This documentation has been moved
Configuring SIP Support for SRTP
Downloads: This chapterpdf (PDF - 256.0KB) The complete bookPDF (PDF - 5.38MB) | Feedback

Configuring SIP Support for SRTP

Table Of Contents

Configuring SIP Support for SRTP

Finding Feature Information

Contents

Prerequisites for Configuring SIP Support for SRTP

Restrictions for Configuring SIP Support for SRTP

Information About Configuring SIP Support for SRTP

Cryptographic Parameters

SDP Negotiation

Call Control and Signaling

Default and Recommended SRTP Settings

Generating Master Keys

SRTP Offer and Answer Exchange

Rekeying Rules

Call-Feature Interactions

Call Hold

Signaling Forking

Call Redirection

Call Transfer

T.38 Fax

Conferencing Calls

How to Configure SIP Support for SRTP

Configuring SIPS Globally

Configuring SIPS on a Dial Peer

Configuring SRTP and SRTP Fallback Globally

Configuring SRTP and SRTP Fallback on a Dial Peer

Configuration Examples for Configuring SIP Support for SRTP

Additional References

Related Documents

RFCs

MIBs

Technical Assistance

Feature Information for Configuring SIP Support for SRTP

Glossary


Configuring SIP Support for SRTP


First Published: June 29, 2007
Last Updated: August 5, 2009

This module contains information about configuring Session Initiation Protocol (SIP) support for the Secure Real-time Transport Protocol (SRTP). SRTP is an extension of the Real-time Transport Protocol (RTP) Audio/Video Profile (AVP) and ensures the integrity of RTP and Real-Time Control Protocol (RTCP) packets that provide authentication, encryption, and the integrity of media packets between SIP endpoints.

SIP support for SRTP was introduced in Cisco IOS Release 12.4(15)T. In this and later releases, you can configure the handling of secure RTP calls on both a global level and on an individual dial peer basis on Cisco IOS voice gateways. You can also configure the gateway (or dial peer) either to fall back to (nonsecure) RTP or to reject (fail) the call for cases where an endpoint does not support SRTP.

The option to allow negotiation between SRTP and RTP endpoints was added for Cisco IOS Release 12.4(20)T and later releases, as was interoperability of SIP support for SRTP on Cisco IOS voice gateways with Cisco Unified Communications Manager. In Cisco IOS Release 12.4(22)T and later releases, you can configure SIP support for SRTP on Cisco Unified Border Elements (Cisco UBEs), as well.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring SIP Support for SRTP" section.

Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

Contents

Prerequisites for Configuring SIP Support for SRTP

Restrictions for Configuring SIP Support for SRTP

Information About Configuring SIP Support for SRTP

How to Configure SIP Support for SRTP

Configuring SRTP and SRTP Fallback on a Dial Peer

Additional References

Feature Information for Configuring SIP Support for SRTP

Glossary

Prerequisites for Configuring SIP Support for SRTP

Establish a working IP network and configure VoIP.


Note For information about configuring VoIP, see Enhancements to the Session Initiation Protocol for VoIP on Cisco Access Platforms.


Ensure that the gateway has voice functionality configured for SIP.

Ensure that your Cisco router has adequate memory.

As necessary, configure the router to use Greenwich Mean Time (GMT). SIP requires that all times be sent in GMT. SIP INVITE messages are sent in GMT. However, the default for routers is to use Coordinated Universal Time (UTC). To configure the router to use GMT, issue the clock timezone command in global configuration mode and specify GMT.

Restrictions for Configuring SIP Support for SRTP

The SIP gateway does not support codecs other than those listed in the table titled "SIP Codec Support by Platform and Cisco IOS Release" in the "Enhanced Codec Support for SIP Using Dynamic Payloads" section of the Configuring SIP QoS Features module.

SIP requires that all times be sent in GMT.

