Linksys ATA

Administrator Guide

Document Version 3.1

Chapter 3

Configuring Linksys ATAs

Configuring a Dial Plan

Dial Plan Timers

The dial plan functionality is regulated by the following configurable parameters:

•

Interdigit_Long_Timer

•

Interdigit_Short_Timer

•

Dial_Plan ([1] and [2])

Interdigit Long Timer

The <Interdigit_Long_Timer> specifies the default maximum time (in seconds) allowed between dialed

digits, when no candidate digit sequence is as yet complete (see the discussion of the Dial_Plan

parameter for an explanation of candidate digit sequences).

Interdigit Short Timer

The <Interdigit_Short_Timer> specifies the default maximum time (in seconds) allowed between dialed

digits, when at least one candidate digit sequence is complete as dialed (see the following discussion of

Dial_Plan parameters for an explanation of candidate digit sequences).

Dial Plans

The Dial_Plan parameters contain the actual dial plan scripts for each line

n

, where

n

is a number from

1 to 4.

ParName

Interdigit_Long_Timer

Default

10

ParName

Interdigit_Short_Timer

Default

3

ParName

Dial_Plan[n] for Each Line

n

Default

(*xx | [3469]11 | 0 | 00 | <:1408>[2-9]xxxxxx |

1[2-9]xx[2-9]xxxxxx | 011x. )

Linksys ATA

Administrator Guide

Document Version 3.1

Chapter 3

Configuring Linksys ATAs

Secure Call Implementation

Secure Call Implementation

This section describes secure call implementation with a Linksys ATA. It includes the following topics:

•

Enabling Secure Calls, page 3-10

•

Secure Call Details, page 3-10

•

Using a Mini-Certificate, page 3-11

•

Generating a Mini-Certificate, page 3-11

Enabling Secure Calls

A secure call is established in two stages. The first stage is no different from normal call setup. The

second stage starts after the call is established in the normal way with both sides ready to stream RTP

packets. I

In the second stage, the two parties exchange information to determine if the current call can switch over

to the secure mode. The information is transported by base64 encoding embedded in the message body

of SIP INFO requests, and responses using a proprietary format. If the second stage is successful, the

Linksys ATA plays a special Secure Call Indication Tone for a short time to indicate to both parties that

the call is secured and that RTP traffic in both directions is being encrypted.

If the user has a phone that supports call waiting caller ID (CIDCW) and that service is enabled, the CID

will be updated with the information extracted from the Mini-Certificate received from the remote party.

The Name field of the CID will be prepended with a ‘$’ symbol. Both parties can verify the name and

number to ensure the identity of the remote party.

The signing agent is implicit and must be the same for all Linksys ATAs that communicate securely with

each other. The public key of the signing agent is pre-configured into the Linksys ATA by the

administrator and is used by the Linksys ATA to verify the Mini-Certificate of its peer. The

Mini-Certificate is valid if it has not expired, and it has a valid signature.

The Linksys ATA can be configured so that, by default, all outbound calls are either secure or not secure.

If secure by default, the user has the option to disable security when making a call by dialing *19 before

dialing the target number. If not secure by default, the user can make a secure outbound call by dialing

*18 before dialing the target number. However, the user cannot force inbound calls to be secure or not

secure; that depends on whether the caller has security enabled or not.

The Linksys ATA will not switch to secure mode if the CID of the called party from its Mini-Certificate

does not agree with the user-id used in making the outbound call. The Linksys ATA performs this check

after receiving the Mini-Certificate of the called party

Secure Call Details

Looking at the second stage of setting up a secure call in greater detail, this stage can be further divided

into two steps.

1.

The caller sends a “Caller Hello” message (base64 encoded and embedded in the message body of

a SIP INFO request) to the called party with the following information:

•

Message ID (4B)

•

Version and flags (4B)

•

SSRC of the encrypted stream (4B)

Linksys ATA

Administrator Guide

Document Version 3.1

Chapter 3

Configuring Linksys ATAs

Secure Call Implementation

•

Mini-Certificate (252B)

Upon receiving the Caller Hello, the called party responds with a Callee Hello message (base64

encoded and embedded in the message body of a SIP response to the caller’s INFO request) with

similar information, if the Caller Hello message is valid. The caller then examines the Callee Hello

and proceeds to the next step if the message is valid.

