|2
^31|1:1
If the device selects a crypto line that does not contain the MKI
parameter, then the MKI parameter is not included in the crypto
line in the SDP answer (even if the SRTPTxPacketMKISize
parameter is set to any value other than 0).
Note: The corresponding global parameter is EnableSymmetricMKI.
Defines the size (in bytes) of the Master Key Identifier (MKI) in SRTP
Tx packets.
The valid value is 0 to 4. The default is 0 (i.e., new keys are
generated without MKI).
Note:

Gateway application: The device only initiates the MKI size.

SBC application: The device can forward MKI size as is for SRTP-
to-SRTP flows or override the MKI size during negotiation. This
can be done on the inbound or outbound leg.

The corresponding global parameter is SRTPTxPacketMKISize.
Enables negotiation of the Master Key Identifier (MKI) length for
SRTP-to-SRTP flows between SIP networks (i.e., IP Groups). This
includes the capability of modifying the MKI length on the inbound or
outbound SBC call leg for the SIP entity associated with the IP Profile.

[0] Don't enforce = (Default) Device forwards the MKI size as is.

[1] Enforce = Device changes the MKI length according to the
settings of the IP Profile parameter, MKISize.
441
20. Coders and Profiles
Description
Mediant 500L Gateway & E-SBC