CHAPTER 15 Media
Mediant 4000 SBC | User's Manual
2. From the 'Media Security' drop-down list (EnableMediaSecurity), select Enable to enable SRTP.
3. From the 'Offered SRTP Cipher Suites' drop-down list (SRTPofferedSuites), select the supported cipher suite.
4. Configure the other SRTP parameters as required.
5. Click Apply.
SRTP using DTLS Protocol
For SBC calls, you can configure the device to use the Datagram Transport Layer Security (DTLS)
protocol to secure UDP-based traffic (according to RFC 4347 and RFC 6347) for specific SIP entities,
using IP Profiles. DTLS allows datagram-based applications to communicate in a way that is
designed to prevent eavesdropping, tampering and message forgery. The DTLS protocol is based on
the stream-oriented TLS protocol and provides similar security. The device can therefore interwork in
mixed environments where one network requires DTLS and the other requires Session
Description Protocol Security Descriptions (SDES) or even non-secure RTP. The device supports
DTLS negotiation for RTP-to-SRTP and SRTP-to-SRTP calls.
DTLS support is important for deployments with WebRTC. WebRTC requires that the SRTP keys for
media channels be exchanged through DTLS. Negotiation of SRTP keys through DTLS is
done during the DTLS handshake between the WebRTC client and its peer. For more information on
WebRTC, see .
In contrast to SDES, where the SRTP keys are carried in the signaling, DTLS-SRTP exchanges the
keys over the media channel (UDP). DTLS-SRTP is therefore generally known as "secured key exchange
over media". DTLS is similar to TLS, but runs over UDP, whereas TLS runs over TCP. Before the DTLS
handshake, the peers exchange DTLS parameters (certificate fingerprint and setup role) and algorithm
types in the SDP body of the SIP messages that establish the call (INVITE request and response). The
peers then perform a DTLS handshake in which they exchange (typically self-signed) certificates and,
using the DTLS-SRTP extension (RFC 5764), derive from the handshake's master secret the symmetric
keys that protect the SRTP flow between them. A hash value calculated over each certificate is
transported in the SDP using the 'a=fingerprint' attribute. At the end of the handshake, each side
verifies that the certificate it received from the other side matches the fingerprint from that side's
SDP. This binding is only as strong as the integrity of the signaling path: a party that can modify the
SDP can substitute its own fingerprint, so DTLS-SRTP should be combined with SIP over TLS. To
indicate DTLS support, the SDP offer/answer of the SIP message uses the 'a=setup' attribute. The
device uses 'a=setup:actpass' in the SDP offer, indicating that it is willing to be either the client
('act') or the server ('pass') in the handshake, and 'a=setup:active' in the SDP answer, meaning that
it wishes to be the client ('active') in the handshake. For example:
a=setup:actpass
a=fingerprint:sha-1 4A:AD:B9:B1:3F:82:18:3B:54:02:12:DF:3E:5D:49:6B:19:E5:7C:AB

The example above uses sha-1 as the fingerprint hash; RFC 8122 requires implementations to support sha-256, which should be preferred whenever the peer supports it.
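The following is an added example (not AudioCodes code, and not a description of the device's internals) showing the two SDP-side pieces of the exchange described above: choosing the answerer's 'a=setup' role from the offer, and verifying that the certificate presented in the DTLS handshake matches the 'a=fingerprint' carried in that peer's SDP. The certificate is a constructed stand-in byte string rather than real DER, since the fingerprint is simply a hash over the certificate's DER bytes; the accepted-hash list and the preference for the active role are policy choices of this example, not device settings.

```python
import hashlib
import hmac
import re

# Hash functions this example accepts in a=fingerprint. sha-256 is the one RFC 8122
# requires every implementation to support; sha-1 is kept only because the manual's
# own SDP example uses it (policy choice of this example, not a device setting).
ACCEPTED_HASHES = {"sha-256": hashlib.sha256, "sha-1": hashlib.sha1}


def parse_dtls_attrs(sdp: str) -> dict:
    """Extract a=setup and a=fingerprint from an SDP body.

    Returns {'setup': str, 'fingerprint': (hash_name, lowercase_hex)}; keys are
    absent when the attribute is missing.
    """
    attrs = {}
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("a=setup:"):
            attrs["setup"] = line[len("a=setup:"):].strip()
        elif line.startswith("a=fingerprint:"):
            # a=fingerprint:<hash-func> <colon-separated hex octets>  (RFC 4572 / RFC 8122)
            m = re.match(r"a=fingerprint:\s*([A-Za-z0-9-]+)\s+([0-9A-Fa-f:]+)$", line)
            if not m:
                raise ValueError(f"malformed fingerprint attribute: {line}")
            attrs["fingerprint"] = (m.group(1).lower(), m.group(2).replace(":", "").lower())
    return attrs


def choose_role(offer_setup: str) -> str:
    """Pick the answerer's a=setup value for a given offer (RFC 4145 / RFC 5763).

    Like the device, prefer the client ('active') role whenever the offer allows it.
    """
    if offer_setup in ("actpass", "passive"):
        return "active"
    if offer_setup == "active":
        return "passive"
    raise ValueError(f"cannot answer an offer with a=setup:{offer_setup}")


def certificate_fingerprint(cert_der: bytes, hash_name: str) -> str:
    """Hex digest of the certificate's DER encoding under the named hash."""
    return ACCEPTED_HASHES[hash_name](cert_der).hexdigest()


def format_fingerprint(cert_der: bytes, hash_name: str = "sha-256") -> str:
    """Render the attribute line an offerer/answerer puts in its own SDP."""
    digest = certificate_fingerprint(cert_der, hash_name).upper()
    octets = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return f"a=fingerprint:{hash_name} {octets}"


def verify_peer_certificate(peer_sdp: str, handshake_cert_der: bytes) -> bool:
    """The check done at the end of the handshake: does the certificate the peer
    presented in DTLS match the fingerprint the same peer advertised in SDP?"""
    attrs = parse_dtls_attrs(peer_sdp)
    if "fingerprint" not in attrs:
        return False  # no binding between signaling and the handshake: reject
    hash_name, expected = attrs["fingerprint"]
    if hash_name not in ACCEPTED_HASHES:
        return False  # unknown or disallowed hash (e.g. md5): reject
    actual = certificate_fingerprint(handshake_cert_der, hash_name)
    return hmac.compare_digest(actual, expected)


# Constructed stand-ins. A real DTLS certificate is DER-encoded X.509; for the
# purpose of the fingerprint check, any byte string plays the same role.
PEER_CERT_DER = b"constructed stand-in for the peer's DER-encoded self-signed certificate"
ATTACKER_CERT_DER = b"constructed stand-in for a certificate injected by a man-in-the-middle"

# Constructed SDP offer from the peer, carrying its own fingerprint.
OFFER_SDP = (
    "v=0\r\n"
    "m=audio 6000 UDP/TLS/RTP/SAVP 0\r\n"
    "a=setup:actpass\r\n"
    + format_fingerprint(PEER_CERT_DER) + "\r\n"
)

if __name__ == "__main__":
    offer = parse_dtls_attrs(OFFER_SDP)
    print("answer with a=setup:" + choose_role(offer["setup"]))
    print("genuine cert accepted:", verify_peer_certificate(OFFER_SDP, PEER_CERT_DER))
    print("substituted cert accepted:", verify_peer_certificate(OFFER_SDP, ATTACKER_CERT_DER))
```

Note that the substituted-certificate case is only caught because the fingerprint in OFFER_SDP is trusted; if the attacker can also rewrite the SDP in transit, the check passes, which is why the signaling leg needs its own protection.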
Contents of the Mediant 4000 SBC User's Manual (AudioCodes Series of Session Border Controllers, Version 7.2):
Part I: Getting Started with Initial Connectivity (p. 40)
Part II: Management Tools (p. 48)
Part III: General System Settings (p. 113)
Part IV: General VoIP Configuration (p. 118)
Part V: Session Border Controller Application (p. 525)
Part VI: Cloud Resilience Package (p. 654)
Part VII: High Availability System (p. 663)
Part VIII: Maintenance (p. 685)
Part IX: Status, Performance Monitoring and Reporting (p. 759)
Part X: Diagnostics (p. 844)
Part XI: Appendix (p. 888)
Chapter 62: Technical Specifications (p. 1036)