Specifications

VoIP Security
phones on two controllers will require the establishment of three secure signalling channels,
that is, a secure connection at each controller and one between the controllers.
Figure 60: Media and Signaling Path Encryption
Secured signalling paths follow the same network routes as unsecured ones. The only difference
is that the contents of the payload are encrypted. The only additions for security are messages
to establish the point-to-point secure connections and the negotiation of the secure voice
connection. Thus the signalling is secured; MiNET becomes Secure-MiNET and MiTAI becomes
Secure-MiTAI.
Once the signalling paths are established and a voice connection can be made, the two end
devices negotiate the keys and method of voice encryption. Once they agree, the voice streams
directly between the two devices, as in the unencrypted case, except that the voice data is
encrypted.
Voice streaming security (SRTP)
Mitel controllers and selected IP sets and applications support Secure RTP (SRTP) as defined
in RFC 3711. SRTP adds confidentiality, message authentication and replay protection to the
standard RTP protocol. If both ends support encryption, a call will be encrypted and will use
the most secure method. Calls initiated on a controller, an IP Phone, or an end device that does
not support encryption are still supported, but will not be encrypted.
Media (voice) streaming between Mitel sets and controllers will use a version of SRTP with a
predefined algorithm (Mitel SRTP), so that negotiation of the secure connection is very quick.
Mitel products connecting to third-party equipment must negotiate the key exchange for the
security algorithm, and the process will be more processor intensive.
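The message authentication and replay protection that SRTP adds over RTP can be seen in a simplified receiver model, added here as an illustration and not taken from Mitel's implementation. It assumes an explicit 48-bit packet index in each packet and a ready-made authentication key; real SRTP derives the index from the RTP sequence number and rollover counter, derives its keys from a master key, and also encrypts the payload.

```python
import hashlib
import hmac

TAG_LEN = 10   # 80-bit truncated tag, as in SRTP's default HMAC-SHA1-80
WINDOW = 64    # RFC 3711 requires a replay window of at least 64 packets


def protect(auth_key: bytes, index: int, payload: bytes) -> bytes:
    """Sender side of the model: 48-bit index + payload + truncated HMAC tag."""
    body = index.to_bytes(6, "big") + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:TAG_LEN]


class Receiver:
    """Hypothetical receiver: replay check, then tag check, then window update."""

    def __init__(self, auth_key: bytes):
        self.key = auth_key
        self.highest = -1   # highest authenticated index seen so far
        self.seen = 0       # bit i set => index (highest - i) already accepted

    def accept(self, packet: bytes) -> str:
        if len(packet) < 6 + TAG_LEN:
            return "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        index = int.from_bytes(body[:6], "big")
        # 1. Replay check: reject indices behind the window or already seen.
        delta = self.highest - index
        if delta >= WINDOW:
            return "too-old"
        if delta >= 0 and (self.seen >> delta) & 1:
            return "replay"
        # 2. Authenticate with a constant-time comparison.
        expected = hmac.new(self.key, body, hashlib.sha1).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"
        # 3. Only an authenticated packet may advance or mark the window,
        #    so a forged high index cannot push genuine packets out of it.
        if delta < 0:
            self.seen = ((self.seen << -delta) | 1) & ((1 << WINDOW) - 1)
            self.highest = index
        else:
            self.seen |= 1 << delta
        return "ok"
```

Out-of-order packets inside the window are accepted once; a captured packet sent again, or a packet whose payload was altered in transit, is dropped.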
Signalling security
Two main methods are used to secure a signalling channel:
• SSL (Secure Sockets Layer) or TLS (Transport Layer Security), both open standards
• Secure MiNET (a Mitel proprietary standard)