SIP SRTP on the IMG 1010 uses RFC 3711 (the IP media layer security standard) and RFC 4568 (the IP signaling security standard). The IMG provides security, confidentiality, message authentication, and replay protection for both RTP and RTCP packets, using a cryptographic key and other parameters that configure security. Feature F-0784, SIP Signaling over TLS, was introduced first to secure the IP signaling layer. In software 10.5.3, SRTP and SRTCP are added to secure the voice and data carried over the RTP stream. The information below is an overview of what is supported on the IMG. See the links in the Related Topics section for more information on the SRTP feature.
Below is a basic SIP Call Flow which has TLS and SRTP enabled. Click on each of the messages to display the Call Trace information for that message.
TLS must be configured before SRTP is configured. SRTP is available only when SIP signaling is carried over TLS.
A Secure Communications license is needed to configure SRTP and TLS. See License Info and IMG 1010 - Licensing for more information.
SRTP is supported using SIP only. H.323 is not supported.
The IMG supports the following crypto-suites for incoming and outgoing SIP. The parameters can be a mix of uppercase and lowercase values as specified in RFC 4568:
AES_CM_128_HMAC_SHA1_80
AES_CM_128_HMAC_SHA1_32
F8_128_HMAC_SHA1_80
The optional parameter FEC (Forward Error Correction) Control is not supported.
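The suite list and FEC restriction above can be checked against an SDP offer before it reaches the gateway. The following is an added example, not IMG code: it parses RFC 4568 `a=crypto` attributes and reports which offered lines match the suites on this page. Picking the first acceptable line and rejecting any line that carries an FEC session parameter are assumed policies, and the sample offer and key are constructed.

```python
import base64

# Crypto-suites this page lists as supported.
SUPPORTED = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32",
             "F8_128_HMAC_SHA1_80"}
FEC_PARAMS = ("FEC_ORDER", "FEC_KEY")  # RFC 4568 FEC session parameters
KEY_SALT_LEN = 30  # 128-bit master key + 112-bit salt, same for all three suites

def check_crypto_line(line):
    """Return (tag, suite, problems) for one SDP a=crypto attribute."""
    fields = line.strip()[len("a=crypto:"):].split()
    if len(fields) < 3:
        return None, None, ["malformed attribute"]
    tag, suite, key_params = fields[0], fields[1].upper(), fields[2]
    problems = []
    if suite not in SUPPORTED:
        problems.append("unsupported suite")
    method, _, key_info = key_params.partition(":")
    if method.lower() != "inline":
        problems.append("key method is not inline")
    else:
        try:  # key_info is base64(key||salt)[|lifetime][|MKI:length]
            raw = base64.b64decode(key_info.split("|")[0], validate=True)
            if len(raw) != KEY_SALT_LEN:
                problems.append("key||salt is not 30 bytes")
        except ValueError:
            problems.append("key is not valid base64")
    if any(p.upper().startswith(FEC_PARAMS) for p in fields[3:]):
        problems.append("FEC session parameter present")
    return tag, suite, problems

def first_acceptable(sdp):
    """First offered a=crypto line with no problems (assumed selection policy)."""
    for line in sdp.splitlines():
        if line.strip().lower().startswith("a=crypto:"):
            tag, suite, problems = check_crypto_line(line)
            if not problems:
                return tag, suite
    return None

# Constructed sample offer; the key is a dummy value, not real key material.
KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = "\n".join([
    "m=audio 49170 RTP/SAVP 0",
    f"a=crypto:1 AES_256_CM_HMAC_SHA1_80 inline:{KEY}",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^20|1:4 FEC_ORDER=FEC_SRTP",
    f"a=crypto:3 aes_cm_128_hmac_sha1_32 inline:{KEY}|2^20",
])
if __name__ == "__main__":
    print(first_acceptable(SAMPLE_OFFER))
```
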
SRTP is supported on the Mindspeed VoIP module only.
Fax Relay using T.38 shall work as it always has. T.38 fax over UDPTL will not be encrypted even if the initial voice data in the same session was encrypted using SRTP.
Fax/Modem bypass using G.711 u/A shall be encrypted using the same rules that applied to the initial voice data for the session.
A new BooTP flag is defined to enable TLS/SRTP. See Setting Host Flags for more information.
SRTP functionality is enabled or disabled using the SIP SGP pane in ClientView. See SRTP - Configuration.
Because SRTP is configured in the SIP SGP pane, SRTP can be configured on a specific channel group and left unconfigured on another channel group.
Enabling SRTP changes the number of channels available. The table below displays the channel densities when SRTP is enabled and when SRTP is disabled.
RTP Redundancy cannot be applied when SRTP is enabled. RTP Redundancy is configured in the IP Bearer Profile pane.
| Profile # | VoIP Module Resources (SRTP Enabled) | VoIP Module Resources (SRTP Disabled) |
|---|---|---|
| Profile 5 | 336 Resources | 512 Resources |
| Profile 6 | 288 Resources | 336 Resources |
| Profile 7 | 288 Resources | 336 Resources |