Source: cucm/v15/security-guide/security-guide.md (page 40, chunk cucm::v15::security-guide::security-guide::27)

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs · An Introduction to Unified CM Security · Media Encryption (p. 22)

If the devices support SRTP, the system uses an SRTP connection. If at least one device does not support SRTP, the system uses an RTP connection. SRTP-to-RTP fallback may occur for transfers from a secure device to a non-secure device, transcoding, music on hold, and so on.

For most security-supported devices, authentication and signaling encryption are the minimum requirements for media encryption; that is, if the devices do not support signaling encryption and authentication, media encryption cannot occur. Cisco IOS gateways and trunks support media encryption without authentication. For Cisco IOS gateways and trunks, you must configure IPsec when you enable the SRTP capability (media encryption).

Warning: Before you configure SRTP or signaling encryption for gateways and trunks, Cisco strongly recommends that you configure IPsec, because Cisco IOS MGCP gateways, H.323 gateways, and H.323/H.245/H.225 trunks rely on the IPsec configuration to ensure that security-related information is not sent in the clear. Unified Communications Manager does not verify that you configured IPsec correctly; if you do not, security-related information may be exposed. SIP trunks rely on TLS instead to ensure that security-related information is not sent in the clear.

The following example demonstrates media encryption for SCCP and MGCP calls.

1. Device A and Device B, which support media encryption and authentication, register with Unified Communications Manager.
2. When Device A places a call to Device B, Unified Communications Manager requests two sets of media session master values from the key manager function.
3. Both devices receive the two sets: one set for the media stream Device A to Device B, and the other set for the media stream Device B to Device A.
4. Using the first set of master values, Device A derives the keys that encrypt and authenticate the media stream Device A to Device B.
5. Using the second set of master values, Device A derives the keys that authenticate and decrypt the media stream Device B to Device A.
6. Device B uses the same two sets in the inverse order: the first set to authenticate and decrypt the stream from Device A, the second set to encrypt and authenticate the stream to Device A.
7. After the devices receive the master values, they perform the required key derivation, and SRTP packet processing begins.

Phones that run SIP, and H.323 trunks and gateways, generate their own cryptographic parameters and send them to Unified Communications Manager instead of receiving master values from its key manager.

Note: For media encryption with conference calls, refer to the topics on secure conference resources.
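The seven-step SCCP/MGCP exchange above, worked through as an added example. This is not Cisco's code and is not taken from the guide: it assumes that each "set of media session master values" is an RFC 3711 master key plus master salt (the guide does not name the format), derives the session encryption, authentication and salt keys with the RFC 3711 AES-CM key derivation (checked against the RFC's appendix B.3 vector), and applies the RFC 3711 AES-CM payload transform for the packet-processing step. The names MasterSet, SessionKeys, Device, Provision, TransformPayload and VectorSet are the example's own, as are the sample set 2 and payload.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// RFC 3711 section 4.3.1 labels for the SRTP (not SRTCP) stream.
const (
	labelEncr byte = 0x00 // session encryption key, 128 bits
	labelAuth byte = 0x01 // session authentication key, 160 bits (HMAC-SHA1)
	labelSalt byte = 0x02 // session salt, 112 bits
)

// MasterSet is one "set of media session master values" from the key manager,
// assumed here to be an RFC 3711 master key and master salt (one set per direction).
type MasterSet struct {
	Key  [16]byte
	Salt [14]byte
}

// SessionKeys is what a device derives from one MasterSet for one direction.
type SessionKeys struct{ Encr, Auth, Salt []byte }

// Device is a phone after steps 4 to 6 of the example: distinct keys per direction.
type Device struct{ Send, Recv SessionKeys }

// aesCM XORs in with AES-CM keystream (RFC 3711 4.1.1): AES-CTR whose 16-byte
// IV carries the block counter in its low 16 bits.
func aesCM(key, iv, in []byte) []byte {
	block, _ := aes.NewCipher(key) // key is always 16 bytes here (AES-128)
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// DeriveKey is the RFC 3711 4.3.1 KDF with key_derivation_rate 0 (the default):
// x = (label || r) XOR master_salt, right-aligned, r = 0; IV = x * 2^16.
func DeriveKey(ms MasterSet, label byte, n int) []byte {
	iv := make([]byte, 16)
	copy(iv, ms.Salt[:]) // 14 salt bytes; bytes 14..15 (the counter) stay zero
	iv[7] ^= label       // key_id is 56 bits: label in byte 7, r in bytes 8..13
	return aesCM(ms.Key[:], iv, make([]byte, n))
}

// DeriveSessionKeys is the derivation a device performs once it holds a set (step 7).
func DeriveSessionKeys(ms MasterSet) SessionKeys {
	return SessionKeys{
		Encr: DeriveKey(ms, labelEncr, 16),
		Auth: DeriveKey(ms, labelAuth, 20),
		Salt: DeriveKey(ms, labelSalt, 14),
	}
}

// Provision models steps 3 to 6: both devices receive the same two sets; A
// sends with set 1 and receives with set 2, B uses them in the inverse order.
func Provision(set1, set2 MasterSet) (a, b Device) {
	k1, k2 := DeriveSessionKeys(set1), DeriveSessionKeys(set2)
	return Device{Send: k1, Recv: k2}, Device{Send: k2, Recv: k1}
}

// TransformPayload applies the SRTP AES-CM transform (RFC 3711 4.1.1) to an RTP
// payload: IV = (salt * 2^16) XOR (SSRC * 2^64) XOR (index * 2^16). Its own inverse.
func TransformPayload(k SessionKeys, ssrc uint32, index uint64, payload []byte) []byte {
	iv := make([]byte, 16)
	binary.BigEndian.PutUint32(iv[4:], ssrc)
	binary.BigEndian.PutUint64(iv[8:], index<<16) // 48-bit index lands in bytes 8..13
	for i, s := range k.Salt {
		iv[i] ^= s
	}
	return aesCM(k.Encr, iv, payload)
}

// VectorSet is the RFC 3711 appendix B.3 key-derivation test vector, used as set 1
// so the derived keys can be checked against the RFC.
func VectorSet() (ms MasterSet) {
	key, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	salt, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	copy(ms.Key[:], key)
	copy(ms.Salt[:], salt)
	return ms
}

func main() {
	// Constructed: set 2 is an arbitrary value; a real key manager draws both
	// sets randomly for every call.
	set2 := MasterSet{Key: [16]byte{0x5a, 0x5a, 0x5a}, Salt: [14]byte{0xa5}}
	a, b := Provision(VectorSet(), set2)
	fmt.Printf("A->B session encryption key: %X\n", a.Send.Encr) // RFC B.3: C61E7A93...
	payload := []byte("constructed G.711 payload")               // constructed sample
	ct := TransformPayload(a.Send, 0xDEADBEEF, 1, payload)
	pt := TransformPayload(b.Recv, 0xDEADBEEF, 1, ct)
	fmt.Println("B decrypts A's packet:", bytes.Equal(pt, payload))
}
```

What the example makes visible: the two sets are not interchangeable, so A's send keys are B's receive keys and vice versa, and a packet A encrypts under set 1 only decrypts under B's receive keys for the same SSRC and index. The label 0x01 key is the one that would key the HMAC-SHA1 authentication tag; the block derives it but does not compute tags. The master values themselves travel inside call signaling, which is why the guide makes signaling encryption and authentication (or IPsec, for Cisco IOS gateways and trunks) a prerequisite: the derived keys are only as secret as the channel that carried the master values.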