Transport Protocol Selection

Created by Kelly Evans, Modified on Wed, 4 Jun at 8:28 AM by Kelly Evans

The Peeredge Orchestrator supports UDP, TCP, and TLS v1.2 as transport protocols for SIP signaling. The Peeredge Orchestrator supports RTP and SRTP protocols for media sessions. Both RTP and SRTP use UDP as the transport protocol.

Transport protocols provide essential services to voice applications, including:

  • Multiplexing: Assigns port numbers to each application, which enables the IP network to carry thousands of application messages between hosts simultaneously.

  • Reliable message delivery: The receiver verifies the transmission of each packet using a checksum to ensure contents are not corrupted. The receiver acknowledges the verified packet or requests retransmission of the corrupted packet. If the transmitter doesn’t receive an acknowledgment, it assumes the packet is lost and retransmits it. The transport layer also ensures packets arrive in sequence by inserting a sequence number.

  • Flow control: The receiver uses a transmission window value to provide feedback to the sender about buffer space to avoid buffer overruns and underruns.

  • Congestion management: When multiple losses occur, the transport layer implements a back-off algorithm that allows congestion to clear before resuming transmission.



Recommendations

If any portion of the end-to-end network transport is considered unsecure (i.e. direct Internet), then 46 Labs recommends using TLS.

If the end-to-end network transport is already secure (i.e. SD-WAN, MPLS, IPsec tunnels), then 46 Labs recommends using UDP. If any customer networking devices in the SIP signaling path between the customer SBCs/PBXs and the Peeredge SBC do not properly handle UDP message fragmentation and assembly, then 46 Labs recommends TCP.

The Peeredge Orchestrator supports the following cipher suites, signature hashing algorithms and crypto media suites.

TLS supported cipher suites

Cipher Name                                    Cipher
TLS_AES_128_GCM_SHA256                         0x1301
TLS_AES_256_GCM_SHA384                         0x1302
TLS_CHACHA20_POLY1305_SHA256                   0x1303
TLS_AES_128_CCM_SHA256                         0x1304
TLS_AES_128_CCM_8_SHA256                       0x1305
TLS_SHA256_SHA256                              0xC0b4
TLS_SHA384_SHA384                              0xC0b5
TLS_RSA_WITH_AES_128_CBC_SHA                   0x002f
TLS_RSA_WITH_AES_256_CBC_SHA                   0x0035
TLS_DHE_RSA_WITH_AES_128_CBC_SHA               0x0033
TLS_DHE_RSA_WITH_AES_256_CBC_SHA               0x0039
TLS_DHE_PSK_WITH_AES_256_GCM_SHA384            0x00ab
TLS_DHE_PSK_WITH_AES_128_GCM_SHA256            0x00aa
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384            0x00b3
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256            0x00b2
TLS_DHE_PSK_WITH_AES_128_CCM                   0xc0a6
TLS_DHE_PSK_WITH_AES_256_CCM                   0xc0a7
TLS_RSA_WITH_AES_128_CCM_8                     0xc0a0
TLS_RSA_WITH_AES_256_CCM_8                     0xc0a1
TLS_ECDHE_ECDSA_WITH_AES_128_CCM               0xc0ac
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8             0xc0ae
TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8             0xc0af
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA             0xc013
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA             0xc014
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA           0xc009
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA           0xc00a
TLS_RSA_WITH_AES_128_CBC_SHA256                0x003c
TLS_RSA_WITH_AES_256_CBC_SHA256                0x003d
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256            0x0067
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256            0x006b
TLS_RSA_WITH_AES_128_GCM_SHA256                0x009c
TLS_RSA_WITH_AES_256_GCM_SHA384                0x009d
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256            0x009e
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384            0x009f
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256          0xc02f
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384          0xc030
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256        0xc02b
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384        0xc02c
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA              0x0041
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA          0x0045
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA              0x0084
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA          0x0088
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256           0x00ba
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256       0x00be
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256           0x00c0
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256       0x00c4
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256          0xc027
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256        0xc023
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384          0xc028
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384        0xc024
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    0xcca8
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  0xcca9
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256      0xccaa
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256    0xcc13
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256  0xcc14
TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256      0xcc15
TLS_DH_anon_WITH_AES_128_CBC_SHA               0x0034
TLS_DH_anon_WITH_AES_256_GCM_SHA384            0x00a7
TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256          0xc037
TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256          0xd001
TLS_PSK_WITH_CHACHA20_POLY1305_SHA256          0xccab
TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256    0xccac
TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256      0xccad


Signature Hashing Algorithms supported 

Hash Algorithm Name     Algorithm
ecdsa_secp521r1_sha512  0x0603
ecdsa_secp384r1_sha384  0x0503
ecdsa_secp256r1_sha256  0x0403
ecdsa_sha1              0x0203
ed25519                 0x0807
ed448                   0x0808
rsa_pss_rsae_sha512     0x0806
rsa_pss_pss_sha512      0x080b
rsa_pss_rsae_sha384     0x0805
rsa_pss_pss_sha384      0x080a
rsa_pss_rsae_sha256     0x0804
rsa_pss_pss_sha256      0x0809
rsa_pkcs1_sha512        0x0601
rsa_pkcs1_sha384        0x0501
rsa_pkcs1_sha256        0x0401
SHA224 RSA              0x0301
rsa_pkcs1_sha1          0x0201
SHA1 Anonymous          0x0200



Crypto Media Suites Supported

 

Media Suite Name
AEAD_AES_256_GCM
AEAD_AES_128_GCM
AES_256_CM_HMAC_SHA1_80
AES_256_CM_HMAC_SHA1_32
AES_192_CM_HMAC_SHA1_80
AES_192_CM_HMAC_SHA1_32
AES_CM_128_HMAC_SHA1_80
AES_CM_128_HMAC_SHA1_32
F8_128_HMAC_SHA1_80
F8_128_HMAC_SHA1_32



Note: The selection of cipher suites and signature hashing algorithms is limited by which cryptographic algorithm, RSA (Rivest-Shamir-Adleman) or ECDSA (Elliptic Curve Digital Signature Algorithm), was used to sign the TLS certificate. For example, an RSA signed certificate would not support the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite.
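The certificate constraint in the note above, as an added example (not 46 Labs code): it reads the key exchange out of each suite name and keeps only the suites usable with an RSA or an ECDSA certificate. SAMPLE_SUITES is a constructed subset of the cipher suite table, and the function and variable names are hypothetical.

```python
# Constructed sample: a few suite names copied from the cipher suite table above.
SAMPLE_SUITES = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_DHE_PSK_WITH_AES_128_CCM",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
]

# Key-exchange prefixes that occur in the table, mapped to the credential
# the server authenticates with.
KX_AUTH = {
    "RSA": "RSA", "DHE_RSA": "RSA", "ECDHE_RSA": "RSA",
    "ECDHE_ECDSA": "ECDSA",
    "PSK": "PSK", "DHE_PSK": "PSK", "ECDHE_PSK": "PSK",
    "DH_anon": "anon",
}


def auth_method(suite):
    """Return 'RSA', 'ECDSA', 'PSK', 'anon', or 'any' for a suite name."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not a TLS suite name: {suite}")
    if "_WITH_" not in suite:
        # Names such as TLS_AES_128_GCM_SHA256 carry no key exchange; the
        # certificate type is settled by the signature algorithm instead.
        return "any"
    kx = suite[len("TLS_"):suite.index("_WITH_")]  # e.g. "ECDHE_RSA"
    if kx not in KX_AUTH:
        raise ValueError(f"key exchange not covered by this example: {kx}")
    return KX_AUTH[kx]


def usable_with_cert(suites, cert_key):
    """Suites a certificate with the given key type ('RSA' or 'ECDSA') can serve.

    PSK and anon suites are left out: they do not use the certificate at all,
    and anon suites do not authenticate the peer.
    """
    if cert_key not in ("RSA", "ECDSA"):
        raise ValueError("cert_key must be 'RSA' or 'ECDSA'")
    return [s for s in suites if auth_method(s) in (cert_key, "any")]


if __name__ == "__main__":
    for key in ("RSA", "ECDSA"):
        print(key, usable_with_cert(SAMPLE_SUITES, key))
```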

