
CTL and ITL - Why do we need two different Trust Lists

tschafferx
Level 1

Hello Cisco community,

 

The ITL file has the following functions: authenticated and encrypted TFTP files, TVS. The CTL has the following functions: authenticated and encrypted TFTP files, encrypted call signaling and call media.

 

The question I ask myself is: why does the SBD (ITL) not also encrypt voice signaling and media? Since the tokenless approach of the CTL file, are there any differences in how secure each trust list actually is compared to the other (ITL vs CTL)? In other words, why wouldn't I use the ITL file for call encryption?

 

Thank you in advance.

1 Reply

Jaime Valencia
Cisco Employee

Because ITL is not used for that purpose, and is enabled by default.

SBD Overview

This section provides a quick overview of exactly what SBD provides. For full technical details of each function, see the SBD Detail and Troubleshooting Information section.

SBD provides these three functions for supported IP phones:

  • Default authentication of TFTP downloaded files (configuration, locale, ringlist) that use a signing key
  • Optional encryption of TFTP configuration files that use a signing key
  • Certificate verification for phone-initiated HTTPS connections that use a remote certificate trust store on CUCM (TVS)

https://www.cisco.com/c/en/us/support/docs/voice-unified-communications/unified-communications-manager-callmanager/116232-technote-sbd-00.html

 

Signaling and media use CTL, which you generate when you enable mixed mode, which is not enabled by default.

HTH

java

if this helps, please rate