
2018-08-16

For all Mediatrix units

v. 43.0.1125


1 Transport Layer Security (TLS)

The Transport Layer Security protocol provides data privacy and integrity for computer network communications.

In other words, it provides Unit Signaling Security and Communications Security. TLS is a widely used security protocol that allows for:

  • Server and Client authentication
  • Data confidentiality
  • Data integrity

TLS is used for:

  • DGW Web Access
  • HTTP-based Configuration/Firmware File Transfer
  • 802.1X
  • SIP communications
  • TR-069 (CWMP)

When a certificate is authenticated, a secure TLS connection is established with the peer. SIP transport, Hypertext Transfer Protocol Secure (HTTPS), and TR-069 (CWMP) can then be carried over that TLS connection. TLS connections also prevent man-in-the-middle attacks.

Important

The Mediatrix unit does not support a mix of both TLS and non-TLS links. Once TLS is enabled, it is enabled for all configured SIP gateways.

Although some parameters are available through the Web GUI, many parameters are not accessible through the Web GUI:

    • Cipher Suite
    • TLS version
    • Certificate validation and trust level

For more details on advanced parameters, refer to Transport Layer Security (TLS) Parameters.


1.1 X.509 Certificates

The Mediatrix unit uses digital X.509 certificates, which are based on the international X.509 Public Key Infrastructure (PKI) standard. These certificates are a collection of data used to verify the identity of individuals, computers, and other entities on a network.

X.509 certificates provide guarantees of confidentiality, authentication, integrity, and non-repudiation. The Public Key Infrastructure (PKI) is a set of rules, specific to an environment, that manages, distributes, stores, and revokes the certificates. Therefore, the PKI guarantees that the signed certificates can be trusted.

Certificates are used to secure the following TLS based connections:

  • SIP
  • Configuration Web pages
  • File transfers (scripts, firmware, etc.) with HTTPS
  • Configuration using TR-069
  • Wired Ethernet Authentication with EAP-TLS (802.1X)

Certificates contain:

  • the certificate's name
  • the issuer and issued-to names
  • the validity period (the certificate is not valid before or after this period)
  • the intended use of the certificate (client or server)
  • whether or not the certificate is delivered by a Certification Authority (CA)


1.2 Hypertext Transfer Protocol Secure (HTTPS)

HTTPS is a transfer protocol widely used to secure communications over Internet telephony networks.

HTTPS allows for communications over Hypertext Transfer Protocol (HTTP) within a connection encrypted by Transport Layer Security (TLS). HTTPS is mainly used to secure the content of a Web site and to securely transfer files.

A communication using HTTPS reasonably guarantees that the targeted peer is the proper one, not an impostor, and that the content cannot be read or tampered with by any third party.


1.3 TR-069 (CWMP)

TR-069, also known as CWMP, is a Broadband Forum technical specification. This protocol can be used for monitoring and updating the Mediatrix unit configuration and firmware.

The first time the Mediatrix unit is connected to the network, it will attempt to contact the Auto Configuration Server (ACS), which is the entry point for the administrator. The Mediatrix unit will obtain the URL of the ACS using either the DHCP server with option 43 or by retrieving the information directly from the Customer Profile. Therefore, upon start-up, the Mediatrix unit will contact the ACS, which in return will send the required configuration files and initiate, if necessary, a firmware update. This automated sequence is what is referred to as zero-touch, as the Mediatrix unit is automatically configured by the ACS according to the instructions given by the administrator (without manual intervention).

The administrator can determine a schedule for the Mediatrix unit to periodically contact the ACS. These contacts will allow the Mediatrix unit to:

  • Validate if new configurations are available
  • Verify if a new firmware update is available
  • Send notifications for monitoring purposes

Monitoring is achieved by regularly sending notifications to the ACS. These periodic contacts are called Periodic Informs, which can be:

  • Passive: the information is sent according to the schedule.
  • Active: the information is sent immediately when the event occurs (for example, when a parameter value changes), regardless of the schedule, because the administrator may want to be informed right away.

Because the Periodic Informs are initiated by the Mediatrix unit, they pass through residential or enterprise NAT and firewalls without difficulty.

Furthermore, the administrator can initiate a connection to the Mediatrix unit to perform immediate maintenance or monitoring. This is only possible if the NAT firewall has been configured to permit communications initiated by the ACS.

The TR-069 protocol can be activated on units that are already deployed with a licence key. However, it can be enabled/disabled for a specific configuration via the Management interface.

TR-069 methods supported by the Mediatrix unit include:

  • SetParameterValues
  • GetParameterValues
  • AddObject
  • DeleteObject
  • Download
  • Reboot
  • Upload
  • FactoryReset

Some of the homologated ACSs with Mediatrix units are:

  • Tilgin
  • Dimark
  • Motive
  • Friendly
  • Axiros
  • Motorola


1.4 SIP over TLS


1.4.1 SIP Transport Types

You can globally set the transport type for all the endpoints of the Mediatrix unit to either UDP (User Datagram Protocol), TCP (Transmission Control Protocol), or TLS (Transport Layer Security). The Mediatrix unit will include its supported transports in its registrations. Note that RFC 3261 states that implementations must be able to handle messages up to the maximum datagram packet size. For UDP, this size is 65,535 bytes, including IP and UDP headers. However, the maximum datagram packet size the Mediatrix unit supports for a SIP request or response is 5120 bytes, excluding the IP and UDP headers. This should be enough, as a packet is rarely bigger than 2500 bytes.


1.4.2 TLS Persistent Connections

Transport Layer Security (TLS) Persistent Connections are associated with the SIP servers (outbound proxy, registrar, and home domain proxy).

TLS connections are currently only supported with SIP Trunk gateways. The TLS Persistent Connections statuses are available under SIP/Servers of the DGW Web interface.

Note

The Status table is not displayed if the persistent connections are not activated.


1.4.3 Unit Signaling Security

Signaling is the protocol that activates a device located in the network and establishes calls between peers.

To provide security to signaling, the Mediatrix unit connects to the network via SIP over TLS. The network is then authenticated by a certificate that guarantees that the Mediatrix unit is connected to a "safe" network.

The network will then authenticate the device with its username and password to make sure the device is part of the network's subscriber list. This authentication is done with digest authentication. The result of these authentications and verifications is private and reliable communication between the network and the device. Calls are established without leaving a third party any possibility of identifying the caller or callee number, or of interfering with the communication in any way.
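The username/password step described above is the Digest scheme that RFC 3261 borrows from RFC 2617. The following is an added example, not Mediatrix code: it shows both sides of the exchange, the device computing the Authorization credential and the registrar recomputing it from its stored password and comparing in constant time. The subscriber list, realm, and credentials are constructed for the example.

```python
import hashlib
import hmac
import re
import secrets

# Constructed subscriber list (username -> password); stands in for the
# network's subscriber database mentioned in the text.
SUBSCRIBERS = {"1001": "s3cret"}


def _md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, method, uri, nonce, cnonce,
                    nc="00000001", qop="auth"):
    """RFC 2617 'response' value with qop=auth, as used by RFC 3261 SIP."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def new_nonce() -> str:
    """Server side: fresh nonce sent in the 401 WWW-Authenticate challenge."""
    return secrets.token_hex(16)


def build_authorization(username, realm, password, method, uri, nonce,
                        cnonce=None, nc="00000001"):
    """Device side: Authorization header for the retried REGISTER/INVITE."""
    cnonce = cnonce or secrets.token_hex(8)
    response = digest_response(username, realm, password, method, uri, nonce, cnonce, nc)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s", '
            'algorithm=MD5, cnonce="%s", qop=auth, nc=%s'
            % (username, realm, nonce, uri, response, cnonce, nc))


# name="quoted value" or name=bare-token, comma separated
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_authorization(header: str) -> dict:
    """Split a Digest credential into its name=value parameters."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest credential")
    return {name: quoted if quoted else bare
            for name, quoted, bare in _PARAM_RE.findall(header[len("Digest "):])}


def server_verify(subscribers: dict, method: str, issued_nonce: str, header: str) -> bool:
    """Server side: recompute the expected response from the stored password.

    The nonce must be the one this server issued, and the request method is
    bound into HA2, so a credential is only valid for that challenge and
    that request type."""
    try:
        params = parse_authorization(header)
    except ValueError:
        return False
    password = subscribers.get(params.get("username"))
    if password is None or params.get("nonce") != issued_nonce or params.get("qop") != "auth":
        return False
    expected = digest_response(params["username"], params.get("realm", ""), password, method,
                               params.get("uri", ""), params["nonce"], params.get("cnonce", ""),
                               params.get("nc", "00000001"))
    return hmac.compare_digest(expected, params.get("response", ""))


if __name__ == "__main__":
    # Exchange: REGISTER -> 401 (nonce issued) -> REGISTER with Authorization -> 200
    nonce = new_nonce()
    header = build_authorization("1001", "example.net", "s3cret", "REGISTER", "sip:example.net", nonce)
    print("Authorization:", header)
    print("accepted:", server_verify(SUBSCRIBERS, "REGISTER", nonce, header))
```

Digest only proves knowledge of the password; it does not encrypt the SIP message, which is why the page pairs it with SIP over TLS so that the exchange itself travels inside the encrypted connection.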


1.4.4 Communications Security

An important aspect of communications security is that data sent and received from one endpoint to another remains secured, reliable, and private at all times.

When configured for complete security, signaling is performed over TLS with the use of a certificate, and the unit transports the audio and video through Secure RTP (SRTP). The Mediatrix unit will make sure that the certificate presented for the session is valid, checking for example that:

  • the certificate's validity period has not expired
  • the certificate was issued by a recognised authority that is configured within the unit
  • the certificate was issued for the proper IP address or specific FQDN

The following diagram combines several use cases of communications security.
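The three checks listed above, as an added example that is not Mediatrix code: it runs them over a certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so the same functions can be pointed at a live peer. The sample certificate, the trusted issuer name, and the timestamps are constructed; in practice the chain signature itself is verified by the TLS stack against the uploaded CA certificates, and the issuer check here is the additional pin on which configured authority is acceptable.

```python
import ssl
import time

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# names are nested tuples of (key, value) pairs, dates are OpenSSL text.
SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "sip.example.net"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Root CA"),)),
    "notBefore": "Aug 15 00:00:00 2018 GMT",
    "notAfter": "Aug 15 00:00:00 2020 GMT",
    "subjectAltName": (("DNS", "sip.example.net"), ("IP Address", "10.5.128.14")),
}

# Issuer common names the unit is configured to trust (constructed).
TRUSTED_ISSUER_CNS = {"Example Corp Root CA"}


def _name_to_dict(rdns) -> dict:
    """Flatten the nested (key, value) tuples used for subject/issuer."""
    out = {}
    for rdn in rdns:
        for key, value in rdn:
            out[key] = value
    return out


def check_validity_period(cert: dict, now_seconds: float) -> bool:
    """Check 1: the current time lies inside notBefore..notAfter.
    This is why the page insists on a correct NTP time and time zone."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now_seconds <= not_after


def check_trusted_issuer(cert: dict, trusted_issuer_cns) -> bool:
    """Check 2: the issuer is one of the authorities configured on the unit."""
    issuer_cn = _name_to_dict(cert.get("issuer", ())).get("commonName")
    return issuer_cn in trusted_issuer_cns


def _host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single left-most wildcard label (*.example.net)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def check_peer_name(cert: dict, expected: str) -> bool:
    """Check 3: the certificate was issued for the FQDN or IP we connected to.
    When a subjectAltName is present it is authoritative; the subject CN is
    only consulted for certificates without one."""
    sans = cert.get("subjectAltName", ())
    if sans:
        for kind, value in sans:
            if kind == "IP Address" and value == expected:
                return True
            if kind == "DNS" and _host_matches(value, expected):
                return True
        return False
    cn = _name_to_dict(cert.get("subject", ())).get("commonName", "")
    return _host_matches(cn, expected)


def validate_peer_cert(cert: dict, expected_peer: str, trusted_issuer_cns,
                       now_seconds: float) -> list:
    """Run all three checks; an empty list means the certificate is acceptable."""
    problems = []
    if not check_validity_period(cert, now_seconds):
        problems.append("validity period")
    if not check_trusted_issuer(cert, trusted_issuer_cns):
        problems.append("issuer not trusted")
    if not check_peer_name(cert, expected_peer):
        problems.append("name mismatch")
    return problems


if __name__ == "__main__":
    # Against the real clock the constructed certificate has expired by now,
    # which is exactly the failure a unit with correct time must report.
    print(validate_peer_cert(SAMPLE_PEER_CERT, "10.5.128.14", TRUSTED_ISSUER_CNS, time.time()))
```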


2 Basic Tasks


2.1 Preparing the Unit for TLS

Context

These steps should be performed first when using Transport Layer Security, as they are mandatory for all TLS based applications (TR-069, SIP over TLS, 802.1X, HTTPS file transfer, etc.).

Steps

  1. Make sure to configure your HTTPS server.

    Note

    If the file server is located behind a firewall, make sure the TCP port 443 is open.

  2. Make sure the unit is able to retrieve current Time/Date information from an NTP server, either from an NTP server learnt from DHCP or from static NTP servers.
  3. Make sure the time zone of your unit is adjusted properly. Refer to Selecting the Unit's Time Zone.

    Note

    This step is mandatory for the unit to have the proper date/time; otherwise the TLS certificate cannot be validated.

  4. Upload all the trusted CA certificates required for server validation. Refer to Using Trusted CA and SIP Server Certificates.

2.1.1 Enabling Secure Signaling (TLS)

Context

If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and if you hover over them, the description will be displayed.

Steps

  1. Go to SIP/Transport tab.
  2. In the Protocol Configuration table, from the TLS dropbox, select Enable.

    Important

    The Mediatrix unit does not support a mix of both TLS and non-TLS links. Once TLS is enabled, it is enabled for all configured SIP gateways.

  3. Click Apply.
  4. Follow the link located at the top of the Web page to start the appropriate service.

Result

The Ready LED turns steady green. The SipEp Notification messages #303 and #310 are sent once the TLS connection is established. For example:

Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.

Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.
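These two notifications are the practical confirmation that a gateway is really running over TLS, so they are worth picking up from the syslog feed rather than reading by eye. The following is an added example, not Mediatrix code: it parses SipEp notification lines and reports a gateway as TLS-ready only once both #303 and #310 have been seen for it. The first two sample lines are the ones quoted above; the third and fourth are constructed variations (a gateway named trunk2 with only its #303, and an unrelated line that must be ignored).

```python
import re

# Sample log: lines 1-2 are the notifications quoted in the text, lines 3-4
# are constructed for the example.
SAMPLE_LOG = [
    "Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.14:5063 is now ready to be used for SIP gateway default.",
    "Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 310-Server 10.5.128.14:5063 is now reachable for SIP gateway default.",
    "Syslog message: USER.INFO: SipEp: 1400-SIP Endpoint: 303-TLS connection with remote host 10.5.128.15:5063 is now ready to be used for SIP gateway trunk2.",
    "Syslog message: USER.INFO: Constructed: this line is not a SipEp notification and is ignored.",
]

TLS_READY = 303          # "TLS connection with remote host ... is now ready"
SERVER_REACHABLE = 310   # "Server ... is now reachable"

_SIPEP_RE = re.compile(r"SipEp: (?P<service>\d+)-SIP Endpoint: (?P<msg_id>\d+)-(?P<text>.+)$")
_REMOTE_RE = re.compile(r"(?P<host>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)")
_GATEWAY_RE = re.compile(r"SIP gateway (?P<gateway>\S+?)\.?$")


def parse_sipep_line(line: str):
    """Return the notification id, remote host:port and gateway of a SipEp
    line, or None for any other syslog line."""
    match = _SIPEP_RE.search(line)
    if not match:
        return None
    record = {"msg_id": int(match["msg_id"]), "text": match["text"]}
    remote = _REMOTE_RE.search(match["text"])
    if remote:
        record["remote"] = f"{remote['host']}:{remote['port']}"
    gateway = _GATEWAY_RE.search(match["text"])
    if gateway:
        record["gateway"] = gateway["gateway"]
    return record


def tls_ready_gateways(lines) -> dict:
    """Map each gateway that has logged both #303 and #310 to its remote host.
    A gateway with only one of the two (e.g. TLS handshake done but the
    server never became reachable) is deliberately left out."""
    seen = {}  # gateway -> {msg_id: remote}
    for line in lines:
        record = parse_sipep_line(line)
        if record and "gateway" in record and record["msg_id"] in (TLS_READY, SERVER_REACHABLE):
            seen.setdefault(record["gateway"], {})[record["msg_id"]] = record.get("remote")
    return {gw: ids[TLS_READY] for gw, ids in seen.items()
            if TLS_READY in ids and SERVER_REACHABLE in ids}


if __name__ == "__main__":
    for gw, remote in tls_ready_gateways(SAMPLE_LOG).items():
        print(f"gateway {gw}: TLS ready towards {remote}")
```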


2.1.2 Selecting the Unit's Time Zone

Before You Start

If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and if you hover over them, the description will be displayed.

Steps

  1. Go to Network/Host.
  2. In the Time Configuration table, in the Static Time Zone field set the time zone.
  3. Click Apply.

2.2 Enabling TLS Debugging on Wireshark

Before You Start

To configure Wireshark for TLS packet capture, the private key associated with the server certificate is needed to decrypt the TLS packets.

Steps

  1. Go to Edit/Preferences.
  2. Click + next to Protocols.
  3. Select SSL.
  4. Fill the RSA keys list field.

    Note

    The field specifies the binding between an IP address, a port, a protocol, and an RSA decryption key. Enter the IP address of the server, the SIP port, and the path to the file containing the server private key. Several such bindings may be specified by separating them with a semicolon ";".

  5. Start the Wireshark capture.

    Note

    TLS sessions using Diffie-Hellman based ciphers (DHE, ECDH, ECDHE) cannot be decrypted by Wireshark.

  6. Restart the SipEp service on the Mediatrix unit or restart the unit.
  7. Once the unit is restarted and the "Ready" LED is lit on the Mediatrix unit, stop the packet capture.
  8. Using the "ssl" filter in the capture should show the SIP packets between the two endpoints.

Result


2.3 Selecting the SIP TLS Server Certificate Security Level

Before You Start

If you are not familiar with the meaning of the fields and buttons, click Show Help, located at the upper right corner of the Web page. When activated, the fields and buttons that offer online help will change to green and if you hover over them, the description will be displayed.

Context

The security level used to validate the TLS server certificate has no effect on TLS client authentication when the unit is acting as a TLS server. Refer to Transport Layer Security (TLS) Parameters.

Only the setting for SIP over TLS transport is available in the Web GUI. For other services, such as file transfer or TR-069, the setting is only available through a configuration script, and the supported levels differ: SIP over TLS has one additional level (Trusted Certificate) that the other services do not have.

Steps

  1. Go to SIP/Interop.
  2. In the TLS Interop table, select the security level used to validate certificates.

3 Advanced Parameters


3.1 Transport Layer Security (TLS) Parameters

Although the services can for the most part be configured in the Web browser, some aspects of the configuration can only be completed with the MIB parameters by:

  • using a MIB browser
  • using the CLI
  • creating a configuration script containing the configuration parameters

For more details on the following parameters, refer to the Reference Guide published on the Media5 documentation portal. The Reference Guide contains all the parameters used in the DGW software with their description, default values, and interactions.

For certificate transfer

  • To set the HTTPS transfer cipher suite for certificate transfer: Cert.TransferHttpsCipherSuite
  • To set the HTTPS transfer TLS Version for certificate transfer: Cert.TransferHttpsTlsVersion
  • To set the level of security to use when validating the server's certificate when connecting to the ACS using HTTPS: Cwmp.TransportCertificateValidation

For file transfer

  • To set the HTTPS transfer cipher suite for file transfer: File.TransferHttpsCipherSuite
  • To set the HTTPS transfer Tls Version configuration for file transfer: File.TransferHttpsTlsVersion

For DGW Web access

  • To set the HTTP Mode used for DGW Web access: Web.HttpMode
  • To select the Secure Server Port used to access the DGW Web interface: Web.SecureServerPort
  • To set the HTTPS Cipher Suite for secure DGW Web access: Web.HttpsCipherSuite
  • To set the TLS Version used for secure DGW Web access: Web.TlsVersion

For SIP TLS transport

  • To set the TLS transport cipher suite used for secure SIP transport: SipEp.TransportTlsCipherSuite
  • To set Transport Tls Version used for secure SIP transport: SipEp.TransportTlsVersion
  • To set TLS client authentication: SipEp.InteropTlsClientAuthenticationEnable

For TR-069 (CWMP) establishment

  • To set the HTTPS transport cipher suite configuration for TR-069 (CWMP): Cwmp.TransportHttpsCipherSuite
  • To set the HTTPS transport TLS Version configuration for TR-069 (CWMP): Cwmp.TransportHTTPSTlsVersion
  • To set the level of security to use when validating the server's certificate when connecting to the ACS using HTTPS: Cwmp.TransportCertificateValidation