Table Of Contents
Secure Media and SRTP Passthrough
Prerequisites for Secure Media and SRTP Passthrough
Information About Secure Media
Information About SRTP Passthrough
Information About SRTP to RTP Interworking and SRTP Passthrough
Downgraded Response to an SRTP Offer
SRTP Policy Passthrough Tables
Configuring Secure Media—Global Level
Configuring Unsignaled Secure Media at a Granular Level
Configuring CAC Policies for SRTP to RTP Interworking
SRTP Support for RTCP Multiplexed with RTP
Configuring the Detection of RTCP Multiplexed with RTP
SRTP Support for SSRC-Based Multiplexing
Configuring Global Secure Media Example
Configuring Unsignaled, Granular-Level Secure Media: Examples
Configuring SRTP Passthrough Example
CAC Policies for SRTP to RTP Interworking Configuration: Example
Secure Media and SRTP Passthrough
Cisco Unified Border Element (SP Edition) supports two methods of encrypted data streams—Secure Real-Time Protocol (SRTP) Passthrough and Secure Media. The preferred method is to use SRTP Passthrough because it allows the end points themselves to signal their encryption capabilities.
The Secure Media feature is enabled on the global level for all calls and is disabled by default. When Secure Media is turned on globally, the SBC assumes that all end points are going to use encrypted data streams regardless of the actual end point capabilities.
Starting with Cisco IOS XE Release 2.6, using the Unsignaled Secure Media feature you are able to configure secure media on a granular level for specific calls and adjacencies using Call Admission Control (CAC) table entry commands.
You can configure SRTP Passthrough on a granular basis using CAC policy.
Regardless of the method used to configure the Cisco Unified Border Element (SP Edition) to accept encrypted media packets, Cisco Unified Border Element (SP Edition) reserves additional bandwidth to ensure these packets pass through. Typically, the bandwidth of a media stream is determined by the codecs that the endpoints use. However, the use of the encryption in the media streams increases the packet size. As a rule of thumb, the bandwidth requirements are 10% more than the unencrypted codec. However, this increase is not reflected in the media flow statistics.
Cisco Unified Border Element (SP Edition) was formerly known as Integrated Session Border Controller and may be commonly referred to in this document as the session border controller (SBC).
For a complete description of the commands used in this chapter, refer to the Cisco Unified Border Element (SP Edition) Command Reference: Unified Model at:
http://www.cisco.com/en/US/docs/ios/sbc/command/reference/sbcu_book.html
For information about all Cisco IOS commands, use the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or a Cisco IOS master commands list.
Feature History for Secure Media and SRTP Passthrough
Contents
This chapter contains the following sections:
•Prerequisites for Secure Media and SRTP Passthrough
•Restrictions for Secure Media
•Information About Secure Media
•Information About SRTP Passthrough
•Information About SRTP to RTP Interworking and SRTP Passthrough
•Configuring Secure Media—Global Level
•Configuring Unsignaled Secure Media at a Granular Level
•Configuring CAC Policies for SRTP to RTP Interworking
•SRTP Support for RTCP Multiplexed with RTP
•SRTP Support for SSRC-Based Multiplexing
•Configuring Global Secure Media Example
•Configuring Unsignaled, Granular-Level Secure Media: Examples
•Configuring SRTP Passthrough Example
•CAC Policies for SRTP to RTP Interworking Configuration: Example
Prerequisites for Secure Media and SRTP Passthrough
The following prerequisites are required to implement both features:
Before implementing the Secure Media and SRTP Passthrough features, Cisco Unified Border Element (SP Edition) must already be configured.
Restrictions for Secure Media
The following is a restriction for Global and Unsignaled Secure Media:
•With this feature enabled, RTCP related statistics displayed in the show sbc dbe media-flow-stats command are displayed as unknown.
The following is a restriction for Unsignaled (granular-level) Secure Media:
•Both caller and callee sides of the call need to be configured with the caller secure-media and callee secure-media commands. If only one leg of the call is configured, then the call will fail.
Note In some scenarios, the branch command can be used as an alternative to the caller and callee commands. The branch command has been introduced in Release 3.5.0. See the "Configuring Directed Nonlimiting CAC Policies" section for information about this command.
Information About Secure Media
Typically, an endpoint will indicate that the media traffic is encrypted through the SIP signaling. The encryption keys are either exchanged through Session Description Protocol (SDP) or using the Datagram Transport Layer Security (DTLS) mechanism.
