How to define RTP encryption to be optional or required?

[Benoit Panizzon]

Hi Team

I'm trying to clarify a rtp encryption issue with an SIP SBC vendor we are evaluating.

We came across the topic - how does one specify if rtp encryption is optional or mandatory?

I had some deeper dive in various RTP RFC but found no clear statement. AI seem to hallucinate this is done by a=encryption:[required|optional] but this is not backed by an RFC.

I suspect this to be how it is done:

RTP/AVP + crypto attributes => Optional

RTP/SAVP => Mandatory

Does anyone know where in the various RFC this is specified?

-Benoît-

[Johan De Clercq]

Add rtp/AVP line and rtp/savp. Then the thing in the middle has the choice. 

--
You received this message because you are subscribed to the Google Groups "Sipwise rtpengine" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rtpengine+...@googlegroups.com.
To view this discussion visit https://groups.google.com/d/msgid/rtpengine/1c5e6e88-b6dc-4d0b-bacf-229d394bf889n%40googlegroups.com.

[Richard Fuchs]

On 07/11/2025 04.55, Benoit Panizzon wrote:
> I suspect this to be how it is done:
>
> RTP/AVP + crypto attributes => Optional
> RTP/SAVP => Mandatory
>
> Does anyone know where in the various RFC this is specified?

There are two ways to do "optional SRTP." One is backed by an RFC and
works as you describe. This is called opportunistic SRTP and is
described by RFC 8643.

An older and completely non-standard method works by simply duplicating
each m= media section and presenting it once as plain RTP and once as
mandatory SRTP (in some order), and relies on the receiver supporting
this and choosing the preferred transport, rejecting the other one in
the process. This is in somewhat common use, especially by older devices.

Both are supported by rtpengine. Check out the various `OSRTP-...` flags.

Cheers