Encrypting Voice packets in CCM

Answered Question
Apr 9th, 2008

We are running CCM 4.1(3). Someone from the Network Team found out that it's possible to capture Voice packets using sniffer tools like Observer, Ethereal, etc., and they were able to recreate the Voice packets and snoop in on the conversation. Is it possible to encrypt the RTP streams?

Correct Answer by rob.huffman about 8 years 8 months ago

Hi Abhijit,

Glad to hear things are going better for you! Here is the similar doc for H.323:

Media and Signaling Authentication and Encryption Feature for Cisco IOS H.323 Gateways

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecure.html

We did get the ES from Cisco so we are trying the upgrade again this Saturday :)

Hope this helps!

Rob

Overall Rating: 4.6 (5 ratings)
iptuser55 Wed, 04/09/2008 - 04:07

Don't you just love "non" IPT people reading things and then suggesting it. You need to make sure you do not do voice recording in case it causes problems.

Paolo Bevilacqua Wed, 04/09/2008 - 04:18

Well nobody likes the idea that their conversation can be listened to.

Of course encryption costs money (CM upgrade, phones upgrade, time spent) so when faced with the cost estimate many people find that isn't much of an issue anymore, just like in all and any legacy PBX of the world.

Abhijit.Das Wed, 04/09/2008 - 04:40

Paolo,

Thanks for the new insight provided by you.

You have mentioned the cost factor (which scares away almost all organizations!!!)

We are already running CCM 4.1(3) which supports encryption. All phones are running the latest loads.

Is there anything else involved apart from the time & effort invested?

Thanks,

Abhijit.

Abhijit.Das Thu, 04/10/2008 - 04:32

Paolo,

We use mostly 7940's & 7911's. Think that it should support encryption. Just curious, do we need to pay for Cisco USB e-tokens?

Regards,

Abhijit.

Abhijit.Das Wed, 04/09/2008 - 04:35

Wayne,

We don't do any voice recording here. Thanks for the response.

Have a nice day.

Abhijit.

mattcalderon Wed, 04/09/2008 - 05:44

I was only being honest. The exact reason, as Paolo stated, is that it cost the time and money, which is why we did not roll it out to production. After stating the pros and cons of this implementation to your bosses, it just was not important that your conversations could be listened to anymore.

Abhijit.Das Wed, 04/09/2008 - 04:32

Matt,

Thanks a lot for the wonderful info. Really helps a lot.

Just a few queries here:

The doc is for MGCP gateways. Will such a similar thing work for H.323 gateways?

Will enabling such a feature place extra load on the Publisher resources? (We have everything on the pub, it's a single-server show, hence this question is very important to us.)

Have a nice day.

Thanks,

Abhijit.

Correct Answer
mattcalderon Wed, 04/09/2008 - 05:49

Haha, looks like Rob beat me to the punch! Yes, as Rob posted above, it is possible for H323 configurations. Like I said, I did not roll it out to mass production so I really can't speak for the load that the Pub may be under. Seeing that you are in a 1 ccm environment, and everything else that that box is doing (moh, conferencing, etc.), that may be something to watch for.

Abhijit.Das Wed, 04/09/2008 - 06:17

Matt,

Thanks a lot for the wonderful insight provided by you. I spoke with the higher-ups & I don't think they are very enthusiastic about it now.

Have a nice day.

Thanks & Regards,

Abhijit.

Abhijit.Das Wed, 04/09/2008 - 06:24

Rob,

Thanks a ton for the doc. Wish you all the best for Saturday. I am certain that you will come up trumps this time.

Take care,

Abhijit.

matthewpage Wed, 04/09/2008 - 08:14

I was under the impression that you had to buy the Cisco etokens if you wanted to configure SRTP?? Is there any way around not using them if they are required for call manager 6.0?

steven_chan Sat, 04/26/2008 - 00:18

Hi all. I would like to try CTL in CCM. Is it ok if I use Aladdin eTokens PRO32k and do not purchase the eToken from Cisco?

I read from another post that a user has a problem that the eToken is not recognised. http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=IP%20Telephony&topicID=.ee6c829&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbef52d

Aaron Harrison Sat, 04/26/2008 - 03:37

Hi All

A few comments; I've recently deployed this for one of my customers and found a few things:

1) You need at least two security tokens from Cisco (not sure if other ones will work or not, I've not tried).

2) Most phones support SRTP, with some exceptions.

3) If you want to run SRTP to a gateway, that gateway will require Advanced IP Services, or Advanced Enterprise services. This IOS is also required for secure SRST, secure conference, secure transcoding etc.

4) Conferencing, MTP based in software on callmanager do NOT support SRTP. You need hardware conference or transcode resources for this.

Regards

Aaron

steven_chan Fri, 05/02/2008 - 03:41

Hi, does anyone know whether the Aladdin eToken Pro32k can be used for CTL?

Thanks in advance
