AudioCodes Mediant 4000 SBC User Manual page 214

CHAPTER 15    Media
The key lifetime field is not supported. However, if it is included in the key, it is ignored and the
call does not fail. For SBC calls belonging to a specific SIP entity, you can configure the device to
remove the lifetime field in the 'a=crypto' attribute (using the IP Profile parameter,
IpProfile_SBCRemoveCryptoLifetimeInSDP).
For SDES, the keys are sent in the SDP body ('a=crypto') of the SIP message and are typically
secured using SIP over TLS (SIPS). The keys themselves are carried in plain text in the SDP. The
device supports the following session parameters:
UNENCRYPTED_SRTP
UNENCRYPTED_SRTCP
UNAUTHENTICATED_SRTP
Session parameters should be the same for the local and remote sides. When the device is the
offering side, the session parameters are configured by the following parameters: 'Authentication
on Transmitted RTP Packets', 'Encryption on Transmitted RTP Packets', and 'Encryption on
Transmitted RTCP Packets'. When the device is the answering side, the device adjusts these
parameters according to the remote offering. Unsupported session parameters are ignored and do
not cause a call failure.
Below is an example of crypto attributes usage:
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PsKoMpHlCg+b5X0YLuSvNrImEh/dAe
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:IsPtLoGkBf9a+c6XVzRuMqHlDnEiAd
The device also supports symmetric MKI negotiation, whereby it can forward the MKI size received
in the SDP offer 'a=crypto' line in the SDP answer. You can enable symmetric MKI globally (using
the EnableSymmetricMKI parameter) or per SIP entity (using the IP Profile parameter,
IpProfile_EnableSymmetricMKI and, for SBC calls, IpProfile_SBCEnforceMKISize). For more information
on symmetric MKI, see Configuring IP Profiles.
You can configure the enforcement policy of SRTP, using the EnableMediaSecurity parameter and
IpProfile_SBCMediaSecurityBehaviour parameter for SBC calls. For example, if negotiation of the
cipher suite fails or if incoming calls exclude encryption information, the device can be configured to
reject the calls.
You can also enable the device to validate the authentication of packets for SRTP tunneling for
RTP and RTCP. This applies only to SRTP-to-SRTP SBC calls and where the endpoints use the
same key. This is configured using the 'SRTP Tunneling Authentication for RTP' and 'SRTP
Tunneling Authentication for RTCP' parameters.
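The 'a=crypto' fields described above (key, lifetime, MKI and session parameters) can be checked in captured SDP with a small parser. This is an added example, not part of the manual and not AudioCodes code: the function names, the constructed key and the sample SDP are assumptions, and strip_lifetime only illustrates what removing the lifetime field does to the line.

```python
import base64
import re

# Session parameters named in the manual; each one switches off a protection.
WEAKENING = {"UNENCRYPTED_SRTP", "UNENCRYPTED_SRTCP", "UNAUTHENTICATED_SRTP"}
# Master key plus salt, in bytes, for the suites in the manual's example (RFC 4568).
KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:(\S+)((?: \S+)*)$")

def parse_crypto(line):
    """Parse one single-key 'a=crypto' line; raise ValueError if malformed."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an SDES crypto attribute: {line!r}")
    tag, suite, key_info, session = m.groups()
    key_b64, *extra = key_info.split("|")
    # MKI is written value:length (e.g. 1:4); lifetime is a decimal or 2^n count.
    mki = next((f for f in extra if ":" in f), None)
    lifetime = next((f for f in extra if ":" not in f), None)
    key = base64.b64decode(key_b64, validate=True)  # binascii.Error is a ValueError
    return {"tag": int(tag), "suite": suite, "key_b64": key_b64, "key": key,
            "lifetime": lifetime, "mki": mki, "session": session.split()}

def strip_lifetime(line):
    """Rebuild the line without the lifetime field, keeping key, MKI and session params."""
    c = parse_crypto(line)
    key_info = c["key_b64"] + ("|" + c["mki"] if c["mki"] else "")
    return " ".join([f"a=crypto:{c['tag']}", c["suite"], f"inline:{key_info}"] + c["session"])

def audit(sdp):
    """Return (tag, finding) pairs for the crypto lines of an SDP body."""
    findings = []
    for line in sdp.splitlines():
        if not line.startswith("a=crypto:"):
            continue
        c = parse_crypto(line)
        findings += [(c["tag"], p) for p in c["session"] if p in WEAKENING]
        want = KEY_SALT_LEN.get(c["suite"])
        if want is not None and len(c["key"]) != want:
            findings.append((c["tag"], f"key+salt is {len(c['key'])} bytes, expected {want}"))
        if c["lifetime"]:
            findings.append((c["tag"], "lifetime " + c["lifetime"]))
    return findings

KEY = base64.b64encode(bytes(range(30))).decode()  # constructed key, not a real one
SAMPLE_SDP = ("m=audio 6000 RTP/SAVP 0\r\n"  # constructed SDP fragment
              f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^31|1:1\r\n"
              f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY} UNENCRYPTED_SRTCP\r\n")
```

The inline values in the manual's own example are 30 characters, not the 40 base64 characters that a 30-byte key and salt encode to, so parse_crypto raises ValueError on them.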
The procedure below describes how to configure SRTP through the Web interface.
To enable and configure SRTP:
1. Open the Media Security page (Setup menu > Signaling & Media tab > Media folder > Media
   Security).
The device can forward MKI size transparently for SRTP-to-SRTP media flows or
override the MKI size during negotiation (inbound or outbound leg).
For a detailed description of the SRTP parameters, see SRTP Parameters.
When SRTP is used, channel capacity may be reduced.
Mediant 4000 SBC | User's Manual