03-23-2015 01:04 PM - edited 03-17-2019 02:25 AM
Hi all,
We are planning to encrypt MGCP calls in our CUCM 10.5.
My question is: if we encrypt MGCP calls by using commands like mgcp package-capability srtp-package, how will the service provider decrypt the calls? Will we provide tokens or any certificates to them? How does it really work?
Correct me if I am wrong.
03-23-2015 04:30 PM
Do you have a SIP trunk to the provider? If it's a PRI, the encryption will be from CUCM to the MGCP gateway only. PRIs are not IP-based and hence encryption doesn't apply there.
03-23-2015 04:37 PM
And do not forget that command only encrypts media, not signaling between CUCM and the MGCP GW.
03-24-2015 07:54 PM
In fact, that command only tells the router to advertise support for SRTP to CUCM. You still have to configure CUCM (e.g. mixed mode, CAPF, security profiles, etc.) for a call to actually use SRTP.
Speaking of SRTP: it's useless unless you encrypt the MGCP signaling itself using IPsec between the router and the CUCM nodes - a complicated config to say the least - because SRTP uses symmetric keys; if you can sniff the SRTP key then decrypting the call is trivial.
Unless you are in a really specific security situation which requires MGCP (e.g. MLPPP) you would be better off doing SIP with TLS encryption between CUCM and the router. SRTP remains the same but SIP TLS is easier to get done.
03-24-2015 07:59 PM
You will need to configure IPsec between Call Manager and the gateway.