Secure RTP

From FreeSWITCH Wiki


SRTP Configuration (Dialplan.xml)

When SRTP is negotiated, only the RTP media packets of the call are encrypted and authenticated. Anything that is not RTP is untouched by SRTP. In particular, the SIP signalling, including the SDP a=crypto line that carries the SRTP master key, gets only whatever protection the SIP transport gives it: if the SIP leg does not run over TLS, the key is sent in the clear and anyone who can read the signalling can also decrypt the media.

Incoming Calls

On incoming calls, the dialplan must check whether the variable ${rtp_has_crypto} is set. It contains the crypto suite the calling device offered in its SDP (for example AES_CM_128_HMAC_SHA1_80) and is empty when the device did not offer SRTP. Only when a supported suite is present should the dialplan set the variable sip_secure_media=true, which makes FreeSWITCH use SRTP on that leg.

This is accomplished in the following way:

(i) To bridge an inbound call to the FXS port on OpenZAP span 1, channel 1, for a UA registered as 202@proxy.com, configure as below.

  <extension name="incoming-fxs">
     <condition field="destination_number" expression="^(202)$"/>
     <!-- rtp_has_crypto holds the suite offered in the caller's SDP; match only the suites we accept -->
     <condition field="${rtp_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
        <action application="set" data="sip_secure_media=true"/>
        <action application="bridge" data="openzap/1/1"/>
     </condition>
  </extension>

Outbound Calls

(ii) To bridge an outbound call from the FXS port to an endpoint registered as 123@proxy.com, configure as below. Note the use of export rather than set, so that sip_secure_media is applied to the outbound (B) leg as well as to the calling channel.

  <extension name="Outgoing-fxs">
     <condition field="destination_number" expression="^(123)$"/>
     <condition field="${rtp_has_crypto}" expression="^(AES_CM_128_HMAC_SHA1_32|AES_CM_128_HMAC_SHA1_80)$" break="never">
        <action application="export" data="sip_secure_media=true"/>
        <!-- $1 here would be the crypto suite captured by the enclosing condition, not the dialled number -->
        <action application="bridge" data="sofia/gateway/gateway_name/${destination_number}@proxy.com"/>
     </condition>
  </extension>
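
The ${rtp_has_crypto} condition in both extensions above is matching on what the peer put in its SDP. As an added example, not part of the original page or of FreeSWITCH itself, the following Python parses an SDP offer the way that check conceptually works: it pulls the a=crypto lines (RFC 4568) out of the audio section, checks the suite against the same two names the dialplan regex accepts, and refuses key material of the wrong length. The sample offers, addresses and key bytes are constructed for the example; the function names are the example's own.

```python
import base64
import re

# Suites the dialplan conditions above accept (RFC 4568 names). Order is the
# local preference when the offer lists several.
ALLOWED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")

# Both AES_CM_128 suites use a 16-byte master key plus a 14-byte master salt,
# sent as one base64 string of 30 bytes after "inline:".
MASTER_KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}

# a=crypto:<tag> <suite> inline:<key||salt>[|lifetime][|MKI:len] [session-params]
CRYPTO_RE = re.compile(
    r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)(?:\|[^\s;]+)*(?:\s.*)?$"
)


def parse_crypto_lines(sdp: str) -> list:
    """Return the a=crypto attributes found in the audio media section.

    Only lines between the m=audio line and the next m= line count; a crypto
    attribute in another media section says nothing about the voice stream.
    """
    offers = []
    in_audio = False
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            in_audio = line.startswith("m=audio")
            continue
        if not in_audio:
            continue
        m = CRYPTO_RE.match(line)
        if not m:
            continue
        try:
            key = base64.b64decode(m.group(3), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            key = b""
        offers.append({"tag": int(m.group(1)), "suite": m.group(2), "key": key})
    return offers


def select_suite(sdp: str, allowed=ALLOWED_SUITES):
    """Pick the suite the dialplan would accept, or None.

    Walks the local preference list and returns the first allowed suite the
    offer carries with key material of the right length. None means the
    dialplan should not set sip_secure_media=true for this call.
    """
    offered = {o["suite"]: o for o in parse_crypto_lines(sdp)}
    for suite in allowed:
        offer = offered.get(suite)
        if offer is None:
            continue
        if len(offer["key"]) != MASTER_KEY_SALT_LEN[suite]:
            continue  # truncated or padded key material: treat as not offered
        return suite
    return None


# Constructed sample offer (not a real capture). The key is the bytes 0..29.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = (
    "v=0\r\n"
    "o=- 1 1 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/SAVP 0 8 101\r\n"
    "a=rtpmap:101 telephone-event/8000\r\n"
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_32 inline:{SAMPLE_KEY}\r\n"
    f"a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^31\r\n"
)
# Same offer without any crypto line: the dialplan condition must not match.
PLAIN_OFFER = SAMPLE_OFFER.split("a=crypto")[0].replace("RTP/SAVP", "RTP/AVP")
# Offer whose key is only 16 bytes: syntactically a crypto line, but unusable.
SHORT_KEY_OFFER = SAMPLE_OFFER.replace(SAMPLE_KEY, base64.b64encode(bytes(16)).decode())

if __name__ == "__main__":
    for name, sdp in (("offer", SAMPLE_OFFER), ("plain", PLAIN_OFFER), ("short", SHORT_KEY_OFFER)):
        print(name, "->", select_suite(sdp))
```

The selection walks the local preference list rather than the offer's tag order, so the sample offer, which lists the SHA1_32 suite first, still yields AES_CM_128_HMAC_SHA1_80. An offer with a crypto line but a malformed key is treated as if no crypto were offered, which is the safe direction for the dialplan decision.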

Procedures to verify SRTP

1. During an established call, send a few DTMF digits and look at the RTP stream in a packet capture. RFC 4733 defines how a digit is carried as a telephone-event payload; the payload type number for it is negotiated in the SDP (101 in the default FreeSWITCH profiles). SRTP encrypts only the RTP payload, not the header, so the telephone-event packets are still identifiable by their payload type. What changes is that their payload can no longer be decoded into a digit, end bit and duration, and each packet carries an extra authentication tag (10 bytes for AES_CM_128_HMAC_SHA1_80, 4 bytes for AES_CM_128_HMAC_SHA1_32). If the digits decode in the capture, the call is not using SRTP.

2. Turn on SIP tracing from fs_cli with sofia global siptrace on and confirm that both the INVITE and the 200 OK carry an a=crypto line in their SDP. An a=crypto line in the offer alone means SRTP was offered, not that it was negotiated.
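
To make the capture check concrete, here is an added Python example (not from the original page or from FreeSWITCH) that parses the RTP fixed header and an RFC 4733 telephone-event payload, and splits a secured packet into the parts a capture shows. The packets are constructed for the example; the SRTP one uses placeholder bytes for the ciphertext and tag, since the point is which fields stay readable and how the suite changes the packet layout, not real SRTP encryption.

```python
import struct

# Authentication tag appended to every SRTP packet, by suite (RFC 3711).
AUTH_TAG_LEN = {"AES_CM_128_HMAC_SHA1_80": 10, "AES_CM_128_HMAC_SHA1_32": 4}
# RFC 4733 event numbers 0-15 map to the DTMF digits.
DTMF_EVENTS = "0123456789*#ABCD"


def parse_rtp_header(pkt: bytes) -> dict:
    """Decode the RTP fixed header (RFC 3550). SRTP leaves it in the clear."""
    if len(pkt) < 12:
        raise ValueError("shorter than an RTP fixed header")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    cc = b0 & 0x0F
    return {
        "version": b0 >> 6,
        "marker": bool(b1 & 0x80),
        "payload_type": b1 & 0x7F,
        "seq": seq,
        "timestamp": ts,
        "ssrc": ssrc,
        "header_len": 12 + 4 * cc,  # CSRC entries, if any, are also unencrypted
    }


def split_srtp(pkt: bytes, suite: str):
    """Split an SRTP packet into (header, encrypted payload, auth tag).

    The tag length depends on the negotiated suite, so a capture can only be
    split correctly once the a=crypto answer is known.
    """
    hdr = parse_rtp_header(pkt)
    tag_len = AUTH_TAG_LEN[suite]
    body = pkt[hdr["header_len"]:]
    if len(body) < tag_len:
        raise ValueError("too short to carry the authentication tag")
    cut = len(body) - tag_len
    return hdr, body[:cut], body[cut:]


def decode_telephone_event(payload: bytes) -> dict:
    """Decode a plaintext RFC 4733 telephone-event payload."""
    if len(payload) != 4:
        raise ValueError("telephone-event payload is exactly 4 bytes")
    event, flags, duration = struct.unpack("!BBH", payload)
    return {
        "digit": DTMF_EVENTS[event] if event < len(DTMF_EVENTS) else None,
        "end": bool(flags & 0x80),
        "volume": flags & 0x3F,
        "duration": duration,
    }


def visible_fields(pkt: bytes, suite: str) -> dict:
    """What a capture still tells you about an SRTP packet without the key."""
    hdr, payload, tag = split_srtp(pkt, suite)
    return {
        "payload_type": hdr["payload_type"],
        "ssrc": hdr["ssrc"],
        "seq": hdr["seq"],
        "encrypted_payload_len": len(payload),
        "auth_tag_len": len(tag),
    }


# Constructed plaintext packet: V=2, marker set, PT 101, seq 1, ts 160,
# SSRC 0x11223344, then the event payload for digit "5" with the end bit set,
# volume 10, duration 160 samples.
PLAIN_DTMF_PKT = struct.pack("!BBHII", 0x80, 0x80 | 101, 1, 160, 0x11223344) + struct.pack(
    "!BBH", 5, 0x80 | 10, 160
)
# Constructed SRTP packet with the same header: the 4 payload bytes and the
# 10-byte tag are placeholders for ciphertext and HMAC output, not real SRTP.
SRTP_DTMF_PKT = PLAIN_DTMF_PKT[:12] + bytes.fromhex("9f3a7c21") + bytes(range(0xA0, 0xAA))

if __name__ == "__main__":
    print("plain:", decode_telephone_event(PLAIN_DTMF_PKT[12:]))
    print("srtp :", visible_fields(SRTP_DTMF_PKT, "AES_CM_128_HMAC_SHA1_80"))
```

On the plaintext packet the digit, end bit and duration all decode; on the secured packet the same header fields (payload type 101, SSRC, sequence number) are still readable, which is why the telephone-event packets can be found in a capture at all, while the payload is only a 4-byte opaque blob followed by the tag. Splitting the same packet under the wrong suite name mislabels 6 bytes of ciphertext as part of the tag, so the a=crypto answer must be read before interpreting the capture.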

See also