HMU Support for RTP to SRTP Interworking

The Oracle® Enterprise Session Border Controller (E-SBC) supports RTP to SRTP Interworking by monitoring and correcting unexpected changes to session continuity information. You enable the hide-egress-media-update parameter on the applicable inbound media-sec-policy to apply this support to traffic that enters the realm as RTP and egresses the outbound realm as SRTP. These sessions are referred to as single-ended SRTP terminations.

RFC 3550 does not require RTP to maintain sequential packet sequence numbering. In contrast, SRTP does not allow significant packet sequence number changes or resets to zero. To compensate for this, the E-SBC can watch for these changes and, if necessary, calculate and transmit the correct values to the SRTP end station.

When configured to support RTP to SRTP interworking, the HMU function latches previous sequence numbers, SSRCs, and timestamps from RTP packets and watches for changes to ensuing sequence numbers on an ongoing basis. Sequence number changes the HMU feature acts on include resets to zero and jumps downward. HMU hides these changes from the SRTP end station. The HMU logic performs calculations on the latched sequence number, and populates the egress packet with a new sequence number, which the SRTP end station can recognize as valid.

SRTP treats a downward sequence number change greater than 127 as a sign that the packet is a replay packet that should be discarded. The HMU function monitors for sequence number decreases greater than 127 and for resets to zero. If the E-SBC detects one of these changes, it invokes the HMU logic, which sets the prescribed values in the SRTP traffic before egress.
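The sequence number handling described above, as an added illustration that is not Oracle's implementation: a per-flow latch that detects a reset to zero or a downward change greater than 127 and renumbers egress packets so they continue from the last value sent. The offset scheme, the class and function names, and the sample sequences are assumptions; the page does not state the E-SBC's actual calculation.

```python
SEQ_MOD = 1 << 16      # RTP sequence numbers are 16 bits wide
MAX_DOWNWARD = 127     # larger decreases look like replays to SRTP (per the text)


class SeqLatch:
    """Hypothetical sequence-number hider for a single RTP flow."""

    def __init__(self):
        self.last_in = None    # latched ingress sequence number
        self.last_out = None   # highest sequence number sent on egress
        self.offset = 0        # added to each ingress number (assumed scheme)
        self.corrections = 0   # how many discontinuities were hidden

    def rewrite(self, seq_in):
        if self.last_in is None:
            # First packet: latch it and pass it through unchanged.
            self.last_in = self.last_out = seq_in
            return seq_in
        down = (self.last_in - seq_in) % SEQ_MOD
        # 65535 -> 0 is ordinary wraparound, not a decrease.
        is_downward = 0 < down < SEQ_MOD // 2
        if is_downward and (down > MAX_DOWNWARD or seq_in == 0):
            # Reset or large downward jump: continue egress numbering
            # from the last value sent instead of exposing the change.
            self.offset = (self.last_out + 1 - seq_in) % SEQ_MOD
            self.corrections += 1
            self.last_in = seq_in
        elif not is_downward:
            self.last_in = seq_in
        # A small reorder (decrease of 127 or less) keeps the current offset.
        seq_out = (seq_in + self.offset) % SEQ_MOD
        if (seq_out - self.last_out) % SEQ_MOD < SEQ_MOD // 2:
            self.last_out = seq_out
        return seq_out


def rewrite_stream(seqs):
    """Return (egress sequence numbers, corrections) for an ingress list."""
    latch = SeqLatch()
    return [latch.rewrite(s) for s in seqs], latch.corrections


if __name__ == "__main__":
    # Constructed sample: the sender resets its numbering after 1002.
    print(rewrite_stream([1000, 1001, 1002, 0, 1, 2]))
```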

To configure this function, you enable the hide-egress-media-update parameter in the inbound section of the RTP realm's media-sec-policy. The configuration applies the HMU logic only to inbound RTP traffic.

media-sec-policy
        name                                    hmu-rtp-side
        pass-through                            disabled
        options                                 
        inbound
                profile                                 
                mode                                    rtp
                protocol                                none
                hide-egress-media-update                enabled
        outbound
                profile                                 
                mode                                    rtp
                protocol                                none

Apply the name of this policy to the RTP realm's media-sec-policy parameter to complete the configuration.

Note:

Configuration on the ingress realm differs from standard HMU configuration, which you configure on the egress realm. Similarly, bi-directional HMU is not relevant within the context of RTP to SRTP interworking.

For example, consider configuring for single-ended SRTP sessions between a core (unencrypted) realm and a peer (encrypted) realm. To do this, you configure the core realm media security policy (inbound and outbound) to RTP mode. In addition, you configure the peer realm media security policy (inbound and outbound) to SRTP mode. After the E-SBC establishes the session flows through signaling, it applies the media security policy to ingress RTP packets from the inbound realm and transmits them via the outbound realm as SRTP. Note that enabling the hide-egress-media-update parameter is the only reason to apply a media security policy to RTP traffic.

This call flow depicts the E-SBC using HMU to support this RTP to SRTP interworking. The call sets up normally with RTP and SRTP interworking properly. The RE-INVITE from UE #1 triggers the HMU logic, which manages the RTP packet sequence numbers and prevents the SRTP leg from dropping media packets, or eventually, the call.

This feature extends the HMU feature, which operates when you apply the hide-egress-media-update parameter to all media traffic on a realm. This use of the hide-egress-media-update parameter allows you to limit HMU processing to the targeted RTP and SRTP interworking traffic.

Note:

HMU is not supported for RTCP or SRTCP packets. Regardless of HMU configuration, the E-SBC supports only up to 7 SSRC changes per SRTP session. Also, if HMU is disabled, the E-SBC supports only up to 7 SSRC changes per SRTP session for RTP and RTCP packets.

Refer to the section on Hiding Problematic Media Updates for general information on HMU, including the HMU state machine, RTC and HA support.