In Cisco IOS XE Release 2.4 and Release 2.5, Cisco Unified Border Element (SP Edition) interworked with end points or SIP device that use encrypted media (DTLS or Secure-RTP [SRTP]), but the endpoints did not indicate this in the SIP signaling. In those earlier releases, the SBC supported a globally enabled Secure Media configuration where all calls on the SBC were treated as consisting of SRTP media. Even though the endpoint may not have signaled for SRTP media, media pinholes were created as if the traffic was SRTP. A global configuration under the SBE submode indicates that the endpoints are using encrypted SRTP media, but they will not be using SIP signaling to communicate and negotiate as such. The consequence of this configuration being applied at a global level is that even for flows that are not encrypted, additional bandwidth is reserved and RTP and RTCP checking and validations are disabled.
When interworking with a SIP device that does not have full support for signaling SRTP media streams, the SBC cannot know in advance that the media will be SRTP because it is not signaled as SRTP. Starting with Cisco IOS XE Release 2.6, the Unsignaled Secure Media feature allows the SBC to successfully interoperate with SIP devices that generate SRTP media but signal this as a regular RTP media stream.
You are able to configure the SBC to know which SIP devices it communicates with require support for unsignaled SRTP. Such SIP devices are assumed to always send SRTP media. Minimally you must granularly configure all devices on a given adjacency to require support for SRTP. In configuring secure media on a granular level, you use Call Admission Control (CAC) table entry commands. We highly recommend you use the granular level configuration because, instead of turning on secure media globally, you can specify the calls and adjacencies where you want to use secure media. Using the granular option of Unsignaled Secure Media, additional bandwidth is allocated and RTCP no check is performed only for those calls that match the CAC match criteria. Unsignaled Secure Media, like the global option, is disabled by default.
In Cisco IOS XE Release 2.6, when you configure the SBC to allow unsignaled SRTP media on a granular level for adjacencies, observe these recommended guidelines:
•If the adjacencies are trusted to allow secure calls—use either the security trusted-encrypted or security trusted-unencrypted command to configure both adjacencies where caller and callee side are located for SRTP passthrough first. Both sides need to be configured because it is a passthrough. This is the default where SRTP calls are allowed between trusted adjacencies.
•If an adjacency is not trusted, you can still configure granular-level Unsignaled Secure Media on that adjacency by configuring SRTP Passthrough in a CAC configuration on the untrusted adjacency. Use the srtp support command to allow an SRTP call on the adjacency where the CAC policy is applied.
•Configure both legs of the call to enable the granular-level Unsignaled Secure Media—use the caller secure-media command on the caller side, and the callee secure-media command on the callee side.
Note In some scenarios, the branch command can be used as an alternative to the caller and callee commands. The branch command has been introduced in Release 3.5.0. See the "Configuring Directed Nonlimiting CAC Policies" section for information about this command.
For information on the configuration steps, see the "Configuring Unsignaled Secure Media at a Granular Level" section.
Information About SRTP Passthrough
Cisco Unified Border Element (SP Edition) supports SIP calls between endpoints using Transport Layer Security (TLS) for SIP signaling encryption and Secure Real-Time Protocol (SRTP) to provide RTP media encryption. However, these two encryption mechanisms may not be deployed simultaneously, depending on the required call flow invoked on the associated configuration.
Before delving further into SRTP passthrough configuration, it would be useful to understand the two concepts—the trusted vs. untrusted and encrypted vs. unencrypted.
The "trusted" implies that an associated adjacency is trusted to allow secure calls. Calls to a standard SIP: URI will be accepted. Calls to a secure SIPS: URI will be accepted and routed over a trusted adjacency (encrypted or unencrypted). The "untrusted" indicates that an associated adjacency is not trusted to carry secure calls. The calls to standard SIP: URI will be accepted. Calls to a secure SIPS: URI will be rejected immediately.
The "encrypted" implies that an associated adjacency uses TLS for SIP signaling and the "unencrypted" implies that an associated adjacency does not use TLS for SIP signaling.
The trusted/untrusted are configured in conjunction with encrypted/unencrypted as outlined in the following four (4) combinations. This is invoked using the security command:
•untrusted-unencrypted: The adjacency is untrusted and unencrypted. The adjacency is not trusted to carry secure SIP calls (calls with SIPS URI) and it does not use TLS encryption for SIP signaling.
