
Copyright years: 2017, 2023. Last updated: 2023-01-07


Securing voice over IP

When a call is placed, the media (for Voice Gateway, voice) travels as Real-time Transport Protocol (RTP) packets between the endpoints. These packets are unprotected: if they are intercepted by a packet capture, the conversation can be eavesdropped on. Secure Real-time Transport Protocol (SRTP) protects voice over IP (VoIP) calls from eavesdropping by encrypting the payload of each RTP packet, authenticating the entire RTP packet, and providing replay protection against replayed packets.

An SRTP session requires the endpoints to exchange keys and agree on an encryption/decryption suite. In Voice Gateway, this exchange happens through SIP and SDP, so you must first enable SIP over TLS.

Enabling SIP over TLS

To enable SIP over TLS:

  1. Configure your Key and truststores for TLS on Voice Gateway by following the steps in Configuring SSL and TLS encryption.

  2. Set the TLS port for Voice Gateway by setting the SIP_PORT_TLS variable to the port you want to use for TLS, and expose that port. If you are running on Docker, add a port mapping to your YAML file:

    ports:
      - "5061:5061" # SIPS PORT
    
  3. Verify the configuration by placing a call that requests TLS. From a SIP phone, call sips:{tenant}@{sipHost}:{sipPort}, or specify the transport explicitly with sip:{tenant}@{sipHost}:{sipPort};transport=tls. For SIPS to work, the SIP phone must be configured to use TLS with the appropriate certificates.

Enabling SRTP

To enable SRTP in your tenant:

Single tenant: Set the ENABLE_SRTP_INBOUND variable to true, which allows the tenant to accept calls that request protection. If a call doesn't request protection, its media is unprotected; if it requests protection and a common encryption suite is found, its media is protected. For outgoing calls, set MEDIA_ENCRYPTION_TYPE to srtp to start outbound calls with encryption enabled. To force media protection on every incoming and outgoing call, set FORCE_MEDIA_ENCRYPTION to true, which rejects all calls without protection.

Multi-tenant: In the mediaEncryption object, set the enableSrtpInbound property to true, which allows the tenant to accept calls that request protection. If a call doesn't request protection, its media is unprotected; if it requests protection and a common encryption suite is found, its media is protected. For outgoing calls, set the encryptionType property in the mediaEncryption object to srtp to start outbound calls with encryption enabled. To force media protection on every call, set the forceMediaEncryption property in the mediaEncryption object to true, which rejects all calls without protection. For more information, see Properties of the mediaEncryption object.

You can now make a secure call to and from your configured tenant.

Current limitations

  • If SIPS is not used for a call that requests SRTP protection, the call is rejected as invalid. Because the key exchange happens through SDP, a call whose signaling is not protected by SIPS cannot be guaranteed to be secure.

  • Only RTP packets are currently protected; RTCP packets are not. If RTCP is enabled and the session is protected, RTCP is automatically disabled for that session to preserve call protection.
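The following is an added illustration, not Voice Gateway code, of how the inbound and outbound settings above (ENABLE_SRTP_INBOUND / enableSrtpInbound, MEDIA_ENCRYPTION_TYPE / encryptionType, FORCE_MEDIA_ENCRYPTION / forceMediaEncryption) combine with the SIPS limitation to decide whether a call's media is protected. It parses a constructed SDP offer for the RTP/SAVP profile and a=crypto lines (the RFC 4568 key-in-SDP exchange that is the reason SIPS is required), then applies the documented rules. The class and function names, the supported suite list, and the behaviour for cases the page does not spell out (SRTP requested while inbound SRTP is disabled, or no common suite) are assumptions and are marked as such in the code.

```python
"""Model of an SRTP admission policy for a SIP gateway tenant.

Added example; not IBM Voice Gateway code. Names, the suite list and the
behaviour for undocumented cases are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Suites this model negotiates (assumption; names follow the RFC 4568 registry).
SUPPORTED_SUITES = ("AES_CM_128_HMAC_SHA1_80", "AES_CM_128_HMAC_SHA1_32")


@dataclass
class MediaEncryption:
    """Mirrors the single-tenant variables / multi-tenant mediaEncryption object."""
    enable_srtp_inbound: bool = False     # ENABLE_SRTP_INBOUND / enableSrtpInbound
    encryption_type: str = "rtp"          # MEDIA_ENCRYPTION_TYPE / encryptionType
    force_media_encryption: bool = False  # FORCE_MEDIA_ENCRYPTION / forceMediaEncryption


def parse_offer(sdp: str) -> tuple[bool, list[str]]:
    """Return (requests_srtp, offered_suites) for an SDP offer.

    A caller requests SRTP with the RTP/SAVP (or RTP/SAVPF) profile on the
    audio m= line plus a=crypto lines. Each a=crypto line names a suite and,
    after "inline:", carries the base64 master key and salt in the clear,
    which is why the signaling carrying the SDP must itself be encrypted.
    """
    requests_srtp = False
    suites: list[str] = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m=audio"):
            fields = line.split()
            requests_srtp = len(fields) > 2 and fields[2] in ("RTP/SAVP", "RTP/SAVPF")
        elif line.startswith("a=crypto:"):
            fields = line.split()
            if len(fields) >= 3:
                suites.append(fields[1])
    return requests_srtp, suites


def decide_inbound(policy: MediaEncryption, sdp: str, over_tls: bool) -> tuple[str, Optional[str]]:
    """Decide an inbound call: ("accept-srtp", suite), ("accept-rtp", None) or ("reject", reason)."""
    requests_srtp, suites = parse_offer(sdp)

    if not requests_srtp:
        # Unprotected offer: allowed unless every call must be protected.
        if policy.force_media_encryption:
            return "reject", "unprotected media refused (force media encryption)"
        return "accept-rtp", None

    # Documented limitation: SRTP keys travel inside SDP, so an SRTP request
    # that did not arrive over SIPS is rejected as invalid.
    if not over_tls:
        return "reject", "SRTP requested without SIPS; SDP key exchange would be exposed"

    # Assumption: a tenant that has not enabled inbound SRTP cannot answer an
    # RTP/SAVP offer, so the call is rejected.
    if not policy.enable_srtp_inbound:
        return "reject", "tenant does not accept SRTP"

    common = [s for s in suites if s in SUPPORTED_SUITES]
    if common:
        return "accept-srtp", common[0]  # first mutually supported suite wins
    # Assumption: with no common suite the session cannot be protected, so the
    # outcome follows the force flag.
    if policy.force_media_encryption:
        return "reject", "no common SRTP suite"
    return "accept-rtp", None


def outbound_profile(policy: MediaEncryption) -> str:
    """Transport profile placed on the audio m= line of an outbound offer."""
    return "RTP/SAVP" if policy.encryption_type.lower() == "srtp" else "RTP/AVP"


# Constructed sample offers (RFC 4566/4568 shapes; the inline keys are dummies).
SRTP_OFFER = """\
v=0
o=caller 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
"""
RTP_OFFER = """\
v=0
o=caller 1 1 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
"""

if __name__ == "__main__":
    tenant = MediaEncryption(enable_srtp_inbound=True, encryption_type="srtp")
    print(decide_inbound(tenant, SRTP_OFFER, over_tls=True))   # accept-srtp
    print(decide_inbound(tenant, SRTP_OFFER, over_tls=False))  # reject: no SIPS
    print(decide_inbound(tenant, RTP_OFFER, over_tls=True))    # accept-rtp
    print(outbound_profile(tenant))                             # RTP/SAVP
```

Running the module walks through the main cases: an SRTP offer over SIPS is accepted with the first common suite, the same offer over plain SIP is rejected, and an unprotected offer is accepted only while forceMediaEncryption is off.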