Encrypting Voice packets in CCM

Apr 9th, 2008

We are running CCM 4.1(3). Someone from Network Team found out that it's possible to capture Voice packets using sniffer tools like Observer, Ethereal etc & they were able to recreate the Voice packets & snoop in on the conversation. Is it possible to encrypt the RTP streams?

iptuser55 Wed, 04/09/2008 - 04:07

Don't you just love "non" IPT people reading things and then suggesting it. You need to make sure you do not do voice recording, in case it causes problems.

paolo bevilacqua Wed, 04/09/2008 - 04:18

Well nobody likes the idea that their conversation can be listened to.

Of course encryption costs money (CM upgrade, phones upgrade, time spent) so when faced with the cost estimate many people find that isn't much of an issue anymore, just like in all and any legacy PBX of the world.

Abhijit.Das Wed, 04/09/2008 - 04:40

Paolo,

Thanks for the new insight provided by you.

You have mentioned the cost factor (which scares away almost all organizations!!!)

We are already running CCM 4.1(3) which supports encryption. All phones are running the latest loads.

Is there anything else involved apart from the time & effort invested?


Thanks,

Abhijit.

paolo bevilacqua Wed, 04/09/2008 - 06:32

Which phones are you using? Not all support encryption.

Abhijit.Das Thu, 04/10/2008 - 04:32

Paolo,

We use mostly 7940's & 7911's. Think that it should support encryption. Just curious, do we need to pay for Cisco USB e-tokens?


Regards,

Abhijit.

Abhijit.Das Wed, 04/09/2008 - 04:35

Wayne,

We don't do any voice recording here. Thanks for the response.

Have a nice day.


Abhijit.

mattcalderon Wed, 04/09/2008 - 05:44

I was only being honest. The exact reason, as Paolo stated, is that it cost the time and money, which is why we did not roll it out to production. After stating the pros and cons of this implementation to your bosses, it just was not important that your conversations could be listened to anymore.

Abhijit.Das Wed, 04/09/2008 - 04:32

Matt,

Thanks a lot for the wonderful info. Really helps a lot.

Just a few queries here :


The doc is for MGCP gateways. Will such a similar thing work for H.323 gateways?


Will enabling such a feature place extra load on the Publisher resources? (We have everything on the pub, it's a single-server show, hence this question is very important to us.)

Have a nice day.


Thanks,

Abhijit.

Correct Answer
Rob Huffman Wed, 04/09/2008 - 04:53

Hi Abhijit,


Glad to hear things are going better for you! Here is the similar doc for H.323;


Media and Signaling Authentication and Encryption Feature for Cisco IOS H.323 Gateways


http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htsecure.html


We did get the ES from Cisco so we are trying the upgrade again this Saturday :)


Hope this helps!

Rob

Correct Answer
mattcalderon Wed, 04/09/2008 - 05:49

Haha, looks like Rob beat me to the punch! Yes, as Rob posted above, it is possible for H323 configurations. Like I said, I did not roll it out to mass production, so I really can't speak for the load that the Pub may be under. Seeing that you are in a 1 CCM environment, and everything else that that box is doing (MOH, conferencing, etc.), that may be something to watch for.

Abhijit.Das Wed, 04/09/2008 - 06:17

Matt,

Thanks a lot for the wonderful insight provided by you. I spoke with the higher-ups & I don't think they are very enthusiastic about it now.

Have a nice day.


Thanks & Regards,

Abhijit.

Abhijit.Das Wed, 04/09/2008 - 06:24

Rob,

Thanks a ton for the doc. Wish you all the best for Saturday. I am certain that you will come up trumps this time.


Take care,

Abhijit.

matthewpage Wed, 04/09/2008 - 08:14

I was under the impression that you had to buy the cisco etokens if you wanted to configure SRTP?? Is there any way around not using them if they are required for call manager 6.0 ?

steven_chan Sat, 04/26/2008 - 00:18

Hi all. I would like to try CTL in CCM. Is it ok if I use Aladdin eTokens PRO32k and not to purchase the eToken from Cisco?

I read from another post that a user has a problem that the eToken is not recognised. http://forums.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Unified%20Communications%20and%20Video&topic=IP%20Telephony&topicID=.ee6c829&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40.2cbef52d

Aaron Harrison Sat, 04/26/2008 - 03:37

Hi All


A few comments; I've recently deployed this for one of my customers and found a few things:


1) You need at least two security tokens from Cisco (not sure if other ones will work or not, I've not tried).


2) Most phones support SRTP, with some exceptions.


3) If you want to run SRTP to a gateway, that gateway will require Advanced IP Services, or Advanced Enterprise services. This IOS is also required for secure SRST, secure conference, secure transcoding etc.


4) Conferencing, MTP based in software on CallManager do NOT support SRTP. You need hardware conference or transcode resources for this.


Regards


Aaron

steven_chan Fri, 05/02/2008 - 03:41

Hi, does anyone know whether the Aladdin eToken Pro32k can be used for CTL?


Thanks in advance
