1. ACLI Reference Guide
  2. ACLI Configuration Elements N-Z
  3. sdes-profile

sdes-profile

The sdes-profile configuration element lets you configure the parameter values offered or accepted during SDES negotiation.

Parameters

name
Sets the name of this object.
crypto-list
Sets the the encryption and authentication algorithms accepted or offered by this sdes-profile
  • Default: AES_CM_128_HMAC_SHA1_80
  • Values:
    • AES_CM_128_HMAC_SHA1_80
    • AES_CM_128_HMAC_SHA1_32
    • AES_256_CM_HMAC_SHA1_80
    • AEAD_AES_256_GCM
srtp-auth
UNUSED
  • Default: enabled
  • Values: enabled | disabled
srtp-encrypt

This parameter enables or disables the encryption of RTP packets. With encryption enabled, the default condition, the SBC offers RTP encryption, and rejects an answer that contains an UNENCRYPTED_SRTP session parameter in the crypto attribute.

With encryption disabled, the SBC does not offer RTP encryption and includes an UNENCRYPTED_SRTP session parameter in the SDP crypto attribute; it accepts an answer that contains an UNENCRYPTED_SRTP session parameter.
  • Default: enabled
  • Values: enabled | disabled
srtcp-encrypt

This parameter enables or disables the encryption of RTCP packets. With encryption enabled, the default condition, the SBC offers RTCP encryption, and rejects an answer that contains an UNENCRYPTED_SRTCP session parameter in the crypto attribute.

With encryption disabled, the SBC does not offer RTCP encryption and includes an UNENCRYPTED_SRTCP session parameter in the SDP crypto attribute; it accepts an answer that contains an UNENCRYPTED_SRTCP session parameter.
  • Default: enabled
  • Values: enabled | disabled
mki
This parameter enables or disables the inclusion of the MKI:length field in the SDP crypto attribute.
  • Default: disabled
  • Values:
    • enabled – an MKI field is sent within the crypto attribute (16 bytes maximum)
    • disabled – no MKI field is sent
egress-offer-format
Sets any manipulation on SDP offer.
  • Default: same-as-ingress
  • Values:
    • same-as-ingress - the SBC leaves the profile of the media lines unchanged.
    • simultaneous-best-effort - the SBC Adds an RTP/SAVP media line for any media profile that has only the RTP/AVP media profile, and Adds an RTP/AVP media line for any media profile that has only the RTP/SAVP media profile
    • rfc5939-compliant - the SBC attempts to initiate and RFC 5939 compliant SDP exchange, but falls back to RFC 3562 if the presented signaling does not establish end-to-end support.
srtp-rekey-on-reinvite

This parameter enables or disables the re-keying upon the receipt of a SIP reINIVTE that contains SDP for the STRP Re-keying feature.

  • Default: enabled
  • Values: enabled | disabled
use-ingress-session-params
Enter the list of values for which the SBC will accept and (where applicable) mirror the UA’s proposed cryptographic session parameters. If you want to enter multiple values, you can put them in the same command line entry separated by commas. For example srtcp-encrypt,srtp-auth,srtp-encrypt. You can also enter the values within double quotes. For example "srtcp-encrypt,srtp-auth,srtp-encrypt" or within parenthesis (srtcp-encrypt,srtp-auth,srtp-encrypt). You cannot use spaces as separators.
  • srtp-auth—Decides whether or not authentication is performed in SRTP
  • srtp-encrypt—Decides whether or not encryption is performed in SRTP
  • srtcp-encrypt—Decides whether or not encryption is performed in SRTCP 
ORACLE(sdes-profile)# use-ingress-session-params (srtcp-encrypt,srtp-auth,srtp-encrypt)

Path

sdes-profile is a configuration element under the security > media-security path. The full path from the topmost ACLI prompt is: configure terminal, and then security, and then media-security, and then sdes-profile.