Technical Bulletin 25751



Similar documents
Configuring SIP Support for SRTP

TLS and SRTP for Skype Connect. Technical Datasheet

IP Office Technical Tip

Best Practices for SIP Security

Three-Way Calling using the Conferencing-URI

NATIONAL SECURITY AGENCY Ft. George G. Meade, MD

Mobicents 2.0 The Open Source Communication Platform. DERUELLE Jean JBoss, by Red Hat 138

Grandstream Networks, Inc.

TraceSim 3.0: Advanced Measurement Functionality. of Video over IP Traffic

TECHNICAL SUPPORT NOTE. 3-Way Call Conferencing with Broadsoft - TA900 Series

Asterisk with Twilio Elastic SIP Trunking Interconnection Guide using Secure Trunking (SRTP/TLS)

This specification this document to get an official version of this User Network Interface Specification

Alcatel OmniPCX Enterprise R11 Supported SIP RFCs

SIP Security. ENUM-Tag am 28. September in Frankfurt. Prof. Dr. Andreas Steffen. Agenda.

Session Initiation Protocol (SIP) The Emerging System in IP Telephony

Basic Vulnerability Issues for SIP Security

NTP VoIP Platform: A SIP VoIP Platform and Its Services

WebSOCKET based Real time text (RTT) WebRTC gateway For WebRTC and SIP interop. Version 2.5a. Projet Sécuritas

VegaStream Information Note T.38 protocol interactions

Enabling Security Features in Firmware DGW v2.0 June 22, 2011

Application Note. Firewall Requirements for the Onsight Mobile Collaboration System and Hosted Librestream SIP Service v5.0

MyIC setup and configuration (with sample configuration for Alcatel Lucent test environment)

Application Notes for Configuring SIP Trunking between McLeodUSA SIP Trunking Solution and an Avaya IP Office Telephony Solution 1.

Whitepaper: Microsoft Office Communications Server 2007 R2 and Cisco Unified Communications Manager Integration Options

Master Kurs Rechnernetze Computer Networks IN2097

Abstract. Avaya Solution & Interoperability Test Lab

VoIP some threats, security attacks and security mechanisms. Lars Strand RiskNet Open Workshop Oslo, 24. June 2009

Encapsulating Voice in IP Packets

IP Office 4.2 SIP Trunking Configuration Guide AT&T Flexible Reach and AT&T Flexible Reach with Business in a Box (SM)

Aastra BluStar TM 8000i Desktop Media Phone / Aastra BluStar TM for Conference Room SIP Call Server Release Notes. Draft

Man-in-the-Middle Attack on T-Mobile Wi-Fi Calling

Session Initiation Protocol and Services

CHAPTER 1 INTRODUCTION

Application Note. Onsight Connect Network Requirements V6.1

Technical Bulletin Using Polycom SoundPoint IP and Polycom SoundStation IP Phones with Asterisk

Dialogic 4000 Media Gateway Series

Release Notes for NeoGate TE X

White paper. SIP An introduction

SIP Basics. CSG VoIP Workshop. Dennis Baron January 5, Dennis Baron, January 5, 2005 Page 1. np119

Secured Communications using Linphone & Flexisip

SIP: Ringing Timer Support for INVITE Client Transaction

SIP ALG - Session Initiated Protocol Applications- Level Gateway

Interactive Intelligence CIC 2015 R4 Patch1 Configuration Guide

Deployment Guide for the Polycom SoundStructure VoIP Interface for Cisco Unified Communications Manager (SIP)

Computer Networks. Voice over IP (VoIP) Professor Richard Harris School of Engineering and Advanced Technology (SEAT)

SIP 2.0 Administrator s Guide SoundPoint /SoundStation IP SIP

Technical Bulletin 5844

SIP: Session Initiation Protocol. Copyright by Elliot Eichen. All rights reserved.

