[Asterisk-Dev] Re: libsrtp

brian brian at bkw.org
Fri May 14 13:56:21 MST 2004


How are the keys? Static or dynamic? How often do they roll?

bkw

> -----Original Message-----
> From: asterisk-dev-admin at lists.digium.com [mailto:asterisk-dev-
> admin at lists.digium.com] On Behalf Of James H. Cloos Jr.
> Sent: Friday, May 14, 2004 2:52 PM
> To: asterisk-dev at lists.digium.com
> Subject: [Asterisk-Dev] Re: libsrtp
>
> >>>>> "John" == John Todd <jtodd at loligo.com> writes:
>
> John> I'd like to put my most robust approval in for this as well. :-)
>
> John> we'd be well-advised to also have TLS for SIP, and
> John> whole-enchilada-encryption for IAX2.
>
> W/o question.
>
> John> However, I'd be happy with starting with some RFC-approved
> John> method of encrypting SIP RTP streams, if you have the time
> John> and experience to put that together.
>
> Based on that library it should be relatively easy.  One question is
> whether to use it as is, or break it apart and use the code directly.
> It has eg its own aes implementation, which probably differs from the
> one already in *.
>
> (On the aes front, we probably want to find useable cpu-optimized
> versions for each cpu family of interest.  A recent post to lkml
> specified that the 586-optimized aes routine doubled the throughput
> for cryptoloop over the plain C version.)
>
> If bug:
>
> http://bugs.digium.com/bug_view_advanced_page.php?bug_id=0001642
>
> is committed to the tree, I will add code to rtp.c that makes use of
> it if an encrypted flag is set for the call.  Setting that flag --
> and negotiating the key -- will be the responsibility of each
> channel that uses rtp.
>
> Hmmm.  Actually, perhaps the existence of a non-NULL key
> should itself be the flag?  Does anyone have any thoughts
> on that implementation detail?
>
> The next step is then to add key negotiation to the channels,
> probably starting with chan_sip or chan_sip2.  Once that works
> we can work on sips (sip/tls/tcp and I hope sip/tls/sctp).
>
> For iax, there still needs to be a protocol-level specification on
> how to negotiate a key and start an encrypted session.  I'd use the
> STARTTLS style, where one side requests upgrading an open session
> to encrypted and if the other end agrees the key exchange is done
> and then only encrypted packets flow.  If they cannot agree then
> either they continue w/o or they end the session, depending on
> how each side is configured.
>
> -JimC
> --
> James H. Cloos, Jr. <cloos at jhcloos.com> <http://jhcloos.com/voip>
> _______________________________________________
> Asterisk-Dev mailing list
> Asterisk-Dev at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-dev
> To UNSUBSCRIBE or update options visit:
>    http://lists.digium.com/mailman/listinfo/asterisk-dev
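The two design points in the quoted mail, "non-NULL key as the encrypted flag" in rtp.c and a STARTTLS-style upgrade for IAX where each side's configuration decides what happens when the peers cannot agree, in one self-contained sketch. This is an added example, not Asterisk or libsrtp code and not anything from the thread; every name (policy_t, peer_t, negotiate, send_media, accept_media) is hypothetical, and the key exchange itself is not modelled: a constructed 16-byte key stands in for whatever the exchange would produce.

```c
/* Added illustration (not Asterisk or libsrtp code): STARTTLS-style
 * upgrade of an open session, with "key != NULL" as the encrypted flag.
 * All names are hypothetical; the key exchange is replaced by a stand-in. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_LEN 16

/* How each side is configured ("depending on how each side is configured"). */
typedef enum {
    POLICY_OPPORTUNISTIC,  /* ask to upgrade; carry on in cleartext if refused */
    POLICY_REQUIRED,       /* ask to upgrade; end the session if refused */
    POLICY_CLEARTEXT_ONLY  /* never upgrades (e.g. a legacy peer) */
} policy_t;

typedef enum { SESSION_CLEARTEXT, SESSION_ENCRYPTED, SESSION_CLOSED } outcome_t;
typedef enum { PKT_PLAIN, PKT_PROTECTED } pkt_kind_t;

typedef struct {
    const char *name;
    policy_t    policy;
    uint8_t     key_buf[KEY_LEN];
    uint8_t    *key;   /* NULL until an upgrade succeeds: this is the flag */
} peer_t;

static peer_t make_peer(const char *name, policy_t policy)
{
    peer_t p;
    memset(&p, 0, sizeof p);
    p.name = name;
    p.policy = policy;
    p.key = NULL;
    return p;
}

static int will_upgrade(const peer_t *p)
{
    return p->policy != POLICY_CLEARTEXT_ONLY;
}

/* One side requests upgrading the open session. If the other agrees, the
 * (stand-in) key exchange runs and both sides install the key. If they
 * cannot agree, a REQUIRED policy on either side ends the session;
 * otherwise the call continues unencrypted. */
static outcome_t negotiate(peer_t *initiator, peer_t *responder)
{
    if (will_upgrade(initiator) && will_upgrade(responder)) {
        /* Constructed stand-in for a negotiated key; not a real exchange. */
        static const uint8_t demo_key[KEY_LEN] = {
            0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef,
            0xfe, 0xdc, 0xba, 0x98, 0x76, 0x54, 0x32, 0x10 };
        memcpy(initiator->key_buf, demo_key, KEY_LEN);
        memcpy(responder->key_buf, demo_key, KEY_LEN);
        initiator->key = initiator->key_buf;
        responder->key = responder->key_buf;
        return SESSION_ENCRYPTED;
    }
    if (initiator->policy == POLICY_REQUIRED || responder->policy == POLICY_REQUIRED)
        return SESSION_CLOSED;
    return SESSION_CLEARTEXT;
}

/* rtp.c-style send path: the presence of a key, not a separate flag,
 * selects the protected path. */
static pkt_kind_t send_media(const peer_t *p)
{
    return p->key ? PKT_PROTECTED : PKT_PLAIN;
}

/* Receive path: once upgraded, only encrypted packets flow, so a plain
 * packet is dropped rather than played out. Before the upgrade there is
 * no key to unprotect with, so a protected packet is dropped instead. */
static int accept_media(const peer_t *p, pkt_kind_t kind)
{
    return p->key ? kind == PKT_PROTECTED : kind == PKT_PLAIN;
}

/* Negotiate between two fresh peers with the given policies. */
static outcome_t run_scenario(policy_t a, policy_t b)
{
    peer_t pa = make_peer("A", a), pb = make_peer("B", b);
    return negotiate(&pa, &pb);
}

int main(void)
{
    static const char *label[] = { "cleartext", "encrypted", "closed" };
    peer_t a = make_peer("A", POLICY_OPPORTUNISTIC);
    peer_t b = make_peer("B", POLICY_CLEARTEXT_ONLY);
    printf("%s vs cleartext-only peer: %s\n", a.name, label[negotiate(&a, &b)]);
    printf("required vs cleartext-only: %s\n",
           label[run_scenario(POLICY_REQUIRED, POLICY_CLEARTEXT_ONLY)]);
    printf("opportunistic vs required: %s\n",
           label[run_scenario(POLICY_OPPORTUNISTIC, POLICY_REQUIRED)]);
    return 0;
}
```

The receive-side check is the part worth keeping whatever the real key exchange ends up being: once a key is installed, a cleartext packet must be dropped, not played out, or the upgrade buys nothing against an on-path party who keeps sending plain RTP. The usual STARTTLS caveat also applies to the opportunistic policy: a peer that is willing to fall back to cleartext can be kept in cleartext by anyone able to strip the upgrade request from the session, so the "required" policy is the only one that actually guarantees encryption.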