Cisco PGW 2200 Softswitch Secure Real-time Transport Protocol Support Feature Module

Table Of Contents

Cisco PGW 2200 Softswitch Secure Real-time Transport Protocol Support Feature Module

Feature Description

Feature Overview

Benefits

Prerequisites

Restrictions or Limitations

Related Features and Technology

Related Documents

Supported Standards, MIBs, and RFCs

Provisioning Tasks

Enabling SRTP on MGCP SigPaths

Enabling SRTP on SIP Trunk Groups

Enabling SRTP on TDM Trunk Groups

Provisioning Examples

Software Changes for This Feature

Properties

New Properties

Troubleshooting the Feature

Obtaining Documentation and Submitting a Service Request

Media Stream Type Determination

Glossary




Document Release History

Publication Date   Comments
June 2009          Initial release of document


Feature History

Release   Modification
9.8(1)    The Secure Real-time Transport Protocol Support feature is introduced on the Cisco PGW 2200 Softswitch.


This document describes the Secure Real-time Transport Protocol Support feature and includes the following sections:

Feature Description

Provisioning Tasks

Provisioning Examples

Software Changes for This Feature

Troubleshooting the Feature

Obtaining Documentation and Submitting a Service Request

Media Stream Type Determination

Glossary

Feature Description

Feature Overview

The Secure Real-time Transport Protocol Support feature enables the Cisco PGW 2200 Softswitch to handle MGCP-based TDM and SIP calls whose media is authenticated and encrypted with the Secure Real-time Transport Protocol (SRTP). This feature adds security to the media traffic in your network. The Cisco PGW 2200 Softswitch can fall back from SRTP to nonsecure Real-time Transport Protocol (RTP).


Note MGCP-based TDM calls are calls that originate from or terminate on MGCP-based TDM trunks. SIP calls are calls that originate from or terminate on SIP trunks.


Figure 1 shows a typical deployment for this feature. In this deployment, the Cisco PGW 2200 Softswitch communicates with the Cisco Unified Communications Manager (CUCM) over SIP trunks and connects to the PSTN over TDM trunks (PRI and ISUP interfaces). SRTP media streams terminate on endpoints or on SRTP-capable media gateways (Cisco AS5400 series universal gateways and a Cisco 3845 series integrated services router).

Figure 1 Typical Deployment for This Feature

Benefits

This feature provides the following benefits:

Supports SRTP on SIP and TDM trunks—Users can place the Cisco PGW 2200 Softswitch into a solution where SRTP stream handling is a stated requirement. This can be particularly important when the Cisco PGW 2200 Softswitch is switching calls in an environment with a mixture of both fixed and mobile end devices.

Controls whether SRTP is supported at the trunk group level (SIP and TDM) or the signaling service level (MGCP)—Users can allow or prohibit SRTP calls that come in on certain SIP or TDM trunks. They can also allow or prohibit SRTP calls over a certain MGCP signaling service. This feature enables the Cisco PGW 2200 Softswitch to determine whether an arriving SRTP call can be handled or must be rejected. If it is rejected, a reason code is given.

Interoperates with the SRTP-capable CUCM and Cisco AS5400 series universal gateways—This feature enables the Cisco PGW 2200 Softswitch to interoperate with other SRTP-capable devices, for example, the CUCM and Cisco AS5400 series universal gateways.

Handles mixes of nonsecure and secure calls—The Cisco PGW 2200 Softswitch can handle nonsecure and secure calls at the same time.

Switches out of SRTP into RTP (and vice versa)—Users can transfer a call from a secure end device to a nonsecure one.

Prerequisites

The CUCM must be running software Release 7.1(2) or higher.

Cisco AS5400 series universal gateways must be running Cisco IOS software Release 12.4(22)YB2 or higher.

The Cisco PGW 2200 Softswitch must be running software Release 9.8(1). Prerequisites for this release can be found in the Release Notes for the Cisco PGW 2200 Softswitch Release 9.8(1) at

http://www.cisco.com/en/US/docs/voice_ip_comm/pgw/9/release/note/rn981.html

Restrictions or Limitations

The Secure Real-time Transport Protocol Support feature has the limitation that the Cisco PGW 2200 Softswitch does not regenerate the SRTP key for media gateways during a call; the key negotiated at call setup remains in use for the life of the call.

Related Features and Technology

The following features are related to this feature:

MGCP Phase 1 feature (for Cisco AS5400 series universal gateways)

SIP Trunk SRTP feature (for CUCM)

Security for MGCP Gateways (for CUCM)

Related Documents

This document contains information that is strictly related to this feature. The documents that contain additional information related to the Cisco PGW 2200 Softswitch are at

http://www.cisco.com/en/US/products/hw/vcallcon/ps2027/tsd_products_support_series_home.html

The documents that contain additional information related to the CUCM are at

http://www.cisco.com/en/US/products/sw/voicesw/ps556/tsd_products_support_series_home.html

For information on SRTP configurations on Cisco AS5400 series universal gateways or Cisco 3845 series integrated services routers, see the Media and Signaling Authentication and Encryption Feature on Cisco IOS MGCP Gateways at

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gtsecure.html

Supported Standards, MIBs, and RFCs

This section describes the new or modified standards, MIBs, and RFCs that are supported by this feature.

Standards

No new or modified standards are supported by this feature.

MIBs

No new or modified MIBs are supported by this feature.

For more information on the MIBs used in the Cisco PGW 2200 Softswitch software, see the Cisco PGW 2200 Softswitch MIBs at

http://www.cisco.com/iam/PGW_MIBS/index.html

RFCs

RFC 3711—The Secure Real-time Transport Protocol (SRTP)

RFC 4568—Session Description Protocol (SDP) Security Descriptions for Media Streams

Internet-Drafts

Media Gateway Control Protocol Package for Secure Real-time Transport Protocol

Provisioning Tasks

This section describes the provisioning tasks for this feature.

SRTP-capable media gateways deliver SRTP media streams for the MGCP-based TDM and SIP calls. In the provisioning of this feature, you must first tell the Cisco PGW 2200 Softswitch that the media gateways support SRTP. Then you specify that SIP and TDM trunk groups support SRTP.

Enabling SRTP on MGCP SigPaths

Enabling SRTP on SIP Trunk Groups

Enabling SRTP on TDM Trunk Groups

For provisioning samples, see the "Provisioning Examples" section.

Enabling SRTP on MGCP SigPaths

To tell the Cisco PGW 2200 Softswitch that a media gateway supports SRTP, set the sRtpSupported property to 1 on the MGCP sigPath.

mml> prov-ed:sigsvcprop:name="as5400-path",srtpsupported="1"

Enabling SRTP on SIP Trunk Groups

To specify that a SIP trunk group supports SRTP, set the sRtpAllowed property to 1 in a SIP profile. Then attach the SIP profile to a SIP trunk group.

mml> prov-ed:profile:name="sipprf",srtpallowed="1"
mml> prov-add:trnkgrpprof:name="2000",profile="sipprf"

Enabling SRTP on TDM Trunk Groups

To specify that a TDM trunk group supports SRTP, set the sRtpAllowed property to 1 on a TDM trunk group.

mml> prov-ed:trnkgrpprop:name="8888",srtpallowed="1"

Provisioning Examples

This section provides a provisioning example for this feature. Additional provisioning examples for the Cisco PGW 2200 Softswitch can be found in the Cisco PGW 2200 Softswitch Release 9.8 Provisioning Guide.

________________________________________
; Add a SIP Profile with SRTP Support Enabled
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
prov-add:profile:name="sipprf",type="sipprofile",srtpallowed="1"

________________________________________
; Attach the SIP Profile to a SIP Trunk Group
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
prov-add:trnkgrpprof:name="2000",profile="sipprf"

________________________________________
; Enable SRTP Support on the TDM Trunk Group
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
prov-ed:trnkgrpprop:name="8888",srtpallowed="1"

________________________________________
; Add a Media Gateway 
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
prov-add:extnode:name="AS5400-1",desc="External Node AS5400-1",type="AS5400", 
isdnsigtype="N/A",group=0
prov-add:mgcppath:name="as5400-path",desc="Mgcppath signaling service to AS5400-1", 
extnode="AS5400-1"
prov-add:iplnk:name="as5400-path-1",desc="Iplnk-1 for as5400-path",port=2427,pri=1, 
peerAddr="10.10.1.1",peerPort=2427,ipAddr="IP_Addr1",svc="as5400-path"

________________________________________
; Enable SRTP Support on the Media Gateway
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
prov-ed:sigsvcprop:name="as5400-path",srtpsupported="1"

Software Changes for This Feature

This section describes property changes for this feature.

Properties

This section describes new and modified properties introduced for this feature. For information on other properties for the Cisco PGW 2200 Softswitch, see the Cisco PGW 2200 Softswitch Release 9.8 Provisioning Guide.

New Properties

Table 1 describes the new properties for this feature.

Table 1 New Properties for This Feature

sRtpAllowed
    Controls whether the trunk group supports SRTP. This property is provisioned as either a trunk group property or a SIP profile property.
    Valid values: boolean (0 = does not support, 1 = supports). Default value: 0. Dynamically reconfigurable: yes.

sRtpSupported
    Indicates whether a media gateway supports SRTP. This property is provisioned on an MGCP sigPath.
    Valid values: boolean (0 = does not support, 1 = supports). Default value: 0. Dynamically reconfigurable: yes.


Troubleshooting the Feature

This section describes the three troubleshooting situations for this feature.

SIP-to-TDM calls with delayed media do not have SRTP media streams. The LCO parameters of the MGCP CRCX message contain no SRTP cryptographic parameters.

Step 1  Check the sRtpAllowed property on the SIP profile of the incoming SIP trunk group.
        The sRtpAllowed property determines whether the SIP trunk group supports SRTP. Make sure it is set to 1. For provisioning examples, see the "Provisioning Examples" section.

Step 2  Check the sRtpSupported property on the outgoing MGCP sigPath.
        The sRtpSupported property determines whether a media gateway supports SRTP. Make sure it is set to 1. For provisioning examples, see the "Provisioning Examples" section.

Step 3  Check the SRTP configuration on the media gateways.
        Make sure you have enabled SRTP on your media gateways. For information on SRTP configurations on media gateways, see the "Related Documents" section.

TDM-to-SIP calls with early media do not have SRTP media streams. The outgoing SIP INVITE message contains no cryptographic parameters.

Step 1  Check the sRtpAllowed property on the SIP profile of the outgoing SIP trunk group.
        The sRtpAllowed property determines whether the trunk group supports SRTP. Make sure it is set to 1. For provisioning examples, see the "Provisioning Examples" section.

Step 2  Check the sRtpSupported property on the incoming MGCP sigPath.
        The sRtpSupported property determines whether a media gateway supports SRTP. Make sure it is set to 1. For provisioning examples, see the "Provisioning Examples" section.

Step 3  Check the SRTP configuration on the media gateways.
        Make sure you have enabled SRTP on your media gateways. For information on SRTP configurations on media gateways, see the "Related Documents" section.

TDM-to-TDM calls do not have SRTP media streams. The LCO parameters of the MGCP CRCX message contain no SRTP cryptographic parameters.

Step 1  Check the sRtpAllowed property on both the incoming and the outgoing TDM trunk groups.
        The sRtpAllowed property indicates whether the trunk group supports SRTP. Make sure it is set to 1 on both trunk groups. For provisioning examples, see the "Provisioning Examples" section.

Step 2  Check the sRtpSupported property on both the incoming and the outgoing MGCP sigPaths.
        The sRtpSupported property indicates whether a media gateway supports SRTP. Make sure it is set to 1 on both sigPaths. For provisioning examples, see the "Provisioning Examples" section.

Step 3  Check the SRTP configuration on the media gateways.
        Make sure you have enabled SRTP on your media gateways. For information on SRTP configurations on media gateways, see the "Related Documents" section.

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:

http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html

Subscribe to the What's New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS Version 2.0.

Media Stream Type Determination

This section contains additional information that you might find useful to understand the media stream type determination on the Cisco PGW 2200 Softswitch. The Cisco PGW 2200 Softswitch determines whether media gateways use RTP or SRTP to transport the media streams for SIP-to-TDM and TDM-to-SIP calls.

In each table, the columns on the left list the combinations of input message parameters and Cisco PGW 2200 Softswitch properties; the rightmost column, Media Stream Type, shows the determination that the Cisco PGW 2200 Softswitch makes for that combination. (In the printed version of the tables, a heavy vertical line separates the inputs from the determination.)

Table 2 describes the media stream type determination for SIP-to-TDM calls with delayed media. Table 3 describes the media stream type determination for SIP-to-TDM calls with early media. Table 4 describes the media stream type determination for TDM-to-SIP calls.

For example, the first row in Table 2 shows that if all three of the following requirements are met, the Cisco PGW 2200 Softswitch tells the media gateways to use SRTP to transport the media streams for SIP-to-TDM calls with delayed media:

The X-cisco-srtp-fallback tag is present in the SIP message.

The sRtpAllowed property is set to 1 in the SIP profile of the incoming SIP trunk groups.

The sRtpSupported property is set to 1 on the outgoing MGCP sigPath.

Table 2 Media Stream Type Determination for SIP-to-TDM Calls with Delayed Media

Columns: Tag = X-cisco-srtp-fallback tag present in the SIP message; sRtpAllowed = SIP profile of the incoming SIP trunk group; sRtpSupported = outgoing MGCP sigPath.

Tag           sRtpAllowed   sRtpSupported   Media Stream Type
Yes           1             1               SRTP
Other cases                                 RTP


Table 3 Media Stream Type Determination for SIP-to-TDM Calls with Early Media

Columns: Crypto = cryptographic parameters present in the SDP; Tag = X-cisco-srtp-fallback tag present in the SIP message; sRtpAllowed = SIP profile of the incoming SIP trunk group; sRtpSupported = outgoing MGCP sigPath.

Crypto   Tag   sRtpAllowed   sRtpSupported   Media Stream Type
Yes      Yes   1             1               SRTP
Yes      Yes   0             Any             Call rejected with 488 error
Yes      Yes   Any           0               Call rejected with 488 error
No       Yes   Any           Any             RTP
Any      No    Any           Any             RTP


Table 4 Media Stream Type Determination for TDM-to-SIP Calls

Columns: sRtpSupported = incoming MGCP sigPath; sRtpAllowed = SIP profile of the outgoing SIP trunk group.

sRtpSupported   sRtpAllowed   Media Stream Type
1               1             SRTP
1               0             RTP
0               1             RTP
0               0             RTP
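
The decision rules of Tables 2, 3 and 4, together with the property checks of Steps 1 and 2 in the "Troubleshooting the Feature" section, modelled as an added Python example. This is not Cisco's code and is not part of the feature module: the function names, the `a=X-cisco-srtp-fallback` SDP spelling of the fallback tag (the document only says the tag is present "in the SIP message"), the constructed sample SDP and its dummy key are assumptions. The crypto-attribute parser follows the RFC 4568 `a=crypto:<tag> <crypto-suite> <key-params>` form cited under "Supported Standards, MIBs, and RFCs".

```python
"""Media stream type determination as described in Tables 2-4.

Added example, not Cisco's code.  Function names, the SDP spelling of the
fallback tag, and the constructed sample SDP are assumptions.
"""
import re

# RFC 4568 SDP security description line: a=crypto:<tag> <crypto-suite> <key-params>
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(inline:\S+)", re.MULTILINE)

# Assumed SDP attribute spelling of the Cisco fallback tag (an assumption; the
# feature module only states that the tag is present "in the SIP message").
FALLBACK_RE = re.compile(r"^a=X-cisco-srtp-fallback\s*$", re.MULTILINE | re.IGNORECASE)

# Constructed SDP offer with a dummy, non-functional key (not a real capture).
SAMPLE_SDP_SECURE = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/SAVP 0\r\n"
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:ZHVtbXlrZXlkdW1teWtleWR1bW15a2V5ZHVtbXk=\r\n"
    "a=X-cisco-srtp-fallback\r\n"
)
# Same offer without any security description or fallback tag (plain RTP).
SAMPLE_SDP_PLAIN = SAMPLE_SDP_SECURE.replace("RTP/SAVP", "RTP/AVP").split("a=crypto:")[0]


def sdp_has_crypto(sdp: str) -> bool:
    """True when the offer carries at least one RFC 4568 a=crypto attribute."""
    return CRYPTO_RE.search(sdp) is not None


def sdp_has_fallback_tag(sdp: str) -> bool:
    """True when the (assumed) X-cisco-srtp-fallback attribute is present."""
    return FALLBACK_RE.search(sdp) is not None


def sip_to_tdm_delayed(fallback_tag: bool, srtp_allowed: int, srtp_supported: int) -> str:
    """Table 2: SIP-to-TDM call with delayed media (no SDP in the INVITE)."""
    if fallback_tag and srtp_allowed == 1 and srtp_supported == 1:
        return "SRTP"
    return "RTP"  # "Other cases"


def sip_to_tdm_early(crypto_in_sdp: bool, fallback_tag: bool,
                     srtp_allowed: int, srtp_supported: int) -> str:
    """Table 3: SIP-to-TDM call with early media (SDP offer in the INVITE).

    Returns "SRTP", "RTP" or "488" (call rejected with a 488 error).
    """
    if not fallback_tag:      # row 5: no fallback tag -> RTP regardless of the rest
        return "RTP"
    if not crypto_in_sdp:     # row 4: tag present but no crypto parameters -> RTP
        return "RTP"
    if srtp_allowed != 1 or srtp_supported != 1:   # rows 2 and 3
        return "488"
    return "SRTP"             # row 1: everything lines up


def tdm_to_sip(srtp_supported: int, srtp_allowed: int) -> str:
    """Table 4: TDM-to-SIP call; SRTP only when both properties are 1."""
    return "SRTP" if srtp_supported == 1 and srtp_allowed == 1 else "RTP"


def diagnose_missing_srtp(fallback_tag: bool, srtp_allowed: int, srtp_supported: int) -> list:
    """Steps 1 and 2 of the troubleshooting tables: which provisioned value
    keeps a call on RTP.  Step 3 (gateway configuration) is outside the softswitch."""
    findings = []
    if srtp_allowed != 1:
        findings.append("Step 1: sRtpAllowed is not 1 on the SIP profile / trunk group")
    if srtp_supported != 1:
        findings.append("Step 2: sRtpSupported is not 1 on the MGCP sigPath")
    if not fallback_tag:
        findings.append("X-cisco-srtp-fallback tag is absent from the SIP message")
    return findings


def classify_offer(sdp: str, srtp_allowed: int, srtp_supported: int) -> str:
    """Run an early-media SIP-to-TDM offer through the Table 3 rules."""
    return sip_to_tdm_early(sdp_has_crypto(sdp), sdp_has_fallback_tag(sdp),
                            srtp_allowed, srtp_supported)


if __name__ == "__main__":
    print(classify_offer(SAMPLE_SDP_SECURE, 1, 1))   # SRTP
    print(classify_offer(SAMPLE_SDP_SECURE, 0, 1))   # 488
    print(classify_offer(SAMPLE_SDP_PLAIN, 1, 1))    # RTP
    print(diagnose_missing_srtp(True, 0, 1))
```

Note the asymmetry the example makes visible: with delayed media (Table 2) or a TDM-to-SIP call (Table 4) a mismatch quietly yields RTP, whereas an early-media offer that already carries crypto parameters and the fallback tag is rejected with 488 when either property is 0, so a misprovisioned `sRtpAllowed` or `sRtpSupported` shows up as failed calls rather than as silently unencrypted media.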


Glossary

Table 5 Expansions

Acronym   Expansion
CRCX      create connection
CUCM      Cisco Unified Communications Manager (formerly known as Cisco Unified CallManager)
LCO       local connection options
MDCX      modify connection
MGCP      Media Gateway Control Protocol
PGW       PSTN gateway
RTP       Real-time Transport Protocol
SIP       Session Initiation Protocol
SRTP      Secure Real-time Transport Protocol