Information About Configuring SIP Support for SRTP

The SIP Support for SRTP features use encryption to secure the media flow between two SIP endpoints. Cisco IOS voice gateways and Cisco Unified Border Elements use the Digest method for user authentication and, typically, they use Transport Layer Security (TLS) for signaling authentication and encryption.


Note To provide more flexibility, TLS signaling encryption is no longer required for SIP support of SRTP in Cisco IOS Release 12.4(22)T and later releases. Secure SIP (SIPS) is still used to establish and determine TLS but TLS is no longer a requirement for SRTP, which means calls established with SIP only (and not SIPS) can still successfully negotiate SRTP without TLS signaling encryption. This also means you could configure encryption using a different protocol, such as IPsec.

However, Cisco does not recommend configuring SIP support for SRTP without TLS signaling encryption because doing so compromises the intent of forcing media encryption (SRTP).


When TLS is used, the cryptographic parameters required to successfully negotiate SRTP rely on the cryptographic attribute in the Session Description Protocol (SDP). To ensure the integrity of cryptographic parameters across a network, SRTP uses the SIPS schema (sips:example.com). If the Cisco IOS voice gateway or Cisco Unified Border Element is configured to use TLS encryption and sends an invite to an endpoint that cannot provide TLS support, that endpoint rejects the INVITE message. For cases like these, you can configure the gateway or Cisco UBE either to fall back to an RTP-only call or to reject the call.

The SIP support for SRTP features provide the following security benefits:

Confidentiality of RTP packets—protects packet-payloads from being read by unapproved entities but does so without authorized entities having to enter a secret encryption key.

Message authentication of RTP packets—protects the integrity of the packet against forgery, alteration, or replacement.

Replay protection—protects the session address against denial of service attacks.

Table 1 describes the security level of SIP INVITE messages according to which of the four possible combinations of TLS and SRTP is configured.

Table 1 TLS-SRTP Combinations 

TLS
SRTP
Description

On

On

Signaling and media are secure.

Off

On

Signaling is insecure:

If you use the srtp fallback command, the gateway sends an RTP-only SDP.

If you do not configure the srtp fallback command, the call fails and the gateway does not send an INVITE message.

Note In Cisco IOS Release 12.4(20)T and later releases (and, for Cisco UBEs, in Cisco IOS Release 12.4(22)T and later releases), calls established with SRTP only (and not SIPS) will succeed even if the srtp fallback command is not configured.

On

Off

RTP-only call.

Off

Off

Signaling and media are not secure.


Cryptographic Parameters

RFC 3711 defines the SRTP cryptographic parameters, including valid syntax and values for attribute a=crypto (see Table 2). Some of these parameters are declarative and apply only to the send direction of the declarer, while others are negotiable and apply to both send and receive directions.

The following shows the cryptographic attribute syntax:

a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]

Table 2 summarizes the syntax for the cryptographic attribute.

Table 2 Cryptographic Attribute Syntax 

Attribute
Optional
Description

tag

No

The tag attribute is a unique decimal number used as an identifier for a particular cryptographic attribute to determine which of the several offered cryptographic attributes was chosen by the answerer.

crypto-suite

No

The crypto-suite attribute defines the encryption and authentication algorithm. Cisco IOS voice gateways and Cisco UBEs support default suite AES_CM_128_HMAC_SHA1_32 (AES-CM encryption with a 128-bit key and HMAC-SHA1 message authentication with a 32-bit tag).

key-params

No

"inline:" <key| |salt> ["|" lifetime] ["|" MKI ":" length]

key| | salt is base64 encoded contacted master key and salt.

session-params

Yes

The session-params attribute is specific to a given transport and is optional. The gateway does not generate any session-params in an outgoing INVITE message, nor will the SDP library parse them.


SDP Negotiation

To allow calls to succeed between endpoints that do not support SRTP, you can enable SIP support for SRTP by configuring the srtp command but you can also enable fall back to the RTP mechanism in cases where SRTP is not supported by one or both endpoints. To configure a Cisco IOS voice gateway or Cisco Unified Border Element to fall back to RTP when SRTP is not supported, configure the srtp fallback command either globally or for an individual dial peer.

When the srtp command is enabled, the offer SDP in the INVITE message has only one m line for the RTP/SAVP (RTP/Secure AVP) transport type. If a called endpoint does not support SRTP, the call fails with a 4xx error. However, if you configure the srtp fallback command, the gateway generates another INVITE message with an RTP-only offer instead of simply allowing the call to fail.


Note In Cisco IOS Release 12.4(20)T and later releases (and, for Cisco UBEs, in Cisco IOS Release 12.4(22)T and later releases), calls established with SRTP only (and not SIPS) will succeed even if the srtp fallback command is not configured.


When the gateway or Cisco Unified Border Element is the called endpoint, it will accept an offer with an m line value of SRTP-only, RTP-only, or both SRTP and RTP. For calls with two m lines (SRTP and RTP), the negotiation depends on the configuration of the inbound dial peer or global configuration. Only one m line negotiates—the port number in the other m line is set to 0.

Table 3 summarizes the behavior of the gateway during negotiation.

Table 3 Gateway Behavior During Negotiations 

Dial Peer Configuration
INVITE Message Received with SRTP
INVITE Message Received with SRTP and RTP
INVITE Message Received with RTP

SRTP only

SRTP call.

SRTP call, port number in m line of RTP set to 0.

488 (unacceptable media).

SRTP with fallback

SRTP call.

SRTP call, port number in m line of RTP set to 0.

RTP call, port number in m line of SRTP set to 0.

No SRTP

488 (unacceptable media).

RTP call, port number in m line of SRTP set to 0.

RTP call.


The following example shows an offer SDP with two m lines that use the cryptographic attribute for the RTP/SAVP media transport type:

v=0
o=CiscoSystemsSIP-GW-UserAgent 7826 3751 IN IP4 172.18.193.98
s=SIP Call
c=IN IP4 172.18.193.98
t=0 0
m=audio 1789 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=audio 51372 RTP/SAVP 0
a=rtpmap:0 PCMU/8000
a=crypto:1 AES_CM_128_HMAC_SHA1_32    
inline:d0RmdmcmVCspeEc3QGZiNWpVLFJhQX1cfHAwJSoj|2^20|1:32 

The following example shows the corresponding answer SDP with SRTP supported:

v=0
o=CiscoSystemsSIP-GW-UserAgent 7826 3751 IN IP4 172.18.193.98
s=SIP Call
c=IN IP4 172.18.193.98
t=0 0
m=audio 0 RTP/AVP 0
a=rtpmap:0 PCMU/8000
m=audio 49170 RTP/SAVP 0 
a=crypto:1 AES_CM_128_HMAC_SHA1_32   
inline:NzB4d1BINUAvLEw6UzF3WSJ+PSdFcGdUJShpX1Zj|2^20|1:32

Call Control and Signaling

SIP uses the SRTP library to receive cryptographic keys. If you configure SRTP for the call and cryptographic context is supported, SDP offers the cryptographic parameters. If the cryptographic parameters are negotiated successfully, the parameters are downloaded to the DSP, which encrypts and decrypts the packets. The sender encrypts the payload by using the AES algorithm and builds an authentication tag, which is encapsulated to the RTP packet. The receiver verifies the authentication tag and then decrypts the payload.

Default and Recommended SRTP Settings

Table 4 lists the default and recommended SRTP settings.

