IPv6-IPv4 Internetworking

The Oracle Communications Session Border Controller supports the following internetworking environments:

SIP-TLS IPv6 endpoints with SIP-TLS IPv4 endpoints

SIP-TLS IPv6 endpoints with SIP-TLS IPv6 endpoints

SIP-TLS IPv6 endpoints with non-SIP-TLS (unencrypted) IPv4 endpoints

SIP-TLS IPv6 endpoints with non-SIP-TLS (unencrypted) IPv6 endpoints

SIP-TLS IPv4 endpoints with non-SIP-TLS (unencrypted) IPv6 endpoints

Note:

Previously delivered TLS functionality, for example support for certificate extensions and certificate chain processing, is not affected by IPv6-IPv4 internetworking.
The IPv6-IPv4 Internetworking diagram shows the supported internetworking environments and is described above.

TLS SRTP Decryption

The Oracle Communications Session Border Controller enables the unencrypted replication of incoming and outgoing TLS/SRTP packets and delivery of such unencrypted packets to a CRS.

Decrypted packets are forwarded to the CRS as shown below.

Original encrypted packet:

+-----------------------+-------------+-----------+------------+ 
| Encrypted Payload     |    SSL      |   TCP     |   IP       | 
|                       |    Header   |   Header  |   Header   | 
+-----------------------+-------------+-----------+------------+ 

Replicated unencrypted packet:

+-----------------------+-------------+--------------+-----------+ 
|   Decrypted Payload   |   UDP       | IP           |  IP       | 
|                       |   Header    | Header       |  Header   | 
|                       |   (original | (original    |           | 
|                       |   src/dest  | src/dest     |           | 
|                       |   ports)    | IP addresses |           | 
+-----------------------+-------------+--------------+-----------+ 
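
The following added example (not Oracle code) shows how a receiver on the CRS side could recover the original flow and the cleartext from a replicated packet laid out as in the diagram above. It assumes the layers appear on the wire outermost first (outer IP, inner IP, UDP, payload), that the inner header marks its payload as UDP, and that IPv6 headers carry no extension headers; the addresses, ports and SIP line are constructed sample data.

```python
import ipaddress
import struct

def _parse_ip(buf):
    """Return (src, dst, next_protocol, header_len) for an IPv4 or IPv6 header."""
    if not buf:
        raise ValueError("missing IP header")
    version = buf[0] >> 4
    if version == 4:
        hlen = (buf[0] & 0x0F) * 4
        if hlen < 20 or len(buf) < hlen:
            raise ValueError("truncated or malformed IPv4 header")
        return str(ipaddress.ip_address(buf[12:16])), str(ipaddress.ip_address(buf[16:20])), buf[9], hlen
    if version == 6:  # assumption: fixed 40-byte header, no extension headers
        if len(buf) < 40:
            raise ValueError("truncated IPv6 header")
        return str(ipaddress.ip_address(buf[8:24])), str(ipaddress.ip_address(buf[24:40])), buf[6], 40
    raise ValueError(f"unknown IP version {version}")

def parse_replica(pkt):
    """Split a replicated packet into delivery hop, original flow and cleartext."""
    pkt = bytes(pkt)
    o_src, o_dst, _, o_len = _parse_ip(pkt)        # outer header: delivery to the CRS
    inner = pkt[o_len:]
    i_src, i_dst, proto, i_len = _parse_ip(inner)  # inner header: original addresses
    if proto != 17:  # assumption: inner header marks its payload as UDP
        raise ValueError("inner IP header does not carry UDP")
    udp = inner[i_len:]
    if len(udp) < 8:
        raise ValueError("truncated UDP header")
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])  # original ports
    if not 8 <= ulen <= len(udp):
        raise ValueError("UDP length field does not match the packet")
    return {"outer": (o_src, o_dst),
            "original_flow": (i_src, sport, i_dst, dport),
            "payload": udp[8:ulen]}

def build_sample():
    """Constructed replica: outer IPv4, inner IPv6, UDP, cleartext SIP line."""
    addr = lambda a: ipaddress.ip_address(a).packed
    payload = b"INVITE sip:bob@example.com SIP/2.0\r\n"
    udp = struct.pack("!HHHH", 49152, 5061, 8 + len(payload), 0) + payload
    inner = struct.pack("!IHBB", 0x60000000, len(udp), 17, 64) + addr("2001:db8::1") + addr("2001:db8::2")
    # Outer protocol value 41 is a constructed choice; the parser ignores it.
    outer = struct.pack("!BBHHHBBH", 0x45, 0, 60 + len(udp), 0, 0, 64, 41, 0) + addr("192.0.2.10") + addr("192.0.2.20")
    return outer + inner + udp

SAMPLE = build_sample()
print(parse_replica(SAMPLE))
```

Because the payload of the replica is cleartext, the path between the Session Border Controller and the CRS carries the same content that the TLS session protected.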

TLS SRTP Decryption Configuration

The decrypt-tls attribute enables decryption of TLS/SRTP packets. decrypt-tls is disabled by default, meaning that TLS/SRTP packets forwarded to a CRS remain encrypted.

Use the following procedure to enable delivery of unencrypted TLS/SRTP packets to a CRS.

  1. Navigate to the new call-recording-server configuration element.
    ORACLE# configure terminal  
    ORACLE(configure)# session-router
    ORACLE(session-router)# call-recording-server 
    ORACLE(call-recording-server)# 
  2. Enable TLS/SRTP decryption by setting the decrypt-tls attribute to enabled.
         ... 
         ... 
         ... 
    ORACLE(call-recording-server)# decrypt-tls enabled 
    ORACLE(call-recording-server)# 
         ... 
         ... 
         ... 
    ORACLE(call-recording-server)# 
  3. Use done, exit, and verify-config to complete required configuration.

SRTP IPv4 IPv6 Internetworking

Internetworking IPv4 and IPv6 media while using SDES as the key exchange protocol is supported.

SRTP is defined in RFC 3711, The Secure Real-time Transport Protocol (SRTP). It provides confidentiality, message authentication, and replay protection for RTP media and control traffic. SDES is defined in RFC 4568, Session Description Protocol (SDP) Security Descriptions for Media Streams. This RFC describes a new SDP cryptographic attribute that provides a method for securing unicast media streams.

Supported Topologies

The following internetworking topologies are supported and illustrated below:

SRTP IPv4 endpoints with SRTP IPv4 endpoints

SRTP IPv4 endpoints with RTP (unencrypted) IPv6 endpoints

SRTP IPv6 endpoints with SRTP IPv6 endpoints

SRTP IPv6 endpoints with RTP (unencrypted) IPv4 endpoints

SRTP IPv6 endpoints with RTP (unencrypted) IPv6 endpoints

This image shows the SRTP IPv4 endpoints with SRTP IPv4 endpoints.

SRTP/SDES IPv4 to SRTP/SDES IPv6 Internetworking

This image shows the SRTP IPv4 endpoints with RTP (unencrypted) IPv6 endpoints.

SRTP/SDES IPv4 to RTP IPv6 Internetworking

This image shows the SRTP IPv6 endpoints with SRTP IPv6 endpoints.

SRTP/SDES IPv6 to SRTP/SDES IPv6 Internetworking

This image shows the SRTP IPv6 endpoints with RTP (unencrypted) IPv4 endpoints.

SRTP/SDES IPv6 to RTP IPv4 Internetworking

This image shows the SRTP IPv6 endpoints with RTP (unencrypted) IPv6 endpoints.

SRTP/SDES IPv6 to RTP IPv6 Internetworking

Configuration

IPv6 support must be globally enabled to support SRTP internetworking as described above. If IPv6 is currently enabled, no additional configuration is required.