[asterisk-dev] SRTP Status and Plans for Asterisk 1.6.x

Raj Jain rj2807 at gmail.com
Tue Nov 11 02:35:54 CST 2008


On Sun, Nov 9, 2008 at 4:18 PM, Johansson Olle E <oej at edvina.net> wrote:
>
> 9 nov 2008 kl. 17.47 skrev John Todd:
>
>> Now that SIP/TLS is in place,
>
> http://www.asterisk.org/doxygen/trunk/sip_tcp_tls.html
>
> To say that SIP/TLS is in place is very much premature, John. Doesn't
> mean that we should wait much more with SRTP, but there is a lot of
> work to be done before anyone can say that either TCP or TLS is in
> place. The code is there, the functionality is missing.

I don't think it is fair to say that Asterisk's SIP TCP/TLS
implementation is "very premature" (I've read the emails sent after
the SIPit trip but I was waiting for a trip report before responding;
so I'm responding after reading what I assume to be a trip report at
http://www.asterisk.org/doxygen/trunk/sip_tcp_tls.html).

I personally have tested Asterisk's SIP/TCP/TLS against a variety of
SIP trunk implementations and have found no problems in that area, to
be honest. Issues such as "transport=tls" versus "sips" are issues
with the SIP protocol design itself and should not be attributed
to Asterisk. Also, honoring NAPTR/SRC are choices that SIP UA
implementations make (these are not mandatory). I'd admit that there
is at least one problem that I discovered when you're dealing w/ a
SIP/TCP user/peer (bug id # 0122822) that I found, but I think that's
a minor issue at this point because we're mostly concerned about SIP
trunking. Most of the problems reported at
http://www.asterisk.org/doxygen/trunk/sip_tcp_tls.html seem like a
wish-list to me.

Furthermore, I think concepts such as sip-connect-reuse and
sip-outbound are still at infancy in this stage. As far as I can tell
(and also according to SIPit reports) nobody has implemented these at
this stage, so I don't think it's fair to blame Asterisk for not
supporting these.

Also, a comment to John Todd's point about secure key exchange for
SRTP -- pls. look at DTLS-SRTP.

--
Raj Jain