•untrusted-encrypted: The adjacency is untrusted and encrypted. The adjacency is not trusted to carry secure SIP calls (calls with SIPS URI) and it does use TLS encryption for SIP signaling.
•trusted-unencrypted: The adjacency is trusted and unencrypted. The adjacency is trusted to carry secure SIP calls (calls with SIPS URI) and it does not use TLS encryption for SIP signaling.
•trusted-encrypted: The adjacency is trusted and encrypted. The adjacency is trusted to carry secure SIP calls (calls with SIPS URI) and it does use TLS encryption for SIP signaling.
When Cisco Unified Border Element (SP Edition) comes up, the default is to allow SRTP calls to pass through on the trusted interfaces.
The following are conditions of the SRTP Passthrough feature:
•SRTP Passthrough must be configured on both legs of the call. If the target adjacency does not support SRTP Passthrough, then the call is rejected by error message 415 (Unsupported Media Type).
•"m= .. RTP/SAVP .." and a="crypto:..." fields coming in on an Invite from one adjacency are passed on in an Invite to the target adjacency.
•"m= ...RTP/SAVP..." is a required field in the Invite to trigger SRTP Passthrough behavior in the SBC.
The following shows a sample SRTP Invite and Response call flow from endpoints, as described in RFC-4568.
Offerer sends:
v=0o=sam 2890844526 2890842807 IN IP4 10.47.16.5s=SRTP Discussioni=A discussion of Secure RTPu=http://www.example.com/seminars/srtp.pdfe=marge@example.com (Marge Simpson)c=IN IP4 168.2.17.12t=2873397496 2873404696m=audio 49170 RTP/SAVP 0a=crypto:1 AES_CM_128_HMAC_SHA1_80inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz|2^20|1:4FEC_ORDER=FEC_SRTPa=crypto:2 F8_128_HMAC_SHA1_80inline:MTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5QUJjZGVm|2^20|1:4;inline:QUJjZGVmMTIzNDU2Nzg5QUJDREUwMTIzNDU2Nzg5|2^20|2:4FEC_ORDER=FEC_SRTPAnswerer replies:
v=0o=jill 25690844 8070842634 IN IP4 10.47.16.5s=SRTP Discussioni=A discussion of Secure RTPu=http://www.example.com/seminars/srtp.pdfe=homer@example.com (Homer Simpson)c=IN IP4 168.2.17.11t=2873397526 2873405696m=audio 32640 RTP/SAVP 0a=crypto:1 AES_CM_128_HMAC_SHA1_80inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:4Figure 1 diagram illustrates an SRTP Passthrough Call Flow.
Figure 1 SRTP Passthrough Call Flow
The SRTP Passthrough feature defines a new Call Admission Control (CAC) entry variable, called "srtp transport," in the admission control table. If you configure the "srtp transport" variable, then CAC policy has the option to set the policy for the adjacency to either "allowed," "disallowed," or "trust only."
Calls using SRTP Passthrough are allowed on the adjacencies specified by the policy. Where there are conflicting policies, "disallowed" overrides "allowed" which overrides "trusted-only." If you configure the CAC policy, but you do not define the "srtp transport" variable, then the CAC policy takes the default value of "trusted-only" and restricts the SRTP calls between trusted endpoints.
See the srtp support command which sets the adjacency CAC policy for more information. The no form of the command sets the "srtp support" variable to "trusted-only." The show sbc sbe cac-policy-set table entry command is modified to display a "SRTP Transport" field and whether the policy for the adjacency is to allow, disallow, or trust only for SRTP Transport.
You can set the CAC policy to allow SRTP passthrough and allow configuration of certain security policing, such as the following:
•Preventing secure calls on a given adjacency
•Ensuring that all media sent over a given adjacency is secure
•Ensuring that secure streams are signaled over secure SIP adjacencies.
Information About SRTP to RTP Interworking and SRTP Passthrough
Secure Real-time Transport Protocol (SRTP) to Real-time Transport Protocol (RTP) interworking is supported on Session Border Controller (SBC) services on Cisco ASR 1000 Series Aggregation Services Routers.
System Administrators may configure SRTP to RTP interworking to enable their networks to communicate with other networks and add additional security to a network. SRTP to RTP interworking allows networks that use SRTP to accept calls from networks that use RTP.
The SRTP to RTP interworking feature provides SBC with the ability to encrypt and decrypt data streams to and from both types of networks, SRTP networks and RTP networks.
