[Asterisk-Dev] Re: libsrtp

James H. Cloos Jr. cloos at jhcloos.com
Fri May 14 12:52:09 MST 2004


>>>>> "John" == John Todd <jtodd at loligo.com> writes:

John> I'd like to put my most robust approval in for this as well. :-)

John> we'd be well-advised to also have TLS for SIP, and
John> whole-enchilada-encryption for IAX2.

W/o question.

John> However, I'd be happy with starting with some RFC-approved
John> method of encrypting SIP RTP streams, if you have the time
John> and experience to put that together.

Based on that library it should be relatively easy.  One question is
whether to use it as is, or break it apart and use the code directly.
It has eg its own aes implementation, which probably differs from the
one already in *.

(On the aes front, we probably want to find useable cpu-optimized
versions for each cpu family of interest.  A recent post to lkml
specified that the 586-optimized aes routine doubled the throughput
for cryptoloop over the plain C version.)

If bug:

http://bugs.digium.com/bug_view_advanced_page.php?bug_id=0001642

is committed to the tree, I will add code to rtp.c that makes use of
it if an encrypted flag is set for the call.  Setting that flag --
and negotiating the key -- will be the responsibility of each
channel that uses rtp.

Hmmm.  Actually, perhaps the existence of a non-NULL key
should itself be the flag?  Does anyone have any thoughts
on that implementation detail?

The next step is then to add key negotiation to the channels,
probably starting with chan_sip or chan_sip2.  Once that works
we can work on sips (sip/tls/tcp and I hope sip/tls/sctp).

For iax, there still needs to be a protocol-level specification on
how to negotiate a key and start an encrypted session.  I'd use the
STARTTLS style, where one side requests upgrading an open session
to encrypted and if the other end agrees the key exchange is done
and then only encrypted packets flow.  If they cannot agree then
either they continue w/o or they end the session, depending on
how each side is configured.

-JimC
-- 
James H. Cloos, Jr. <cloos at jhcloos.com> <http://jhcloos.com/voip>
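A minimal model of the two design points raised in the post above (a non-NULL key acting as the "encrypted" flag in an rtp.c-style send path, and a STARTTLS-style upgrade whose fallback depends on each side's configured policy), written here as an added example; it is not code from the post, from Asterisk or from libsrtp, and the key exchange and the XOR transform are constructed placeholders for the real SRTP machinery.

```c
#include <stddef.h>
#include <string.h>
/* What each side is configured to do if the peer declines the upgrade. */
enum crypto_policy { CRYPTO_OPTIONAL, CRYPTO_REQUIRED };
enum session_state { SESS_PLAIN, SESS_ENCRYPTED, SESS_CLOSED };

struct session {
    enum crypto_policy policy;
    const unsigned char *key;   /* non-NULL key doubles as the "encrypted" flag */
    enum session_state state;
};
/* Placeholder session key; a real implementation derives it in the key exchange. */
static const unsigned char demo_key[16] = "constructed-key";
/* STARTTLS-style upgrade: one side asks; the peer's answer plus local policy decide. */
enum session_state request_upgrade(struct session *s, int peer_agrees)
{
    if (s->state != SESS_PLAIN) return s->state; /* a protected session is never downgraded */
    if (peer_agrees) {
        s->key = demo_key;          /* key exchange done: only encrypted packets from now on */
        s->state = SESS_ENCRYPTED;
    } else if (s->policy == CRYPTO_REQUIRED) {
        s->state = SESS_CLOSED;     /* refuse to carry media in the clear */
    }                               /* CRYPTO_OPTIONAL: continue as SESS_PLAIN */
    return s->state;
}

/* rtp.c-style send path: the key's presence, not a separate flag, selects protection.
 * Returns 1 if the payload was protected, 0 if sent plain, -1 if the session is closed. */
int send_payload(struct session *s, const unsigned char *in, size_t len, unsigned char *out)
{
    if (s->state == SESS_CLOSED) return -1;
    if (s->key == NULL) {
        memcpy(out, in, len);       /* plain RTP */
        return 0;
    }
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ s->key[i % sizeof demo_key]; /* stand-in for the SRTP transform */
    return 1;
}

/* One negotiation with the given policy and peer answer; returns the send result. */
int scenario(enum crypto_policy policy, int peer_agrees)
{
    struct session s = { policy, NULL, SESS_PLAIN };
    unsigned char out[8];
    request_upgrade(&s, peer_agrees);
    return send_payload(&s, (const unsigned char *)"payload", 8, out);
}
```

The four combinations of policy and peer answer cover the outcomes the post describes: upgrade, continue in the clear, or end the session.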
