I have two SIP endpoints and wanted to send the media over DTLS-SRTP. I am a little bit confused about the points below:
Are DTLS-SRTP and SRTP packets sent over DTLS connections the same or different?
If different, could you please explain how they are different?
DTLS is utilized to establish the keys that are then used for securing the RTP stream. Once the keys are established, they are used to encrypt the RTP stream to make it SRTP (nothing special about the encryption, standard SRTP, RFC 3711) and then sent over that DTLS channel. If you read RFC 5764, you can get more specifics about what a DTLS channel is and demultiplexing the packets, etc.
So, DTLS is key MANAGEMENT for the SRTP exchange. See RFC 5764, Section 4.1 for a little example.
In summary: if by SRTP over a DTLS connection you mean once keys have been exchanged and encrypting the media with those keys, there is not much difference. The main difference is that with DTLS-SRTP, the DTLS negotiation occurs on the same ports as the media itself and thus packet demultiplexing must be taken into account over those ports.
The above answer is almost correct. In DTLS-SRTP, a DTLS handshake is indeed used to derive the SRTP master key.
However, once the master key is obtained, DTLS is not used to transmit RTP: RTP packets are encrypted using SRTP and sent directly over the underlying transport (UDP).
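The packet demultiplexing mentioned in the answers above, as an added example that is not part of either answer: a receiver sharing one UDP port sorts each datagram by its first byte, using the ranges in RFC 5764, Section 5.1.2. The function name `classify` and the sample datagrams are constructed for illustration.

```python
import struct

# DTLS record-layer content types
DTLS_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}

def classify(datagram: bytes) -> dict:
    """Classify one UDP payload by its first byte (RFC 5764, Section 5.1.2)."""
    if not datagram:
        return {"kind": "drop", "reason": "empty datagram"}
    b = datagram[0]
    if b < 2:
        return {"kind": "stun"}
    if 19 < b < 64:
        # DTLS record header: type(1) version(2) epoch(2) seq(6) length(2) = 13 bytes
        if len(datagram) < 13:
            return {"kind": "drop", "reason": "truncated DTLS record"}
        ctype, version, epoch = struct.unpack_from("!BHH", datagram, 0)
        (length,) = struct.unpack_from("!H", datagram, 11)
        if length > len(datagram) - 13:
            return {"kind": "drop", "reason": "DTLS length exceeds datagram"}
        return {"kind": "dtls", "content_type": DTLS_TYPES.get(ctype, "unknown"),
                "version": hex(version), "epoch": epoch}
    if 127 < b < 192:
        # RTP fixed header: V/P/X/CC(1) M/PT(1) seq(2) timestamp(4) SSRC(4) = 12 bytes
        if len(datagram) < 12:
            return {"kind": "drop", "reason": "truncated RTP header"}
        seq, _timestamp, ssrc = struct.unpack_from("!HII", datagram, 2)
        return {"kind": "srtp", "seq": seq, "ssrc": hex(ssrc)}
    return {"kind": "drop", "reason": f"first byte {b} is not STUN, DTLS or RTP"}

# Constructed sample datagrams (not captured traffic).
# DTLS 1.2 handshake record, epoch 0, with a 4-byte placeholder body.
CLIENT_HELLO = bytes([22]) + b"\xfe\xfd" + b"\x00\x00" + b"\x00" * 6 \
    + struct.pack("!H", 4) + b"\x01\x00\x00\x00"
# RTP version 2, payload type 96, followed by 20 placeholder bytes of ciphertext and tag.
SRTP_PACKET = bytes([0x80, 0x60]) + struct.pack("!HII", 1, 160, 0x1234ABCD) + b"\x00" * 20
# STUN binding request header shape: the first byte is 0x00.
STUN_BINDING = b"\x00\x01" + b"\x00" * 18

if __name__ == "__main__":
    for name, pkt in [("dtls", CLIENT_HELLO), ("srtp", SRTP_PACKET), ("stun", STUN_BINDING)]:
        print(name, classify(pkt))
```

The SRTP datagram starts with an RTP header byte (128 to 191), not a DTLS record type (20 to 63), which is how the receiver tells media from handshake traffic on the same port.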