[Asterisk-Dev] libsrtp

Conroy, Lawrence (SMTP) lwc at roke.co.uk
Sat May 15 11:04:29 MST 2004 

Hi Folks,
   libsrtp for * is a GOOD idea, IMHO. Go for it!

However, I'm a little puzzled with these comments.

Yes, I am subscribed to MMUSIC, AVP & SIP/SIPPING Mailing Lists; I 
don't get enough junk email.

No, 802.1X is not an IETF protocol - it's an IEEE link layer protocol.

Yes, SIP does use S/MIME - it's specified in RFC 3261 (for example, see 
section 23 on page 201 et seq).
BTW, the S/MIME RFCs are listed in the references section at the end of 
3261.

No, TCP doesn't really add latency, as this is used only for the SIP 
exchanges (i.e. the signalling),
     NOT the (s)RTP used to carry the media. In practice, you often get 
retransmits in SIP using UDP
     transport unless you're "close", so the extra syn/ack traffic to 
set up TCP is insignificant.
     Remember also that the TCP connections can be re-used, so for 
inter-PBX trunking it makes no odds.

The SIP INVITE/200 exchange carries the SDP anyway, so a secured 
exchange (via SIPS - i.e. TLS)
should be OK to carry the keys, hence SDPdescriptions. You have the 
problem of mutual authentication
and encryption with TLS anyway; once that's dealt with, passing a 
message key (or keys) is OK,
as it's done over a secured signalling channel.

Note that the chat on the AVT list said that time-based re-keying (i.e. 
multiple keys switched
automatically based on the timestamp blah in the RTP stream) is NOT 
supported by srtp. Frankly,
I'd be surprised if anyone needed that any time soon - if encrypted 
content is that sensitive,
then we're probably talking about IPsec anyway.

One last point... srtp encrypts the content only.
The fact that there's a stream between the parties is still obvious to 
an eavesdropper, even
if the signalling that set up the session is secure (and the content is 
secure).
However, I think that the focus on content only means that the good 
news is that standard
NAT mangling should still work with srtp, as the IP/UDP headers are 
intact.

all the best,
   Lawrence



On 15 May 2004, at 4:26 pm, Duane wrote:
> Olle E. Johansson wrote:
>> Yes, but how did you relate EAP-TLS with SIPS?
>
> There is a reason people use UDP for telephony, by introducing TCP 
> into the mix won't that introduce high amounts of latency?
>
> EAP-TLS is handled at the mac layer not at the TCP layer, IPSec also 
> uses TLS but does so over UDP because of latency associated with using 
> TCP...
>
> http://e164.org - Using Enum.164 to interconnect asterisk servers
>  As Fosters is to beer, so ...

-- 

Visit our website at www.roke.co.uk

Registered Office: Roke Manor Research Ltd, Siemens House, Oldbury, Bracknell,
Berkshire. RG12 8FZ

The information contained in this e-mail and any attachments is confidential to
Roke Manor Research Ltd and must not be passed to any third party without
permission. This communication is for information only and shall not create or
change any contractual relationship.

More information about the asterisk-dev mailing list