A Comparative Study of Signalling Protocols Used In VoIP

NAT TCP SIP ALG Support

Voice over IP & Other Multimedia Protocols. SIP: Session Initiation Protocol. IETF service vision. Advanced Networking

Alkit Reflex RTP reflector/mixer

Asymetrical keys. Alices computer generates a key pair. A public key: XYZ (Used to encrypt) A secret key: ABC98765 (Used to decrypt)

Best Practices for Role Based Video Streams (RBVS) in SIP. IMTC SIP Parity Group. Version 33. July 13, 2011

Technical Bulletin 18292

OSSIR, November /45

NAT and Firewall Traversal. VoIP and MultiMedia /77

Deploying Secure Enterprise Wide IP Videoconferencing Across Virtual Private Networks

Media Gateway Controller RTP

Overview of VoIP Systems

Avaya IP Office 4.0 Customer Configuration Guide SIP Trunking Configuration For Use with Cbeyond s BeyondVoice with SIPconnect Service

Unit 23. RTP, VoIP. Shyam Parekh

An outline of the security threats that face SIP based VoIP and other real-time applications

Application Notes for Configuring SIP Trunking between Metaswitch MetaSphere CFS and Avaya IP Office Issue 1.0

Spirent Abacus. SIP over TLS Test 编 号 版 本 修 改 时 间 说 明

High Definition PoE IP Phone

How To Use A Microsoft Vc.Net (Networking) On A Microsatellite (Netnet) On An Ipod Or Ipod (Netcom) On Your Computer Or Ipad (Net) (Netbook) On The

Internet Engineering Task Force (IETF) Request for Comments: 7088 Category: Informational February 2014 ISSN:

Release Notes. Version 6.0

Voice over IP (VoIP) Part 2

Intel NetStructure Host Media Processing Software Release 1.0 for the Windows * Operating System

How To Understand The Purpose Of A Sip Aware Firewall/Alg (Sip) With An Alg (Sip) And An Algen (S Ip) (Alg) (Siph) (Network) (Ip) (Lib

SIP Forum Fax Over IP Task Group Problem Statement

VoIP Security regarding the Open Source Software Asterisk

Internet Security. Internet Security Voice over IP. Introduction. ETSF10 Internet Protocols ETSF10 Internet Protocols 2011

VIDEOCONFERENCING. Video class

SIP: Protocol Overview

TECHNICAL CHALLENGES OF VoIP BYPASS

CVOICE Exam Topics Cisco Voice over IP Exam # /14/2005

IP Ports and Protocols used by H.323 Devices

Bridgit Conferencing Software: Security, Firewalls, Bandwidth and Scalability

Voice over IP (SIP) Milan Milinković

Sample Configuration for SIP Trunking between Avaya IP Office R8.0 and Cisco Unified Communications Manager Issue 1.0

LifeSize UVC Multipoint Deployment Guide

Acano solution. Third Party Call Control Guide. March E

SIP Security Controllers. Product Overview

CONNECTING TO LYNC/SKYPE FOR BUSINESS OVER THE INTERNET NETWORK PREP GUIDE

Aculab digital network access cards

Introducing Cisco Voice and Unified Communications Administration Volume 1

MITEL SIP CoE. Technical. Configuration Notes. Configure MCD 4.1 for use with SKYPE SIP Trunking. SIP CoE

District of Columbia Courts Attachment 1 Video Conference Bridge Infrastructure Equipment Performance Specification

Adaptation of TURN protocol to SIP protocol

Request for Comments: August 2006

EarthLink Business SIP Trunking. ININ IC3 IP PBX Customer Configuration Guide

Transcription:

25751 Secure Real-Time Transport Protocol on SoundPoint IP Phones This technical bulletin provides detailed information on how the SIP application has been enhanced to support Secure Real-Time Transport Protocol (SRTP). This information applies to SoundPoint IP phones running SIP application version 2.2.1 or later, except for SoundPoint IP 300 and 500 phones. Introduction Secure Real-Time Transport Protocol (SRTP) provides means of encrypting the audio stream(s) of VoIP phone calls to avoid interception and eavesdropping on phone calls. Both RTP and RTCP signaling may be encrypted using an AES algorithm as described in RFC3711. When this feature is enabled, phones will negotiate with the other end-point whether and what type of encryption or authentication to utilize for the session. This negotiation process is compliant with RFC4568 (Session Description Protocol (SDP) Security Descriptions for Media Streams). Authentication proves to the phone receiving the RTP/RTCP stream that the packets are from the expected source and have not been tampered with. Encryption modifies the data in the RTP/RTCP streams so that, if the data is captured or intercepted, it cannot be understood it sounds like noise. Only the receiver knows the key to restore the data. A number of configuration parameters have been added to allow you to turn off authentication and encryption for RTP and RTCP streams. This is done mainly to allow the system administrator to reduce the CPU usage on legacy Polycom phones in certain deployment scenarios (for example, if three-way local conferencing is required). The SoundPoint IP 301, 501, 600 and 601 are collectively referred to a legacy platforms in this document. Note When SRTP is enabled on Polycom's legacy platforms, they may exceed their CPU capacity if local conference bridging is attempted using authentication and encryption of the media stream. Local Conference Bridging on SoundPoint IP 301, 501, 600 and 601 phones should be disabled when SRTP is utilized using G.711 codecs. If the call is completely secure (RTP authentication and encryption and RTCP authentication and RTCP encryption are enabled), then the user sees a padlock symbol appearing in the last frame of the connected context animation (two arrow moving towards each other). <December, 2007> 3725-17495-001/B

