sdes-profile

The sdes-profile configuration element lets you configure the parameter values offered or accepted during SDES negotiation.

Parameters

name
Sets the name of this object.
crypto-list
Sets the encryption and authentication algorithms accepted or offered by this sdes-profile.
  • Default: AES_CM_128_HMAC_SHA1_80
  • Values:
    • AES_CM_128_HMAC_SHA1_80
    • AES_CM_128_HMAC_SHA1_32
    • AES_256_CM_HMAC_SHA1_80
    • AEAD_AES_256_GCM
srtp-auth
UNUSED
  • Default: enabled
  • Values: enabled | disabled
srtp-encrypt

This parameter enables or disables the encryption of RTP packets. With encryption enabled, the default condition, the SBC offers RTP encryption, and rejects an answer that contains an UNENCRYPTED_SRTP session parameter in the crypto attribute.

With encryption disabled, the SBC does not offer RTP encryption and includes an UNENCRYPTED_SRTP session parameter in the SDP crypto attribute; it accepts an answer that contains an UNENCRYPTED_SRTP session parameter.
  • Default: enabled
  • Values: enabled | disabled
srtcp-encrypt

This parameter enables or disables the encryption of RTCP packets. With encryption enabled, the default condition, the SBC offers RTCP encryption, and rejects an answer that contains an UNENCRYPTED_SRTCP session parameter in the crypto attribute.

With encryption disabled, the SBC does not offer RTCP encryption and includes an UNENCRYPTED_SRTCP session parameter in the SDP crypto attribute; it accepts an answer that contains an UNENCRYPTED_SRTCP session parameter.
  • Default: enabled
  • Values: enabled | disabled
mki
This parameter enables or disables the inclusion of the MKI:length field in the SDP crypto attribute.
  • Default: enabled
  • Values:
    • enabled – an MKI field is sent within the crypto attribute (16 bytes maximum)
    • disabled – no MKI field is sent
egress-offer-format
Sets the manipulation, if any, that the SBC applies to the SDP offer.
  • Default: same-as-ingress
  • Values:
    • same-as-ingress - the SBC leaves the profile of the media lines unchanged.
    • simultaneous-best-effort - the SBC adds an RTP/SAVP media line for any media profile that has only the RTP/AVP media profile, and adds an RTP/AVP media line for any media profile that has only the RTP/SAVP media profile.
    • rfc5939-compliant - the SBC attempts to initiate an RFC 5939 compliant SDP exchange, but falls back to RFC 3562 if the presented signaling does not establish end-to-end support.
srtp-rekey-on-reinvite

This parameter enables or disables re-keying upon receipt of a SIP reINVITE that contains SDP, for the SRTP Re-keying feature.

  • Default: enabled
  • Values: enabled | disabled
use-ingress-session-params
Enter the list of values for which the SBC will accept and (where applicable) mirror the UA’s proposed cryptographic session parameters:
  • srtp-auth—Decides whether or not authentication is performed in SRTP
  • srtp-encrypt—Decides whether or not encryption is performed in SRTP
  • srtcp-encrypt—Decides whether or not encryption is performed in SRTCP
ORACLE(sdes-profile)# use-ingress-session-params "srtp-auth srtp-encrypt srtcp-encrypt"
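
The acceptance rules described above for crypto-list, srtp-encrypt and srtcp-encrypt can be modelled offline to audit the crypto attributes in a captured SDP answer. The following Python is an added example, not Oracle code; the function names, the profile dictionary and the sample SDP are constructed for illustration, and the a=crypto layout is assumed to follow RFC 4568.

```python
import re

# a=crypto:<tag> <crypto-suite> <key-params> [<session-params>]  (RFC 4568)
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) (\S+)(?: (.*))?$")

# Constructed model of an sdes-profile at the defaults listed on this page.
DEFAULT_PROFILE = {
    "crypto-list": ["AES_CM_128_HMAC_SHA1_80"],
    "srtp-encrypt": "enabled",
    "srtcp-encrypt": "enabled",
}

def parse_crypto(line):
    """Split one a=crypto line into tag, suite, MKI and session parameters."""
    m = CRYPTO_RE.match(line.strip())
    if not m:
        return None
    tag, suite, key_params, session = m.groups()
    # key-params: inline:<key||salt>[|lifetime][|MKI:length]; only MKI has a colon
    fields = key_params.split(";")[0].split("|")
    mki = next((f for f in fields[1:] if ":" in f), None)
    return {"tag": int(tag), "suite": suite, "mki": mki,
            "session": session.split() if session else []}

def audit_answer(sdp, profile=DEFAULT_PROFILE):
    """Return (tag, reason) for each crypto attribute the profile would not accept."""
    findings = []
    for line in sdp.splitlines():
        attr = parse_crypto(line)
        if attr is None:
            continue  # not an a=crypto line
        if attr["suite"] not in profile["crypto-list"]:
            findings.append((attr["tag"], "suite not in crypto-list: " + attr["suite"]))
        for param, flag in (("srtp-encrypt", "UNENCRYPTED_SRTP"),
                            ("srtcp-encrypt", "UNENCRYPTED_SRTCP")):
            if profile[param] == "enabled" and flag in attr["session"]:
                findings.append((attr["tag"], flag + " while " + param + " is enabled"))
    return findings

# Constructed SDP answer fragment; KEY is dummy base64, not real key material.
KEY = "QUJD" * 10
SAMPLE_ANSWER = (
    "m=audio 49170 RTP/SAVP 0\n"
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}|2^20|1:4 UNENCRYPTED_SRTCP\n"
    f"a=crypto:2 F8_128_HMAC_SHA1_80 inline:{KEY}\n"
)

if __name__ == "__main__":
    print(audit_answer(SAMPLE_ANSWER))
```

Passing a profile with srtcp-encrypt set to disabled removes the first finding, mirroring the documented behaviour that the SBC then accepts an answer carrying UNENCRYPTED_SRTCP.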

Path

sdes-profile is a configuration element under the security > media-security path. The full path from the topmost ACLI prompt is: configure terminal, and then security, and then media-security, and then sdes-profile.