Hi, we have a question which is not directly related to SIP but SRTP, but we hope someone can still clarify the scenario.
We are encountering an issue where the authentication tag validation for a sequence of SRTP packets (SSRC 0xCB23BAA3) starts failing after processing several packets. This failure occurs after the sender delivers around 15 G.722 packets with a different SSRC (0xB12E5B92). Source and destination address are the same for both streams. The reason for these G.722 packets being sent is unclear, especially since the call was negotiated to use G.711. We would consider this the first issue. Here is a sample of the packet sequence we received: SSRC SEQ Codec Timestamp 0xCB23BAA3 1363 G.711 597285443 0xCB23BAA3 1364 G.711 597285603 0xCB23BAA3 1365 G.711 597285763 ... 0xCB23BAA3 1379 G.711 597288003 0xB12E5B92 58505 G.722 2973790942 0xB12E5B92 58506 G.722 2973791102 0xCB23BAA3 1380 G.711 597288163 ... The first packet failing authentication is 0xCB23BAA3/1380. All subsequent packets from this stream also fail authentication. After capturing the scenario and debugging it, we found that authentication would succeed if the sequence from 0xB12E5B92/58506 to 0xCB23BAA3/1380 was considered a rollover of sequence numbers, thereby increasing the "v" according to RFC 3711 when calculating the authentication tag. According to our understanding of RFC 3711, "s_l" (the highest received sequence number) is part of the cryptographic context, and each SSRC has its own cryptographic context: > A cryptographic context SHALL be uniquely identified by the triplet context > identifier: > context id = <SSRC, destination network address, destination transport port > number> It seems to us that the sender is incorrectly authenticating subsequent packets of stream 0xCB23BAA3, possibly not considering 0xCB23BAA3 and 0xB12E5B92 as different cryptographic contexts. Thanks for any feedback. Regards, Schraffl Peter _______________________________________________ Sip-implementors mailing list Sip-implementors@lists.cs.columbia.edu https://lists.cs.columbia.edu/mailman/listinfo/sip-implementors
