User's Manual

Avaya Branch Gateway Manager 10.0 Page 782
15-601011 Issue 29r (Friday, November 02, 2012) B5800 Branch Gateway
9.31.2 Secure VoIP (SRTP)
Secure Real-Time Transport Protocol (SRTP) refers to the application of additional encryption and/or authentication to
VoIP calls (SIP and H.323). SRTP can be applied between telephones, between the ends of an IP trunk or in various other
combinations. This option is supported from Release 6.x, though fields for configuring this feature were visible in earlier
releases.
The following security methods can be part of SRTP:
· Encryption
Encryption can be applied to the voice part of the call (the RTP stream) and/or to the control signal
associated with the call (the RTCP stream). The default is to apply encryption to the RTP stream only. Devices can
support multiple encryption methods and will negotiate which method to use from those they both support during
call setup. The Avaya Branch Gateway system supports the following encryption methods:
· SRTP AES CM 128 SHA1 80: Advanced Encryption Standard (AES) using 128-bit keys in counter mode (CM)
with SHA-1 (Secure Hash Algorithm) keyed hashing producing an 80-bit authentication tag.
· SRTP AES CM 128 SHA1 32: Advanced Encryption Standard (AES) using 128-bit keys in counter mode (CM)
with SHA-1 (Secure Hash Algorithm) keyed hashing producing a 32-bit (truncated) authentication tag.
· Authentication
Authentication can be applied to the voice part of calls (the RTP stream) and/or to the control signal
associated with the call (the RTCP stream). The defaults for SRTP are to apply encryption to the RTP stream and
authentication to the RTCP stream. Authentication is applied after encryption so that packets can be authenticated
at the remote end without having to be decrypted first.
· The method used for the initial exchange of authentication keys during call setup depends on whether the call
is using SIP or H.323. The Avaya Branch Gateway system uses SDES for SIP calls and H.235.8 for H.323
calls.
· Due to the historical nature of the SIP and H.323 protocols, some parts of call setup are always sent in clear
text. For that reason, SRTP is only supported when using an additional method such as TLS or a VPN tunnel to
establish a secure data path before call setup.
· Replay Attack Protection
A replay attack is when someone intercepts packets and then attempts to use them for a denial-of-service or to
gain unauthorized access. Replay protection records the sequence of packets already received. Each arriving
packet is checked to see whether it has been received previously; if it has, it is ignored. If packets arrive outside a
specified sequence range, the security device rejects them. All packets in a stream (RTP and RTCP) have a
sequential index number, however packets may not be received in sequential order. SRTP protects against replay
attacks by using a moving replay window containing the index numbers of the last 64 authenticated packets received
or expected. Any packet received that has an index older than the current window is ignored. Only packets with an
index ahead of the window or inside the window but not already received are accepted. Separate replay protection
is used for the RTP and the RTCP streams.
· Rekeying
Rekeying is the sending of new authentication keys at intervals during a secure call. This option is not supported
by the Avaya Branch Gateway system, which only sends authentication keys at the start of the call.
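The replay window described above is a small sliding bitmap. The following is an added illustration, not code from the Avaya product or this manual: it implements a 64-entry window over authenticated packet indices (the example takes the index as a plain integer; in real SRTP it is derived from the 16-bit sequence number and a rollover counter) and runs a constructed trace through it. One window is created per stream, matching the separate RTP and RTCP protection the text describes.

```python
class ReplayWindow:
    """Sliding replay window for one SRTP or SRTCP stream (added example).

    'highest' is the largest packet index authenticated so far; bit i of
    'received' is set when index (highest - i) has already been accepted.
    The window covers the 64 most recent indices, as the manual describes.
    """

    def __init__(self, size=64):
        self.size = size
        self.highest = None  # no packet seen yet
        self.received = 0    # bitmap of indices already accepted

    def accept(self, index):
        """Return True and record the packet if it is new; False if it is a
        replay (already seen) or older than the window. Call this only after
        the packet's authentication tag has been verified, so that a forged
        packet with a high index cannot move the window forward."""
        mask = (1 << self.size) - 1
        if self.highest is None:
            self.highest, self.received = index, 1
            return True
        if index > self.highest:
            # Packet ahead of the window: slide the window up to it.
            shift = index - self.highest
            if shift >= self.size:
                self.received = 1
            else:
                self.received = ((self.received << shift) | 1) & mask
            self.highest = index
            return True
        back = self.highest - index
        if back >= self.size:
            return False          # older than the window: ignored
        bit = 1 << back
        if self.received & bit:
            return False          # inside the window but already received: replay
        self.received |= bit      # late but new: accepted
        return True


def filter_stream(indices, size=64):
    """Run a sequence of authenticated packet indices through one window and
    return the accept/reject decision for each packet, in order."""
    window = ReplayWindow(size)
    return [window.accept(i) for i in indices]


def first_replay(indices, size=64):
    """Index of the first packet rejected by the window (the point at which a
    replay alarm would first be raised), or None if every packet is accepted."""
    for index, ok in zip(indices, filter_stream(indices, size)):
        if not ok:
            return index
    return None


if __name__ == "__main__":
    # Constructed trace: in-order packets, one late packet (12 after 13), a
    # replayed copy of 11, a late-but-in-window 9, a jump to 200, then 136 and
    # 135, which lie 64 and 65 behind the new high-water mark and are outside
    # the window.
    trace = [10, 11, 13, 12, 11, 9, 200, 150, 136, 135]
    for index, ok in zip(trace, filter_stream(trace)):
        print(index, "accepted" if ok else "rejected")
    print("first replay alarm at index", first_replay(trace))
```

A separate `ReplayWindow` instance must be kept for the RTP and the RTCP stream of each call; sharing one would let RTCP indices shift the RTP window.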
SRTP sessions can use direct media between the devices or can be relayed via the Avaya Branch Gateway system. In
some scenarios the Avaya Branch Gateway system can be one end of the SRTP part of a call that then continues to a
non-SRTP destination.
· If both the call originator and target require SRTP
A direct media call is made if supported, using SRTP. If direct media is not supported, the call is relayed via the Avaya
Branch Gateway system. In either case SRTP parameters are negotiated end to end, with the Avaya Branch
Gateway system translating and forwarding them from one end to the other end if necessary.
· If only the originator or target requires SRTP
A non-direct media call is set up with SRTP negotiated between the Avaya Branch Gateway system and the
party which requires SRTP.
· Emergency Calls
Emergency calls from an extension are not blocked even if SRTP is required but cannot be established.
Calls using SRTP do not use any special indication on the user's telephone. Normal call functions (conference, transfer,
etc.) remain available to the user. The only special indication applied is two short beeps played twice when a replay attack
alarm first occurs during a call. SRTP alarms and details of when SRTP is being used are shown by the System Status
Application and System Monitor applications.