The PeerEdge Orchestrator supports UDP, TCP, and TLS v1.2 as transport protocols for SIP signaling. The PeerEdge Orchestrator supports RTP and SRTP protocols for media sessions. Both RTP and SRTP use UDP as the transport protocol.
Transport protocols provide essential services to voice applications, including:
Multiplexing Assign port numbers to each application, which enables the IP network to carry thousands of application messages between hosts simultaneously.
Reliable message delivery The receiver verifies the transmission of each packet using a checksum to ensure contents are not corrupted. The receiver acknowledges the verified packet or requests retransmission of the corrupted packet. If the transmitter doesn’t receive an acknowledgment, it assumes the packet is lost and retransmits it. The transport layer also ensures packets arrive in sequence by inserting a sequence number.
Flow control The receiver uses a transmission window value to provide feedback to the sender about buffer space to avoid buffer overruns and underruns.
Congestion management When multiple losses occur, the transport layer implements a back-off algorithm that allows congestion to clear before resuming transmission.
Recommendations
If any portion of the end-to-end network transport is considered unsecure (i.e. direct Internet), then 46 Labs recommends using TLS.
If the end-to-end network transport is already secure (i.e. SD-WAN, MPLS, IPsec tunnels), then 46 Labs recommends using UDP. If any customer networking devices in the SIP signaling path between the customer SBCs/PBXs and the PeerEdge Orchestrator do not properly handle UDP message fragmentation and assembly, then 46 Labs recommends TCP.
The PeerEdge Orchestrator supports the following cipher suites, signature hashing algorithms and crypto media suites.
TLS supported cipher suites
| Cipher Name | Cipher |
| TLS_AES_128_GCM_SHA256 | 0x1301 |
| TLS_AES_256_GCM_SHA384 | 0x1302 |
| TLS_CHACHA20_POLY1305_SHA256 | 0x1303 |
| TLS_AES_128_CCM_SHA256 | 0x1304 |
| TLS_AES_128_CCM_8_SHA256 | 0x1305 |
| TLS_SHA256_SHA256 | 0xC0b4 |
| TLS_SHA384_SHA384 | 0xC0b5 |
| TLS_RSA_WITH_AES_128_CBC_SHA | 0x002f |
| TLS_RSA_WITH_AES_256_CBC_SHA | 0x0035 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA | 0x0033 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA | 0x0039 |
| TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 | 0x00ab |
| TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 | 0x00aa |
| TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 | 0x00b3 |
| TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 | 0x00b2 |
| TLS_DHE_PSK_WITH_AES_128_CCM | 0xc0a6 |
| TLS_DHE_PSK_WITH_AES_256_CCM | 0xc0a7 |
| TLS_RSA_WITH_AES_128_CCM_8 | 0xc0a0 |
| TLS_RSA_WITH_AES_256_CCM_8 | 0xc0a1 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM | 0xc0ac |
| TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 | 0xc0ae |
| TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 | 0xc0af |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | 0xc013 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | 0xc014 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | 0xc009 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | 0xc00a |
| TLS_RSA_WITH_AES_128_CBC_SHA256 | 0x003c |
| TLS_RSA_WITH_AES_256_CBC_SHA256 | 0x003d |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | 0x0067 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | 0x006b |
| TLS_RSA_WITH_AES_128_GCM_SHA256 | 0x009c |
| TLS_RSA_WITH_AES_256_GCM_SHA384 | 0x009d |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 | 0x009e |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 | 0x009f |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | 0xc02f |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | 0xc030 |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | 0xc02b |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | 0xc02c |
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | 0x0041 |
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | 0x0045 |
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | 0x0084 |
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | 0x0088 |
| TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 | 0x00ba |
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 | 0x00be |
| TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 0x00c0 |
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 | 0x00c4 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | 0xc027 |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 | 0xc023 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | 0xc028 |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 | 0xc024 |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcca8 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcca9 |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xccaa |
| TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcc13 |
| TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcc14 |
| TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | 0xcc15 |
| TLS_DH_anon_WITH_AES_128_CBC_SHA | 0x0034 |
| TLS_DH_anon_WITH_AES_256_GCM_SHA384 | 0x00a7 |
| TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 | 0xc037 |
| TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 | 0xd001 |
| TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 | 0xccab |
| TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 0xccac |
| TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 | 0xccad |
Signature Hashing Algorithms supported
| Hash Algorithm Name | Algorithm |
| ecdsa_secp521r1_sha512 | 0x0603 |
| ecdsa_secp384r1_sha384 | 0x0503 |
| ecdsa_secp256r1_sha256 | 0x0403 |
| ecdsa_sha1 | 0x0203 |
| ed25519 | 0x0807 |
| ed448 | 0x0808 |
| rsa_pss_rsae_sha512 | 0x0806 |
| rsa_pss_pss_sha512 | 0x080b |
| rsa_pss_rsae_sha384 | 0x0805 |
| rsa_pss_pss_sha384 | 0x080a |
| rsa_pss_rsae_sha256 | 0x0804 |
| rsa_pss_pss_sha256 | 0x0809 |
| rsa_pkcs1_sha512 | 0x0601 |
| rsa_pkcs1_sha384 | 0x0501 |
| rsa_pkcs1_sha256 | 0x0401 |
| SHA224 RSA | 0x0301 |
| rsa_pkcs1_sha1 | 0x0201 |
| SHA1 Anonymous | 0x0200 |
Crypto Media Suites Supported
| Media Suite Name |
| AEAD_AES_256_GCM |
| AEAD_AES_128_GCM |
| AES_256_CM_HMAC_SHA1_80 |
| AES_256_CM_HMAC_SHA1_32 |
| AES_192_CM_HMAC_SHA1_80 |
| AES_192_CM_HMAC_SHA1_32 |
| AES_CM_128_HMAC_SHA1_80 |
| AES_CM_128_HMAC_SHA1_32 |
| F8_128_HMAC_SHA1_80 |
| F8_128_HMAC_SHA1_32 |
Example Cipher Suite breakdown
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS - identifies the cipher suite as a Transport Layer Security (TLS) cipher suite
ECDCHE - used for key exchange (Elliptic Curve Diffie-Hellman Ephemeral is this example)
RSA - used for authentication (the server presents an RSA certificate for TLS handshake signing (Rivest-Shamir-Adleman public-key cryptographic algorithm in this example))
AES_256_GCM - the symmetric encryption algorithm (Advanced Encryption Standard (AES) with a 256-bit key in Galois/Counter Mode (GCM) in this example)
SHA384 - the message authentication (MAC) algorithm (Secure Hash Algorithm with a 384-bit (48-byte) digest)
Example Secure Hash Algorithm breakdown
ecdsa_secp521r1_sha512
ecdsa - the public key signature algorithm the provide authentication and integrity (not encryption) (Elliptic Curve Digital Signature Algorithm is this example)
secp521r1 - a standard NIST elliptic curve over a 521-bit prime field
SHA512 - the message authentication (MAC) algorithm (Secure Hash Algorithm with a 512-bit (64-byte) digest)
Example Crypto Media Suite breakdown
AEAD_AES_256_GCM
AEAD - provides confidentiality and integrity (Authenticated Encryption with Associated Data in this example)
AES - symmetric block cipher that provided encryption (Advanced Encryption Standard in this example)
256 - the encryption key size
GCM - GCM in AEAD mode encrypts data and authenticates both the data and any associated unencrypted input (AAD) (Galois/Counter Mode in this example)
Note: The selection of cipher suites and signature hashing algorithms is limited by the cryptographic signature algorithm RSA (Rivest-Shamir-Adleman) or ECDSA (Elliptic Curve Digital Signature Algorithm) of the TLS certificate. For example, a certificate with an RSA signature algorithm would not support the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article