[Asterisk-Dev] Cross Platform UDP-VPN based encryption

Mathew Frank mathew at macmillanweir.com
Tue Apr 20 15:55:05 MST 2004


> Mathew Frank wrote:
>
> > It's fast, lightweight, UDP, and will encrypt the entire contents of iax2
> > packets.
> >
> > Comments?
>
> It can't give feedback to the application about states beyond the
> current link, some of the people posting on this wanted to demand end to
> end encryption and be sure they were getting exactly that...

Actually I see this as a red herring for any encrypted tunnel - this is
something that the asterisk box needs to handle anyway, and not a function
of the transport layer itself - see below.

As has already been mentioned, asterisk deals with a number of different
connection methods - including POTS, as well as the various VOIP protocols -
and on that basis I am in favour of the various connection security options
already mentioned (required, if available, etc).

On that basis the Asterisk box has the ability to evaluate all transport
methods, on the basis of encryption or not, and hence make that decision.

ANOTHER THOUGHT:  I would have to say that in my home office, I would not be
concerned about unencrypted SIP, or IAX2 on my protected, local network,
because I am the only one on it - however an "all encrypted" connection
option would in theory block a call to me here, unless I could override
settings somehow, in which case, if they were overridable, that would bring
in a trust issue with the operators of Asterisk servers, though if you can't
trust the server operator, then you are screwed anyway.

Unless of course, the encryption was truly end to end - in which case the
asterisk server in the middle could not decrypt it.  I don't see how this
would be implementable though.

Which leads to another question: realistically, how many asterisk servers is a
call going to route through across the internet?  I would have thought
that would be only one - any that that would be a waste, and a source of
excess lag.  Are we worried about a secondary asterisk server inside a
corporation that needs to be encrypted?

Cheers,
Mathew



