SDES Profile Configuration

An SDES profile specifies the parameter values offered or accepted during SDES negotiation.

To configure SDES profile parameters:

  1. From superuser mode, use the following command sequence to access sdes-profile configuration mode.
    ORACLE# configure terminal
    ORACLE(configure)# security
    ORACLE(security)# media-security
    ORACLE(media-security)# sdes-profile
    ORACLE(sdes-profile)#
  2. Use the required name parameter to provide a unique identifier for this sdes-profile instance.

    name enables the creation of multiple sdes-profile instances.

  3. Use the crypto-suite parameter to select the algorithms accepted or offered by this sdes-profile.

    Note:

    SRTP authentication is not currently supported.

    Allowable values are:

    AES_CM_128_HMAC_SHA1_80 (the default value)

    AES in counter mode with a 128-bit key for encryption and an HMAC-SHA1 80-bit authentication tag

    AES_CM_128_HMAC_SHA1_32

    AES in counter mode with a 128-bit key for encryption and an HMAC-SHA1 32-bit authentication tag (the shorter tag saves bandwidth at the cost of authentication strength)

  4. Because SRTP authentication is not currently supported, ignore the srtp-auth parameter.
  5. Use the srtp-encrypt parameter to enable or disable the encryption of RTP packets.

    With encryption enabled, the default condition, the Oracle® Enterprise Session Border Controller offers RTP encryption, and rejects an answer that contains an UNENCRYPTED_SRTP session parameter in the crypto attribute.

    With encryption disabled, the Oracle® Enterprise Session Border Controller does not offer RTP encryption and includes an UNENCRYPTED_SRTP session parameter in the SDP crypto attribute; it accepts an answer that contains an UNENCRYPTED_SRTP session parameter.

  6. Use the srtcp-encrypt parameter to enable or disable the encryption of RTCP packets.

    With encryption enabled, the default condition, the Oracle® Enterprise Session Border Controller offers RTCP encryption, and rejects an answer that contains an UNENCRYPTED_SRTCP session parameter in the crypto attribute.

    With encryption disabled, the Oracle® Enterprise Session Border Controller does not offer RTCP encryption and includes an UNENCRYPTED_SRTCP session parameter in the SDP crypto attribute; it accepts an answer that contains an UNENCRYPTED_SRTCP session parameter.

  7. Use the key and salt parameters to generate the symmetric master key used to encrypt and decrypt SRTP/SRTCP traffic originated by the Oracle® Enterprise Session Border Controller (Net-Net ESD). The concatenated key and salt are base64-encoded and passed to the remote SRTP peer in the inline key parameter of the SDP crypto attribute, as described in Protocol Overview. Upon reception, the remote peer inputs the key and salt values to the negotiated encryption algorithm (AES in the current implementation) and derives the session keys required to decrypt SRTP/SRTCP traffic received from the Oracle® Enterprise Session Border Controller.

    The key parameter provides the basic keying material, while the salt (a bit string) provides the randomness/entropy required by the key derivation and keystream generation.

    Because the inline key parameter carries the master key and salt in the clear, SDES offers and answers must travel over signaling protected by TLS (or IPsec); otherwise anyone who can read the SIP dialog can recover the SRTP session keys.

  8. Use the mki parameter to enable or disable the inclusion of the MKI:length field in the SDP crypto attribute.

    The master key identifier (MKI) is an optional field within the SDP crypto attribute that differentiates one key from another. MKI is expressed as a pair of decimal numbers appended to the inline key parameter in the form |mki:mki_length, where mki is the MKI integer value and mki_length is the length of the MKI field in bytes.

    The MKI field is necessary only if the SDES offer contains multiple keys within the crypto attribute.

    Allowable values are enabled and disabled (the default).

    enabled – an MKI field is sent within the crypto attribute (16 bytes maximum)

    disabled – no MKI field is sent

  9. Use the egress-offer-format parameter to specify the egress offer format this profile uses when the outbound mode in the associated media security policy is set to any (refer to Media Security Policy Configuration).

    If the media security policy requires the use of either RTP or SRTP, this parameter can be safely ignored. If the media security policy is permissive (the mode parameter is set to any), select one of the two supported values:

    • same-as-ingress (default), the Oracle® Enterprise Session Border Controller leaves the profile of the media lines unchanged

    • simultaneous-best-effort, the Oracle® Enterprise Session Border Controller inspects the incoming offer SDP and:

      • Adds an RTP/SAVP media line for any media profile that has only the RTP/AVP media profile
      • Adds an RTP/AVP media line for any media profile that has only the RTP/SAVP media profile
  10. Use done, exit, and verify-config to complete configuration of this SDES profile instance.
  11. Repeat Steps 1 through 10 to configure additional SDES profiles.
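The following is an added example, not Oracle code, showing the offer/answer behaviour the steps above describe: it renders the SDP crypto attribute an sdes-profile would offer (key||salt base64-encoded in the inline parameter, the optional |mki:mki_length field, and UNENCRYPTED_SRTP/UNENCRYPTED_SRTCP session parameters when encryption is disabled), vets an answer the way srtp-encrypt and srtcp-encrypt require, and applies egress-offer-format to the m= lines of an incoming offer. The SdesProfile class mirrors the profile parameters; the mki_value field, the function names and the sample SDP lines are assumptions made for the example.

```python
"""SDES offer/answer checker modelled on the sdes-profile parameters (RFC 4568).
Added example, not Oracle code; mki_value, function names and sample lines are assumed."""
import base64
import os
import re
from dataclasses import dataclass

# Master key and master salt lengths for the supported suites (RFC 4568 section 6.2):
# a 16-byte AES key plus a 14-byte salt, 30 bytes concatenated before base64 encoding.
SUITES = {"AES_CM_128_HMAC_SHA1_80": (16, 14), "AES_CM_128_HMAC_SHA1_32": (16, 14)}
MKI_MAX_LEN = 16  # bytes; the limit stated for the mki parameter


@dataclass
class SdesProfile:
    name: str
    crypto_suite: str = "AES_CM_128_HMAC_SHA1_80"
    srtp_encrypt: bool = True
    srtcp_encrypt: bool = True
    mki: bool = False
    mki_value: int = 1    # assumed: the MKI integer sent when mki is enabled
    mki_length: int = 4   # assumed: MKI field length in bytes
    egress_offer_format: str = "same-as-ingress"


def build_crypto_attr(profile, tag, key, salt):
    """Render the a=crypto line this profile puts in an offer (key||salt in base64)."""
    key_len, salt_len = SUITES[profile.crypto_suite]
    if len(key) != key_len or len(salt) != salt_len:
        raise ValueError(f"{profile.crypto_suite} needs a {key_len}-byte key and a {salt_len}-byte salt")
    key_params = "inline:" + base64.b64encode(key + salt).decode()
    if profile.mki:
        if not 1 <= profile.mki_length <= MKI_MAX_LEN:
            raise ValueError(f"mki_length must be 1..{MKI_MAX_LEN} bytes")
        if profile.mki_value >= 1 << (8 * profile.mki_length):
            raise ValueError("mki_value does not fit in mki_length bytes")
        key_params += f"|{profile.mki_value}:{profile.mki_length}"
    # Session parameters advertise what this profile will NOT encrypt.
    parts = [f"a=crypto:{tag} {profile.crypto_suite} {key_params}"]
    if not profile.srtp_encrypt:
        parts.append("UNENCRYPTED_SRTP")
    if not profile.srtcp_encrypt:
        parts.append("UNENCRYPTED_SRTCP")
    return " ".join(parts)


_CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)"
    r"(?:\|(\d+(?:\^\d+)?)(?=\||\s|$))?"   # optional key lifetime, e.g. |2^20
    r"(?:\|(\d+):(\d+))?"                  # optional |mki:mki_length
    r"(?:\s+(.*))?$")                      # optional session parameters


def parse_crypto_attr(line):
    """Split an inline a=crypto line into its fields; raises ValueError if malformed."""
    m = _CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("not an inline a=crypto attribute")
    tag, suite, b64, lifetime, mki, mki_len, rest = m.groups()
    return {"tag": int(tag), "suite": suite, "keysalt": base64.b64decode(b64),
            "lifetime": lifetime, "mki": (int(mki), int(mki_len)) if mki else None,
            "session_params": rest.split() if rest else []}


def check_answer(profile, answer_line):
    """Accept or reject an answer's a=crypto line under the profile's settings."""
    try:
        ans = parse_crypto_attr(answer_line)
    except ValueError as exc:
        return False, str(exc)
    if ans["suite"] not in SUITES or ans["suite"] != profile.crypto_suite:
        return False, f"suite {ans['suite']} was not offered"
    if len(ans["keysalt"]) != sum(SUITES[ans["suite"]]):
        return False, "key||salt length does not match the suite"
    if profile.srtp_encrypt and "UNENCRYPTED_SRTP" in ans["session_params"]:
        return False, "answer disables SRTP encryption but srtp-encrypt is enabled"
    if profile.srtcp_encrypt and "UNENCRYPTED_SRTCP" in ans["session_params"]:
        return False, "answer disables SRTCP encryption but srtcp-encrypt is enabled"
    return True, "accepted"


def egress_media_lines(profile, offer_m_lines):
    """Apply egress-offer-format to the m= lines of an incoming offer."""
    if profile.egress_offer_format == "same-as-ingress":
        return list(offer_m_lines)
    if profile.egress_offer_format != "simultaneous-best-effort":
        raise ValueError("unknown egress-offer-format")
    twin = {"RTP/AVP": "RTP/SAVP", "RTP/SAVP": "RTP/AVP"}
    seen = {}  # media type -> transport profiles already present in the offer
    for line in offer_m_lines:
        media, _port, proto, _fmts = line.split(" ", 3)
        seen.setdefault(media, set()).add(proto)
    out = list(offer_m_lines)
    for line in offer_m_lines:
        media, _port, proto, _fmts = line.split(" ", 3)
        if proto in twin and twin[proto] not in seen[media]:
            out.append(line.replace(proto, twin[proto], 1))  # add the missing AVP/SAVP twin
            seen[media].add(twin[proto])
    return out


if __name__ == "__main__":
    strict = SdesProfile("strict")
    key, salt = os.urandom(16), os.urandom(14)
    offer = build_crypto_attr(strict, 1, key, salt)
    print(offer)
    print(check_answer(strict, offer + " UNENCRYPTED_SRTP"))  # rejected: srtp-encrypt enabled
    permissive = SdesProfile("any", egress_offer_format="simultaneous-best-effort")
    print(egress_media_lines(permissive, ["m=audio 49170 RTP/AVP 0 8"]))
```

The parser also tolerates the optional key lifetime field (|2^20) that RFC 4568 allows between the key and the MKI, which the profile parameters above do not expose; if your peer sends one, the MKI still parses correctly. Note that the check for a 30-byte key||salt is what catches an answer whose suite name is right but whose inline key has been truncated or padded.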