Table 4 Default and Recommended SRTP Settings 

Parameter
Default
Recommended Value

Key derivation rate

0

0—Rekeying is supported

Master key length

128 bits

128 bits

Master salt key length

112 bits

112 bits

MKI indicator

0

0

MKI length

0

0

PRF

AES_CM

128

Session authentication key length

128

128

Session encryption key length

128 bits

128 bits

Session salt key length

112

112

SRTP authentication

HMAC-SHA1

HMAC-SHA1

SRTCP authentication

HMAC-SHA1

HMAC-SHA1

SRTP cipher

AES_CM

AES_CM

SRTCP cipher

AES_CM

NULL

SRTP HMAC tag length

80

32 (voice)—Supported

80 (other)—Not supported

SRTCP HMAC tag length

80

80

SRTP packets maximum lifetime

2^48 packets

2^48 packets

SRTCP packets maximum lifetime

2^31 packets

2^31 packets

SRTP replay-window size

64

64—Not supported

SRTCP replay-window size

64

64—Not supported


Before an SRTP session can be established on a Cisco IOS voice gateway or Cisco UBE, the following cryptographic information must be exchanged in SDP between the two endpoints:

Crypto suite—crypto algorithm {AES_CM_128_HMAC_SHA1_32} and the supported codec list {g711, G729, G729a}. There could be one or more crypto suites. Cisco IOS Release 12.4(15)T supports only one crypto suite.

Crypto context—16-byte master key and a 14-byte master salt.

Generating Master Keys

The SRTP library provides an application program interface (API), srtp_generate_master_key, to generate a random master key. For encryption and authentication purposes, the key length is 128 bits (master key and session keys). Additionally, RFC 3711 introduces "salting keys"—master salts and sessions salts—and strongly recommends the use of a master salt in the key derivation of session keys. The salting keys (salts) are used to fight against pre-computation and time-memory tradeoff attacks.

The master salt (also known as the n-bit SRTP key) prevents off-line key-collision attacks on the key derivation and, when used, must be random (but can be public). The master salt is derived from the master key and is used in the key derivation of session keys. Session salts, in turn, are used in encryption to counter various attacks against additive stream ciphers. All salting keys (master salt and session salts) are 112 bits.

SRTP Offer and Answer Exchange

If you configure the gateway for SRTP (globally or on an individual dial peer) and end-to-end TLS, an outgoing INVITE message has cryptographic parameters in the SDP.

If you use the srtp fallback command and the called endpoint does not support SRTP (offer is rejected with a 4xx class error response), the gateway or Cisco Unified Border Element sends an RTP offer SDP in a new INVITE request. If you do not configure the srtp fallback command, the call fails.


Note In Cisco IOS Release 12.4(20)T and later releases (and, for Cisco UBEs, in Cisco IOS Release 12.4(22)T and later releases), calls established with SRTP only (and not SIPS) will succeed even if the srtp fallback command is not configured.


When a gateway or Cisco Unified Border Element receives an SRTP offer, negotiation is based on the inbound dial peer if specified and, if not, the global configuration. If multiple cryptographic attributes are offered, the gateway selects an SRTP offer it supports (AES_CM_128_HMAC_SHA1_32). The cryptographic attribute will include the following:

The tag and same crypto suite from the accepted cryptographic attribute in the offer.

A unique key the gateway generates from the SRTP library API.

Any negotiated session parameters and its own set of declarative parameters, if any.

If this cryptographic suite is not in the list of offered attributes, or if none of the attributes are valid, the SRTP negotiation fails. If the INVITE message contains an alternative RTP offer, the gateway (or Cisco UBE) negotiates and the call falls back to (nonsecure) RTP mode. If there is no alternative offer and the SRTP negotiation fails, the INVITE message is rejected with a 488 error (Not Acceptable Media).

Rekeying Rules

There is no rekeying on an SRTP stream. A REINVITE/UPDATE message is used in an established SIP call to update media-related information (codec, destination address, and port number) or other features, such as call-hold. A new key need only be generated if the offer SDP has a new connection address or port. Because the source connection address and port do not change, the gateway or Cisco UBE will not generate a new master key after a key has been established for an SRTP session.

Call-Feature Interactions

This section describes call-feature interactions when SIP Support for SRTP features are configured.

