Versions Compared

Version Old Version 16 New Version 17
Changes made by

John Shaheen

John Shaheen

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

#TitleImportanceNotes
1SHALL support SDES (RFC4568) key exchange to establish SRTP (RFC3711) Media streamsMust Have

 

2SHALL support SDES-SRTP with or without SIP TLS session establishment. Must Have 
3SHALL support SDP 'crypto' attribute to exchange SDES-SRTP encryption keys.Must Have 
4SHALL support the following crypto suites:
  • AES_CM_128_HMAC_SHA1_80 (Default)
  • AES_CM_128_HMAC_SHA1_32
Must Have 
5SHALL support the key-method 'inline' for crypto SDP attribute:
“inline:” <key||salt> [“|”lifetime] [“|” MKI “:” length] 
 - key || salt – concatenated master key and salt, base64 encoded
 - Lifetime – masterkey lifetime (max number of SRTP or SRTCP packets using this master key)
 - MKI:length – MKI and length of the MKI field in SRTP packets		Must HaveBy default the lifetime should be forever or the largest possible value.
6SHALL support key timeouts and refresh as specified by RFC4568 and key exchange parametersMust Have 
7

Configuration Parameters. The configuration parameters for SRTP SHALL be contained within its own configuration file. The callctrl.cfg SHALL define a parameter to state if SRTP is enabled.

Must Have 
8When SRTP is enabled, the callctrl.cfg SHALL define a parameter for the location of the of the SRTP configuration file.Must HaveThe parameters in the SRTP configuration file only apply when SRTP is enabled.
9The parsing of the configuration parameters SHALL be present in the ecc.log file.Must Have 
10

Lifetime: this value determines the maximum number of SRTP/SRTCP packets that can be transmitted using the master key selected for the session.
The default value shall be set at 2147483648 (equavilent to 2^31)

OptionalWill be to be non-configurable for the initial release.
11

Accept: this is a boolean value that enable processing of SDPs with crypto-attributes. note that if an ingress message (i.e. INVITE) contains SDP without crypto-attributes, the system shall still process the request. When "Disabled", messages with crypto-attributes are rejected.
Default value shall be "Enabled"

OptionalNeed to check how this is used on HMPThis is to enable receiving SDP with crypto with SRTP enabled.
12

Number of Keys: this is an integer value that specifies the number of keys to use in the key rotation refresh.
Default value shall be 1
Range: 1-10

OptionalChecking on need to support multiple crypto keys. Was not required for MRB implementation. Will just be 1.
13

Window Size Hint: this is an integer value that sets the SRTP window size to protect against replay attacks.
Default value shall be 64
Range: 64- 2147483648 (equavilent to 2^31)

OptionalNot sure about the Window Hint, but Jon M think this is pretty standard.
14

Enforce: this is a boolean value that enable/disable mandatory enforcement of ingress calls to contain crypto-attributes. The system shall reject all calls that do NOT contain crypto-attributes in the SDP media lines.
Default value shall be "Disabled"

Optional 
15

Unencrypted SRTP: this is a boolean value that enable/disables receiving unencrypted SRTP packet payloads.
Default value shall be "Disabled"

Optional 
16

Unencrypted SRTCP: this is a boolean value that enable/disables receiving unencrypted SRTCP packet payloads.
Default value shall be "Disabled"

Optional 
17SRTP keys include a public and private key and have standard formats.  
18Use Case 1: SIP Invite with SDES - SR140 SHALL support receiving SDES in a receiving call.  SIP Invite has Offer SDP with EP 'crypto' attribute.  SR140 answers with crypto to establish the SRTP session.  
19Use Case 2: SIP Invite with SDES - SR140 SHALL support sending SDES in a transmitting call.  SIP Invite has SDP with EP 'crypto' attribute.    
20

SRTP supported on by a single license keywork (Security). This keyword enables SRTP functionality on a per system basis.

Add on part will need to be defined to add security to an existing SR140 deployment.  This part will be added to the back office for normal order processing and will allow the end user to activate a security LAC via the current methods.

The SR140 base feature license will not include Security support. Added support MUST require a seperate add-on LAC for security.

Must Have

Part #951-105-20

 

21COO Will need to be updated with changes to include the updated IPP (version 8.2.x) into the product. Will be required for both Windows and Linux.Must Have 
22

Documentation. The Brooktrout documentation SHALL be updated in the appopiate manuals.

Should include information on security license, SRTP configuration in callctrl.cfg and SRTP configuration file including configuration of keys. Nice to have a usage example in documentation or tech note.

  
23Export requirements SHALL be completed to support releasing a product with security featuresMust HaveWill be completed with SIP over TLS.
24   

...