[asterisk-dev] What's a secure call? / Separate RTP module.
Olle E Johansson
olle at voop.com
Wed Jul 4 03:03:32 CDT 2007
On 3 Jul 2007, at 21:45, Matthew Rubenstein wrote:
> On Tue, 2007-07-03 at 12:00 -0500,
> asterisk-dev-request at lists.digium.com wrote:
>> Date: Tue, 3 Jul 2007 11:05:19 +0200
>> From: Olle E Johansson <olle at voop.com>
>> Subject: [asterisk-dev] What's a secure call?
>> To: Asterisk Mailing List Developers <asterisk-dev at lists.digium.com>
>> Message-ID: <4CF6A332-54D2-4596-9235-54F1A09944B9 at voop.com>
>> Content-Type: text/plain; charset=US-ASCII; delsp=yes; format=flowed
>>
>> To open a can of worms... :-)
>>
>> I'm involved in Phil Zimmermann's efforts to integrate ZRTP into
>> Asterisk. At the same time we have code for SRTP that needs to be
>> integrated.
>>
>> This means that we will add the concept of a "secure call" in
>> Asterisk. At some point, I want to be able to build dialplans
>> where I can manage security requirements on channels, like "this
>> conference is protected and requires a secure channel".
>
>
>> Can we simplify this and make it configurable? Do we want to?
>>
>> Can we implement the notion of a "trusted" PBX that we allow being in
>> the middle and "untrusted" PBXs that we want to avoid or that change
>> the security property of a call?
>>
>> As I said to Phil: "A PBX is designed to be a man-in-the-middle
>> attack."
>>
>> There's certainly room for discussion, brainstorming and wild ideas
>> here.
>
> The main change we could use would be *factoring out* the Asterisk RTP
> "stack" from all its code paths throughout Asterisk. Then we could use
> any existing RTP server, including ones supporting SRTP. I already have
> a customized RTP server, and many other installations do, too. A
> standard interface would let us use "best of breed", where "best" is the
> right server for our specific requirements.
>
> A standalone RTP server would also make the upgrade project more
> manageable. And derive not just code, but probably also expertise from
> existing RTP projects.
Interesting thought, but a bit off-topic from the general "secure
call" discussion :-)
Yes, at some point the RTP stack needs to be a module, not something
embedded into the Asterisk core. Patches are welcome!
/O