[asterisk-dev] What's a secure call?

Matthew Rubenstein email at mattruby.com
Tue Jul 3 14:45:36 CDT 2007


On Tue, 2007-07-03 at 12:00 -0500, asterisk-dev-request at lists.digium.com
wrote:
> Date: Tue, 3 Jul 2007 11:05:19 +0200
> From: Olle E Johansson <olle at voop.com>
> Subject: [asterisk-dev] What's a secure call?
> To: Asterisk Mailing List Developers <asterisk-dev at lists.digium.com>
> Message-ID: <4CF6A332-54D2-4596-9235-54F1A09944B9 at voop.com>
> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
> 
> To open a can of worms... :-)
> 
> I'm involved in Phil Zimmerman's efforts to integrate Zrtp into
> Asterisk. At the same time we have code for SRTP that needs to be
> integrated.
> 
> This means that we will add the concept of a "secure call" in
> Asterisk. At some point, I want to be able to build dialplans
> where I can manager security requirements on channels, like "this
> conference is protected and requires a secure channel".


> Can we simplify this and make it configurable? Do we want to?
> 
> Can we implement the notion of a "trusted" PBX that we allow being in
> the middle and "untrusted" PBXs that we want to avoid or that changes
> the security property of a call.
> 
> As I said to Phil: "A PBX is designed to be a man-in-the-middle
> attack."
> 
> There's certainly room for discussion, brainstorming and wild ideas
> here.

	The main change we could use would be *factoring out* the Asterisk RTP
"stack" from all its code paths throughout Asterisk. Then we could use
any existing RTP server, including ones supporting SRTP. I already have
a customized RTP server, and many other installations do, too. A
standard interface would let us use "best of breed", where "best" is the
right server for our specific requirements.

	A standalone RTP server would also make the upgrade project more
manageable. And derive not just code, but probably also expertise from
existing RTP projects.


> /O




More information about the asterisk-dev mailing list