2.

The caller sends the “Caller Final” message to the called party with the following information:

•

Message ID (4B)

•

Encrypted Master Key (16B or 128b)

•

Encrypted Master Salt (16B or 128b)

The Master Key and Master Salt are encrypted with the public key from the called party

mini-certificate. The Master Key and Master Salt are used by both ends for deriving session keys to

encrypt subsequent RTP packets. The called party then responds with a Callee Final message (which

is an empty message).

Using a Mini-Certificate

The Linksys ATA Mini-Certificate (MC) contains the following information:

•

User Name (32B)

•

User ID or Phone Number (16B)

•

Expiration Date (12B)

•

Public Key (512b or 64B)

•

Signature (1024b or 512B)

The MC has a 512-bit public key used for establishing secure calls. The administrator must provision

each subscriber of the secure call service with an MC and the corresponding 512-bit private key. The

MC is signed with a 1024-bit private key of the service provider, which acts as the CA of the MC. The

1024-bit public key of the CA signing the MC must also be provisioned for each subscriber.

The CA public key is used by the Linksys ATA to verify the MC received from the other end. If the MC

is invalid, the Linksys ATA will not switch to secure mode. The MC and the 1024-bit CA public key are

concatenated and base64 encoded into the single parameter <Mini Certificate>. The 512-bit private key

is base64 encoded into the <SRTP Private Key> parameter, which should be kept secret, like a password.

Because the secure call establishment relies on exchange of information embedded in message bodies of

SIP INFO requests/responses, the service provider must ensure that the network infrastructure allows

the SIP INFO messages to pass through with the message body unmodified.

Generating a Mini-Certificate

Linksys provides a configuration tool called gen_mc for the generation of MC and private keys with the

following syntax:

gen_mc

ca-key user-name user-id expire-date

Where:

•

ca-key

is a text file with the base64 encoded 1024-bit CA private/public key pairs for

signing/verifying the MC, such as the following:

Linksys ATA

Administrator Guide

Document Version 3.1

Chapter 3

Configuring Linksys ATAs

Configuring a Streaming Audio Server

9CC9aYU1X5lJuU+EBZmi3AmcqE9U1LxEOGwopaGyGOh3VyhKgi6JaVtQZt87PiJINKW8XQj3B9Qqe3VgYx

WCQNa335YCnDsenASeBxuMIEaBCYd1l1fVEodJZOGwXwfAde0MhcbD0kj7LVlzcsTyk2TZYTccnZ75TuTj

j13qvYs=

5nEtOrkCa84/mEwl3D9tSvVLyliwQ+u/Hd+C8u5SNk7hsAUZaA9TqH8Iw0J/IqSrsf6scsmundY5j7Z5mK

5J9uBxSB8t8vamFGD0pF4zhNtbrVvIXKI9kmp4vph1C5jzO9gDfs3MF+zjyYrVUFdM+pXtDBxmM+fGUfrp

AuXb7/k=

•

user-name

is the name of the subscriber, such as “Joe Smith”. Maximum length is 32 characters

•

user-id

is the User ID of the subscriber, which must match exactly the user-id used in the INVITE

when making the call, such as “14083331234”. The maximum length is 16 characters.

•

expire-date

is the expiration date of the MC, such as “00:00:00 1/1/34” (34=2034). Internally the

date is encoded as a fixed 12B string: 000000010134

The tool generates the <Mini Certificate> and <SRTP Private Key> parameters that can be provisioned

to the Linksys ATA.

For Example:

gen_mc ca_key “Joe Smith” 14085551234 “00:00:00 1/1/34”

Produces the following Mini Certificate and SRTP Private Key:

<Mini Certificate>

Sm9lIFNtaXRoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxNDA4NTU1MTIzNAAAAAAAMDAwMDAwMDEwMTM00OvJakde2v

VMF3Rw4pPXL7lAgIagMpbLSAG2+++YlSqt198Cp9rP/xMGFfoPmDKGx6JFtkQ5sxLcuwgxpxpxkeXvpZKlYlpsb28L

