
Page 45

page
45
source
cucm/v15/security-guide/security-guide.md
chunk_id
cucm::v15::security-guide::security-guide::33

Interactions and Restrictions

• Unified Communications Manager requirements apply to SIP line and SIP trunk, and to basic SIP to SIP calls only.
• Device types that are based on non-SIP protocols continue to support the existing behavior, using the TLS versions with the supported ciphers. Skinny Call Control Protocol (SCCP) also supports TLS 1.2 with the earlier supported ciphers.
• SIP to non-SIP calls continue to use AES 128 and SHA-1 based ciphers.

AES 80-Bit Authentication Support

Unified Communications Manager supports Advanced Encryption Standard (AES) with a 128-bit encryption key and an 80-bit authentication tag as the encryption cipher on Music On Hold (MOH), Interactive Voice Response (IVR), and Annunciator. By default, phones that support the 80-bit authentication tag play the MOH, IVR, and Annunciator using the AES_CM_128_HMAC_SHA1_80 crypto cipher.

When a phone securely connects with IP Voice Media Streaming (IPVMS), precedence is given to the AES_CM_128_HMAC_SHA1_80 crypto cipher. If the phone does not support 80-bit authentication, it reverts to the AES_CM_128_HMAC_SHA1_32 cipher. If a phone supports neither the 80-bit nor the 32-bit authentication tag, the negotiation occurs over Real-Time Transport Protocol (RTP).

The SCCP phone supports only the 32-bit authentication tag. Hence, negotiation between the phone and IPVMS happens only over the AES_CM_128_HMAC_SHA1_32 cipher.

Note: If Phone A supports AES_CM_128_HMAC_SHA1_80 and Phone B supports the AES_CM_128_HMAC_SHA1_32 crypto cipher, and User A (Phone A) dials User B (Phone B) and User B places the call on hold, then Phone A connects to MOH. The negotiation between Phone A and MOH occurs through the AES_CM_128_HMAC_SHA1_80 cipher because Phone A supports only the 80-bit authentication tag.

If User B (Phone B) dials User A (Phone A) and User A places the call on hold, the negotiation between Phone B and MOH occurs through the AES_CM_128_HMAC_SHA1_32 cipher because Phone B supports only the 32-bit authentication tag.

If a phone supports the 80-bit authentication tag, the negotiation between the phone and an IVR or Annunciator occurs through AES_CM_128_HMAC_SHA1_80.

The following table shows the supported crypto ciphers on the phones and their negotiation cipher.

Table 5: Phones Capabilities vs. Negotiated Cipher

| Negotiated Cipher | Phones Capabilities |
| --- | --- |
| AES_CM_128_HMAC_SHA1_80 | AES_CM_128_HMAC_SHA1_32 and AES_CM_128_HMAC_SHA1_80 |
| AES_CM_128_HMAC_SHA1_32 | AES_CM_128_HMAC_SHA1_32 |
| AES_CM_128_HMAC_SHA1_80 | AES_CM_128_HMAC_SHA1_80 |

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs, page 27 · An Introduction to Unified CM Security · Interactions and Restrictions
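The precedence described above can be checked against captured SIP offers. The following is an added example, not code from the Cisco guide or from Unified CM: it parses the `a=crypto` attributes (RFC 4568) in an SDP body and applies the documented order (80-bit tag, then 32-bit tag, then RTP) so that phones expected to land on the weaker tag or on RTP can be listed for review. Device names, addresses, the key string and all function names are constructed for illustration, and the code models only the selection order stated on this page.

```python
import re

# Precedence from the section above: 80-bit tag first, then 32-bit.
PREFERENCE = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")
# RFC 4568: a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)")
KEY = "inline:CONSTRUCTED+SAMPLE+KEY+NOT+REAL"  # constructed placeholder, not a real key


def offered_suites(sdp):
    """Return the crypto suites offered in the audio section(s) of an SDP body."""
    suites, in_audio = [], False
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            in_audio = line.startswith("m=audio")  # ignore other media sections
        elif in_audio:
            match = CRYPTO_RE.match(line)
            if match:
                suites.append(match.group(2).upper())
    return suites


def expected_media_security(sdp):
    """Apply the documented precedence; 'RTP' means no supported suite was offered."""
    offered = set(offered_suites(sdp))
    for suite in PREFERENCE:
        if suite in offered:
            return suite
    return "RTP"


def sample_offer(*suites):
    """Build a constructed SDP offer (documentation address, placeholder key)."""
    body = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
            "t=0 0", "m=audio 24580 %s 0" % ("RTP/SAVP" if suites else "RTP/AVP")]
    body += ["a=crypto:%d %s %s" % (i, s, KEY) for i, s in enumerate(suites, 1)]
    return "\r\n".join(body) + "\r\n"


# Constructed offers covering the three rows of Table 5 plus the RTP fallback.
SAMPLE_OFFERS = {
    "phone-both": sample_offer("AES_CM_128_HMAC_SHA1_32", "AES_CM_128_HMAC_SHA1_80"),
    "phone-32-only": sample_offer("AES_CM_128_HMAC_SHA1_32"),
    "phone-80-only": sample_offer("AES_CM_128_HMAC_SHA1_80"),
    "phone-no-srtp": sample_offer(),
}

if __name__ == "__main__":
    for name, sdp in SAMPLE_OFFERS.items():
        print(name, "->", expected_media_security(sdp))
```
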