Call Hold

If a gateway receives a call hold REINVITE message after an initial call setup is secured, the gateway places the existing SRTP stream on hold, and its answer in the 200 OK message depends on the offer SDP. If there is a cryptographic attribute in the offer, the gateway responds with a cryptographic attribute in its answer.

Signaling Forking

A proxy can fork an INVITE message that contains an SRTP offer, which can result in multiple SRTP streams until a 200 OK message is received. Because the gateway always honors the last answer, the gateway deletes previous SRTP streams and creates a new stream to the latest endpoint. Other endpoints might also stream to the gateway, but because the DSP knows only the last streams's cryptographic suite and key, authentication on these packets fails, and the packets are dropped.

Call Redirection

A gateway redirects a call when an INVITE message, sent to a proxy or redirect server, results in a 3xx response with a list of redirected contact addresses. The gateway handles a 3xx response based on the schema in the contact of a 3xx message. If the message is SIP, and you configure the call for SRTP with fallback, the gateway offers an SRTP-only redirected INVITE message. If you configure for SRTP only, the offer is SRTP only.

If the schema is SIP, and you use the srtp fallback command to configure the call for RTP with fallback, the INVITE message has an RTP offer. If you do not configure the srtp fallback command, the call fails.


Note In Cisco IOS Release 12.4(20)T and later releases (and, for Cisco UBEs, in Cisco IOS Release 12.4(22)T and later releases), calls established with SRTP only (and not SIPS) will succeed even if the srtp fallback command is not configured.


Call Transfer

The SIP Support for SRTP feature interaction with call transfer depends on your outbound dial peer or global configuration. During a call transfer, the gateway sends an INVITE message to establish the connection to the transfer target. The gateway includes an SRTP offer in the INVITE message if the outbound dial peer or global configuration includes the SRTP offer.

T.38 Fax

The T.38 transport supported is User Datagram Protocol (UDP). A T.38 call is initiated as a voice call, which can be RTP or SRTP, and when it switches to T.38 fax mode, the fax call is not secure. When the fax is switched back to voice, the call returns to its initial voice state.

Conferencing Calls

For conferencing calls, the incoming INVITE message does not match any inbound dial peer and the message body is sent to the application in a container. The conferencing application performs the necessary negotiation and replies through PROGRESS or CONNECT events.

How to Configure SIP Support for SRTP

Before configuring SIP support for SRTP on a gateway or Cisco Unified Border Element, it is strongly recommended you first configure SIPS either globally or on an individual dial peer basis. The configuration on a dial peer overrides the global configuration.

This section contains the following configurations:

Configuring SIPS Globally (optional)

Configuring SIPS on a Dial Peer (optional)

Configuring SRTP and SRTP Fallback Globally (required)

Configuring SRTP and SRTP Fallback on a Dial Peer (optional)

Configuring SIPS Globally

To configure secure SIP (SIPS) globally on a Cisco IOS voice gateway or Cisco Unified Border Element, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. voice service {pots | voatm | vofr | voip}

4. sip

5. url sips

6. exit

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

voice service {pots | voatm | vofr | voip}

Example:

Router(config)# voice service voip

Enters voice service configuration mode.

Step 4 

sip

Example:

Router(conf-voi-serv)# sip

Enters SIP configuration mode.

Step 5 

url sips

Example:

Router(conf-serv-sip)# url sips

Specifies generation of URLs in SIPS format for VoIP calls for all dial peers on the voice gateway or Cisco UBE.

Step 6 

exit

Example:

Router(conf-serv-sip)# exit

Exits the current mode.

DETAILED STEPS

Configuring SIPS on a Dial Peer

To configure secure SIP (SIPS) on an individual dial peer, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. dial-peer voice tag {pots | vofr | voip}

4. voice-class sip url sips

5. exit

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

dial-peer voice tag {pots | vofr | voip}

Example:

Router(config)# dial-peer voice 111 voip

Enters dial peer voice configuration mode.