SRTP to RTP interworking can be deployed on both User to Network Interfaces (UNI) and Network to Network Interfaces (NNI).
Features Supported
The following SRTP to RTP interworking features are supported by SBC:
•SBC-generated SRTP encryption and decryption keys.
•Configurable policies, for SRTP pass-through, termination, and re-origination when both caller and callee CAC policies support SRTP.
•SRTP to RTP interworking in distributed DBE mode via H.248.
•PD logs with information for verifying SBC call handling for different SRTP preference and policy settings. (Encryption keys are not displayed in PD logs.)
•Stateful Switchover (SSO) for SRTP streams.
CAC policies can support the following types of SRTP to RTP interworking:
•RTP-only
•SRTP-only
•SRTP-optional
•SRTP-prefer
When a CAC policy uses SRTP-only:
•All media streams associated to that CAC policy use SRTP. The SRTP stream is end-to-end if the peer adjacency supports SRTP. If the peer adjacency does not support SRTP, or if the policy configuration is set to terminate and re-originate, SBC performs the necessary SRTP encryption and decryption.
•SBC rejects incoming RTP calls and sends the appropriate response code.
When a CAC policy uses RTP-only:
•All media streams associated to that CAC policy use RTP. The RTP stream is end-to-end if the peer adjacency does not require SRTP. If the peer adjacency requires SRTP, SBC perform RTP to SRTP interworking.
•SBC rejects incoming SRTP calls and sends the appropriate response code.
When a CAC policy uses SRTP-optional:
•SRTP-optional is by negotiation on inbound calls.
•SBC accepts both incoming RTP and incoming SRTP calls.
•No RTP to SRTP interworking is needed for incoming RTP calls unless the callee CAC policy uses SRTP-only.
•No SRTP encryption is needed for incoming SRTP calls unless the callee CAC policy uses RTP-only, or the policy configuration prohibits pass-through mode
When a CAC policy uses SRTP-prefer:
•SBC accepts either RTP or SRTP offers from endpoints.
•SBC offers SRTP to endpoints whether the inbound offer is RTP or SRTP.
The following SRTP and RTP statistics are collected and available in show commands at the global level and the adjacency level:
•Number of calls rejected due to RTP requested
•Number of calls rejected due to SRTP requested
•Number of calls using SRTP pass-through
•Number of calls performing RTP to SRTP interworking
•Number of calls using RTP
•Number of calls using SRTP
SIP SRTP Offer Retry Feature
When the SIP SRTP Offer Retry feature is configured, using the srtp {branch | callee | caller} retry rtp command, and a 415 or 488 reject error code is generated in response to a prior SRTP (RTP/SAVP) offer, SBC reissues the offer, using RTP (RTP/AVP). This allows SBC to attempt to configure SRTP on a call leg and downgrade it to RTP if SRTP is not supported.
Note 415 and 488 error codes are general purpose errors. After the SRTP Offer Retry feature is configured, the SBC interprets that the 415 and 488 error codes are caused by an initial RTP/SAVP offer.
Downgraded Response to an SRTP Offer
The srtp {branch | callee | caller} response downgrade command allows SBC to send an RTP/AVP answer in response to an RTP/SAVP offer and downgrade media security. For instance, if SRTP interworking is not configured in the CAC policy, and the caller offers RTP/SAVP, but the callee answers with RTP/AVP, this command allows the SBC to downgrade the answer to RTP/AVP instead of rejecting the call.
If downgrade is not set, SBC provides strict adherence to the offer/answer protocol and rejects RTP/SAVP offers that are not supported.
This is a non-standard procedure, and is not widely supported. SBC always supports receiving an SRTP downgrade answer, but only sends a downgrade answer when this downgrade flag is set.
Both of the following cases, for SRTP fallback to RTP, are subject to the overall per-side SRTP policy and RTP-SRTP interworking policy:
•If the policy does not allow RTP at all, SBC does not attempt fallback.
•If the policy does not allow RTP-SRTP interworking, SBC allows a fallback on the answer side, but only if SBC can downgrade the offer side as well.
How SBC Processes SRTP
STRP policies behave differently depending on how the following commands are set:
•srtp branch forbid | mandate | allow | prefer
•srtp caller forbid | mandate | allow | prefer
•srtp callee forbid | mandate | allow | prefer
•srtp media interworking forbid | allow
•srtp interworking forbid | allow
The settings for these commands are defined as follows:
•forbid—SRTP is not supported on the caller side or the callee side of the call.
