SRTP Using DTLS Protocol - AudioCodes Mediant 4000 SBC User Manual

CHAPTER 15    Media
2. From the 'Media Security' drop-down list (EnableMediaSecurity), select Enable to enable SRTP.
3. From the 'Offered SRTP Cipher Suites' drop-down list (SRTPofferedSuites), select the supported cipher suite.
4. Configure the other SRTP parameters as required.
5. Click Apply.

SRTP using DTLS Protocol

For SBC calls, you can configure the device to use the Datagram Transport Layer Security (DTLS)
protocol to secure UDP-based traffic (according to RFC 4347 and 6347) for specific SIP entities,
using IP Profiles. DTLS allows datagram-based applications to communicate in a way that is
designed to prevent eavesdropping, tampering or message forgery. The DTLS protocol is based on
the stream-oriented TLS protocol and provides similar security. The device can therefore interwork in
mixed environments where one network may require DTLS and the other may require Session
Description Protocol Security Descriptions (SDES) or even non-secure RTP. The device supports
DTLS negotiation for RTP-to-SRTP and SRTP-to-SRTP calls.
DTLS support is important for deployments with WebRTC. WebRTC requires that media channels
be encrypted through DTLS for SRTP key exchange. Negotiation of SRTP keys through DTLS is
done during the DTLS handshake between WebRTC client and peer. For more information on
WebRTC, see WebRTC.
In contrast to SDES, the DTLS key exchange is done over the media channel (UDP), not over signaling.
Thus, DTLS-SRTP is generally known as "secured key exchange over media". DTLS is similar to
TLS, but runs over UDP, whereas TLS is over TCP. Before the DTLS handshake, the peers
exchange DTLS parameters (fingerprint and setup) and algorithm types in the SDP body of the SIP
messages exchanged for establishing the call (INVITE request and response). The peers
participate in a DTLS handshake during which they exchange certificates. These certificates are
used to derive a symmetric key, which is used to encrypt data (SRTP) flow between the peers. A
hash value calculated over the certificate is transported in the SDP using the 'a=fingerprint'
attribute. At the end of the handshake, each side verifies that the certificate it received from the
other side fits the fingerprint from the SDP. To indicate DTLS support, the SDP offer/answer of the
SIP message uses the 'a=setup' attribute. The 'a=setup:actpass' attribute value is used in the SDP
offer by the device. This indicates that the device is willing to be either a client ('act') or a server
('pass') in the handshake. The 'a=setup:active' attribute value is used in the SDP answer by the
device. This means that the device wishes to be the client ('active') in the handshake.
a=setup:actpass
a=fingerprint: SHA-1 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB
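The two checks the text describes, the a=setup role negotiation and the end-of-handshake comparison of the received certificate against the a=fingerprint value, as an added example in Python (not AudioCodes code; the SDP fragments and the "certificate" bytes are constructed stand-ins, and the helper names are this example's own):

```python
import hashlib
import hmac
import re

# Hash names permitted in a=fingerprint (RFC 8122), mapped to hashlib algorithm names
FINGERPRINT_HASHES = {"sha-1": "sha1", "sha-256": "sha256", "sha-384": "sha384", "sha-512": "sha512"}

def parse_dtls_sdp(sdp: str) -> dict:
    """Pull the two DTLS attributes the text describes out of an SDP body."""
    setup = re.search(r"^a=setup:(\w+)\s*$", sdp, re.M)
    fp = re.search(r"^a=fingerprint:\s*([\w-]+)\s+([0-9A-Fa-f:]+)\s*$", sdp, re.M)
    if not setup or not fp:
        raise ValueError("SDP carries no a=setup/a=fingerprint: DTLS-SRTP was not negotiated")
    return {"setup": setup.group(1).lower(), "hash": fp.group(1).lower(),
            "fingerprint": fp.group(2).upper()}

def answerer_role(offer_setup: str, answer_setup: str) -> str:
    """Resolve the handshake role of the answerer from the a=setup pair (RFC 4145 rules):
    'active' means DTLS client, 'passive' means DTLS server."""
    allowed = {"actpass": {"active", "passive"}, "active": {"passive"}, "passive": {"active"}}
    if answer_setup not in allowed.get(offer_setup, set()):
        raise ValueError(f"a=setup:{answer_setup} is not a valid answer to a=setup:{offer_setup}")
    return answer_setup

def certificate_fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Digest over the DER certificate, rendered as colon-separated uppercase hex like the SDP."""
    digest = hashlib.new(FINGERPRINT_HASHES[hash_name], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)

def verify_peer_certificate(cert_der: bytes, peer_sdp: str) -> bool:
    """End-of-handshake check: the certificate received over DTLS must match the
    fingerprint the same peer signalled in its SDP, otherwise the media key is untrusted."""
    attrs = parse_dtls_sdp(peer_sdp)
    if attrs["hash"] not in FINGERPRINT_HASHES:
        raise ValueError(f"unsupported fingerprint hash {attrs['hash']}")
    expected = certificate_fingerprint(cert_der, attrs["hash"])
    return hmac.compare_digest(expected, attrs["fingerprint"])

# Constructed stand-in for the peer's DER certificate (not a real X.509 structure)
PEER_CERT_DER = b"constructed-stand-in-for-the-peer-DER-certificate"
# Constructed SDP answer from the peer: it takes the client role and signals its fingerprint
PEER_ANSWER_SDP = ("m=audio 6000 UDP/TLS/RTP/SAVP 0\r\n"
                   "a=setup:active\r\n"
                   f"a=fingerprint:sha-256 {certificate_fingerprint(PEER_CERT_DER, 'sha-256')}\r\n")

if __name__ == "__main__":
    print("answerer role:", answerer_role("actpass", parse_dtls_sdp(PEER_ANSWER_SDP)["setup"]))
    print("genuine cert matches SDP:", verify_peer_certificate(PEER_CERT_DER, PEER_ANSWER_SDP))
    # A different certificate presented in the handshake hashes differently and is rejected
    print("other cert matches SDP:", verify_peer_certificate(b"some-other-constructed-cert", PEER_ANSWER_SDP))
```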
- 182 -
Mediant 4000 SBC | User's Manual