Step 4 

voice-class sip url sips

Example:

Router(config-dial-peer)# voice-class sip url sips

Specifies configuration of URLs in SIPS format for VoIP calls for a specific dial peer.

Step 5 

exit

Example:

Router(config-dial-peer)# exit

Exits the current mode.

DETAILED STEPS

Configuring SRTP and SRTP Fallback Globally

To configure SRTP and SRTP fallback behavior globally on a Cisco IOS voice gateway or Cisco Unified Border Element, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. voice service {pots | voatm | vofr | voip}

4. srtp

5. srtp fallback

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

voice service {pots | voatm | vofr | voip}

Example:

Router(config)# voice service voip

Enters voice service configuration mode.

Step 4 

srtp

Example:

Router(conf-voi-serv)# srtp

Configures secure RTP calls.

Step 5 

srtp fallback

Example:

Router(conf-voi-serv)# srtp fallback

Configures a fallback to RTP calls in case secure RTP calls fail due to lack of support from an endpoint.

Step 6 

exit

Example:

Router(conf-voi-serv)# exit

Exits the current mode.

Configuring SRTP and SRTP Fallback on a Dial Peer

To configure SRTP and SRTP fallback behavior on an individual dial peer that overrides the global SRTP configuration, perform the following steps.

SUMMARY STEPS

1. enable

2. configure terminal

3. dial-peer voice tag {pots | vofr | voip}

4. srtp

5. srtp fallback

6. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

dial-peer voice tag {pots | vofr | voip}

Example:

Router(config)# dial-peer voice 111 voip

Enters dial peer voice configuration mode.

Step 4 

srtp

Example:

Router(config-dial-peer)# srtp

Configures secure RTP calls.

Step 5 

srtp fallback

Example:

Router(config-dial-peer)# srtp fallback

Configures a fallback to RTP calls in case secure RTP calls fail due to lack of support from an endpoint.

Step 6 

exit

Example:

Router(config-dial-peer)# exit

Exits the current mode.

Configuration Examples for Configuring SIP Support for SRTP

The following example shows how to configure SIPS globally on a Cisco IOS voice gateway or Cisco Unified Border Element:

Router> enable 
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# voice service voip 
Router(conf-voi-serv)# sip
Router(conf-serv-sip)# url sips
Router(conf-serv-sip)# exit

The following example shows how to configure SIPS on dial peer 111:

Router> enable 
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# dial-peer voice 111 voip 
Router(config-dial-peer)# voice-class sip url sips
Router(config-dial-peer)# exit

The following example shows how to configure for SRTP with fallback to RTP globally on a Cisco IOS voice gateway or Cisco Unified Border Element:

Router> enable 
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# voice service voip 
Router(conf-voi-serv)# srtp
Router(conf-voi-serv)# srtp fallback
Router(conf-voi-serv)# exit

The following example shows how to configure for SRTP with fallback to RTP on dial peer 111:

Router> enable 
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# dial-peer voice 111 voip 
Router(config-dial-peer)# srtp
Router(config-dial-peer)# srtp fallback
Router(config-dial-peer)# exit

Additional References

The following sections provide references related to configuring the SIP Support for SRTP features.

Related Documents

Related Topic
Document Title

Cisco IOS dial peer overview

Dial Peer Overview

Cisco IOS dial technologies command information

Cisco IOS Dial Technologies Command Reference

Cisco IOS SIP features, listed by release

SIP Features Roadmap

Cisco IOS SIP overview and related documents

Overview of SIP

Cisco IOS software configuration guides

Cisco IOS Dial Technologies Configuration Guide

Cisco IOS SIP Configuration Guide

Note To locate the configuration guide specific to your Cisco IOS software release, choose the Cisco IOS and NX-OS Software category on the Product Support page and navigate according to your release (http://www.cisco.com/web/psa/products/index.html).

