Secure RTP (SRTP, RFC 3711) is a security profile of RTP that adds confidentiality, message authentication and replay protection to the media stream.
To preserve voice security, the key and salt values negotiated for a call are kept hidden from view. Note that RFC 4568 transports the master key and salt inside the SDP of the SIP offer and answer, so they are only as confidential as the signaling that carries them; this is why securing the signaling channel (SIP over TLS) is recommended in the note below.
A call is encrypted only if both endpoints support encryption. Calls initiated on a MiVoice Business system or a legacy IP set that does not support encryption (pre-3300 ICP Release 6.0) are still supported, but are not encrypted.
Mitel's MiNET voice encryption solution (128-bit Advanced Encryption Standard) is not supported for SIP devices or for 69xx IP Phones, which require RFC standards-based security. To provide SIP media security, SRTP (RFC 3711), keyed through the SDP security descriptions of RFC 4568, is implemented as of MiVoice Business Release 7.0.
NOTE: Securing the signaling channel is optional but strongly recommended. To use SRTP (RFC 4568) encryption, set the system options Voice Encryption Enabled and Voice/Video SRTP Encryption Enabled to Yes. If Voice Encryption Enabled is Yes but Voice/Video SRTP Encryption Enabled is No, Mitel's MiNET encryption solution is used instead. To disable media security of any type, set Voice Encryption Enabled to No.
SRTP, negotiated as defined by RFC 4568, is used to provide secure media streaming between: SIP devices and the MiVoice Business system; SIP Phones and MiNET 53xx series and 69xx series IP Phones; MiVoice Conference Units and MiVoice Video Units; and between MiVoice Video Units. See the IP Sets Engineering Guidelines on the Mitel Document Center website for the list of devices (sets and applications) that support or do not support encryption.
SRTP requires consistent end-to-end encrypted media negotiations; therefore, every component that negotiates SRTP with a SIP endpoint must comply with RFC 4568.
NOTE: The following RFC 4568 parameters are not supported; if a SIP endpoint offers them, the call is rejected: the crypto-suite F8_128_HMAC_SHA1_80, re-keying (which RFC 4568 expresses through key lifetimes and multiple inline master keys), and MKI (Master Key Identifier). Of the three crypto-suites RFC 4568 defines, this leaves the AES counter-mode suites (AES_CM_128_HMAC_SHA1_80 and AES_CM_128_HMAC_SHA1_32). HMAC-SHA1 message authentication and the standard SRTP key derivation, which generates the session keys from the negotiated master key and salt, are supported.
For interoperability and backward compatibility, the following non-SIP products support both SRTP and Mitel's MiNET encryption solution (when both are available, SRTP negotiation takes precedence):
MiNET 53xx series phones
MiAudio SDK
MiVoice Border Gateway
SIP devices that are not SRTP-capable accept only unencrypted media. For SRTP-capable devices, the MiVoice Business system supports two types of media negotiation:
Strict Security: SRTP only; if the far endpoint cannot negotiate standards-based SRTP, the call fails to connect.
SRTP (RTP/SAVP, the Secure Audio/Video Profile) or non-secure (RTP/AVP): if the far endpoint does not support SRTP, the non-secure option is used. The profile in use is visible in the SDP m= line of the offer and answer.
NOTE: Many devices can be configured to support both SRTP and unencrypted RTP; both are supported on the 5603/5613/5604/5614/5607 devices when SRTP is enabled on the base station. Other devices, including the 5624/5634, must be explicitly configured to use one or the other. Support for both SRTP and unencrypted RTP is useful as it allows for better interoperability with new and legacy equipment.
If your system includes SIP Phones that offer SRTP only, it is recommended that the entire network be SRTP compliant. To enable SRTP on SIP devices or trunks, set the AVP Only Device option (SIP Device Capabilities form) or the AVP Only Peer option (SIP Peer Profile form, for trunks) to "No". By default these options are set to "Yes", meaning the device or peer sends and receives only unencrypted (AVP) media.
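The negotiation modes just described, together with the rejected RFC 4568 parameters from the earlier note, modelled as a small offer/answer checker. This is an added example written by the editor, not Mitel code, and it does not reproduce the MiVoice Business implementation. The SDP samples are constructed; the rejection wording, the treatment of a key lifetime or several inline keys as "re-keying", and the choice of the two AES_CM suites as the accepted ones are assumptions.

```python
"""Added example (editor's code, not Mitel's): an RFC 4568 offer/answer checker
that models the negotiation rules on this page. Constructed SDP samples; the
rejection wording, treating a key lifetime or multiple inline keys as re-keying,
and the accepted AES_CM suites are assumptions, not taken from the page."""
import base64
import os
import re

REJECTED_SUITES = {"F8_128_HMAC_SHA1_80"}                              # stated on the page
ACCEPTED_SUITES = {"AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32"}  # assumption
KEY_SALT_LEN = 30   # 128-bit master key + 112-bit master salt for the AES_CM_128 suites
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)(?: (.+))?$")


def parse_crypto(line):
    """Split an a=crypto line into (tag, suite, [(key_b64, lifetime, mki)], session_params)."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        raise ValueError("malformed a=crypto line: " + line)
    tag, suite, key_params, sess = m.groups()
    keys = []
    for kp in key_params.split(";"):          # RFC 4568 allows several keys, separated by ';'
        if not kp.startswith("inline:"):
            raise ValueError("only the inline: key method is defined in RFC 4568")
        fields = kp[len("inline:"):].split("|")
        lifetime = mki = None
        for f in fields[1:]:
            if ":" in f:
                mki = f                       # "<mki>:<mki_length>"
            else:
                lifetime = f                  # e.g. "2^20"
        keys.append((fields[0], lifetime, mki))
    return int(tag), suite, keys, (sess.split() if sess else [])


def check_crypto(crypto):
    """Return None if the offered line is acceptable, otherwise the rejection reason."""
    _, suite, keys, _ = crypto
    if suite in REJECTED_SUITES:
        return "crypto-suite %s not supported" % suite
    if suite not in ACCEPTED_SUITES:
        return "unknown crypto-suite %s" % suite
    if any(mki for _, _, mki in keys):
        return "MKI not supported"
    if len(keys) > 1 or any(lifetime for _, lifetime, _ in keys):
        return "rekeying not supported"       # assumption: lifetime / multiple keys = re-keying
    try:
        raw = base64.b64decode(keys[0][0], validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return "master key is not valid base64"
    if len(raw) != KEY_SALT_LEN:
        return "master key||salt must be %d bytes for %s" % (KEY_SALT_LEN, suite)
    return None


def negotiate(offer_sdp, avp_only_device=True, strict_security=False, answer_key=None):
    """Answer an SDP offer. avp_only_device=True is the form default (RTP/AVP only);
    strict_security=True is the SRTP-only mode. Returns (accepted, profile, answer_or_reason)."""
    lines = [l.strip() for l in offer_sdp.strip().splitlines()]
    m_line = next(l for l in lines if l.startswith("m=audio "))
    profile = m_line.split()[2]               # RTP/AVP or RTP/SAVP
    cryptos = [parse_crypto(l) for l in lines if l.startswith("a=crypto:")]
    if profile == "RTP/SAVP" and not cryptos:
        return False, profile, "RTP/SAVP offer carries no a=crypto line"
    offers_srtp = profile == "RTP/SAVP"
    if avp_only_device:
        if offers_srtp:   # RFC 3264: the answer keeps the offered profile, so no AVP fallback
            return False, profile, "AVP Only Device: RTP/SAVP offer rejected"
        return True, "RTP/AVP", [m_line]
    if not offers_srtp:
        if strict_security:
            return False, profile, "Strict Security: far endpoint did not offer SRTP"
        return True, "RTP/AVP", [m_line]      # SAVP-or-AVP mode falls back to clear RTP
    reasons = []
    for crypto in cryptos:                    # offerer lists its suites in preference order
        reason = check_crypto(crypto)
        if reason is None:
            key = answer_key or os.urandom(KEY_SALT_LEN)   # the answerer's own master key||salt
            answer = "a=crypto:%d %s inline:%s" % (crypto[0], crypto[1],
                                                   base64.b64encode(key).decode())
            return True, "RTP/SAVP", [m_line, answer]
        reasons.append("tag %d: %s" % (crypto[0], reason))
    return False, profile, "; ".join(reasons)  # page: unsupported parameters -> call rejected


def make_offer(profile, crypto_lines=()):
    """Constructed minimal SDP offer used for the demonstrations below."""
    head = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
            "m=audio 49170 %s 0 8 101" % profile]
    return "\r\n".join(head + list(crypto_lines)) + "\r\n"


DEMO_KEY = base64.b64encode(b"0123456789abcdef01234567890123").decode()  # fixed 30-byte demo key
OFFER_SRTP = make_offer("RTP/SAVP", ["a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:" + DEMO_KEY])
OFFER_AVP = make_offer("RTP/AVP")
OFFER_BAD = make_offer("RTP/SAVP", ["a=crypto:1 F8_128_HMAC_SHA1_80 inline:" + DEMO_KEY,
                                    "a=crypto:2 AES_CM_128_HMAC_SHA1_80 inline:%s|2^20|1:4" % DEMO_KEY])

if __name__ == "__main__":
    print("SRTP offer, AVP Only default ->", negotiate(OFFER_SRTP))
    print("SRTP offer, SRTP enabled     ->", negotiate(OFFER_SRTP, avp_only_device=False))
    print("AVP offer, Strict Security   ->", negotiate(OFFER_AVP, avp_only_device=False, strict_security=True))
    print("F8 + MKI offer               ->", negotiate(OFFER_BAD, avp_only_device=False))
```

The fallback case deserves attention: an answerer cannot turn an RTP/SAVP offer into an RTP/AVP call, because the answer has to keep the offered transport profile. Fallback to clear RTP therefore only happens when the far end never offered SRTP in the first place, which is exactly the case Strict Security is meant to refuse.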
NOTE: Pre-MiVoice Business Release 7.0 systems (with SIP-endpoints) connected to an SRTP-enabled system through IP or SIP trunks must be upgraded to MCD 6.2 or higher to allow proper stream negotiations.