SIP Trunk Encryption

Network Bulls
www.networkbulls.com
SIP digest authentication is not considered to be very secure. It also provides no
confidentiality, because it only hashes a username, password, and some message components,
such as the SIP uniform resource identifier (URI); it does not encrypt the signaling.
For increased security, SIP trunks also support encryption.
SIP trunk encryption protects SIP signaling messages by using TLS with packet authentication
(HMAC) and encryption (AES). SIP trunk encryption uses mutual certificate-based
TLS device authentication. Therefore, CUCM must trust the issuer of the certificate for the
peer. The certificate can be self-signed or signed by a certification authority (CA). The subject
that will be used in the certificate has to be configured when SIP trunk encryption is
enabled so that CUCM knows what certificate should be used on the trunk.
SIP trunk encryption protects SIP signaling messages by using TLS only. It does not
support SRTP for the media channels.
SIP Trunk Encryption Configuration Procedure
SIP trunk encryption involves SIP trunk security profile configuration, SIP trunk
configuration, and certificate management. The configuration steps are as follows:
Step 1 Set the Device Security Mode to Encrypted in a SIP trunk security
profile.
Step 2 Set the X.509v3 certificate subject in the SIP trunk security profile.
Step 3 Apply the SIP trunk security profile to the trunk.
Step 4 Add the certificate of the issuer of the peer's certificate to CUCM.
SIP Trunk Encryption Configuration
Figure 15-7 shows Steps 1 to 3 of the configuration procedure.
In Step 1, set the Device Security Mode to Encrypted. In Step 2, enter the subject of the
certificate that the peer will use. In Step 3, apply the SIP trunk security profile to the SIP
trunk. Step 4 is performed on the third-party or other Cisco SIP peer and is not shown in
the figure.
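
A pre-check for Steps 2 and 4, added here as an example and not taken from the original page or from Cisco: it uses the openssl CLI to confirm that a peer certificate chains to the issuer you plan to trust and that its subject matches the value you plan to enter in the security profile. The function names, file names, and certificate subjects are constructed for the demo, and the check assumes the profile's subject field is matched against the certificate's common name (CN).

```bash
#!/usr/bin/env bash
# Added example: pre-check a SIP peer certificate before Steps 2 and 4.

# check_trunk_cert PEER_CERT ISSUER_CERT EXPECTED_CN
# Prints OK, UNTRUSTED_ISSUER or SUBJECT_MISMATCH; returns 0 only for OK.
check_trunk_cert() {
  local peer="$1" issuer="$2" expected_cn="$3" cn
  # Step 4: the peer certificate must chain to the issuer that will be trusted.
  if ! openssl verify -CAfile "$issuer" "$peer" >/dev/null 2>&1; then
    echo "UNTRUSTED_ISSUER"; return 1
  fi
  # Step 2: the subject CN must equal the value planned for the security profile
  # (assumption: the profile's subject field is matched against the CN).
  cn=$(openssl x509 -in "$peer" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p' | head -n 1)
  if [ "$cn" != "$expected_cn" ]; then
    echo "SUBJECT_MISMATCH"; return 1
  fi
  echo "OK"
}

# make_demo_pki DIR: constructed sample data (a demo CA, a peer certificate it
# signed, and an unrelated CA) so the check runs offline.
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Trunk CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=sip-peer.example.test" \
    -keyout "$d/peer.key" -out "$d/peer.csr" 2>/dev/null
  openssl x509 -req -in "$d/peer.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/peer.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated CA" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
}

# Demo run on the constructed certificates: one passing case, two failing ones.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_trunk_cert "$demo_dir/peer.pem" "$demo_dir/ca.pem" "sip-peer.example.test"
check_trunk_cert "$demo_dir/peer.pem" "$demo_dir/other.pem" "sip-peer.example.test" || true
check_trunk_cert "$demo_dir/peer.pem" "$demo_dir/ca.pem" "wrong-name.example.test" || true
```

Against a real deployment, pass the peer's exported certificate and the issuer certificate you intend to upload in place of the demo files.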
