Media Security Overview
Compare CallMeter encryption modes — RTCP-MUX, SDES-SRTP, SIP over TLS, DTLS-SRTP — and choose the right one for your test.
CallMeter supports multiple security mechanisms for SIP signaling and media streams. This section covers each option, when to use it, and how to configure it.
Signaling vs Media Encryption
SIP communication has two separate planes that can be encrypted independently:
| Plane | What It Protects | Encryption Method |
|---|---|---|
| Signaling | SIP messages (INVITE, REGISTER, etc.) | TLS on the SIP transport |
| Media | RTP audio and video streams | SRTP via SDES or DTLS key exchange |
You can enable either or both depending on your security requirements. TLS protects credentials and call setup metadata. SRTP protects the actual audio and video content.
Encryption Modes at a Glance
| Mode | Key Exchange | Keys Visible to Intermediaries | Certificate Required | Best For |
|---|---|---|---|---|
| No encryption | N/A | N/A | No | Internal lab testing, legacy systems |
| SDES-SRTP | SDP a=crypto lines (RFC 4568) | Yes — keys are in the SDP | No | SIP trunks, SBCs, legacy encrypted systems |
| DTLS-SRTP | DTLS handshake on media port (RFC 5764) | No — keys derived from handshake | Auto-generated | Modern systems, WebRTC gateways |
| Dual Offer | Both SDES + DTLS in same SDP | Depends on answerer's choice | Auto-generated | Maximum compatibility |
| SIP over TLS | TLS on signaling transport | N/A (signaling only) | Upload PEM or use system CA | Compliance, credential protection |
SDP Profile Mapping
The RTP profile in the SDP m= line changes based on encryption and feedback settings:
| Encryption | No Feedback | With Feedback (AVPF) |
|---|---|---|
| None | RTP/AVP | RTP/AVPF |
| SDES-SRTP | RTP/SAVP | RTP/SAVPF |
| DTLS-SRTP | UDP/TLS/RTP/SAVP | UDP/TLS/RTP/SAVPF |
Choosing the Right Mode
| Scenario | Recommended Configuration |
|---|---|
| Internal lab with no security requirements | No encryption |
| Testing a SIP trunk provider that requires SRTP | SDES-SRTP with Required policy |
| Enterprise PBX with compliance requirements | SIP over TLS + SDES-SRTP |
| WebRTC gateway interoperability testing | DTLS-SRTP |
| Unknown remote capabilities | Dual Offer (SDES + DTLS) |
| Testing encryption performance impact | Run identical tests with and without encryption, compare metrics |
RTCP-MUX is independent of encryption
RTCP-MUX (single-port RTP/RTCP multiplexing) is a transport optimization, not an encryption feature. It can be enabled with or without any encryption mode. However, DTLS-SRTP typically requires RTCP-MUX because the DTLS handshake runs on the same port as RTP.
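The profile mapping, key-exchange modes, and RTCP-MUX note above can be checked against a captured SDP offer. The following is an added example, not CallMeter code: `classify_sdp`, its warning strings, and the sample offers are constructed for illustration, and it assumes a Dual Offer shows up as `a=crypto` and `a=fingerprint` in the same media section.

```python
import base64
import re

# m= line profiles from the SDP Profile Mapping table -> encryption they imply
PROFILES = {"RTP/AVP": "None", "RTP/AVPF": "None",
            "RTP/SAVP": "SDES-SRTP", "RTP/SAVPF": "SDES-SRTP",
            "UDP/TLS/RTP/SAVP": "DTLS-SRTP", "UDP/TLS/RTP/SAVPF": "DTLS-SRTP"}

def classify_sdp(sdp, signaling_tls=False):
    """Return one dict per m= section: detected mode plus audit warnings."""
    sections, cur, session_fp = [], None, False
    for line in sdp.replace("\r\n", "\n").split("\n"):
        line = line.strip()
        m = re.match(r"m=(\S+) \d+(?:/\d+)? (\S+)", line)
        if m:
            cur = {"media": m.group(1), "profile": m.group(2), "crypto": False,
                   "fingerprint": session_fp, "rtcp_mux": False}
            sections.append(cur)
        elif line.startswith("a=fingerprint:"):
            if cur is None:
                session_fp = True          # session-level: applies to all media
            else:
                cur["fingerprint"] = True
        elif cur is not None and line.startswith("a=crypto:"):
            cur["crypto"] = True
        elif cur is not None and line == "a=rtcp-mux":
            cur["rtcp_mux"] = True
    for s in sections:
        if s["crypto"] and s["fingerprint"]:
            s["mode"] = "Dual Offer"       # assumption: both attributes present
        elif s["fingerprint"]:
            s["mode"] = "DTLS-SRTP"
        elif s["crypto"]:
            s["mode"] = "SDES-SRTP"
        else:
            s["mode"] = "None"
        w = s["warnings"] = []
        implied = PROFILES.get(s["profile"])
        if implied is None:
            w.append("unknown profile")
        elif s["mode"] != "Dual Offer" and implied != s["mode"]:
            w.append("profile/key-exchange mismatch")
        if s["crypto"] and not signaling_tls:
            w.append("SDES keys exposed: SDP not carried over TLS")
        if s["fingerprint"] and not s["rtcp_mux"]:
            w.append("DTLS offered without rtcp-mux")
    return sections

KEY = base64.b64encode(bytes(30)).decode()   # constructed all-zero key material
SDES_OFFER = ("v=0\r\nm=audio 40000 RTP/SAVP 0\r\n"
              f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{KEY}\r\n")
DTLS_OFFER = ("v=0\r\na=fingerprint:sha-256 " + ":".join(["AB"] * 32) + "\r\n"
              "m=audio 40002 UDP/TLS/RTP/SAVPF 0\r\na=setup:actpass\r\na=rtcp-mux\r\n")
```

Even with `signaling_tls=True`, SDES keys remain readable by every SIP hop that terminates TLS, which is what the "Keys Visible to Intermediaries" column records.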