SRTP Parameters

The Secure Real-Time Transport Protocol (SRTP) parameters are described in the table below.

Parameter

Description

'Media Security'

configure voip > media security > media-security-enable

[EnableMediaSecurity]

Enables Secure Real-Time Transport Protocol (SRTP).

[0] Disable (default)
[1] Enable

Note:

The parameter is not applicable to WebRTC.

'Media Security Behavior'

configure voip > media security > media-sec-bhvior

[MediaSecurityBehaviour]

Global parameter that defines the handling of SRTP, when the [EnableMediaSecurity] parameter is configured to 1. You can also configure this feature per specific calls, using IP Profiles ('Gateway Media Security Mode' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note:

If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.
The parameter is applicable only to the Gateway application.

'Master Key Identifier (MKI) Size'

configure voip > media security > srtp-tx-packet-mki-size

[SRTPTxPacketMKISize]

Global parameter that defines the size (in bytes) of the Master Key Identifier (MKI) in SRTP Tx packets. You can also configure this feature per specific calls, using IP Profiles ('MKI Size' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note: If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.

'Symmetric MKI Negotiation'

configure voip > media security > symmetric-mki

[EnableSymmetricMKI]

Global parameter that enables symmetric MKI negotiation. You can also configure this feature per specific calls, using IP Profiles ('Symmetric MKI' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note: If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.

'Offered SRTP Cipher Suites'

configure voip > media security > offer-srtp-cipher

[SRTPofferedSuites]

Defines the offered crypto suites (cipher encryption algorithms) for SRTP.

[0] All = (Default) All available crypto suites.
[1] AES-CM-128-HMAC-SHA1-80 = device uses AES-CM encryption with a 128-bit key and HMAC-SHA1 message authentication with an 80-bit tag.
[2] AES-CM-128-HMAC-SHA1-32 = device uses AES-CM encryption with a 128-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[4] ARIA-CM-128-HMAC-SHA1-80 = device uses ARIA encryption algorithm with a 128-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[8] ARIA-CM-192-HMAC-SHA1-80 = device uses ARIA encryption algorithm with a 192-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[16] AES-256-CM-HMAC-SHA1-32 = AES-CM encryption with a 256-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[32] AES-256-CM-HMAC-SHA1-80 = AES-CM encryption with a 256-bit key and HMAC-SHA1 message authentication with an 80-bit tag.

Note:

For enabling ARIA encryption, use the [AriaProtocolSupport] parameter.
For the Gateway application, if you configure the parameter to All, the device sends only four crypto lines ('a=crypto') in the SDP Offer, which excludes the AES 256 crypto suites. Therefore, if you want to offer an AES 256 crypto suite, you need to configure the parameter to AES-256-CM-HMAC-SHA1-32 or AES-256-CM-HMAC-SHA1-80.
The parameter also affects the selection of the crypto in the device's answer. For example, if the device receives an offer with two crypto lines ('a=crypto:') containing HMAC_SHA1_80 and HMAC_SHA_32, it uses the HMAC_SHA_32 key in its SIP 200 OK response if the parameter is configured to AES-CM-128-HMAC-SHA1-32.

configure voip > sbc settings > sbc-dtls-mtu

[SbcDtlsMtu]

Defines the maximum transmission unit (MTU) size for the DTLS handshake. The device doesn't attempt to send handshake packets that are larger than the configured value. Adjusting the MTU is useful when there are network constraints on the size of packets that can be sent.

The valid value range is 228 to 1500. The default is 1400.

Note: The parameter is applicable only to the SBC application.

configure voip > sbc settings > dtls-time-between-transmissions

[DTLSTimeBetweenTransmissions]

Defines the minimum interval (in msec) that the device waits between transmission of DTLS packets in the same DTLS handshake. The configured value is applied in a "best-effort" manner (i.e., time between transmitted DTLS packets in the same handshake may differ due to constraints on the network layer and load on the device).

The valid value range is 0 (no forced delay between DTLS packet transmissions) to 100. The default is 5.

'ARIA Protocol Support'

configure voip > media security > ARIA-protocol-support

[AriaProtocolSupport]

Enables ARIA algorithm cipher encryption for SRTP. This is an alternative option to the existing support for the AES algorithm. ARIA is a symmetric key block cipher algorithm standard developed by the Korean National Security Research Institute.

[0] Disable (default)
[1] Enable

Note:

To configure the ARIA encryption key size (128 or 192 bits) with the HMAC SHA-1 cryptographic hash function, use the [SRTPofferedSuites] parameter.
The ARIA feature is available only if the device is installed with a License Key that includes this feature. For installing a License Key, see License Key.

'Authentication on Transmitted RTP Packets'

configure voip > media security > RTP-authentication-disable-tx

[RTPAuthenticationDisableTx]

Enables authentication on transmitted RTP packets in a secured RTP session.

[0] Enable (default)
[1] Disable

'Encryption on Transmitted RTP Packets'

configure voip > media security > RTP-encryption-disable-tx

[RTPEncryptionDisableTx]

Enables encryption on transmitted RTP packets in a secured RTP session.

[0] Enable (default)
[1] Disable

'Encryption on Transmitted RTCP Packets'

configure voip > media security > RTCP-encryption-disable-tx

[RTCPEncryptionDisableTx]

Enables encryption on transmitted RTCP packets (outgoing leg) in a secured RTP session (i.e., SRTCP). The device generates the cryptos.

[0] Enable (default)
[1] Disable

Note: The parameter is applicable only if the IP Profile parameter 'Encryption on RTCP Packets' is configured to As Is for the outgoing leg.

'SRTP Tunneling Authentication for RTP'

configure voip > media security > srtp-tnl-vld-rtp-auth

[SRTPTunnelingValidateRTPRxAuthentication]

Enables validation of SRTP tunneling authentication for RTP.

[0] Disable = (Default) The device doesn't perform any validation and forwards the packets as is.
[1] Enable = The device validates the packets (e.g., sequence number) and if successful, forwards the packets. If validation fails, it drops the packets.

Note:

The parameter is applicable only to SRTP-to-SRTP calls and when both endpoints use the same authentication keys.
The parameter is applicable only to the SBC application.

'SRTP Tunneling Authentication for RTCP'

configure voip > media security > srtp-tnl-vld-rtcp-auth

[SRTPTunnelingValidateRTCPRxAuthentication]

Enables validation of SRTP tunneling authentication for RTCP.

[0] Disable = (Default) The device doesn't perform any validation and forwards the packets as is.
[1] Enable = The device validates the packets (e.g., sequence number) and if successful, forwards the packets. If validation fails, it drops the packets.

Note:

The parameter is applicable only to SRTP-to-SRTP calls and when both endpoints use the same authentication keys.
The parameter is applicable only to the SBC application.

configure voip > sip-definition settings > srtp-state-behavior-mode

[ResetSRTPStateUponRekey]

Global parameter that enables synchronization of the SRTP state between the device and a server when a new SRTP key is generated upon expiry of a SIP session. You can also configure this feature per specific calls, using IP Profiles ('Reset SRTP Upon Re-key' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note: If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.
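
The following is an added example, not vendor code: a small audit script that reads a saved configuration and reports the global settings from the table above that leave media unprotected or weakly protected. The 'Name = value' file layout, the ';' comment character, and the treatment of a non-zero [SRTPofferedSuites] value as a sum of the listed option values are assumptions; parameter names, option values and defaults are taken from this page.

```python
import re

# Defaults taken from the parameter table above.
DEFAULTS = {"EnableMediaSecurity": 0, "SRTPofferedSuites": 0,
            "RTPAuthenticationDisableTx": 0, "RTPEncryptionDisableTx": 0,
            "RTCPEncryptionDisableTx": 0}
# Option values and suite names as listed for [SRTPofferedSuites].
SUITES = {1: "AES-CM-128-HMAC-SHA1-80", 2: "AES-CM-128-HMAC-SHA1-32",
          4: "ARIA-CM-128-HMAC-SHA1-80", 8: "ARIA-CM-192-HMAC-SHA1-80",
          16: "AES-256-CM-HMAC-SHA1-32", 32: "AES-256-CM-HMAC-SHA1-80"}
TX_FLAGS = {"RTPAuthenticationDisableTx": "authentication off for transmitted RTP",
            "RTPEncryptionDisableTx": "encryption off for transmitted RTP",
            "RTCPEncryptionDisableTx": "encryption off for transmitted RTCP"}

def parse_config(text):
    """Read 'Name = value' lines (assumed layout); unset parameters keep defaults."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        # Drop anything after ';' (assumed comment character) before matching.
        m = re.match(r"\s*(\w+)\s*=\s*(\d+)\s*$", line.split(";")[0])
        if m and m.group(1) in cfg:
            cfg[m.group(1)] = int(m.group(2))
    return cfg

def audit(cfg, gateway=True):
    """Return a list of findings for settings that weaken media protection."""
    findings = []
    if cfg["EnableMediaSecurity"] == 0:
        findings.append("EnableMediaSecurity=0: SRTP is disabled")
    findings += [f"{name}=1: {why}" for name, why in TX_FLAGS.items() if cfg[name] == 1]
    value = cfg["SRTPofferedSuites"]
    if value == 0 and gateway:
        findings.append("SRTPofferedSuites=0 (All): Gateway offer omits AES 256 suites")
    # Assumption: a non-zero value may be a sum of the listed option values.
    for bit, suite in SUITES.items():
        if value & bit and suite.endswith("-32"):
            findings.append(f"SRTPofferedSuites offers {suite}: 32-bit auth tag")
    return findings

# Constructed sample configuration, not taken from a real device.
SAMPLE = """
[Media Security]   ; section header, ignored by the parser
EnableMediaSecurity = 1
SRTPofferedSuites = 18   ; 2 + 16
RTPAuthenticationDisableTx = 1
"""

if __name__ == "__main__":
    for finding in audit(parse_config(SAMPLE)):
        print(finding)
```

The script checks global parameters only; calls associated with an IP Profile that overrides a setting have to be reviewed in the IP Profiles table.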