[Asterisk-Dev] zebedee (encrypted forwarding of UDP over TCP) was RE: [Asterisk- Dev] We can do better than Skype

Whisker, Peter Peter.Whisker at logicacmg.com
Thu Oct 21 01:51:27 MST 2004


I have to forward a couple of IAX trunks over Zebedee at the moment and it
does work. I have asked for (and just today been granted) a DMZ with
4569/udp open but Zebedee has done well.

The network between client and server is quite fast (100MBPS, 3ms latency
through firewall) so this provides a temporary workable solution. I had
connectivity between internal and DMZ only on a few TCP ports but no UDP
ports.

I listen locally on reepicheep:4569 zebedee client and forward via a Win2k
box already on the DMZ. The only thing that I have found is that I can't
forward more than one trunk from each Zebedee client. Each trunk needs a
separate client IP address otherwise either zebedee or asterisk mix them up.
Using different listener ports doesn't work.

Here are my listener and server setups:

==client==

reepicheep:/etc# more zeb_cli.conf
include "/etc/zebedee.key"

multiuse true
detached true
serverhost xxx.xxx.xxx.xxx
serverport 8001
ipmode udp
compression zlib:0
checksumlevel 0
maxbufsize 4100
#
tunnel 4569/udp:iax2.fwdnet.net:4569
reepicheep:/etc#

== server (Win2k box) ==

#
# Sample Zebedee server configuration file
#
# This shows the use of many, but not all, of the configuration file
# options available for use by a server.
#
# $Id: server.zbd,v 1.7 2003/09/17 08:06:36 ndwinton Exp $

verbosity 2     # Slightly more than basic messages

# Comment out the following line once you have read the comments
# in this file and enabled or disabled the appropriate options!

detached true
server true     # Yes, it's a server!
ipmode both     # Operate in mixed TCP/UDP mode

compression zlib:9      # Allow maximum zlib compression
keylength 256           # Allow keys up to 256 bits
keylifetime 36000       # Shared keys last 10 hours
#maxbufsize 16383       # Allow maximum possible buffer size
maxbufsize 8200

# Uncomment the following line to log messages to a local file.
#
logfile './server.log'
#
# Or to log to the system logging facility uncomment this:
#
#  logfile SYSLOG

keygenlevel 2   # Generate maximum strength private keys

checksumlevel 7     # Allow maximum strength checksums
minchecksumlevel 0  # Allow no checksums if client requests

# Uncomment the following line if you want to use a fixed private
# key stored in a static file. The file should contain a line of
# the form "privatekey hexadecimal-key-string". This file should
# be readable by the user running Zebedee but no-one else.
#
#  include './server.key'

# To validate the identity of clients use a line something like
# the following:
#
checkidfile './clients.id'

# The "redirect" expression can be used to set the default ports
# allowed when a target specification consists of a hostname but
# no other ports. The "redirect none" statement prohibits
# tunnelling anywhere by default.

#redirect none

# Set up allowed targets. Note that there are NO targets allowed
# by this file by default. You must explicitly edit it to enable
# them.

# The following are good for testing purposes. Either TCP or UDP
# are allowed.
#
#  target localhost:daytime,echo,chargen

# Basic interactive services, TCP only.
#
#  target localhost:telnet/tcp,ftp/tcp

# VNC traffic -- usually you will only need a subset of this
# range, perhaps 5900 or 5901.
#
#  target localhost:5900-5999/tcp

# X Window System -- again, usually you will only need
# a subset of this range.
#
#  target localhost:6000-6010/tcp

# Here is an example of specifying targets using a subnet. In
# this case allowing tunnels to be established to VNC servers
# on the 10.1.1.xx subnet.
#
#  target 10.1.1.0/24:5900/tcp

# The following line ensures that the default target host
# is the local machine. The last named host becomes the
# default, so leaving this here ensures that "localhost" is
# the default unless overridden on the command line.

serverport 8001			# We listen for incoming zebedee clients' TCP here

target iax2.fwdnet.net		# We accept these outgoing destination requests
target misery.digium.com
target iaxtel.com
target localhost

=========================

Peter Whisker
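As an added example (not code from this post or from Zebedee itself), a small Python parser for the "key value  # comment" config format shown above, a splitter for the tunnel spec form used in the client config, and a checker that flags the settings the server file's own comments describe as permissive (no "redirect" line, "minchecksumlevel 0", no "checkidfile"). The sample config is constructed and the checks are the reviewer's assumptions, not Zebedee defaults.

```python
import re

# Constructed sample in the style of the server config posted above; not a real deployment.
SAMPLE_SERVER_CONF = """\
keylength 256           # Allow keys up to 256 bits
checksumlevel 7         # Allow maximum strength checksums
minchecksumlevel 0      # Allow no checksums if client requests
checkidfile './clients.id'
#redirect none          # commented out, so the default redirect still applies
serverport 8001         # We listen for incoming zebedee clients' TCP here
target iax2.fwdnet.net
target localhost
"""

# Client tunnel spec of the form used in the post: localport[/proto]:host:targetport
TUNNEL_RE = re.compile(r"^(\d+)(?:/(tcp|udp))?:([^:]+):(\d+)$")

def parse_zbd(text):
    """Parse 'key value  # comment' lines; the repeatable 'target' key becomes a list."""
    settings = {"target": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, value = (line.split(None, 1) + [""])[:2]
        value = value.strip("'\"")               # checkidfile './clients.id'
        if key == "target":
            settings["target"].append(value)
        else:
            settings[key] = value
    return settings

def parse_tunnel(spec):
    """Return (local_port, protocol, target_host, target_port); protocol defaults to tcp."""
    m = TUNNEL_RE.match(spec)
    if not m:
        raise ValueError("bad tunnel spec: " + spec)
    return int(m.group(1)), m.group(2) or "tcp", m.group(3), int(m.group(4))

def audit_server(settings):
    """Flag permissive server settings; the checks are this reviewer's assumptions."""
    findings = []
    if "redirect" not in settings:
        findings.append("no 'redirect' line: port-less targets fall back to the default port list")
    if "checkidfile" not in settings:
        findings.append("no 'checkidfile': client identities are not validated")
    if int(settings.get("minchecksumlevel", "0")) == 0:
        findings.append("minchecksumlevel 0: a client may negotiate no integrity checksum")
    return findings
```

Run against the posted client config, the same checker would also show that "checksumlevel 0" on the client side is exactly what the server's "minchecksumlevel 0" permits, so the IAX traffic crosses the tunnel without integrity protection.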

-----Original Message-----
From: Steve Kann [mailto:stevek at stevek.com]
Sent: 19 October 2004 22:28
To: Asterisk Developers Mailing List
Subject: Re: [Asterisk-Dev] We can do better than Skype


Daniel Pocock wrote:

> I believe IAX is much closer to achieving this goal than SIP or H323, 
> but Skype's protocol is more successful at getting through firewalls 
> and NAT because of two things (which I openly admit I haven't verified 
> myself, so please correct me if I've been misinformed):
> - all connections go back through a Skype server with a real IP, even 
> if calling user to user
> - they can tunnel through HTTP proxies
>
> Maybe we need to look at the possibility of IAX over HTTP and IAX over 
> TCP?

It's actually much easier to do IAX over HTTP or IAX over TCP, with IAX, 
than it would be to do the same for SIP or H323 because of IAX's 
nat-friendliness.

I actually have a system that does this already, but it's not 
open-source.  I think that you could use a zebedee tunnel (which is 
open-source) with IAX relatively easily, and then you'd get IAX over TCP 
with encryption.  It's obviously not so good w.r.t. jitter, but it 
should work.


-SteveK