In SIP 2.2, the SRTP feature has been implemented in a very configurable manner. The reasons for this are: To allow deployment in a mixed environment where some elements of the solution are SRTP capable and some are not To allow for partial security and controlled CPU usage by Polycom legacy devices (SoundPoint IP 301, 501, 600, and 601) which do not have sufficient processor power to run full SRTP in a three-way conference with G.711 as the codec. The subsequent sections of this technical bulletin outline possible deployment scenarios for the feature. Terminology Before you read this document, it is important to understand certain terminology and become familiar with the authentication/encryption configuration as described in the RFC 3711 and RFC 4568 (listed in the References on page 10). Note In the sip.cfg configuration file, parameters for legacy phones are denoted by leg. SIP 2.2 Secure Real-Time Transport Protocol Implementation Overview In this scenario a local media server is used for functions such as call recording and voice mail operations. This media server is SRTP capable. A PSTN gateway is deployed that is not SRTP capable. The various connections possible are depicted in the figure below. As a result the phones need to be capable of one of the following: Connecting using SRTP when connecting to the media server or one another Connecting using regular RTP when connecting directly to the gateway Note The figures in the following sections show the audio connection paths with SIP server and signalling paths. The following sections describe three SRTP scenarios. Configuration file parameters are described in Configuration File Changes on page 7. 2

Scenario One: Mixed SRTP and Non-SRTP Endpoints In this scenario, the following assumptions are made: Legacy phones are used, including a SoundPoint IP 601 with full SRTP for point-to-point calls. The system administrator disables local conferencing on the legacy phones. The following sip.cfg configuration file changes are suggested: sec.srtp.enable="1" sec.srtp.leg.enable="1" sec.srtp.offer="1" sec.srtp.leg.allowlocalconf="0" 3

A SoundPoint IP phone configured as above will send the following media descriptions in its SDP: m=audio 2230 RTP/SAVP 0 8 18 101 a=sendrecv a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:nl326xlshguixlmkyqo+exm5gpbz+mlbwmzotrri a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:18 G729/8000 a=rtpmap:101 telephone-event/8000 m=audio 2230 RTP/AVP 0 8 18 101 a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:18 G729/8000 a=rtpmap:101 telephone-event/8000 Scenario Two: Full Security In this scenario, the following assumptions are made: All elements of the solution are SRTP-capable so security is mandated. 4

The following sip.cfg configuration file changes are suggested: sec.srtp.enable="1" sec.srtp.leg.enable="1" sec.srtp.offer="1" sec.srtp.require="1" A SoundPoint IP phone configured as above will send the following media descriptions in its SDP: m=audio 2222 RTP/SAVP 0 8 18 101 a=sendrecv a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:w1agu0fjvjv0avrw8jgztcoe6b2dbayilxcdqh7w a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:18 G729/8000 a=rtpmap:101 telephone-event/8000 Scenario Three: SoundPoint IP 601 Endpoint In this scenario, the following assumptions are made: The SoundPoint IP 601 is configured with full SRTP on, but encryption only. The SoundPoint IP 601 will not accept authentication (calls ignored if offered) and all other phones will not offer authentication. 5

