[Asterisk-code-review] chan sip: Allow Preferred sRTP. (asterisk[master])
Alexander Traud
asteriskteam at digium.com
Fri Aug 26 09:32:58 CDT 2016
Alexander Traud has posted comments on this change.
Change subject: chan_sip: Allow Preferred sRTP.
......................................................................
Patch Set 1:
Adding this on the outbound is not the scope of this change here.
Anyway, I looked into that and the behavior of PJSIP
<https://reviewboard.asterisk.org/3992>
endpoint:media_encryption=sdes
endpoint:media_encryption_optimistic=yes
is not accepted by at least one implementation (blocker for me, here). Reading the RFCs literally, crypto= without an sRTP profile is wrong behavior. Although I see this as a clever way to specify sRTP optionally, I am aware of only one approach which works across all implementations (and their settings): First create an RTP/SAVP with crypto= (only over TLS); when that fails, INVITE again with RTP/AVP without crypto=.
This is possible with chan_sip thanks to the Dialplan and the channel variables secure_bridge_signaling and secure_bridge_media. That way, I am even able to use DNS-NAPTR to detect TLS automatically. Both are not possible in PJSIP yet (and a severe issue for me). Nevertheless, again, out of scope of this change here.
Or stated differently: On inbound, please. On the outbound, no. Asterisk is able to support a defined and always working behavior via a Dialplan. I see no need to implement a workaround. <https://en.wikipedia.org/wiki/Robustness_principle>
> It may work for some endpoints, but the answer should be RTP/AVP.
No rationale given. It could be the other way around as well, because that behavior is not defined in the RFCs. I tried a lot of optimistic sRTP implementations with RTP/sAVP in chan_sip. No issue. To be honest, I faced no issue with res_pjsip (which sticks to RTP/AVP) either. Ingress, egress I mentioned before.
For consistency (is that your rationale? Or does it come from your SIPit 31 tests with optimistic sRTP in PJSIP?), I would love to follow res_pjsip and therefore your advice, but I do not know how to code that.
--
To view, visit https://gerrit.asterisk.org/3234
To unsubscribe, visit https://gerrit.asterisk.org/settings
Gerrit-MessageType: comment
Gerrit-Change-Id: I42cb779df3a9c7b3dd03a629fb3a296aa4ceb0fd
Gerrit-PatchSet: 1
Gerrit-Project: asterisk
Gerrit-Branch: master
Gerrit-Owner: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Alexander Traud <pabstraud at compuserve.com>
Gerrit-Reviewer: Anonymous Coward #1000019
Gerrit-Reviewer: George Joseph <gjoseph at digium.com>
Gerrit-Reviewer: Joshua Colp <jcolp at digium.com>
Gerrit-HasComments: No
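
The message above distinguishes three offer shapes: RTP/SAVP with crypto=, RTP/AVP with crypto= (the optimistic form) and RTP/AVP without crypto=. The following is an added example, not part of the original message and not Asterisk code, that tells them apart in an SDP body; the function names, the labels and the sample SDP (including the key placeholder) are constructed assumptions.

```python
# Added example, not Asterisk code. Labels and sample SDP are constructed.
SECURE = {"RTP/SAVP", "RTP/SAVPF"}
PLAIN = {"RTP/AVP", "RTP/AVPF"}

def label_for(profile, has_crypto):
    """Map (transport profile, SDES a=crypto present?) to a descriptive label."""
    if profile in SECURE:
        return "srtp-mandatory" if has_crypto else "secure-profile-without-sdes-keys"
    if profile in PLAIN:
        # RTP/AVP carrying a=crypto is the optimistic form discussed in the thread.
        return "srtp-optimistic" if has_crypto else "rtp-plain"
    return "other"

def classify_offer(sdp):
    """Return [(media, profile, label)] for every m= section of an SDP body."""
    sections, current = [], None
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            fields = line[2:].split()
            current = None  # a malformed m= line must not inherit later a=crypto
            if len(fields) >= 3:
                current = [fields[0], fields[2].upper(), False]
                sections.append(current)
        elif line.lower().startswith("a=crypto:") and current is not None:
            current[2] = True  # a=crypto before any m= line is ignored here
    return [(m, p, label_for(p, c)) for m, p, c in sections]

def make_offer(profile, crypto):
    """Build a constructed single-stream audio offer for the given profile."""
    lines = ["v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10",
             "t=0 0", "m=audio 40000 %s 0 8" % profile]
    if crypto:
        lines.append("a=crypto:1 AES_CM_128_HMAC_SHA1_80 "
                     "inline:CONSTRUCTED-KEY-PLACEHOLDER")
    return "\r\n".join(lines) + "\r\n"

if __name__ == "__main__":
    for profile, crypto in (("RTP/SAVP", True), ("RTP/AVP", True),
                            ("RTP/AVP", False), ("RTP/SAVP", False)):
        print(classify_offer(make_offer(profile, crypto)))
```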