[asterisk-dev] SRTP and forcing encrypted calls

Olle E. Johansson oej at edvina.net
Wed Feb 10 14:29:49 CST 2010


I wonder if we should try to raise ourselves a bit above various channel specifics.

If we have an inbound call, we can have or require a combination of
 - secure signalling
 - secure caller ID (identity)
 - secure media
 - secure IM

For setting up an outbound call leg, we can demand the same. Maybe this is a requirement on the bridge that will be set up.

 - secure signalling
 - secure callee ID
 - secure media
 - secure IM

We also need to be able to have a property on the bridge  - like the meetme. 

 - "I don't want anyone to participate in the bridge without secure media"

Of course, I've forgotten something here. Please add.

All of this doesn't work on all involved channels, but we can at least try to find out a generic multiprotocol way of handling security. 

Also, we need to come up with answers to these kinds of situations:

 - inbound call with SRTP
 - outbound call to forking SIP proxy
   - 183 with RTP from one server
   - 200 OK with SRTP

Should we play the early media if we have a security requirement?

 - incoming call with TLS/SRTP - security requirement for outbound call
 - 200 OK with SRTP
 - REFER to non-SRTP device 

- should we deny transfer?

 - outbound call without security requirement
 - 200 OK with one offer RTP and an alternative with SRTP in the same SDP

  Polycoms do this if configured that way. What do we choose? (if we could parse the SDP correctly :-) )

 - outbound call with security requirement
 - 200 OK with SRTP for audio, but RTP for video and text

  - Do we accept non-secured media streams? Or reject the call?

I don't think this is an SRTP issue, it's a more complex and generic Asterisk issue ;-)

/O
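
The mixed-stream and alternative-offer cases raised in the message above, as an added example that is not part of the original post and is not Asterisk code. It assumes SDES keying (`a=crypto`), treats several `m=` lines of the same media type as alternatives, and uses a hypothetical `require_secure_media` flag; the SDP bodies are constructed.

```python
# Added example, not Asterisk code. SDP samples are constructed; policy is an assumption.
SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}

def parse_streams(sdp):
    """One dict per m= line. Malformed m= lines raise ValueError (fail closed)."""
    streams = []
    for raw in sdp.splitlines():
        line = raw.strip()
        if line.startswith("m="):
            media, port, profile = line[2:].split()[:3]
            streams.append({"type": media, "port": int(port.split("/")[0]),
                            "profile": profile.upper(), "crypto": False})
        elif line.startswith("a=crypto:") and streams:
            streams[-1]["crypto"] = True  # a=crypto is media-level only (RFC 4568)
    return streams

def is_secure(stream):
    # An SRTP profile without a=crypto carries no SDES key, so it does not count.
    return stream["profile"] in SECURE_PROFILES and stream["crypto"]

def evaluate(sdp, require_secure_media):
    """Return (decision, {media type: chosen profile}, insecure media types)."""
    chosen = {}
    for s in parse_streams(sdp):
        if s["port"] == 0:
            continue  # port 0 means the stream was declined (RFC 3264)
        best = chosen.get(s["type"])
        # Assumption: same-type m= lines are alternatives; prefer the secure one.
        if best is None or (is_secure(s) and not is_secure(best)):
            chosen[s["type"]] = s
    insecure = sorted(t for t, s in chosen.items() if not is_secure(s))
    if not chosen or (require_secure_media and insecure):
        return "reject", {}, insecure
    return "accept", {t: s["profile"] for t, s in chosen.items()}, insecure

# Constructed SDP bodies (documentation addresses, placeholder key material).
HDR = "v=0\no=- 1 1 IN IP4 192.0.2.10\ns=-\nc=IN IP4 192.0.2.10\nt=0 0\n"
KEY = "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:CONSTRUCTED-PLACEHOLDER\n"
MIXED = (HDR + "m=audio 40000 RTP/SAVP 0\n" + KEY
         + "m=video 40002 RTP/AVP 34\nm=text 40004 RTP/AVP 98\n")
ALTERNATIVES = HDR + "m=audio 40000 RTP/AVP 0\nm=audio 40002 RTP/SAVP 0\n" + KEY

if __name__ == "__main__":
    for name, sdp in (("mixed", MIXED), ("alternatives", ALTERNATIVES)):
        for required in (True, False):
            print(name, "secure media required:", required, evaluate(sdp, required))
```

Under this policy the SRTP-audio/RTP-video answer is rejected as a whole when secure media is required; dropping only the unsecured streams instead would be a different policy choice.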




