This chapter provides information on configuring inbound and outbound encryption on Session Initiation Protocol (SIP) media sessions anchored by the Media Engine (ME).
Media anchoring forces the SIP media session to traverse the ME system. The auto setting enables conditional anchoring where the ME uses its auto-anchoring algorithms to determine anchoring necessity based on a variety of criteria, including whether you have configured smart anchoring via the autonomous-ip object and whether the calling devices are behind a firewall.
For secure inbound and outbound media sessions, you need to configure ME in-encryption and out-encryption settings. Inbound encryption handles the portion of the call from the initiator to the ME using a specified encryption method. Similarly, outbound encryption handles the portion of the call from the ME to the call recipient using a specified encryption method.
Set the inbound encryption mode to one of the following settings:
none: The ME disables the encryption put forth by the incoming endpoint. (That is, it answers "no" to the encryption portion of the SDP offer/answer exchange.) If the outbound endpoint requires encryption, the call is dropped.
allow: The ME passes the call through, leaving the encryption setting unchanged.
require: The call must come in with encryption specified or the ME drops it.
Set the inbound encryption type to one of the following settings:
RFC-3711: Use encryption as defined in RFC 3711, The Secure Real-time Transport Protocol (SRTP). This is the same encryption type selectable in the out-encryption type setting.
Set the out-encryption mode to one of the following settings:
none: The ME disables the encryption put forth by the outbound endpoint. (That is, it answers "no" to the encryption portion of the SDP offer/answer exchange.) If the inbound endpoint requires encryption, the call is dropped.
offer: The ME offers the encryption type specified in the type property (below) to the outbound endpoint, replacing whatever the inbound endpoint offered or establishing encryption if none was offered.
follow: If the inbound endpoint offered encryption, the ME offers that type to the outbound endpoint.
require: The ME requires encryption on the outbound leg; it offers the encryption type specified in the type property and drops the call if the outbound endpoint does not accept it.
Set the out-encryption type to one of the following settings:
RFC-3711: Use encryption as defined in RFC 3711, The Secure Real-time Transport Protocol (SRTP). This is the same encryption type selectable in the in-encryption type setting.
Note:
Because the ME does not always know on the outbound leg which encryption method the recipient expects (the recipient may not be in the registry), you must set the type of encryption to offer manually.
The require-tls property specifies the signaling-transport requirement for a call's outbound leg. That is, it defines whether the ME offers SRTP over a non-secure (TCP or UDP) signaling connection. This matters because the SRTP master key is carried in the SDP itself (as an RFC 4568 crypto attribute), so an SRTP offer sent over TCP or UDP exposes the key to anyone who can read the signaling. The action of this property depends on the setting of the mode property. When this property is set to:
true: The ME only offers encryption when talking to a TLS client. If TLS and SRTP are both required (mode is set to require), the ME fails calls going to TCP/UDP clients. If the mode property is set to offer or follow, the ME forwards calls to TCP/UDP clients without SRTP.
false: The ME builds its SDP offers according to the mode setting without regard for the signaling transport. This allows the SRTP keys to be exchanged in an unprotected signaling message.
Most phones follow RFC 4568, SDP Security Descriptions for Media Streams (https://tools.ietf.org/html/rfc4568), which expects the key exchange to be protected by secure signaling, and therefore require that this property be set to true.
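The following Python is an added example, not Media Engine code: the ME's implementation is not on this page, so this models the documented behaviour of the in-encryption and out-encryption mode/type tables above and of the require-tls property, and includes a minimal parser for the RFC 4568 a=crypto attribute so the "keys exchanged in an insecure message" point is visible. All function and field names, the two constructed SDP bodies, and the fallback (forward unencrypted) for offer/follow toward a non-TLS client when require-tls is true are this example's own assumptions drawn from the text above.

```python
"""Model of the Media Engine in-/out-encryption decisions (added example, not product code)."""
import re
from dataclasses import dataclass
from typing import Optional

# RFC 4568: a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
# For SDES the key-params are "inline:" + base64(master key || master salt),
# optionally followed by "|<lifetime>" and "|<MKI>:<length>".
CRYPTO_RE = re.compile(
    r"^a=crypto:(?P<tag>\d+)\s+(?P<suite>[A-Z0-9_]+)\s+inline:(?P<key>[A-Za-z0-9+/=]+)"
)

# Constructed sample offers: one SRTP (RTP/SAVP + a=crypto), one plain RTP/AVP.
SECURE_OFFER = """v=0
o=alice 2890844526 2890844526 IN IP4 198.51.100.10
s=-
c=IN IP4 198.51.100.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnUnCg==|2^20|1:4
a=rtpmap:0 PCMU/8000
"""
PLAIN_OFFER = """v=0
o=bob 2890844527 2890844527 IN IP4 198.51.100.20
s=-
c=IN IP4 198.51.100.20
t=0 0
m=audio 49172 RTP/AVP 0
a=rtpmap:0 PCMU/8000
"""


@dataclass
class MediaOffer:
    secure_profile: bool            # m= line uses RTP/SAVP or RTP/SAVPF
    suite: Optional[str] = None
    key_b64: Optional[str] = None   # the SRTP master key+salt, in cleartext in the SDP

    @property
    def offers_srtp(self) -> bool:
        return self.secure_profile and self.suite is not None


def parse_offer(sdp: str) -> MediaOffer:
    """Detect an RFC 3711/RFC 4568 SRTP offer on the audio m= line of an SDP body."""
    offer = MediaOffer(secure_profile=False)
    for raw in sdp.splitlines():
        line = raw.strip()
        fields = line.split()
        if line.startswith("m=audio") and len(fields) > 2 and fields[2].startswith("RTP/SAVP"):
            offer.secure_profile = True
        m = CRYPTO_RE.match(line)
        if m and offer.suite is None:       # first crypto line is the preferred suite
            offer.suite = m.group("suite")
            offer.key_b64 = m.group("key")  # visible to anything that can read the signaling
    return offer


def inbound_leg(mode: str, offer: MediaOffer) -> str:
    """in-encryption mode applied to the initiator's leg: 'srtp', 'plain' or 'drop'."""
    if mode == "none":
        return "plain"                       # ME answers without the crypto attribute
    if mode == "allow":
        return "srtp" if offer.offers_srtp else "plain"
    if mode == "require":
        return "srtp" if offer.offers_srtp else "drop"
    raise ValueError(f"unknown in-encryption mode {mode!r}")


def outbound_leg(mode: str, enc_type: str, require_tls: bool,
                 out_transport: str, inbound: str) -> dict:
    """out-encryption mode/type plus require-tls applied to the recipient's leg.

    `inbound` is the result of inbound_leg(). Returns the ME's action and, when it
    forwards, what it offers and whether the SDES key would cross unprotected signaling.
    """
    if inbound == "drop":
        return {"action": "drop", "reason": "inbound leg rejected"}
    if mode == "none":
        offered = None
    elif mode in ("offer", "require"):
        offered = enc_type                   # the configured type; the page's only type is RFC-3711
    elif mode == "follow":
        offered = enc_type if inbound == "srtp" else None   # mirror what the initiator offered
    else:
        raise ValueError(f"unknown out-encryption mode {mode!r}")

    signaling_is_tls = out_transport.upper() == "TLS"
    if offered is not None and require_tls and not signaling_is_tls:
        if mode == "require":
            return {"action": "drop",
                    "reason": "require-tls is true and the recipient is not a TLS client"}
        offered = None                       # offer/follow: forward without SRTP (per the text)
    return {"action": "forward", "offered": offered,
            "key_in_clear": offered is not None and not signaling_is_tls}


if __name__ == "__main__":
    secure = parse_offer(SECURE_OFFER)
    print("inbound require / secure offer ->", inbound_leg("require", secure))
    print("outbound require, require-tls, UDP ->",
          outbound_leg("require", "RFC-3711", True, "UDP", inbound_leg("allow", secure)))
    print("outbound offer, require-tls false, UDP ->",
          outbound_leg("offer", "RFC-3711", False, "UDP", "plain"))
```

The key_in_clear flag is the practical reason for require-tls true: with require-tls false and a UDP or TCP recipient, the ME would emit the same a=crypto line this parser extracts, master key included, over an unprotected hop.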