Secure RTP

From FreeSWITCH Wiki
Jump to: navigation, search


SRTP Configuration (Dialplan.xml)

If SRTP is enabled, only payload packets of type RTP packets will be secured. Payload packets of a different type (non-RTP) will not be encrypted.

Incoming Calls

On incoming calls, the dialplan must check to see if the variable ${rtp_has_crypto} contains the data indicating that the calling device supports SRTP. In order to enable SRTP to be used, the dialplan must set the variable sip_secure_media=true.

This is accomplished in the following way:

(i) To bridge an inbound call to your FXS that is configured on channel 1, for an UA registered as, configure as below.

  <extension name="incoming-fxs">
     <condition field="destination_number" expression="^(202)$"/>
     <condition field="${rtp_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
        <action application="set" data="sip_secure_media=true"/>
        <action application="bridge" data="openzap/1/1"/>

Outbound Calls

(ii) To bridge an outbound call,for an endpoint registered as configure as below.

  <extension name="Outgoing-fxs">
     <condition field="destination_number" expression="^(123)$"/>
     <condition field="${rtp_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
        <action application="export" data="sip_secure_media=true"/>
        <action application="bridge" data="sofia/gateway/gateway_name/$"/>

Procedures to verify SRTP

1. During an established call, you can verify the SRTP data by sending some DTMF digits over the call. As per the RFC 4733, you can know the payload type for a DTMF digit. But when it is encrypted by SRTP, it will be different from the conventional payload type.

See also