The Transport Layer Security protocol provides data privacy and integrity for computer network communications.
TLS is used for:
When a certificate , a secure TLS connection is established with a peer. Then SIP Transport Types, Hypertext Transfer Protocol Secure (HTTPS), and TR-069 or CPE WAN Management Protocol (CWMP) can be used over the TLS connection.
TLS connections also prevent man-in-the-middle attacks.
Important: The Mediatrix unit does not support a mix of both TLS and non-TLS links. Once TLS is enabled, it is enabled for all configured SIP gateways.
Although some parameters are available through the Web GUI, many parameters are not accessible through the Web GUI:
For more details on advanced parameters, refer to Transport Layer Security (TLS) Parameters.
The Mediatrix unit uses digital X.509 certificates, which are based on the international X.509 Public Key Infrastructure (PKI) standard. These certificates are a collection of data used to verify the identity of individuals, computers, and other entities on a network.
X.509 certificates provide guarantees of confidentiality, authentication, integrity, and non-repudiation. The Public Key Infrastructure (PKI) is a set of rules, specific to an environment, that manages, distributes, stores, and revokes the certificates. Therefore, the PKI guarantees that the signed certificates can be trusted.
Certificates are used to secure the following TLS based connections:
HTTPS is a transfer protocol widely used to secure communications over Internet telephony networks.
HTTPS allows for communications over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS). HTTPS is mainly used to secure the content of a Web site and to securely transfer files.
A communication using HTTPS reasonably guarantees that the targeted peer is the proper one, not an impostor, and that the content cannot be read or tampered with by any third party.
The Technical Report 069 (TR-069), also known as CWMP, is a Broadband Forum technical specification. This protocol can be used to monitor and update the Mediatrix unit configurations and firmware. In other words, when using TR-069, the Mediatrix unit can get in contact with an Auto Configuration Server (ACS) to initiate a configuration script transfer/execution and a firmware upgrade.
The first time the Mediatrix unit is connected to the network, it will attempt to contact the Auto Configuration Server (ACS), which is the entry point for the administrator. The Mediatrix unit will obtain the URL of the ACS using either the DHCP server with option 43 or by retrieving the information directly from the Customer's Profile. Therefore, upon start-up, the Mediatrix unit will contact the ACS, which in return will send the required configuration files and initiate, if necessary, a firmware update. This automated sequence is what is referred to as zero-touch, as the Mediatrix unit is automatically configured by the ACS according to the instructions given by the administrator without manual intervention on the unit.
The administrator can determine a schedule for the Mediatrix unit to periodically contact the ACS. These contacts will allow the Mediatrix unit to:
Monitoring is achieved by regularly sending notifications to the ACS by means of "Inform" requests, which can be:
Furthermore, the administrator can initiate a connection to the Mediatrix unit to perform immediate maintenance or monitoring. This will only be possible if the NAT firewall has been configured to allow communications initiated by the ACS.
The TR-069 protocol can be activated on units that are already deployed with a licence key (For more details on licences refer to How to activate a licence on a Mediatrix unit published on the Media5 documentation portal). However, it can be enabled/disabled for a specific configuration via the Management interface.
TR-069 methods supported by the Mediatrix unit include:
You can globally set the SIP transport type for all the endpoints of the Mediatrix unit to either UDP (User Datagram Protocol), TCP (Transmission Control Protocol), or TLS (Transport Layer Security).
Please note that RFC 3261 states that implementations must be able to handle messages up to the maximum datagram packet size. For UDP, this size is 65,535 bytes, including IP and UDP headers. However, the maximum datagram packet size the Mediatrix unit supports for a SIP request or response is 5120 bytes excluding the IP and UDP headers. This should be enough, as a packet is rarely bigger than 2500 bytes.
Transport Layer Security (TLS) Persistent Connections are associated with the SIP servers (outbound proxy, registrar, and home domain proxy).
TLS connections are currently only supported with SIP Trunk gateways. The TLS Persistent Connections statuses are available under SIP of the DGW Web interface.
Note: The Status table is not displayed if the persistent connections are not activated.
Signaling is the protocol that activates a device located in the network and establishes calls between peers.
To provide security to signaling, the Mediatrix unit will connect to the network via SIP over TLS. The network is then authenticated by a certificate that guarantees that the Mediatrix unit is connected to a "safe" network.
The network will then authenticate the device with the username and password to make sure the device is part of the network's subscriber list. This authentication is done with digest authentication. The result of these authentications and verifications provides private and reliable communications between the network and the device. Calls will be established without giving a third party any possibility to identify the caller or callee number, or to interfere with the communication in any way.
An important aspect of communications security is that data sent and received from one endpoint to another remains secured, reliable, and private at all times.
When configured for complete security, signaling is performed with TLS with the use of a certificate, and the unit transports the audio and video through Secure RTP (SRTP). The Mediatrix unit will verify that the certificate specifically encrypted for the session and issued by the end user is valid, e.g.:
This step is mandatory for the unit to have the proper date/time, otherwise the TLS communication cannot be validated.
The Mediatrix unit does not support a mix of both TLS and non-TLS links. Once TLS is enabled, it is enabled for all configured SIP gateways.
Syslog message:
USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.
USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.
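The two syslog lines above are the evidence an operator checks to confirm that a gateway came up over TLS rather than plain SIP. The following is an added example (not Mediatrix code) that parses SipEp lines of that shape into events and flags any gateway reported reachable (310) without a matching TLS-ready (303) message; the sample lines are constructed from the format shown above, and the third line (gateway "trunk2") is made up to show the check firing.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the syslog format quoted above (not a real capture).
SAMPLE_LOG = """\
USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.
USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.
USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.20:5060 is now reachable for SIP gateway trunk2.
"""

# Matches both message types shown above: code, remote host:port, state, gateway.
LINE_RE = re.compile(
    r"^USER\.INFO: SipEp: (?P<module>\d+)-SIP Endpoint: (?P<code>\d+)-"
    r"(?P<text>.*?)(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) is now "
    r"(?P<state>ready to be used|reachable) for SIP gateway (?P<gateway>\S+)\.$"
)

@dataclass(frozen=True)
class SipEpEvent:
    code: int
    host: str
    port: int
    state: str
    gateway: str

def parse_sipep(log: str) -> list[SipEpEvent]:
    """Parse SipEp syslog lines into events; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(SipEpEvent(int(m["code"]), m["host"], int(m["port"]),
                                     m["state"], m["gateway"]))
    return events

def gateways_without_tls(events: list[SipEpEvent]) -> list[str]:
    """Gateways that became reachable (310) with no TLS-ready (303) event.
    Since the unit is either all-TLS or all-non-TLS, such a gateway after
    TLS is enabled points at a failed handshake or a wrong transport setting."""
    ready = {e.gateway for e in events if e.code == 303}
    reachable = {e.gateway for e in events if e.code == 310}
    return sorted(reachable - ready)
```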
If the offset is preceded by a minus sign (-), the time zone is east of the prime meridian; otherwise it is west, which can also be indicated by a preceding plus sign (+). For example, New York time is GMT+5.
Any DGW parameter referring to a time value will use the local time described by this time zone reference. The Hoc.SystemTime will return the unit local time in accordance with the configured time zone.
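The sign convention above is the reverse of the ISO 8601 offsets most tools print (New York is "GMT+5" here but "-05:00" in ISO form), and getting it backwards shifts every timestamp by twice the offset, which breaks certificate validity checks. The following added example (not DGW code) converts a zone reference of that form into a conventional UTC offset and derives the local time a parameter such as Hoc.SystemTime would express; the "GMT+h[:mm]" syntax it accepts is assumed from the text.

```python
import re
from datetime import datetime, timedelta, timezone

# Accepts references like "GMT+5", "GMT5", "GMT-1" or "GMT-5:30". Per the
# convention quoted above, "+" (or no sign) means WEST of the prime meridian
# and "-" means EAST, i.e. the opposite of the ISO 8601 "+05:00" form.
ZONE_RE = re.compile(
    r"^(?P<name>[A-Za-z]{3,})(?P<sign>[+-]?)(?P<h>\d{1,2})(?::(?P<m>\d{2}))?$"
)

def zone_to_utc_offset(zone: str) -> timedelta:
    """Return the east-positive (ISO-style) UTC offset for a zone reference."""
    m = ZONE_RE.match(zone.strip())
    if not m:
        raise ValueError(f"unrecognised zone reference: {zone!r}")
    hours, minutes = int(m["h"]), int(m["m"] or 0)
    if hours > 14 or minutes > 59:
        raise ValueError(f"offset out of range: {zone!r}")
    west = timedelta(hours=hours, minutes=minutes)
    # "-" is east of Greenwich -> positive ISO offset; "+"/unsigned -> negative.
    return west if m["sign"] == "-" else -west

def local_time(utc_epoch: int, zone: str) -> datetime:
    """Local wall-clock time for a UTC epoch, using the configured zone reference."""
    return datetime.fromtimestamp(utc_epoch, tz=timezone(zone_to_utc_offset(zone)))
```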
The field specifies the binding between an IP address, a port, a protocol, and an RSA decryption key. Enter the IP address of the server, the SIP port, and the path to the file containing the server private key. Several such bindings may be specified by separating them with a semicolon (";").
TLS sessions using Diffie-Hellman based ciphers (DHE, ECDH, ECDHE) cannot be decrypted by Wireshark with this key: their session keys are derived from the Diffie-Hellman exchange, not from the server's RSA private key, so only sessions negotiated with static RSA key exchange can be decrypted this way.
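As an added example (not Mediatrix or Wireshark code), the following parses a binding field in the "ip,port,protocol,keyfile" form described above and tells, from a negotiated cipher suite name, whether the server RSA key can decrypt that session; the key file paths are placeholders and the IP/port values are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyBinding:
    ip: str
    port: int
    protocol: str   # Wireshark dissector name, e.g. "sip" or "http"
    keyfile: str

def parse_key_bindings(field: str) -> list[KeyBinding]:
    """Split 'ip,port,protocol,keyfile' entries separated by ';'.
    Each entry must have exactly four parts; a keyfile path containing a comma
    is not supported by this parser."""
    bindings = []
    for entry in field.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        parts = [p.strip() for p in entry.split(",")]
        if len(parts) != 4:
            raise ValueError(f"expected ip,port,protocol,keyfile: {entry!r}")
        ip, port, proto, keyfile = parts
        if not port.isdigit() or not 0 < int(port) < 65536:
            raise ValueError(f"bad port in {entry!r}")
        bindings.append(KeyBinding(ip, int(port), proto, keyfile))
    return bindings

# Key-exchange prefixes whose session keys come from a Diffie-Hellman exchange;
# the server RSA private key cannot recover them (forward secrecy).
DH_PREFIXES = ("TLS_DHE_", "TLS_DH_", "TLS_ECDHE_", "TLS_ECDH_")

def rsa_key_decrypts(cipher_suite: str) -> bool:
    """True only for static-RSA key exchange (TLS_RSA_WITH_...), the one case the
    binding above can decrypt. TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) always
    use (EC)DHE and are therefore never decryptable with the RSA key."""
    name = cipher_suite.strip().upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")) or name.startswith(DH_PREFIXES):
        return False
    return name.startswith("TLS_RSA_WITH_")
```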
Only the setting for SIP over TLS transport is available through the Web GUI. For other services, such as file transfer or TR-069, the settings are available via script. The supported security levels also differ: the SIP over TLS security level has one additional level (Trusted Certificate level) that the other services do not have.
Although the services can be configured in great part in the Web browser, some aspects of the configuration can only be completed with the MIB parameters by:
If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and, if you hover over them, the description will be displayed.
Mediatrix units are supplied with an exhaustive set of documentation.
Mediatrix user documentation is available on the Documentation Portal.
Several types of documents were created to clearly present the information you are looking for. Our documentation includes:
Copyright © 2019 Media5 Corporation.
This document contains information that is proprietary to Media5 Corporation.
Media5 Corporation reserves all rights to this document as well as to the Intellectual Property of the document and the technology and know-how that it includes and represents.
This publication cannot be reproduced, neither in whole nor in part, in any form whatsoever, without written prior approval by Media5 Corporation.
Media5 Corporation reserves the right to revise this publication and make changes at any time and without the obligation to notify any person and/or entity of such revisions and/or changes.