I presently have sip trunks with 2 providers, voip.ms and Flowroute, that I have established successfully with a TLS connection.
I can make and receive calls on these trunks.
I have not explicitly, to the best of my knowledge, enabled SRTP on the endpoints.
Is my understanding correct that if TLS is enabled on the SIP registration only the SIP traffic is traversing the encrypted tunnel and the actual RTP payload is passing from/to my ITSP unencrypted?
Or is the actual situation that the the RTP traffic on my internal network is unencrypted but the entire “conversation” from my IP to/from my ITSP is in an encrypted tunnel.
Have researched this for a long time but my Google-Fu seems to be failing in providing the correct search terms to narrow my results.
Any insight or corrections to my understanding would be appreciated. Thanks.
Correct, though “tunnel” isn’t really the right term here. (I would only say “tunnel” of a VPN.) It is an encrypted transport.
To use SRTP you have to specifically enable it.
Are you using pjsip or chan_sip? If you are using chan_sip, be careful. It is easy to have mismatched transports for a trunk (for example, sending your provider a TLS registration but sending calls to them over UDP). Make sure your transport is the same. (See the “server_a” example at Home - Asterisk Documentation which shows a registration line starting with tls:// and a peer definition that includes transport=tls and port=5061)
This is true. If you are going on to the PSTN then without any doubt there will be some part of the path that is not encrypted.
I think it could be useful if the network between you and your ITSP is particularly unsafe or hostile; e.g. an open wifi in a public place. Your call would not be end-to-end encrypted, but at least it would prevent snooping from nearby.