[asterisk-bugs] [JIRA] (ASTERISK-17899) [patch] Adds a 'ignorecryptolifetime' (Ignore Crypto Lifetime) option to sip.conf for SRTP keys specifying optional 'lifetime'
Olle Johansson (JIRA)
noreply at issues.asterisk.org
Mon Sep 2 08:37:04 CDT 2013
[ https://issues.asterisk.org/jira/browse/ASTERISK-17899?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=209827#comment-209827 ]
Olle Johansson commented on ASTERISK-17899:
-------------------------------------------
"The lifetime of an SRTP AES master key for G.729 is more than 178,000 years (2^48/50 pps) for SRTP and more than 27 years (2^31/(50 * 0.05) pps) for an SRTCP AES. Thus, re-key is not recommended for IP telephony. Instead, the session should be ended and a new one established." http://www.cisco.com/web/about/security/intelligence/securing-voip.html
I am trying to sort out how the SDP negotiation applies, since some documents claim we have to answer with the same lifetime and the RFC is very unclear. I think we can safely confirm anything above 2^20 and just ignore the packet counters behind it... Not nice, but working.
As soon as I have a definitive answer, I'll update this issue.
> [patch] Adds a 'ignorecryptolifetime' (Ignore Crypto Lifetime) option to sip.conf for SRTP keys specifying optional 'lifetime'
> ------------------------------------------------------------------------------------------------------------------------------
>
> Key: ASTERISK-17899
> URL: https://issues.asterisk.org/jira/browse/ASTERISK-17899
> Project: Asterisk
> Issue Type: New Feature
> Components: Channels/chan_sip/NewFeature
> Reporter: Dwayne Hubbard
> Attachments: dw-ignore-crypto-lifetime-1.8.4.patch, dw-ignore-crypto-lifetime-trunk-r320171.patch
>
>
> This functionality is disabled by default, but when enabled it will tell Asterisk to ignore the crypto lifetime key component if one is specified. Using this option I was able to successfully make TLS/SRTP calls to the Sangoma Express Gateway. This patch would not be necessary if the Sangoma Express Gateway provided an option to disable the lifetime specification; but it appears that it does not.
> Without this patch, any SRTP offers that specify the optional lifetime key component will fail.
> This patch was also tested by Ryan Mayer (mantis user: 'hidden'). Thanks Ryan!
> ****** ADDITIONAL INFORMATION ******
> Here is a sample sip.conf entry:
> [guyute]
> host=5.6.7.8
> transport=tls
> encryption=yes
> ignorecryptolifetime=yes
> port=5061
> type=peer
> disallow=all
> allow=ulaw
> dtmfmode=rfc2833
> reinvite=no
> canreinvite=no
> context=default
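As an added illustration (not Asterisk's chan_sip code), the following parses an RFC 4568 `a=crypto` attribute with its optional `|lifetime` and `|MKI:length` key parameters and applies two policies discussed in this issue: an `ignore_lifetime` switch in the spirit of the proposed `ignorecryptolifetime` option, and the "accept anything at or above 2^20 packets" threshold from the comment above. Function names, the `MIN_ACCEPTED_LIFETIME` constant and the sample lines are assumptions constructed here; the base64 value is the illustrative key from RFC 4568, not real key material.

```python
import base64
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Threshold floated in the comment above: confirm offers whose lifetime
# is at least 2^20 packets and ignore the packet counters behind it.
MIN_ACCEPTED_LIFETIME = 2 ** 20

# Expected length of decoded master key || master salt per crypto suite
# (16-byte key + 14-byte salt for the AES_CM_128 suites of RFC 4568).
SUITE_KEY_SALT_LEN = {"AES_CM_128_HMAC_SHA1_80": 30, "AES_CM_128_HMAC_SHA1_32": 30}

_LIFETIME_RE = re.compile(r"^(?:2\^(\d+)|(\d+))$")


@dataclass
class CryptoOffer:
    tag: int
    suite: str
    key_salt: bytes                      # decoded master key || master salt
    lifetime: Optional[int]              # in packets; None if not offered
    mki: Optional[Tuple[int, int]]       # (value, length) or None


def parse_lifetime(text: str) -> int:
    """RFC 4568 writes the lifetime either as '2^n' or as a plain decimal."""
    m = _LIFETIME_RE.match(text)
    if not m:
        raise ValueError(f"malformed lifetime: {text!r}")
    return 2 ** int(m.group(1)) if m.group(1) else int(m.group(2))


def parse_crypto(line: str) -> CryptoOffer:
    """Parse 'a=crypto:<tag> <suite> inline:<key>[|lifetime][|MKI:len]'."""
    if not line.startswith("a=crypto:"):
        raise ValueError("not an a=crypto attribute")
    tag, suite, key_params = line[len("a=crypto:"):].split()[:3]
    if not key_params.startswith("inline:"):
        raise ValueError("only the inline key method is supported")
    parts = key_params[len("inline:"):].split("|")
    key_salt = base64.b64decode(parts[0], validate=True)
    if len(key_salt) != SUITE_KEY_SALT_LEN.get(suite):
        raise ValueError(f"key/salt length {len(key_salt)} wrong for {suite}")
    lifetime = mki = None
    for p in parts[1:]:
        if ":" in p:                     # MKI parameter: <value>:<byte length>
            val, length = p.split(":", 1)
            mki = (int(val), int(length))
        else:
            lifetime = parse_lifetime(p)
    return CryptoOffer(int(tag), suite, key_salt, lifetime, mki)


def accept_offer(offer: CryptoOffer, ignore_lifetime: bool = False) -> bool:
    """Accept when no lifetime is offered, when told to ignore it, or when
    the offered lifetime is at least MIN_ACCEPTED_LIFETIME packets."""
    if offer.lifetime is None or ignore_lifetime:
        return True
    return offer.lifetime >= MIN_ACCEPTED_LIFETIME
```

Without the `ignore_lifetime` switch, an offer such as `inline:<key>|1024` is refused while `inline:<key>|2^31` is accepted; with it, the lifetime is simply not consulted.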
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.asterisk.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira