SRTP Parameters

The Secure Real-Time Transport Protocol (SRTP) parameters are described in the table below.

SRTP Parameters

Parameter

Description

'Media Security'

configure voip > media security > media-security-enable

[EnableMediaSecurity]

Enables Secure Real-Time Transport Protocol (SRTP).

[0] Disable (default)
[1] Enable

Note:

'Media Security Behavior'

configure voip > media security > media-sec-bhvior

[MediaSecurityBehaviour]

Global parameter that defines the handling of SRTP, when the [EnableMediaSecurity] parameter is configured to 1. You can also configure this feature per specific calls, using IP Profiles ('Gateway Media Security Mode' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note:

If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.
The parameter is applicable only to the Gateway application.

'Master Key Identifier (MKI) Size'

configure voip > media security > srtp-tx-packet-mki-size

[SRTPTxPacketMKISize]

Global parameter that defines the size (in bytes) of the Master Key Identifier (MKI) in SRTP Tx packets. You can also configure this feature per specific calls, using IP Profiles ('MKI Size' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note: If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.

'Symmetric MKI Negotiation'

configure voip > media security > symmetric-mki

[EnableSymmetricMKI]

Global parameter that enables symmetric MKI negotiation. You can also configure this feature per specific calls, using IP Profiles ('Symmetric MKI' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note: If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.

'Offered SRTP Cipher Suites'

configure voip > media security > offer-srtp-cipher

[SRTPofferedSuites]

Defines the offered crypto suites (cipher encryption algorithms) for SRTP.

[0] All = (Default) All available crypto suites.
[1] AES-CM-128-HMAC-SHA1-80 = device uses AES-CM encryption with a 128-bit key and HMAC-SHA1 message authentication with an 80-bit tag.
[2] AES-CM-128-HMAC-SHA1-32 = device uses AES-CM encryption with a 128-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[4] ARIA-CM-128-HMAC-SHA1-80 = device uses ARIA encryption algorithm with a 128-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[8] ARIA-CM-192-HMAC-SHA1-80 = device uses ARIA encryption algorithm with a 192-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[16] AES-256-CM-HMAC-SHA1-32 = AES-CM encryption with a 256-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[32] AES-256-CM-HMAC-SHA1-80 = AES-CM encryption with a 256-bit key and HMAC-SHA1 message authentication with an 80-bit tag.

Note:

For enabling ARIA encryption, use the [AriaProtocolSupport] parameter.
For the Gateway application, if you configure the parameter to All, the device sends only four crypto lines ('a=crypto') in the SDP Offer, which excludes the AES 256 crypto suites. Therefore, if you want to offer an AES 256 crypto suite, you need to configure the parameter to AES-256-CM-HMAC-SHA1-32 or AES-256-CM-HMAC-SHA1-80.
The parameter also affects the selection of the crypto in the device's answer. For example, if the device receives an offer with two crypto lines ('a=crypto:') containing HMAC_SHA1_80 and HMAC_SHA1_32, it uses the HMAC_SHA1_32 key in its SIP 200 OK response if the parameter is configured to AES-CM-128-HMAC-SHA1-32.

'ARIA Protocol Support'

configure voip > media security > ARIA-protocol-support

[AriaProtocolSupport]

Enables ARIA algorithm cipher encryption for SRTP. This is an alternative option to the existing support for the AES algorithm. ARIA is a symmetric key block cipher algorithm standard developed by the Korean National Security Research Institute.

[0] Disable (default)
[1] Enable

Note:

To configure the ARIA bit-key encryption size (128 or 192 bit) with HMAC SHA-1 cryptographic hash function, use the SRTPofferedSuites parameter.
The ARIA feature is available only if the device is installed with a License Key that includes this feature. For installing a License Key, see License Key.

'Authentication on Transmitted RTP Packets'

configure voip > media security > RTP-authentication-disable-tx

[RTPAuthenticationDisableTx]

Enables authentication on transmitted RTP packets in a secured RTP session.

[0] Enable (default)
[1] Disable

'Encryption on Transmitted RTP Packets'

configure voip > media security > RTP-encryption-disable-tx

[RTPEncryptionDisableTx]

Enables encryption on transmitted RTP packets in a secured RTP session.

[0] Enable (default)
[1] Disable

'Encryption on Transmitted RTCP Packets'

configure voip > media security > RTCP-encryption-disable-tx

[RTCPEncryptionDisableTx]

Enables encryption on transmitted RTCP packets (outgoing leg) in a secured RTP session (i.e., SRTCP). The device generates the cryptos.

[0] Enable (default)
[1] Disable

Note: The parameter is applicable only if the IP Profile parameter 'Encryption on RTCP Packets' is configured to As Is for the outgoing leg.

'SRTP Tunneling Authentication for RTP'

configure voip > media security > srtp-tnl-vld-rtp-auth

[SRTPTunnelingValidateRTPRxAuthentication]

Enables validation of SRTP tunneling authentication for RTP.

[0] Disable = (Default) The device doesn't perform any validation and forwards the packets as is.
[1] Enable = The device validates the packets (e.g., sequence number) and if successful, forwards the packets. If validation fails, it drops the packets.

Note:

The parameter is applicable only to SRTP-to-SRTP calls and when both endpoints use the same authentication keys.
The parameter is applicable only to the SBC application.

'SRTP Tunneling Authentication for RTCP'

configure voip > media security > srtp-tnl-vld-rtcp-auth

[SRTPTunnelingValidateRTCPRxAuthentication]

Enables validation of SRTP tunneling authentication for RTCP.

[0] Disable = (Default) The device doesn't perform any validation and forwards the packets as is.
[1] Enable = The device validates the packets (e.g., sequence number) and if successful, forwards the packets. If validation fails, it drops the packets.

Note:

The parameter is applicable only to SRTP-to-SRTP calls and when both endpoints use the same authentication keys.
The parameter is applicable only to the SBC application.

configure voip > sip-definition settings > srtp-state-behavior-mode

[ResetSRTPStateUponRekey]

Global parameter that enables synchronization of the SRTP state between the device and a server when a new SRTP key is generated because a SIP session expires. You can also configure this feature per specific calls, using IP Profiles ('Reset SRTP Upon Re-key' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note:

If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.
This parameter resets the SRTP stream on both legs. If you want the device to reset only the SRTP stream with the leg (call party) that changed the crypto key, enable this parameter and the [SrtpResetTxRxSeparately] parameter (below).

configure voip > media security > srtp-reset-tx-rx-separately

[SrtpResetTxRxSeparately]

Enables the device to reset only the SRTP stream (roll-over counter / ROC index and other SRTP fields) with the call party that changed the SRTP key (‘a=crypto’ line in SDP body) during a call. It doesn't reset the SRTP stream with the other call party. The SRTP key is sometimes updated by the call party, using a SIP re-INVITE message (for example, due to a session refresh).

[0] = (Default) Disabled
[1] = Enabled

Note:

For this functionality, you also need to enable the 'Reset SRTP Upon Re-key' (ResetSRTPStateUponRekey) parameter.
If the [SrtpResetTxRxSeparately] parameter is disabled and the 'Reset SRTP Upon Re-key' parameter is enabled, the device resets the SRTP stream of both call parties if the key is changed.
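
Added example (not part of the original documentation and not vendor code): a Python check for the notes under 'Offered SRTP Cipher Suites' and 'Master Key Identifier (MKI) Size', which reads the 'a=crypto' lines of a captured SDP body and reports 32-bit authentication tags, a missing AES 256 suite, and the MKI length on each line. It assumes the RFC 4568 'a=crypto' syntax; the function names, the policy thresholds and the sample offer are constructed for illustration.

```python
import re

# RFC 4568 SDES attribute: a=crypto:<tag> <suite> inline:<key>[|lifetime][|MKI:length]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+)[ \t]+(\S+)[ \t]+inline:([^\s|]+)((?:\|[^\s|]+)*)", re.M)

def parse_crypto_lines(sdp):
    """Return one dict per 'a=crypto' line found in an SDP body."""
    lines = []
    for tag, suite, _key, extras in CRYPTO_RE.findall(sdp):
        mki_len = 0
        for field in filter(None, extras.split("|")):
            if ":" in field:                    # "MKI:length"; a lifetime has no colon
                mki_len = int(field.split(":", 1)[1])
        name = suite.upper().replace("-", "_")  # accept either separator style
        tail = re.search(r"_(\d+)$", name)      # trailing number = auth tag bits
        lines.append({"tag": int(tag), "suite": name,
                      "auth_bits": int(tail.group(1)) if tail else None,
                      "aes256": "AES_256" in name, "mki_len": mki_len})
    return lines

def audit_offer(sdp, min_auth_bits=80, require_aes256=False):
    """List deviations of the crypto lines in an SDP body from a local policy."""
    lines = parse_crypto_lines(sdp)
    if not lines:
        return ["no a=crypto line: media is not offered with SDES-SRTP"]
    findings = []
    for c in lines:
        if c["auth_bits"] is not None and c["auth_bits"] < min_auth_bits:
            findings.append(f"crypto:{c['tag']} {c['suite']} has a {c['auth_bits']}-bit auth tag")
    if require_aes256 and not any(c["aes256"] for c in lines):
        findings.append("no AES 256 crypto suite is offered")
    return findings

def answer_choice(sdp, configured_suite):
    """Model of the answer-selection note: the offered line matching the configured suite."""
    want = configured_suite.upper().replace("-", "_")
    return next((c for c in parse_crypto_lines(sdp) if c["suite"] == want), None)

# Constructed sample offer (placeholder key material, not from a real call)
KEY = "QUFB" * 10
SAMPLE_OFFER = "\r\n".join([
    "v=0", "m=audio 6000 RTP/SAVP 0",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^31|1:4",
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:{KEY}|2^31|1:4",
]) + "\r\n"

if __name__ == "__main__":
    print("\n".join(audit_offer(SAMPLE_OFFER, require_aes256=True)))
```

Run it against the SDP Offer captured from the Gateway after changing [SRTPofferedSuites] to confirm that the crypto lines on the wire match the intended configuration.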