•mandate—SRTP is mandatory on the caller side or the callee side of the call.
•allow—SRTP is optional on the caller side or the callee side of the call.
•prefer—SRTP is preferred on this adjacency. Both RTP and SRTP are accepted inbound, but only SRTP is offered outbound. When the prefer option is set on the offer side of a call, it functions the same as allow. When the prefer option is set on the answer side of the call, and there is a choice between offering RTP or SRTP, SRTP is offered.
SRTP Policy Passthrough Tables
The following tables show the behavior of SBC based on the configuration of SRTP policies for each side of a call.
Table 1 shows how SBC selects the SRTP passthrough type for a stream offered as RTP when an SRTP policy is present.
Table 2 shows how SBC selects the SRTP passthrough type for a stream offered as SRTP.
Table 3 shows how SBC selects the SRTP passthrough type when it receives a SIP 415 or SIP 488 rejection code in response to its SRTP offer, and Retry SRTP as RTP is set.
Table 4 shows how SBC selects the SRTP passthrough type when it receives an RTP downgrade answer to an SRTP offer.
Restrictions
The following restrictions apply to SRTP to RTP interworking and SRTP passthrough:
•Packet cable event messages continue to bill SRTP/RTP interworking calls and SRTP passthrough calls, and the billing does not indicate whether SRTP was used on one or both call legs.
•In late to early interworking and SRTP to RTP interworking, SBC does not support SRTP in a generated SDP offer. The call is forced to be an RTP-RTP call. If this violates the configured call policy, the event is logged and the call fails at setup.
•If a call has multiple streams (multiple m= lines in the SDP), each stream may have a different passthrough type. If any specific stream cannot be satisfied, the call is rejected. Calls with multiple streams and different passthrough types can occur when:
–An offer is received containing a mix of RTP and SRTP streams.
–An answer is downgraded from SRTP streams to a subset of RTP streams.
–Some streams require interworking, others do not.
•SRTP capability is not signaled in H.248 and hence cannot be discovered automatically by SBC. This capability must be manually configured on SBC.
•SBC MG selection does not select an MG on the basis of which crypto-suites it supports.
•SBC does not allow the user to configure distinct SRTP session parameters on a per-call basis.
•SBC SRTP features do not work in conjunction with unsignaled SRTP.
•SBC will fail an SRTP call if it receives a SIP forking answer.
•SIP late-early interworking does not support SRTP.
•H.323-SIP interworking does not support SRTP.
•SBC cannot terminate RFC5027 security preconditions signaling in RTP-SRTP calls.
•SBC does not support local call transfer of SRTP calls.
•SBC currently only supports the AES_CM_128_HMAC_SHA1_32 crypto suite.
•SBC does not refresh any master keys that it generates.
•SBC does not renegotiate master key rotation when the packet usage count is reached (as specified in RFC3711).
•If the transcoder does not support SRTP (such as MGX), SBC does not allow an SRTP-SRTP call. SBC cannot perform SRTP-RTP interworking on the two media gates on either side of the transcoder.
•RTP-SRTP and SRTP-RTP calls can be transcoded by a third-party transcoder. In such cases, the media through the transcoder RTP, and the interworking is performed by SBC on the side closest to the SRTP endpoint.
To configure SRTP to RTP interworking, see the "Configuring CAC Policies for SRTP to RTP Interworking" section and the "CAC Policies for SRTP to RTP Interworking Configuration: Example" section
You can display policy failure statistics for a specified source adjacency, using this existing command that has been updated for SRTP:
show sbc sbe call-stats src-adjacency
You can display all the calls on the SBEs, using this existing command that has been updated for SRTP:
show sbc sbe calls srtp-iw
Configuring Secure Media—Global Level
Note The Unsignaled Secure Media feature was introduced in Cisco IOS XE Release 2.6 to allow configuration of secure media at a granular level using CAC table entry commands. With the introduction of this feature, the Configuring Secure Media-Global Level feature has been deprecated. If you are upgrading from a release earlier than Release 2.6, see the procedure described in the "Configuring Unsignaled Secure Media at a Granular Level" section.
Perform the following steps to configure secure media globally.
SUMMARY STEPS
1. configure
2. sbc sbc-name
3. sbe
4. secure-media
5. end
DETAILED STEPS
Configuring Unsignaled Secure Media at a Granular Level
Use the following steps to configure both adjacencies and both call legs using CAC policy set to enable Unsignaled Secure Media at a granular level.
Note The caller and callee commands have been used in this procedure. In some scenarios, the branch command can be used as an alternative to the caller and callee command pair. The branch command has been introduced in Release 3.5.0. See the "Configuring Directed Nonlimiting CAC Policies" section for information about this command.
SUMMARY STEPS
1. configure
2. sbc sbc-name
3. sbe
4. adjacency {sip | h323} adjacency-name
5. security [untrusted | trusted-encrypted | untrusted-encrypted | trusted-unencrypted]
6. exit
7. adjacency {sip | h323} adjacency-name
8. security [untrusted | trusted-encrypted | untrusted-encrypted | trusted-unencrypted]
9. exit
10. cac-policy-set policy-set-id
11. first-cac-table table-name
12. cac-table table-name
13. table-type limit list of limit tables
14. entry entry-id
15. match-value key
16. srtp support [allow | disallow | trusted-only]
17. caller secure-media
18. callee secure-media
19. action {cac-complete | next-table goto-table-name}
20. exit
21. complete
22. exit
23. active-cac-policy-set policy-set-id
24. end
25. show sbc sbc-name sbe cac-policy-set [id [table name [entry id]] | active [table name [entry id ]]] [detail]
DETAILED STEPS
Configuring SRTP Passthrough
These steps show how to configure the CAC policy set to allow SRTP Passthrough.
SUMMARY STEPS
1. configure
2. sbc sbc-name
3. sbe
4. cac-policy-set policy-set-id
5. first-cac-scope scope-name
6. first-cac-table table-name
7. cac-table table-name
8. table-type limit list of limit tables
9. entry entry-id
10. match-value key
11. srtp support [allow | disallow | trusted-only]
12. action [cac-complete | next-table | goto-table-name ]
13. exit
14. exit
15. complete
16. exit
17. active-cac-policy-set policy-set-id
18. end
19. show sbc sbc-name sbe cac-policy-set id table name entry entry
DETAILED STEPS
Configuring CAC Policies for SRTP to RTP Interworking
Use the following procedure to configure the CAC policies for the caller side and the callee side of a call for SRTP to RTP interworking.
SUMMARY STEPS
1. config t
2. sbc sbc-name
3. sbe
4. cac-policy-set policy-set-id
5. first-cac-table table-name
CAC Table for Caller Side of the Call
6. cac-table table-name
7. table-type limit list of limit tables
(repeat steps 8 through 14 as many times as needed)
8. entry entry-id
9. match-value key
10. srtp support allow
11. action next-table goto-table-name
12. srtp caller forbid | mandate | allow | prefer
13. srtp interworking forbid | allow
14. srtp media interworking forbid | allow
CAC Table for Callee Side of the Call
15. cac-table table-name
16. table-type limit list of limit tables
(repeat steps 17 through 23 as many times as needed)
17. entry entry-id
18. match-value key
19. srtp support allow
20. action cac-complete
21. srtp callee forbid | mandate | allow
22. srtp interworking forbid | allow
23. srtp media interworking forbid | allow
(issue complete command after all entries are configured)
24. complete
25. end
26. show sbc name sbe cac-policy-set id detail
DETAILED STEPS
SRTP Support for RTCP Multiplexed with RTP
In earlier releases, the SBC could process incoming RTP and RTCP streams that were sent over separate UDP channels. From Release 3.4S, the SBC can also process RTCP streams multiplexed with RTP streams and sent over a single UDP channel. The SBC distinguishes between RTCP and RTP streams by examining the payload format of each stream. This also applies to SRTCP streams multiplexed with SRTP streams.
Note RFC 5761 describes the multiplexing of RTCP streams with RTP streams. The same principle applies to SRTCP and SRTP.
This feature is an enhancement to the support for interworking of RTP-based and SRTP-based endpoints that are linked through the SBC. The Cisco TelePresence System is an example of an RTP-based endpoint, and Cisco Umi TelePresence is an example of an SRTP-based endpoint. With the introduction of this feature, the SBC processes RTCP streams multiplexed with RTP streams coming from the Cisco TelePresence System. In a similar manner, the SBC identifies and correctly processes SRTCP streams multiplexed with SRTP streams coming from Cisco Umi TelePresence.
By default, the detection of RTCP streams multiplexed with RTP streams is disabled in the SBC. You can enable this feature by performing the procedure described in the following section.