The following sip.cfg configuration file settings are suggested: sec.srtp.enable="1" sec.srtp.leg.enable="1" sec.srtp.offer="1" ms.noauth.offer="1" ms.leg.noauth.offer="1" ms.leg.noauth.require="1" ms.ip_4000.noauth.offer="1" A SoundPoint IP phone configured as above will send the following media descriptions in its SDP: m=audio 2224 RTP/SAVP 0 8 18 101 a=sendrecv a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:app9lqvxicbkc18r6p+obnerrm5jwa3kmhn84idw UNAUTHENTICATED_SRTP a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:18 G729/8000 a=rtpmap:101 telephone-event/8000 m=audio 2224 RTP/AVP 0 8 18 101 a=rtpmap:0 PCMU/8000 a=rtpmap:8 PCMA/8000 a=rtpmap:18 G729/8000 a=rtpmap:101 telephone-event/8000 Recommended Practices for Secure Real-Time Transport Protocol When secure media communications is required, the following practices are recommended: 1. All elements of the communication should be SRTP capable. 2. Transport Layer Security (TLS) should be used when SRTP is used. If TLS is not used, the initial encryption keys will be passed in the clear such that an eavesdropper can intercept them and potentially use them to decrypt the media streams. 3. Media encryption places an increased CPU loading onto devices and Polycom recommends that only SoundPoint IP 330/320, 430, 550, and 650 desktop phones are utilized. 4. The use of encrypted signalling and media will make it more difficult to diagnose any deployment issues that may arise. Careful thought should be given to how system level issues will be investigated as part of the system design, for example, provide a mechanism to turn off SRTP during testing. 6

Configuration File Changes Configuration changes can performed centrally at the boot server: Central (boot server) Configuration File: sip.cfg Specify the parameters to enable and disable SRTP. For more information, refer to the following section, Security in Application Configuration File. Security in Application Configuration File Note As per RFC 3711, you cannot turn off authentication of RTCP. This configuration attribute is defined as follows: Note For SoundPoint IP 301, 501, 600, and 601 legacy phones, use leg tagged session parameters. For example, use ms.leg.noauth.offer. For SoundStation IP 4000 phone, use IP_4000 tagged session parameters. For example, use ms.ip_4000.noauth.offer. For all other phones, use untagged session parameters. For example, use ms.noauth.offer. Attribute Permitted Values Default Interpretation. sec.srtp.enable 0, 1 Null If set to 1, the phone accepts SRTP offers. If set to 0 or Null, the phone always declines SRTP offers. sec.srtp.leg.allowloca lconf 0, 1 Null The error Service unavailable" is displayed if the user tried to create a conference with sec.srtp.leg.allowlocalconf set to 0 and without voipprot.sip.conference.address set. If voipprot.sip.conference.address is set, the value of sec.srtp.leg.allowlocalconf is irrelevant. If sec.srtp.leg.enable is set to 0 or Null, then the value of sec.srtp.leg.allowlocalconf is irrelevant, as the local conference is allowed. sec.srtp.leg.enable 0, 1 Null If set to 1, the phone always declines SRTP offers. If set to 0 or Null, the phone accepts SRTP offers. sec.srtp.offer 0, 1 Null If set to 1, the phone includes a secure media stream description along with the usual non-secure media description in the SDP of a SIP INVITE. This is for the phone initiating (offering) a phone call. If set to 0 or Null, no secure media stream is included in SDP of a SIP invite. 7

