The Secure Real-time Transport Protocol (SRTP) defines a profile of RTP (Real-time Transport Protocol), intended to provide encryption, message authentication and integrity, and replay protection to the RTP data in both unicast and multicast applications.
VEGA supports Secure Real-time Transport Protocol (SRTP) to secure the RTP stream between VEGA and the remote end.
NOTE: VEGA must have an SRTP license in order to support SRTP functionality.
The format of an SRTP packet is illustrated as given below:
The OPTIONAL MKI and the RECOMMENDED authentication tag are the only fields defined by SRTP that are not in RTP.
VEGA allows the user to configure the following SRTP parameters in order to establish secure RTP between VEGA and its peer.

Values: off, supported, require, require_rfc4568
- off: SRTP is not used (neither initiated nor accepted).
- supported: uses "RTP/AVP" in the "m=" line and adds the "a=crypto:" line. It interoperates with non-SRTP UAs (i.e. SRTP is used on a best-effort basis only).
- require: uses "RTP/AVP" in the "m=" line and adds the "a=crypto:" line. Requires that the remote endpoint also has the "a=crypto:" line.
- require_rfc4568: as "require", but uses "RTP/SAVP" in the "m=" line.

Default authentication bits
Values: 32 or 80
The crypto-suite field is an identifier that describes the encryption and authentication algorithms (e.g. AES_CM_128_HMAC_SHA1_80) for the transport.
- 32: request 32-bit authentication in any initiated INVITE.
- 80: request 80-bit authentication in any initiated INVITE.

Minimum authentication bits
Values: 32 or 80
- 32: the minimum authentication level accepted (where encryption is used) is 32-bit authentication.
- 80: the minimum authentication level accepted (where encryption is used) is 80-bit authentication.

Crypto Life Time
Values: disable, low, medium, high
The crypto lifetime is the lifetime of the master key, measured as the maximum number of SRTP or SRTCP packets protected with that master key.
- disable: no crypto lifetime is included.
- low: a crypto lifetime of 2^16 packets is included.
- medium: a crypto lifetime of 2^31 packets is included.
- high: a crypto lifetime of 2^48 packets is included.

Crypto MKI length
Values: disable, 1:1
The MKI identifies the master key from which the session key(s) that authenticate and/or encrypt a particular packet were derived.
- disable: no MKI length is included in the crypto field.
- 1:1: an MKI value of 1 with an MKI length of 1 is included in the crypto field.
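The settings above all end up in, or are checked against, the SDP "a=crypto:" attribute of RFC 4568. The following is an added example (not VEGA code) that parses that attribute, including the lifetime and MKI:length fields, and applies the "require" / "require_rfc4568" and minimum-authentication-bits policy to a constructed offer; the sample key is base64 of 30 ASCII bytes, not a real key.

```python
import base64
import re
from typing import List, NamedTuple, Optional, Tuple

# Authentication-tag length in bits for the RFC 4568 AES-CM crypto-suites the page names.
SUITE_AUTH_BITS = {"AES_CM_128_HMAC_SHA1_80": 80, "AES_CM_128_HMAC_SHA1_32": 32}
class CryptoAttr(NamedTuple):
    tag: int
    suite: str
    key_salt: bytes                 # decoded master key || master salt
    lifetime: Optional[str]         # e.g. "2^31" (the page's "medium" setting)
    mki: Optional[Tuple[int, int]]  # (MKI value, MKI length), e.g. (1, 1)
# a=crypto:<tag> <crypto-suite> inline:<base64 key||salt>[|lifetime][|MKI:length]
_CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)((?:\|[^\s|]+)*)$")
def parse_crypto(line: str) -> CryptoAttr:
    """Parse one SDP a=crypto: attribute; raise ValueError if malformed."""
    m = _CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed crypto attribute: {line!r}")
    tag, suite, key_b64, extra = m.groups()
    key_salt = base64.b64decode(key_b64, validate=True)
    if len(key_salt) != 30:  # 128-bit key + 112-bit salt for the AES_CM_128 suites
        raise ValueError(f"expected 30-byte key||salt, got {len(key_salt)}")
    lifetime = mki = None
    for part in extra.split("|")[1:]:
        if ":" in part:  # MKI:length
            value, length = part.split(":", 1)
            mki = (int(value), int(length))
        else:
            lifetime = part
    return CryptoAttr(int(tag), suite, key_salt, lifetime, mki)

def select_crypto(sdp: List[str], min_auth_bits: int, require_savp: bool) -> Tuple[bool, str]:
    """Apply 'require' (RTP/AVP) or 'require_rfc4568' (RTP/SAVP) plus the minimum auth bits."""
    mline = next((l for l in sdp if l.startswith("m=audio ")), "")
    if require_savp and " RTP/SAVP " not in mline:
        return False, "m= line must use RTP/SAVP"
    offers = [parse_crypto(l) for l in sdp if l.startswith("a=crypto:")]
    if not offers:
        return False, "no a=crypto: line"
    for c in sorted(offers, key=lambda c: c.tag):  # honour the offerer's preference order
        if SUITE_AUTH_BITS.get(c.suite, 0) >= min_auth_bits:
            return True, c.suite
    return False, f"no crypto-suite with at least {min_auth_bits}-bit authentication"
# Constructed offer: the key is base64 of 30 ASCII bytes, not a real key; lifetime 2^31, MKI 1:1.
SAMPLE_OFFER = [
    "m=audio 49170 RTP/SAVP 0 8",
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0|2^31|1:1",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:MDEyMzQ1Njc4OWFiY2RlZmdoaWprbG1ub3BxcnN0|2^31",
]
```

With a minimum of 80 bits the offer above is accepted only on its first crypto line; an offer carrying just the _32 suite, or an "m=" line using RTP/AVP under require_rfc4568, is rejected with the reason string returned.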
SRTP configuration is found in the "SIP Profile Configuration" option of the "SIP Profile" under the "SIP" tab of the "Expert Config" section
(i.e. Expert Config Section -> SIP -> SIP Profile, then edit SIP Profile Configuration), as shown below:
- You can easily troubleshoot the SRTP message flow by filtering a Wireshark pcap trace with the display filter "sip".
- Below is a screen capture of the pcap trace of one SIP call with SRTP messages: