[asterisk-dev] VoIP Encryption
Daniel Pocock
daniel at readytechnology.co.uk
Sat Mar 11 07:14:36 MST 2006
Tzafrir Cohen wrote:
>On Sat, Mar 11, 2006 at 10:09:45AM +0000, Daniel Pocock wrote:
>
>>- Firewalls - your iptables configuration (if you are using it) will
>>need to be tweaked, particularly for making connections to the machine
>>that the VPN is running from.
>
>OpenVPN and similar tunnels will need less tweaks than ipsec-based
>tools, BTW

I must confess, `tweak' may be an understatement in some cases.
However, IPsec with Openswan does give you the benefit of doing neat
stuff like `Opportunistic Encryption'. This means that (after extensive
tweaking), any two peers can (in theory) discover each other's public
keys through DNS and start exchanging encrypted packets. I must confess
I haven't yet tried this feature, but it looks neat and could
potentially work quite well with technologies like ENUM, allowing a true
distributed, secure phone system, with better privacy than you get from
any traditional telco. Has anyone tried this, and does it set up the
tunnel quickly enough before the SIP peer gives up sending INVITE?

Incidentally, when you make your phone call over a regular telco, it's
quite possible that the call could go through several TDM switches
before it reaches its destination, and that means several places where
an engineer, if inclined to do so, could monitor the call. It's just as
easy for this to happen in the TDM world as in an ISP. However, the
benefit of VoIP is that we can choose to mix'n'match encryption
products, whereas with TDM/regular telephony, you don't have as many
choices.
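
An added example, not part of the original post: the question above about the tunnel coming up before the SIP peer gives up can be bounded with the RFC 3261 INVITE client transaction timers for UDP (T1 = 0.5 s, Timer A doubling, Timer B = 64*T1). The function names and the assumption that packets sent before the tunnel is ready are dropped rather than queued are illustrative; real SIP stacks may use different timer values.

```python
# Added example: how long a UDP INVITE transaction waits, per RFC 3261
# section 17.1.1.2, and which retransmission first crosses a tunnel that
# takes `tunnel_ready_at` seconds to establish.

T1 = 0.5  # RFC 3261 default round-trip estimate, in seconds


def invite_send_times(t1=T1):
    """Return (send_times, timer_b) for an INVITE sent over UDP.

    Timer A starts at T1 and doubles after every retransmission.
    Timer B (64*T1) fires when the transaction gives up.
    """
    timer_b = 64 * t1
    times, t, interval = [], 0.0, t1
    while t < timer_b:
        times.append(t)
        t += interval
        interval *= 2
    return times, timer_b


def first_invite_through(tunnel_ready_at, rtt=0.0, t1=T1):
    """Return (attempt_number, send_time) of the first INVITE that can be
    answered before Timer B, or None if the transaction times out.

    Assumption: anything sent before `tunnel_ready_at` is dropped, and a
    response needs `rtt` seconds to come back after the INVITE is sent.
    """
    times, timer_b = invite_send_times(t1)
    for attempt, sent in enumerate(times, start=1):
        if sent >= tunnel_ready_at and sent + rtt < timer_b:
            return attempt, sent
    return None


if __name__ == "__main__":
    times, timer_b = invite_send_times()
    print("INVITE sent at (s):", times, "- gives up at", timer_b)
    for setup in (0.0, 2.0, 10.0, 31.6):  # constructed tunnel setup delays
        print(f"tunnel ready at {setup:>4}s ->", first_invite_through(setup, rtt=0.1))
```

With the default timers the caller has a 32 second window, but the doubling interval means a tunnel that comes up just after one retransmission can add several seconds of post-dial delay before the next INVITE is sent.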