Attribute Permitted Values Default Interpretation sec.srtp.require 0, 1 Null If set to 1, the phone is only allowed to use secure media streams. Any offered SIP INVITEs must include a secure media description in the SDP or the call will be rejected. For outgoing calls, only a secure media stream description is include in the SDP of the SIP INVITE, meaning that the non-secure media description is not included. If sec.srtp.require is set to 1, sec.srtp.offer is logically set to 1 no matter what the value in the configuration file. If set to 0 or Null, secure media streams are not required. sec.srtp.offer.hmac_ SHA1_80 sec.srtp.offer.hmac_ SHA1_32 0, 1 Null If set to 1 or Null, a crypto line with the AES_CM_128_HMAC_SHA1_80 crypto-suite will be included in offered SDP. If set to 0, the crypto line is not included. Note: This attribute was added in SIP 2.2.1. 0, 1 Null If set to 1, a crypto line with the AES_CM_128_HMAC_SHA1_32 crypto-suite will be included in offered SDP. If set to 0 or Null, the crypto line is not included. Note: This attribute was added in SIP 2.2.1. sec.srtp.key.lifetime 0, positive integer minimum 1024 Null The master key lifetime used for the cryptographic attribute in the SDP. The value specified is the number of SRTP packets. If set to 0 or Null, the master key lifetime is not set. If set to 1 or greater, master key lifetime is set. The default setting should be suitable for most installations. When the lifetime is set greater than 0, a re-invite with a new key will be sent when the number of SRTP packets sent for an outgoing call exceeds half the value of the master key lifetime. Note: Setting this parameter to a non-zero value may affect performance of the phone. sec.srtp.mki.enabled 0, 1 Null The master key identifier (MKI) is an optional parameter for the cryptographic attribute in the SDP that uniquely identifies the SRTP stream within an SRTP session. MKI is expressed as a pair of decimal numbers in the form: mki:mki_length where mki is the MKI value and mki_length its length in bytes. If set to 1, a four-byte MKI parameter is sent within the SDP message of the SIP INVITE / 200 OK. If set to 0 or Null, the MKI parameter is not sent. 8

Attribute ms.noauth.offer ms.leg.noauth.offer ms.ip_4000.noauth.of fer ms.noauth.require ms.leg.noauth.require ms.ip_4000.noauth.r equire ms.noencryprtcp.off er ms.leg.noencryprtc P.offer ms.ip_4000.noencryp RTCP.offer ms.noencryprtcp.re quire ms.leg.noencryprtc P.require ms.ip_4000.noencryp RTCP.require Permitted Values Default Interpretation 0, 1 Null If set to 1, no authentication of RTP is offered. A session description that includes the UNAUTHENTICATED_SRTP session parameter is sent when initiating a call. If set to 0 or Null, authentication is offered. 0, 1 Null If set to 1, no authentication of RTP is required. A call placed to a phone configured with noauth.require must offer the UNAUTHENTICATED_SRTP session parameter in its SDP. If ms.noauth.require is set to 1, ms.noauth.offer is logically set to 1 no matter what the value in the configuration file. If set to 0 or Null, authentication is required. 0, 1 Null If set to 1, no encryption of RTCP is offered. A session description that includes the UNENCRYPTED_SRTCP session parameter is sent when initiating a call. If set to 0, or Null, encryption of RTCP is offered. 0, 1 Null If set to 1, no encryption of RTCP is required. A call placed to a phone configured with noauth.require must offer the UNENCRYPTED_SRTCP session parameter in its SDP. If ms.noencryptrtcp.require is set to 1, ms.noencryptrtcp.offer is logically set to 1 no matter what the value in the configuration file. If set to 0 or Null, encryption of RTCP is required. 9

Attribute ms.noencryprtp.offe r ms.noencryprtp.offe r ms.noencryprtp.offe r ms.noencryprtp.req uire ms.leg.noencryprtp.r equire ms.ip_4000.noencryp RTP.require Permitted Values Default Interpretation 0, 1 Null If set to 1, no encryption of RTP is offered. A session description that includes the UNENCRYPTED_SRTP session parameter is sent when initiating a call. If set to 0, or Null, encryption of RTP is offered. 0, 1 Null If set to 1, no encryption of RTP is required. A call placed to a phone configured with noauth.require must offer the UNENCRYPTED_SRTP session parameter in its SDP. If ms.noencryptrtp.require is set to 1, ms.noencryptrtp.offer is logically set to 1 no matter what the value in the configuration file. If set to 0 or Null, encryption of RTP is required. References 1. SIP 2.2 Administrator s Guide for the SoundPoint IP and SoundStation IP Phones, August 2007. Go to http://www.polycom.com/usa/en/support/voice/voice.html 2. RFC3711 - The Secure Real-time Transport Protocol (SRTP). Go to http://www.ietf.org/rfc/rfc3711.txt?number=3711 3. RFC4568 - Session Description Protocol (SDP) Security Descriptions for Media Streams. Go to http://www.ietf.org/rfc/rfc4568.txt?number=4568 Trademark Information Polycom, SoundPoint, and the Polycom logo design are registered trademarks of Polycom, Inc. in the U.S. and various countries. All other trademarks are the property of their respective companies. 10

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information