1. Configuration Guide
  2. Security
  3. Secure Real-Time Transport Protocol
  4. RFC 5939 Support

RFC 5939 Support

You can configure the ESBC to support RFC 5939-based SDP capability negotiation. This support overrides the supported RFC 3264-based mechanism for generating mixed RTP/SRTP offers to better support secure and non-secure flows in the same realm. Within the RFC 3264 model, both the offer and answer contain actual configurations, but separate capabilities and potential configurations are not supported. The RFC 5939 implementation on the ESBC is backward compatible and uses the RFC 3264-based model by default.

RFC 5939 addresses both attribute and transport capability negotiation by offering potential configurations. For transport, this contrasts with the RFC 3264 method, which presents separate RTP and SRTP offers and allows the end-station to set one to port number 0. One of the primary uses of RFC 5939 by the ESBC is generating and supporting mixed RTP/SRTP offers.

When configured, the ESBC generates RFC 5939-compliant offers when it receives initial INVITE, UPDATE or Re-INVITE messages. These offers contain multiple potential configurations for a media profile. Each potential configuration has a set of capabilities associated with it. The receiver chooses one of the potential configurations and sends it back in answer as the configuration for that media profile. On receiving the answer from the outbound peer, the ESBC generates an RFC 5939-compliant answer using the highest priority configuration received in the incoming offer from the inbound peer. If the answer to an RFC 5939-compliant offer is not RFC 5939 compliant, the ESBC reverts to the RFC 3264 method.

To enable RFC 5939 compliant offer generation, set the egress-offer-format parameter in the applicable sdes-profile to rfc5939-compliant. In addition, you must set either the applicable inbound or outbound media-security-policy, mode parameter to any.

The ESBC does not support RFC3264 mixed mode offers and RFC5939 compliant offer in the same realm. Create a separate realm to support RFC5939 and assign a dedicated media-security-policy that has an associated sdes-profile with the egress-offer-format set to rfc5939-compliant, to that realm.