4Rhg5qZA+Gqj1hDFCmG6dffZ9SJhxES767G0JIS+N8lQBLr0AuemotknSjjjOy8c+1lTCd2t44Mh0vmwNg4fDck2Yd

mTMBR516xJt4/uQ/LJQlni2kwqlm7scDvll5k232EvvvVtCK0AYa4eWd6fQOpiESCO9CC9aYU1X5lJuU+EBZmi3Amc

qE9U1LxEOGwopaGyGOh3VyhKgi6JaVtQZt87PiJINKW8XQj3B9Qqe3VgYxWCQNa335YCnDsenASeBxuMIEaBCYd1l1

fVEodJZOGwXwfAde0MhcbD0kj7LVlzcsTyk2TZYTccnZ75TuTjj13qvYs=

<SRTP Private Key>

b/DWc96X4YQraCnYzl5en1CIUhVQQqrvcr6Qd/8R52IEvJjOw/e+Klm4XiiFEPaKmU8UbooxKG36SEdKusp0AQ==

Configuring a Streaming Audio Server

This section describes how to use and configure a streaming audio server (SAS). It includes the

following topics:

•

Music On Hold, page 3-12

•

Using a Streaming Audio Server, page 3-13

•

Using the IVR with an SAS Line, page 3-13

•

Example SAS with MOH, page 3-14

•

SAS Line Not Registered with the Proxy Server, page 3-14

Music On Hold

On a connected call, the Linksys ATA may place the remote party on hold by performing a hook-flash

to initiate a three-way call or by swapping two calls during call-waiting. If the remote client indicates

that it can still receive audio while the call is holding, the Linksys ATA can be configured to contact an

auto-answering streaming audio server (SAS) to stream audio to the holding party. When used this way,

the SAS is referred to as an MOH Server.

Linksys ATA

Administrator Guide

Document Version 3.1

Chapter 3

Configuring Linksys ATAs

Configuring a Streaming Audio Server

Using a Streaming Audio Server

The SAS feature lets you use attach an audio source to one of the Linksys ATA FXS ports (Phone 1 or

Phone 2 on the PAP2T) and use it as a streaming audio source device.

If the

Linksys ATA has multiple

FXS ports, either or both of the associated lines (Line 1 and Line 2 on the PAP2T)

can be configured

as an SAS server

.

To connect an external music source to an FXS port, use a media signal adapter, which provides a line

in from a media source and a RJ-11 port for connecting to the FXS port on the Linksys ATA. The

following is a URL for a device that has been tested with Linksys ATAs:

After installing the music source using the media signal adapter and completing the required

configuration on the Linksys ATA , when the line is called and the FXS port is off hook, the Linksys

ATA answers the call automatically and streams audio to the caller.

If the FXS port is on-hook when the incoming call arrives, the Linksys ATA replies with a SIP 503

response code (Service Not Available). The SAS line will not ring for incoming calls even if the attached

equipment is on-hook.

If an incoming call is auto-answered, but later the FXS port changes to on-hook, the SPA does not

terminate the call but continues to stream silence packets to the caller. If an incoming call arrives when

the SAS line has reached full capacity, the SPA replies with a SIP 486 response (Busy Here).

The SAS line can be set up to refresh each streaming audio session periodically using a SIP re-INVITE

message, which detects if the connection to the caller is down. If the caller does not respond to the

refresh message, the SAS line terminates the call so that the streaming resource can be used for other

callers.

Each SAS server can maintain up to five simultaneous calls. If the second line on the Linksys ATA is

disabled, then the SAS line can maintain up to 10 simultaneous calls. Further incoming calls will receive

a busy signal (SIP 486 Response).

If no calls are in session, battery is removed from tip-and-ring of the FXS port. Some audio source

devices have an LED to indicate the battery status. This can be used as a visual indication as to whether

audio streaming is in progress.

Set up the Proxy and Subscriber Information for the SAS Line as you normally would with a regular user

account.

Call Forwarding, Call Screening, Call Blocking, DND, and Caller-ID Delivery features are not available

on an SAS line.

Using the IVR with an SAS Line

The IVR can still be used on an SAS line, but the user needs to follow the following steps:

Step 1

Power off the Linksys ATA.

Step 2

Connect a phone to the port and make sure the phone is on-hook.

Step 3

Power on the Linksys ATA.

Step 4

Pick up handset and press * * * * to invoke IVR in the usual way.