Configuring the Detection of RTCP Multiplexed with RTP
This task explains how to configure the detection of RTCP streams multiplexed with RTP streams.
Note The same procedure can be used to configure the detection of SRTCP streams multiplexed with SRTP streams.
SUMMARY STEPS
1. configure terminal
2. sbc sbc-name
3. sbe
4. rtcp-mux
DETAILED STEPS
SRTP Support for SSRC-Based Multiplexing
An SBC endpoint such as the Cisco TelePresence System multiplexes RTP streams of the same type (audio or video) on a single UDP channel. It uses the 32-bit synchronization source (SSRC) field of RTP streams to differentiate between discrete RTP streams originating from a single source.
When an SRTP-based or RTP-based endpoint sends multiplexed streams over a single UDP channel, the channel contains multiple streams and each stream has its own SSRC field. In earlier releases, the SBC could support only a single SSRC field in a UDP channel. Therefore, the SBC could not support interworking of endpoints that sent multiplexed SRTP and RTP. From Release 3.4S, the SBC can process multiple SSRC fields in multiplexed SRTP or RTP streams. In combination with SRTP support for RTCP multiplexed with RTP, this feature enhances interworking of RTP-based and SRTP-based endpoints.
Configuring Global Secure Media Example
This section provides a sample configuration for the Secure Media Passthrough feature.
Router# configure
Router(config)# sbc mysbc
Router(config-sbc)# sbe
Router(config-sbc-sbe)# secure-media
Router(config-sbc-sbe)# end
Configuring Unsignaled, Granular-Level Secure Media: Examples
The following configuration example shows how the client and server SIP adjacencies are configured as "security trusted-unencrypted" and how the CAC table entry 1 is configured for secure media on both the caller and callee sides.
Note The caller and callee commands have been used in this procedure. In some scenarios, the branch command can be used as an alternative to the caller and callee command pair. The branch command has been introduced in Release 3.5.0. See the "Configuring Directed Nonlimiting CAC Policies" section for information about this command.
...cac-policy-set 2first-cac-table 1cac-table 1table-type limit allentry 1match-value call-updatecaller secure-mediacallee secure-mediaaction cac-completeexitcompleteexitactive-cac-policy-set 2adjacency sip clientnat force-offsecurity trusted-unencryptedsignaling-address ipv4 10.10.100.110signaling-port 9060remote-address ipv4 10.10.100.10 255.255.255.255signaling-peer 10.10.100.10signaling-peer-port 9060attachadjacency sip servernat force-offsecurity trusted-unencryptedsignaling-address ipv4 10.10.100.110signaling-port 9070remote-address ipv4 10.10.100.10 255.255.255.255signaling-peer 10.10.100.10signaling-peer-port 9070attachThe following example shows how to configure granular-level unsignaled secure media where an adjacency is untrusted by using the srtp support allow command on the untrusted adjacency in a CAC policy table:
...cac-policy-set 2first-cac-table 1cac-table 1table-type limit allentry 1match-value call-updatesrtp support allowcaller secure-mediacallee secure-mediaaction cac-completeexitcompleteexitactive-cac-policy-set 2The following example lists detailed information pertaining to CAC policy set 2, and shows how secure media is configured on the caller and callee sides:
Router# show sbc asr sbe cac-policy-set 2 detailSBC Service "asr"CAC Policy Set 2Active policy set: YesDescription:Averaging period: 60 secFirst CAC table: 1First CAC scope: globalFirst CAC prefix length: 4294967256Table name: 1Description:Table type: policy-set Total call failures: 0Entry 1CAC scope:CAC scope prefix length: 0Action: CAC complete Number of calls rejected: 0Max calls per scope: Unlimited Max call rate per scope: UnlimitedMax in-call rate: Unlimited Max out-call rate: UnlimitedMax reg. per scope: Unlimited Max reg. rate per scope: UnlimitedMax channels per scope: Unlimited Max updates per scope: UnlimitedEarly media: Allowed Early media direction: BothEarly media timeout: None Transcoder per scope: AllowedCallee Bandwidth-Field: None Caller Bandwidth-Field: NoneMedia bypass: AllowedRenegotiate Strategy: DeltaMax bandwidth per scope: UnlimitedSRTP Transport: Trusted-Only (by default)Caller hold