The Internet Engineering Task Force (IETF) and RFCs 4301-4303 mandate authentication and encryption for IPv6 using IP Security
(IPsec). However, to avoid interworking issues with legacy IPv4 Unified Communications endpoints, Cisco Unified Communications
Manager (Unified CM) IPv4 and IPv6 deployments continue to use Transport Layer Security (TLS) and Secure Real-Time Transport
Protocol (SRTP) for authentication and encryption between IP phones and between IP phones and SIP gateways and trunks.
IPsec can also be used for IPv4-based H.323 and Media Gateway Control Protocol (MGCP) gateway connections.
Cisco Unified CM provides the following secure transport protocols:
- Transport Layer Security (TLS)
  TLS provides secure and reliable data transfer between two systems or devices by using secure ports and certificate exchange.
  TLS secures and controls connections between Unified CM-controlled systems, devices, and processes to prevent access to the
  voice domain. Unified CM uses TLS to secure Skinny Client Control Protocol (SCCP) calls to phones that are running SCCP, and
  to secure SIP calls to phones or trunks that are running SIP.
- IP Security (IPsec)
  IPsec provides secure and reliable data transfer between Unified CM and gateways. IPv4-based IPsec implements signaling authentication
  and encryption to Cisco IOS MGCP and H.323 gateways.
You can add Secure Real-Time Transport Protocol (SRTP) to TLS and IPsec transport services for the next level of security
on devices that support SRTP. SRTP authenticates and encrypts the media stream to ensure that voice conversations originating
or terminating on Cisco Unified IP Phones and either TDM or analog voice gateway ports are protected from eavesdroppers who
might have gained access to the voice domain. SRTP also adds protection against replay attacks.
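The receive-side order of checks behind SRTP's authentication and replay protection, shown as an added example in the style of RFC 3711 (not Cisco code and not a real SRTP stack). Assumptions: the packet index stands in for the rollover counter plus RTP sequence number, there is no encryption or key derivation, and the names `protect`, `Receiver` and `demo` are hypothetical.

```python
import hashlib
import hmac

WINDOW = 64  # replay window size in packets; RFC 3711 requires at least 64


def protect(key: bytes, index: int, payload: bytes):
    """Sender side: attach an HMAC-SHA1 tag truncated to 80 bits."""
    msg = index.to_bytes(6, "big") + payload
    return index, payload, hmac.new(key, msg, hashlib.sha1).digest()[:10]


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.highest = -1  # highest authenticated packet index so far
        self.bitmap = 0    # bit i set => index (highest - i) was accepted

    def accept(self, index: int, payload: bytes, tag: bytes) -> str:
        # 1. Replay check against the sliding window.
        offset = self.highest - index
        if offset >= WINDOW:
            return "drop: too old"
        if offset >= 0 and (self.bitmap >> offset) & 1:
            return "drop: replay"
        # 2. Authenticate before trusting anything in the packet.
        if not hmac.compare_digest(tag, protect(self.key, index, payload)[2]):
            return "drop: bad tag"
        # 3. Only an authenticated packet may move or mark the window.
        if offset < 0:
            self.bitmap = ((self.bitmap << -offset) | 1) & ((1 << WINDOW) - 1)
            self.highest = index
        else:
            self.bitmap |= 1 << offset
        return "accept"


def demo():
    key = b"constructed-demo-key"  # constructed sample key
    rx = Receiver(key)
    first = protect(key, 1, b"voice frame 1")
    late = protect(key, 2, b"voice frame 2")
    newer = protect(key, 3, b"voice frame 3")
    forged = (4, b"injected audio", newer[2])  # tag copied from another packet
    far = protect(key, 200, b"voice frame 200")
    return [rx.accept(*p) for p in (first, newer, late, late, forged, far, first)]
```

Because the window advances only after the tag verifies, a forged packet with a high index cannot push legitimate packets out of the window.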
For more information on Unified CM security, refer to the Cisco Unified Communications Manager Security Guide.