SRTP Parameters

The Secure Real-Time Transport Protocol (SRTP) parameters are described in the table below.

Parameter

Description

'Media Security'

configure voip > media security > media-security-enable

[EnableMediaSecurity]

Enables Secure Real-Time Transport Protocol (SRTP).

[0] Disable (default)
[1] Enable

Note:

The parameter is not applicable to WebRTC.

'Master Key Identifier (MKI) Size'

configure voip > media security > srtp-tx-packet-mki-size

[SRTPTxPacketMKISize]

Global parameter that defines the size (in bytes) of the Master Key Identifier (MKI) in SRTP Tx packets. You can also configure this feature per specific calls, using IP Profiles ('MKI Size' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note: If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.

'Symmetric MKI Negotiation'

configure voip > media security > symmetric-mki

[EnableSymmetricMKI]

Global parameter that enables symmetric MKI negotiation. You can also configure this feature per specific calls, using IP Profiles ('Symmetric MKI' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note: If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.

'Offered SRTP Cipher Suites'

configure voip > media security > offer-srtp-cipher

[SRTPofferedSuites]

Defines the offered crypto suites (cipher encryption algorithms) for SRTP.

[0] All = (Default) All available crypto suites.
[1] AES-CM-128-HMAC-SHA1-80 = device uses AES-CM encryption with a 128-bit key and HMAC-SHA1 message authentication with an 80-bit tag.
[2] AES-CM-128-HMAC-SHA1-32 = device uses AES-CM encryption with a 128-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[16] AES-256-CM-HMAC-SHA1-32 = AES-CM encryption with a 256-bit key and HMAC-SHA1 message authentication with a 32-bit tag.
[32] AES-256-CM-HMAC-SHA1-80 = AES-CM encryption with a 256-bit key and HMAC-SHA1 message authentication with an 80-bit tag.

Note:

The parameter also affects the selection of the crypto in the device's answer. For example, if the device receives an offer with two crypto lines ('a=crypto:') containing HMAC_SHA1_80 and HMAC_SHA1_32, it uses the HMAC_SHA1_32 key in its SIP 200 OK response if the parameter is configured to AES-CM-128-HMAC-SHA1-32.
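The answer-side selection described in the note above, as an added example (not vendor code). It assumes the standard SDP suite names from RFC 4568 and RFC 6188, and for the All setting it assumes the first offered suite that is supported is chosen, which the table does not state; `OFFER` and its key placeholders are constructed.

```python
import re

# [SRTPofferedSuites] value -> SDP crypto-suite name (RFC 4568 / RFC 6188).
SUITES = {
    1: "AES_CM_128_HMAC_SHA1_80",
    2: "AES_CM_128_HMAC_SHA1_32",
    16: "AES_256_CM_HMAC_SHA1_32",
    32: "AES_256_CM_HMAC_SHA1_80",
}

# a=crypto:<tag> <crypto-suite> <key-params> [session-params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)[ \t]+(\S+)[ \t]+(\S+)", re.MULTILINE)

# Constructed offer; the key material is a placeholder, not a real key.
OFFER = "\r\n".join([
    "v=0",
    "o=- 1 1 IN IP4 192.0.2.10",
    "s=-",
    "c=IN IP4 192.0.2.10",
    "t=0 0",
    "m=audio 6000 RTP/SAVP 0",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER_KEY_A",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:PLACEHOLDER_KEY_B",
    "",
])

def parse_crypto_lines(sdp):
    """Return [(tag, suite), ...] in the order the offer lists them."""
    return [(int(tag), suite) for tag, suite, _key in CRYPTO_RE.findall(sdp)]

def select_answer_crypto(sdp_offer, offered_suites):
    """Pick the (tag, suite) for the answer, or None if nothing matches."""
    if offered_suites == 0:
        # Assumption: with All, the first offered supported suite is taken.
        allowed = set(SUITES.values())
    elif offered_suites in SUITES:
        allowed = {SUITES[offered_suites]}
    else:
        raise ValueError(f"unsupported SRTPofferedSuites value: {offered_suites}")
    for tag, suite in parse_crypto_lines(sdp_offer):
        if suite in allowed:
            return tag, suite
    return None

if __name__ == "__main__":
    for value in (0, 1, 2, 32):
        print(value, select_answer_crypto(OFFER, value))
```

The returned tag is the one the answer must echo; the answerer supplies its own key on that line rather than reusing the offerer's.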

configure voip > sbc settings > sbc-dtls-mtu

[SbcDtlsMtu]

Defines the maximum transmission unit (MTU) size for the DTLS handshake. The device doesn't attempt to send handshake packets that are larger than the configured value. Adjusting the MTU is useful when there are network constraints on the size of packets that can be sent.

The valid value range is 228 to 1500. The default is 1400.

Note: The parameter is applicable only to the SBC application.

configure voip > sbc settings > dtls-time-between-transmissions

[DTLSTimeBetweenTransmissions]

Defines the minimum interval (in msec) that the device waits between transmission of DTLS packets in the same DTLS handshake. The configured value is applied in a "best-effort" manner (i.e., time between transmitted DTLS packets in the same handshake may differ due to constraints on the network layer and load on the device).

The valid value range is 0 (no forced delay between DTLS packet transmissions) to 100. The default is 5.

'Authentication on Transmitted RTP Packets'

configure voip > media security > RTP-authentication-disable-tx

[RTPAuthenticationDisableTx]

Enables authentication on transmitted RTP packets in a secured RTP session.

[0] Enable (default)
[1] Disable

'Encryption on Transmitted RTP Packets'

configure voip > media security > RTP-encryption-disable-tx

[RTPEncryptionDisableTx]

Enables encryption on transmitted RTP packets in a secured RTP session.

[0] Enable (default)
[1] Disable

'Encryption on Transmitted RTCP Packets'

configure voip > media security > RTCP-encryption-disable-tx

[RTCPEncryptionDisableTx]

Enables encryption on transmitted RTCP packets (outgoing leg) in a secured RTP session (i.e., SRTCP). The device generates the cryptos.

[0] Enable (default)
[1] Disable

Note: The parameter is applicable only if the IP Profile parameter 'Encryption on RTCP Packets' is configured to As Is for the outgoing leg.

'SRTP Tunneling Authentication for RTP'

configure voip > media security > srtp-tnl-vld-rtp-auth

[SRTPTunnelingValidateRTPRxAuthentication]

Enables validation of SRTP tunneling authentication for RTP.

[0] Disable = (Default) The device doesn't perform any validation and forwards the packets as is.
[1] Enable = The device validates the packets (e.g., sequence number) and if successful, forwards the packets. If validation fails, it drops the packets.

Note:

The parameter is applicable only to SRTP-to-SRTP calls and when both endpoints use the same authentication keys.

'SRTP Tunneling Authentication for RTCP'

configure voip > media security > srtp-tnl-vld-rtcp-auth

[SRTPTunnelingValidateRTCPRxAuthentication]

Enables validation of SRTP tunneling authentication for RTCP.

[0] Disable = (Default) The device doesn't perform any validation and forwards the packets as is.
[1] Enable = The device validates the packets (e.g., sequence number) and if successful, forwards the packets. If validation fails, it drops the packets.

Note:

The parameter is applicable only to SRTP-to-SRTP calls and when both endpoints use the same authentication keys.

configure voip > sip-definition settings > srtp-state-behavior-mode

[ResetSRTPStateUponRekey]

Global parameter that enables synchronization of the SRTP state between the device and a server when a new SRTP key is generated upon SIP session expiry. You can also configure this feature per specific calls, using IP Profiles ('Reset SRTP Upon Re-key' parameter). For a detailed description of the parameter and for configuring this feature in the IP Profiles table, see Configuring IP Profiles.

Note:

If you configure this feature for a specific IP Profile, the device ignores this global parameter for calls associated with the IP Profile.
This parameter resets the SRTP stream on both legs. If you want the device to reset only the SRTP stream with the leg (call party) that changed the crypto key, enable this parameter and the [SrtpResetTxRxSeparately] parameter (below).

configure voip > media security > srtp-reset-tx-rx-separately

[SrtpResetTxRxSeparately]

Enables the device to reset only the SRTP stream (roll-over counter / ROC index and other SRTP fields) with the call party that changed the SRTP key (‘a=crypto’ line in SDP body) during a call. It doesn't reset the SRTP stream with the other call party. The SRTP key is sometimes updated by the call party, using a SIP re-INVITE message (for example, due to a session refresh).

[0] = (Default) Disabled
[1] = Enabled

Note:

For this functionality, you also need to enable the 'Reset SRTP Upon Re-key' (ResetSRTPStateUponRekey) parameter.
If the [SrtpResetTxRxSeparately] parameter is disabled and the 'Reset SRTP Upon Re-key' parameter is enabled, the device resets the SRTP stream of both call parties if the key is changed.
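A configuration check built from the values documented above, as an added example (not vendor code). It assumes the settings are exported as `Name = Value` lines with `;` comments and `[Section]` headers; the sample files, the section name and the policy of flagging 32-bit authentication tags are this example's own.

```python
# (ini parameter, values to flag, finding). All five default to 0 in the table.
RULES = [
    ("EnableMediaSecurity", {0}, "SRTP is disabled"),
    ("RTPAuthenticationDisableTx", {1}, "transmitted RTP is not authenticated"),
    ("RTPEncryptionDisableTx", {1}, "transmitted RTP is not encrypted"),
    ("RTCPEncryptionDisableTx", {1}, "transmitted RTCP is not encrypted"),
    # 0 = All, 2 and 16 = suites with a 32-bit HMAC-SHA1 tag.
    ("SRTPofferedSuites", {0, 2, 16}, "a 32-bit auth tag suite can be offered"),
]

# Constructed sample exports (hypothetical section name).
WEAK = """
; constructed sample
[MediaSecurity]
EnableMediaSecurity = 1
RTPAuthenticationDisableTx = 1   ; authentication switched off
"""
HARDENED = """
[MediaSecurity]
EnableMediaSecurity = 1
SRTPofferedSuites = 1
"""

def parse_ini(text):
    """Return {lowercased name: int value} for every numeric Name = Value line."""
    params = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if value.isdigit():
            params[name.lower()] = int(value)
    return params

def audit(text):
    """Return [(parameter, value, 'set' or 'default', finding), ...]."""
    params = parse_ini(text)
    findings = []
    for name, flagged, finding in RULES:
        key = name.lower()
        value = params.get(key, 0)               # documented default is 0
        if value in flagged:
            source = "set" if key in params else "default"
            findings.append((name, value, source, finding))
    return findings

if __name__ == "__main__":
    for row in audit(WEAK):
        print(row)
```

Because a missing parameter falls back to its documented default, an empty file is reported as SRTP disabled with all suites offered.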