setting: StandardCallee hold setting: StandardCaller privacy setting: Never hideCallee privacy setting: Never hideCaller voice QoS profile: DefaultCallee voice QoS profile: DefaultCaller video QoS profile: DefaultCallee video QoS profile: DefaultCaller sig QoS profile: DefaultCallee sig QoS profile: DefaultCaller inbound SDP policy: NoneCallee inbound SDP policy: NoneCaller outbound SDP policy: NoneCallee outbound SDP policy: NoneCaller media disabled:Strip All AnswerCallee media disabled:Strip All OfferCaller unsignaled secure media: AllowedCallee unsignaled secure media: AllowedCaller tel-event payload type: DefaultCallee tel-event payload type: DefaultMedia flag:Ignore bandwidth-fields (b=), Telephone Event InterworkingRestrict codecs to list: DefaultRestrict caller codecs to list: DefaultRestrict callee codecs to list: DefaultMaximum Call Duration: UnlimitedThe following example shows an excerpt of detailed information for the callee side SIP adjacency `server' showing that security trusted-unencrypted is configured:
Router# show sbc asr sbe adjacencies server detailSBC Service "asr"Adjacency server (SIP)Status: Attached[snip]Security: Trusted-Unencrypted[snip]Configuring SRTP Passthrough Example
The following shows a configuration where the "srtp transport" variable is set in the CAC policy set 1 table for an adjacency to allow SRTP Passthrough:
sbc SBE-NODE2-SBE1sbecac-policy-set 1first-cac-scope globalfirst-cac-table STANDARD-LIST-BY-ACCOUNTcac-table STANDARD-LIST-BY-ACCOUNTtable-type limit dst-accountentry 1media-bypass-forbidmatch-value SIP-CUSTOMER-1max-num-calls 100max-call-rate 20max-bandwidth 1000000 bpscallee-privacy neversrtp support allowaction cac-completeexitentry 2match-value SIP-CUSTOMER-2max-num-calls 100max-call-rate 20max-bandwidth 1000000 bpstranscode-denymax-regs 500action cac-completeexitexitcompleteactive-call-policy-set 1The following example displays entries in table CAC1 for CAC policy set 100 and shows that the SRTP Transport variable has been set to allow SRTP Passthrough on whichever adjacency the policy is applied:
Router# show sbc SBC1 sbe cac-policy-set 100 table CAC1 entry 1000SBC Service "SBC1"Policy set 100 table CAC1 entry 1000Match value src-adjacencyAction CAC policy completeMax calls UnlimitedMax call rate 100Max registrations UnlimitedMax reg. rate UnlimitedMax bandwidth UnlimitedMax channels UnlimitedTranscoder AllowedCaller privacy setting Never hideCallee privacy setting Never hideEarly media AllowedEarly media direction BothEarly media timeout 0Restrict codecs to list defaultMedia bypass AllowedNumber of calls rejected by this entry 0SRTP Transport AllowedCAC Policies for SRTP to RTP Interworking Configuration: Example
The following example shows specific details of how to configure the CAC policies for the caller side and the callee side of a call for SRTP to RTP interworking. Multiple entries with specific settings are given. Figure 2 shows the adjacencies that are used by the match-value command in this example.
Figure 2 Adjacencies A, B, C, and D for Example
config tsbc SBC1sbecac-policy-set 44first-cac-table 44cac-table 44table-type limit src-adjacencyentry 1match-value Asrtp support allowaction next-table 45srtp caller forbidsrtp interworking allowsrtp media interworking allowentry 2match-value Bsrtp support allowaction next-table 45srtp caller forbidsrtp interworking allowsrtp media interworking allowentry 3match-value Csrtp support allowaction next-table 45srtp caller mandatesrtp interworking allowsrtp media interworking allowentry 4match-value Dsrtp support allowaction next-table 45srtp caller mandatesrtp interworking allowsrtp media interworking allowcac-table 45table-type limit dst-adjacencyentry 1match-value Asrtp support allowaction cac-completesrtp callee forbidsrtp interworking allowsrtp media interworking allowentry 2match-value Bsrtp support allowaction cac-completesrtp callee forbidsrtp interworking allowsrtp media interworking allowentry 3match-value Csrtp support allowaction cac-completesrtp callee mandatesrtp interworking allowsrtp media interworking allowentry 4match-value Dsrtp support allowaction cac-completesrtp callee mandatesrtp interworking allowsrtp media interworking allowcompleteendshow sbc sbc1 sbe cac-policy-set 44 detail