Cisco Unified Border Element (SP Edition) Configuration Guide: Unified Model
Secure Media and SRTP Passthrough


Secure Media and SRTP Passthrough


Cisco Unified Border Element (SP Edition) supports two methods of handling encrypted media streams: Secure Real-Time Protocol (SRTP) Passthrough and Secure Media. SRTP Passthrough is the preferred method because it lets the endpoints themselves signal their encryption capabilities. The Secure Media method assumes that all endpoints use encrypted media streams, regardless of their actual capabilities.

Whichever method is used to configure the Cisco Unified Border Element (SP Edition) to accept encrypted media packets, the Cisco Unified Border Element (SP Edition) reserves additional bandwidth to ensure that these packets pass through. Typically, the bandwidth of a media stream is determined by the codecs that the endpoints use; encryption of the media stream, however, increases the packet size. As a rule of thumb, the bandwidth requirement is 10% more than that of the unencrypted codec. This increase is not reflected in the media flow statistics.

The Secure Media feature is enabled on the global level for all calls and is disabled by default. SRTP Passthrough can be configured on a granular basis using Call Admission Control (CAC) policy.

Cisco Unified Border Element (SP Edition) was formerly known as Integrated Session Border Controller and may be commonly referred to in this document as the session border controller (SBC).

For a complete description of commands used in this chapter, refer to the Cisco Unified Border Element (SP Edition) Command Reference: Unified Model at http://www.cisco.com/en/US/docs/ios/sbc/command/reference/sbcu_book.html.

For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.

Feature History for Secure Media and SRTP Passthrough

Release                    Modification
Cisco IOS XE Release 2.4   These features were introduced on the Cisco ASR 1000 Series Aggregation Services Routers for the unified model.


Contents

This module contains the following sections:

Prerequisites for Secure Media and SRTP Passthrough

Restrictions for Secure Media

Information About Secure Media

Information About SRTP Passthrough

Configuring Secure Media

Configuring SRTP Passthrough

Example of Configuring Secure Media

Example of Configuring SRTP Passthrough

Prerequisites for Secure Media and SRTP Passthrough

The following prerequisites are required to implement both features:

Before implementing the Secure Media and SRTP Passthrough features, Cisco Unified Border Element (SP Edition) must already be configured. See the procedures described in Chapter 2, "Configuring Cisco Unified Border Element (SP Edition)".

Restrictions for Secure Media

The following is a restriction for Secure Media:

With this feature enabled, RTCP related statistics displayed in the show sbc dbe media-flow-stats command are displayed as unknown.

Information About Secure Media

Typically, an endpoint indicates through the SIP signaling that the media traffic is encrypted. The encryption keys are exchanged either through the Session Description Protocol (SDP) or by using the Datagram Transport Layer Security (DTLS) mechanism. The Cisco Unified Border Element (SP Edition) can also interwork with endpoints that use encrypted media (DTLS or SRTP) but do not indicate this in the SIP signaling. A global configuration under the SBE submode indicates that the endpoints are using encrypted media without using SIP signaling to communicate and negotiate it. Because this configuration is applied at the global level, additional bandwidth is reserved and RTP and RTCP checking and validation are disabled even for flows that are not encrypted.

Information About SRTP Passthrough

Cisco Unified Border Element (SP Edition) supports SIP calls between endpoints that use Transport Layer Security (TLS) for SIP signaling encryption and Secure Real-Time Protocol (SRTP) for RTP media encryption. However, the two encryption mechanisms are not necessarily deployed together; which of them is used depends on the call flow invoked on the associated configuration.

Before delving further into SRTP Passthrough configuration, it is useful to understand two concepts: trusted versus untrusted, and encrypted versus unencrypted.

"Trusted" means that the associated adjacency is trusted to allow secure calls. Calls to a standard SIP: URI are accepted. Calls to a secure SIPS: URI are accepted and routed over a trusted adjacency (encrypted or unencrypted). "Untrusted" means that the associated adjacency is not trusted to carry secure calls. Calls to a standard SIP: URI are accepted. Calls to a secure SIPS: URI are rejected immediately.

"Encrypted" means that the associated adjacency uses TLS for SIP signaling, and "unencrypted" means that the associated adjacency does not use TLS for SIP signaling.

Trusted or untrusted is configured together with encrypted or unencrypted, giving the following four combinations. The combination is set with the security command:

untrusted-unencrypted: The adjacency is untrusted and unencrypted. The adjacency is not trusted to carry secure SIP calls (calls with SIPS URI) and it does not use TLS encryption for SIP signaling.

untrusted-encrypted: The adjacency is untrusted and encrypted. The adjacency is not trusted to carry secure SIP calls (calls with SIPS URI) and it does use TLS encryption for SIP signaling.

trusted-unencrypted: The adjacency is trusted and unencrypted. The adjacency is trusted to carry secure SIP calls (calls with SIPS URI) and it does not use TLS encryption for SIP signaling.

trusted-encrypted: The adjacency is trusted and encrypted. The adjacency is trusted to carry secure SIP calls (calls with SIPS URI) and it does use TLS encryption for SIP signaling.

When Cisco Unified Border Element (SP Edition) comes up, the default is to allow SRTP calls to pass through on the trusted interfaces.

The following are conditions of the SRTP Passthrough feature:

SRTP Passthrough must be configured on both legs of the call. If the target adjacency does not support SRTP Passthrough, the call is rejected with a 415 (Unsupported Media Type) error response.

The "m=... RTP/SAVP ..." and "a=crypto:..." fields that arrive in an INVITE from one adjacency are passed on in the INVITE sent to the target adjacency.

The "m=... RTP/SAVP ..." field is required in the INVITE to trigger SRTP Passthrough behavior in the SBC.

The following shows a sample SRTP INVITE and response call flow between endpoints, as described in RFC 4568.

Offerer sends:

      v=0
      o=sam 2890844526 2890842807 IN IP4 10.47.16.5
      s=SRTP Discussion
      i=A discussion of Secure RTP
      u=http://www.example.com/seminars/srtp.pdf
      e=marge@example.com (Marge Simpson)
      c=IN IP4 168.2.17.12
      t=2873397496 2873404696
      m=audio 49170 RTP/SAVP 0
      a=crypto:1 AES_CM_128_HMAC_SHA1_80
       inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4
       FEC_ORDER=FEC_SRTP
      a=crypto:2 F8_128_HMAC_SHA1_80
       inline:MTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5QUJjZGVm|2^20|1:4;
       inline:QUJjZGVmMTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5|2^20|2:4
       FEC_ORDER=FEC_SRTP

Answerer replies:

      v=0
      o=jill 25690844 8070842634 IN IP4 10.47.16.5
      s=SRTP Discussion
      i=A discussion of Secure RTP
      u=http://www.example.com/seminars/srtp.pdf
      e=homer@example.com (Homer Simpson)
      c=IN IP4 168.2.17.11
      t=2873397526 2873405696
      m=audio 32640 RTP/SAVP 0
      a=crypto:1 AES_CM_128_HMAC_SHA1_80
       inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:4

The following diagram illustrates an SRTP Passthrough Call Flow.

Figure 14-1 SRTP Passthrough Call Flow

The SRTP Passthrough feature defines a new Call Admission Control (CAC) entry variable, called "srtp transport," in the admission control table. If you configure the "srtp transport" variable, then CAC policy has the option to set the policy for the adjacency to either "allowed," "disallowed," or "trust only."

Calls using SRTP Passthrough are allowed on the adjacencies specified by the policy. Where there are conflicting policies, "disallowed" overrides "allowed" which overrides "trusted-only." If you configure the CAC policy, but you do not define the "srtp transport" variable, then the CAC policy takes the default value of "trusted-only" and restricts the SRTP calls between trusted endpoints.

For more information, see the transport srtp command, which sets the adjacency CAC policy. The no form of the command sets the "transport srtp" variable back to "trusted-only." The show sbc sbe cac-policy-set table entry command is modified to display an "SRTP Transport" field that shows whether the policy for the adjacency is to allow, disallow, or trust only for SRTP Transport.

You can set the CAC policy to allow SRTP passthrough and allow configuration of certain security policing, such as the following:

preventing secure calls on a given adjacency

ensuring that all media sent over a given adjacency is secure

ensuring that secure streams are signaled over secure SIP adjacencies.
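The adjacency trust rules, the RTP/SAVP trigger condition and the CAC precedence described above can be modelled as one admission decision. This is an added example, not Cisco code: the adjacency security strings, the `legs` structure that stands in for the CAC lookup, and the abridged SDP offers (taken from the RFC 4568 offer shown earlier) are assumptions made for illustration.

```python
import re

# Precedence when several matching CAC entries conflict: the lowest rank wins.
PRECEDENCE = {"disallowed": 0, "allowed": 1, "trusted-only": 2}

# Constructed sample offers (abridged from the RFC 4568 example); the
# a=crypto attribute is kept on one line, as it is on the wire.
SRTP_OFFER = """v=0
o=sam 2890844526 2890842807 IN IP4 10.47.16.5
s=SRTP Discussion
c=IN IP4 168.2.17.12
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4
"""
RTP_OFFER = SRTP_OFFER.replace("RTP/SAVP", "RTP/AVP").split("a=crypto")[0]


def resolve_srtp_policy(values):
    """Collapse the transport srtp values of every matching CAC entry.

    No configured value means the documented default, trusted-only."""
    return min(values, key=PRECEDENCE.__getitem__) if values else "trusted-only"


def leg_permits_srtp(security, values):
    """One call leg: the adjacency's security setting plus its CAC result."""
    effective = resolve_srtp_policy(values)
    if effective == "allowed":
        return True
    if effective == "trusted-only":
        return security.startswith("trusted")
    return False  # disallowed


def offer_requests_srtp(sdp):
    """An m= line with the RTP/SAVP profile is what triggers passthrough."""
    return any(re.match(r"m=\S+ \d+ RTP/SAVP\b", l.strip()) for l in sdp.splitlines())


def secure_lines(sdp):
    """The m= RTP/SAVP and a=crypto lines the SBC copies into the outbound INVITE."""
    return [l.strip() for l in sdp.splitlines()
            if re.match(r"(m=\S+ \d+ RTP/SAVP\b|a=crypto:\d+ )", l.strip())]


def admit(request_uri, sdp, legs):
    """Decide what the SBC does with an INVITE.

    legs: [(security, cac_values)] for the source and the target adjacency,
    e.g. ("trusted-encrypted", ["allowed"]); a hypothetical model structure."""
    if request_uri.lower().startswith("sips:") and any(
            s.startswith("untrusted") for s, _ in legs):
        return "reject: SIPS URI on an untrusted adjacency"
    if not offer_requests_srtp(sdp):
        return "forward: plain RTP, passthrough not triggered"
    if all(leg_permits_srtp(s, v) for s, v in legs):
        return "passthrough: " + "; ".join(secure_lines(sdp))
    return "reject: 415 Unsupported Media Type"


if __name__ == "__main__":
    print(admit("sip:homer@example.com", SRTP_OFFER,
                [("trusted-encrypted", []), ("untrusted-encrypted", ["allowed"])]))
```

The second leg in the stand-alone run is untrusted, so it only admits the SRTP call because a CAC entry explicitly set "allowed"; with no entry it would fall back to "trusted-only" and the call would get a 415.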

Configuring Secure Media

SUMMARY STEPS

1. configure

2. sbc sbc-name

3. sbe

4. secure-media

5. end

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

Router# configure

Enables global configuration mode.

Step 2 

sbc sbc-name

Example:

Router(config)# sbc mysbc

Creates the SBC service on Cisco Unified Border Element (SP Edition) and enters into SBC configuration mode.

Step 3 

sbe

Example:

Router(config-sbc)# sbe

Enters the mode of the signaling border element (SBE) function of the SBC.

Step 4 

secure-media

Example:

Router(config-sbc-sbe)# secure-media

Configures the SBC to treat every media flow as an encrypted media flow. This allows media packets, such as DTLS and SRTP packets, to pass through the SBC.

Step 5 

end

Example:

Router(config-sbc-sbe)# end

Exits SBE mode and returns to Privileged EXEC mode.

Configuring SRTP Passthrough

These steps show how to configure the CAC policy set to allow SRTP Passthrough.

SUMMARY STEPS

1. configure

2. sbc sbc-name

3. sbe

4. cac-policy-set policy-set-id

5. first-cac-scope scope-name

6. first-cac-table table-name

7. cac-table table-name

8. table-type limit list of limit tables

9. entry entry-id

10. match-value key

11. transport srtp [allowed | disallowed | trusted-only]

12. action [cac-complete | next-table goto-table-name]

13. exit

14. exit

15. complete

16. exit

17. active-cac-policy-set policy-set-id

18. end

19. show sbc sbc-name sbe cac-policy-set id table name entry entry

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

configure

Example:

Router# configure

Enables global configuration mode.

Step 2 

sbc sbc-name

Example:

Router(config)# sbc mysbc

Creates the SBC service on Cisco Unified Border Element (SP Edition) and enters into SBC configuration mode.

Step 3 

sbe

Example:

Router(config-sbc)# sbe

Enters the mode of the signaling border element (SBE) function of the SBC.

Step 4 

cac-policy-set policy-set-id

Example:

Router(config-sbc-sbe)# cac-policy-set 1

Enters the mode of CAC policy set configuration within an SBE entity, creating a new policy set if necessary.

policy-set-id—Integer chosen by the user to identify the policy set. The range is 1 - 2147483647.

Step 5 

first-cac-scope scope-name

Example:

Router(config-sbc-sbe-cacpolicy)# first-cac-scope call

Configures the scope at which limits are initially defined when performing the admission control stage of the policy. Each CAC policy has a scope that is applied to it. In this example, the CAC policy applies on a per-call basis.

scope-name has one of the following values:

adj-group—Limits for events from members of the same adjacency group.

call—Limits are per single call.

category—Limits per category.

dst-account—Limits for events sent to the same account.

dst-adj-group—Limits for events sent to the same adjacency group.

dst-adjacency—Limits for events sent to the same adjacency.

dst-number—Limits for events that have the same destination number.

global—Limits are global (cannot be combined with any other option).

src-account—Limits for events from the same account.

src-adj-group—Limits for events from the same adjacency group.

src-adjacency—Limits for events from the same adjacency.

src-number—Limits for events that have the same source number.

Step 6 

first-cac-table table-name

Example:

Router(config-sbc-sbe-cacpolicy)# first-cac-table testSecure

Configures the name of the first policy table to process. A CAC policy may have many tables configured. To start the application of the CAC policy, the first table that is used needs to be defined.

table-name—The admission control table that should be processed first.

Step 7 

cac-table table-name

Example:

Router(config-sbc-sbe-cacpolicy)# cac-table testSecure

Enters the mode for configuration of an admission control table (creating one if necessary) within the context of an SBE policy set.

table-name—Name of the admission control table.

Step 8 

table-type limit list of limit tables

Example:

Router(config-sbc-sbe-cacpolicy-cactable)# table-type limit all

Configures a new CAC Limit table type in which you enter the criteria that are used to match the entries.

list of limit tables has one of the following string values:

account—Compare the name of the account.

adj-group—Compare the name of the adjacency group.

adjacency—Compare the name of the adjacency.

all—No comparison type. All events match this type.

call-priority—Compare with call priority.

category—Compare the number analysis assigned category.

dst-account—Compare the name of the destination account.

dst-adj-group—Compare the name of the destination adjacency group.

dst-adjacency—Compare the name of the destination adjacency.

dst-prefix—Compare the beginning of the dialed digit string.

event-type—Compare with CAC policy event types.

src-account—Compare the name of the source account.

src-adj-group—Compare the name of the source adjacency group.

src-adjacency—Compare the name of the source adjacency.

src-prefix—Compare the beginning of the calling number string.

Step 9 

entry entry-id

Example:

Router(config-sbc-sbe-cacpolicy-cactable)# entry 1

Enters the mode to modify an entry in an admission control table.

entry-id—Specifies the table entry.

Step 10 

match-value key

Example:

Router(config-sbc-sbe-cacpolicy-cactable-entry)# match-value call-update

Configures the match-value of an entry in a CAC Limit table type.

Step 11 

transport srtp [allowed | disallowed | trusted-only]

Example:

Router(config-sbc-sbe-cacpolicy-cactable-entry)# transport srtp allowed

Configures the transport srtp variable in the CAC table to allow or disallow SRTP Passthrough of secure media on the adjacency where the policy is applied.

allowed—allows SRTP Transport when an event matches this CAC policy.

disallowed—do not allow SRTP Transport when an event matches this CAC policy.

trusted-only—allows SRTP Transport on a trusted adjacency (default) when an event matches this CAC policy.

Calls using SRTP Passthrough are allowed on the adjacencies specified by the policy. Where there are conflicting policies, "disallowed" overrides "allowed" which overrides "trusted-only."

Step 12 

action [cac-complete | next-table goto-table-name]

Example:

Router(config-sbc-sbe-cacpolicy-cactable-entry)# action cac-complete

Configures the action to perform after this entry in an admission control table. Each entry requires a match criterion and an action. In this example, the action completes the CAC policy and accepts the transport.

action is one of the following:

cac-complete—When an event matches, this CAC policy is complete.

next-table—Specifies the name of the next cac table.

goto-table-name—Specifies the table name identifying the next CAC table to process (or cac-complete, if processing should stop).

Step 13 

exit

Example:

Router(config-sbc-sbe-cacpolicy-cactable-entry)# exit

Exits CAC table entry submode and enters cacpolicy cactable mode.

Step 14 

exit

Example:

Router(config-sbc-sbe-cacpolicy-cactable)# exit

Exits cacpolicy cactable submode and enters into cacpolicy mode.

Step 15 

complete

Example:

Router(config-sbc-sbe-cacpolicy)# complete

Completes the CAC policy after all the entries within the CAC tables have been configured.

Step 16 

exit

Example:

Router(config-sbc-sbe-cacpolicy)# exit

Exits the cacpolicy submode and enters into SBE mode.

Step 17 

active-cac-policy-set policy-set-id

Example:

Router(config-sbc-sbe)# active-cac-policy-set 1

Sets the newly created CAC policy to be active. When the policy is active, it can no longer be modified.

policy-set-id—Identifies the policy set that is made active. Range is 1 to 2147483647.

Step 18 

end

Example:

Router(config-sbc-sbe)# end

Exits the SBE mode and returns to Privileged EXEC mode.

Step 19 

show sbc sbc-name sbe cac-policy-set id table name entry entry

Example:

Router# show sbc mysbc sbe cac-policy-set 1 table testSecure entry 1

Displays detailed output, including a "SRTP Transport" field and whether the policy for the adjacency is to allow, disallow, or trust only for SRTP Transport.

Example of Configuring Secure Media

This section provides a sample configuration for the Secure Media Passthrough feature.

To configure Secure Media Passthrough, use the following commands:

Router# configure
Router(config)# sbc mysbc
Router(config-sbc)# sbe
Router(config-sbc-sbe)# secure-media
Router(config-sbc-sbe)# end

Example of Configuring SRTP Passthrough

The following shows a configuration where the "srtp transport" variable is set in the CAC policy set 1 table for an adjacency to allow SRTP Passthrough:

sbc SBE-NODE2-SBE1
   sbe
      cac-policy-set 1
         first-cac-scope global
         first-cac-table STANDARD-LIST-BY-ACCOUNT
         cac-table STANDARD-LIST-BY-ACCOUNT
            table-type limit dst-account
            entry 1
               media-bypass-forbid
               match-value SIP-CUSTOMER-1
               max-num-calls 100
               max-call-rate 20
               max-bandwidth 1000000 bps
               callee-privacy never
               transport srtp allowed
               action cac-complete
               exit
            entry 2
               match-value SIP-CUSTOMER-2
               max-num-calls 100
               max-call-rate 20
               max-bandwidth 1000000 bps
               transcode deny
               max-regs 500
               action cac-complete
               exit
            exit
         complete
      active-cac-policy-set 1

The following example displays entry 1000 in table CAC1 of CAC policy set 100 and shows that the SRTP Transport variable has been set to allow SRTP Passthrough on whichever adjacency the policy is applied to:

Router# show sbc SBC1 sbe cac-policy-set 100 table CAC1 entry 1000
SBC Service "SBC1"
Policy set 100 table CAC1 entry 1000
  Match value               src-adjacency
  Action                    CAC policy complete
  Max calls                 Unlimited
  Max call rate             100
  Max registrations         Unlimited
  Max reg. rate             Unlimited
  Max bandwidth             Unlimited
  Max channels              Unlimited
  Transcoder                Allowed
  Caller privacy setting    Never hide
  Callee privacy setting    Never hide
  Early media               Allowed
  Early media direction     Both
  Early media timeout       0
  Restrict codecs to list   default
  Media bypass              Allowed
  Number of calls rejected by this entry    0
  SRTP Transport            Allowed