Cisco IOS voice command information

Cisco IOS Voice Command Reference

Cisco IOS voice configuration information

Cisco IOS Voice Configuration Library

Cisco Unified Border Element configuration information

Cisco Unified Border Element Configuration Guide

Cisco Unified CME command information

Cisco Unified Communications Manager Express Command Reference

Cisco Unified CME configuration information

Cisco Unified CME Support Documentation Home Page


RFCs

RFC
 

draft-ietf-mmusic-sdescriptions-08.txt

Session Description Protocol Security Descriptions for Media Streams

RFC 3263

Session Initiation Protocol (SIP): Locating SIP Servers

RFC 3711

The Secure Real-time Transport Protocol (SRTP)


MIBs

MIB
MIBs Link

None

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


Technical Assistance

Description
Link

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

http://www.cisco.com/techsupport


Feature Information for Configuring SIP Support for SRTP

Table 5 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or Cisco IOS Releases 12.2(1) or 12.0(3)S or a later release appear in the table.

For information on a feature in this technology that is not documented here, see the Cisco IOS SIP Features Roadmap module at http://www.cisco.com/en/US/docs/ios/voice/sip/configuration/guide/sip_cg-roadmap.html.

Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.

Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.


Note Table 5 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release. Unless noted otherwise, subsequent releases of that Cisco IOS software release also support that feature.


Table 5 Feature Information for Configuring SIP Support for SRTP 

Feature Name
Releases
Feature Information

SIP Support for SRTP

12.4(15)T

This feature introduces SIP support for supplementary services features, such as call hold, call transfer, call waiting, and call conference (3WC) using hook flash (HF) for FXS phones on Cisco IOS voice gateways.

The following commands were introduced or modified:
srtp, srtp fallback.

SIP SRTP Fallback to Nonsecure RTP

12.4(15)XY
12.4(20)T

This feature extends the existing SRTP to RTP fallback on Cisco IOS voice gateways to support a delayed offer and adds support for SRTP over SIP.

The following commands were introduced or modified:
srtp negotiate, voice-class sip srtp negotiate.

Interworking of Secure RTP calls for SIP and H323

12.4(20)T

This feature provides an option for a Secure RTP (SRTP) call to be connected from H323 to SIP and from SIP to SIP. Additionally, this feature extends SRTP fallback support from the Cisco IOS voice gateway to the Cisco Unified Border Element.

This feature uses no new or modified commands.

SIP SRTP Fallback to Nonsecure RTP for Cisco Unified Border Elements

12.4(22)T

This feature adds support for both SRTP to RTP fallback with a delayed offer and SRTP over SIP to the Cisco Unified Border Element.

This feature uses no new or modified commands.

Cisco Unified Border Element Support for SRTP-RTP Internetworking

12.4(22)YB

This feature provides the ability to support interworking between SRTP on one IP leg and RTP on another IP leg of a Cisco Unified Border Element.

The following command was introduced or modified: tls.


Glossary

AVP—Audio/Video Profile.

CAC—Call Admission Control.

CME—Communications Manager Express.

CVP—Customer Voice Portal.

GW—gateway.

ISDN—Integrated Services Digital Network.

MIME—Multipurpose Internet Mail Extensions.

m line—The media-level section of an SDP session begins and ends with an "m" line that confines the information about the media stream.

MOH—music on hold.

OGW—originating gateway (ingress gateway).

PBX—Private Branch Exchange.

PINX—private integrated services network exchange.

PISN—private integrated services network.

QoS—quality of service.

QSIG—Q Signaling protocol.

RSVP—Resource Reservation Protocol.

RTP—Real-time Transport Protocol.

SDP—Session Description Protocol.

SIP—Session Initiation Protocol.

SRTP—Secure Real-time Transport Protocol.

TDM—time-division multiplexing.

TGW—terminating gateway (egress gateway).

UA—user agent.

UDP—User Datagram Protocol.

URI—uniform resource identifier.