[asterisk-dev] [Code Review] DTLS-SRTP Support

Matt Jordan reviewboard at asterisk.org
Wed Sep 19 11:26:53 CDT 2012


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviewboard.asterisk.org/r/2113/#review7089
-----------------------------------------------------------


We're proposing that this patch get committed to Asterisk 11 for inclusion in Asterisk 11.0.0-beta2.
 
This is an exception to our feature freeze policy for new major releases, wherein new features should be submitted for code review by the third Wednesday of July.  We don't make this decision lightly, but there are a few reasons why we feel, in this case, that this patch warrants such an exclusion.
 
We started development for DTLS-SRTP earlier this year.  Due to its relatively low adoption rate by SIP endpoints, when we started development we were not entirely sure what the end result would be.  As we developed it, we determined that the feature would need some significant system-level testing, both for its own functionality and to ensure that the presence of DTLS-SRTP negotiation did not impact unencrypted RTP or SDES-SRTP.  Unfortunately, this occurred at the same time as the community-developed features were being submitted, near the end of the Asterisk 11 feature development cycle.  Rather than impact getting those features committed, we made the decision to focus our efforts on getting those features in for Asterisk 11 beta1 and put DTLS-SRTP on hold.

Once Asterisk 11.0.0-beta1 was released, we went back to polishing the development of DTLS-SRTP and cranked up the system testing efforts.  This included:
* Testing SDES-SRTP calls in the presence of DTLS-SRTP calls
* Testing unencrypted calls in the presence of DTLS-SRTP calls
* Testing DTLS-SRTP in a variety of complex call scenarios, including calls of long duration
* Testing off-nominal scenarios, e.g., bad keys, bad configurations, etc.

In all scenarios, not only did DTLS-SRTP continue to function as we'd like, but other Asterisk operations were unaffected by the presence of the feature.
 
So why do we think it's important to release DTLS-SRTP in Asterisk 11?

Asterisk 11 is the first Asterisk release that has added support for WebRTC, through the inclusion of SIP over WebSockets and ICE/STUN/TURN support.  We feel it's extremely important that Asterisk moves as much as possible towards becoming a WebRTC-capable endpoint; the benefits that WebRTC may provide cannot be overstated.  In fact, Joshua Colp recently came back from IIT, and while at the conference, it became clear that a number of enterprises are moving rapidly towards compliance with the various WebRTC standards.  Having an open source WebRTC-capable endpoint available as early as possible benefits not only the Asterisk and VoIP communities, but the entire community of developers who work in web-based applications.

It is looking increasingly like DTLS-SRTP will be the preferred transport for RTP.  Having DTLS-SRTP available in Asterisk 11 brings Asterisk closer to being a fully capable WebRTC endpoint much sooner than waiting for the next major release.
 
Note that if Asterisk 11 were fully released and not still in beta, we would probably not have arrived at this conclusion.  We still feel that new features in release branches typically run a greater risk of negatively impacting the end user experience than what can be used to justify their inclusion.  In this case, since Asterisk 11 is in beta; since significant testing efforts have been performed that have shown that the presence of DTLS-SRTP has not changed the functionality of unencrypted RTP or SDES-SRTP; and since the benefits provided by DTLS-SRTP will be immensely useful for WebRTC, we feel this is a worthwhile addition to Asterisk 11 that justifies its late inclusion.


- Matt


On Sept. 14, 2012, 11:43 a.m., Joshua Colp wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviewboard.asterisk.org/r/2113/
> -----------------------------------------------------------
> 
> (Updated Sept. 14, 2012, 11:43 a.m.)
> 
> 
> Review request for Asterisk Developers.
> 
> 
> Summary
> -------
> 
> WebRTC has migrated to using DTLS-SRTP as the method for securing media streams. This patch adds support for it using OpenSSL. DTLS is used between both sides with the keying material for SRTP extracted from that negotiation.
> 
> 
> Diffs
> -----
> 
>   /configure UNKNOWN 
>   /trunk/channels/chan_sip.c 373058 
>   /trunk/channels/sip/include/sip.h 373058 
>   /trunk/configs/sip.conf.sample 373058 
>   /trunk/configure.ac 373058 
>   /trunk/include/asterisk/autoconfig.h.in 373058 
>   /trunk/include/asterisk/rtp_engine.h 373058 
>   /trunk/main/rtp_engine.c 373058 
>   /trunk/res/res_rtp_asterisk.c 373058 
> 
> Diff: https://reviewboard.asterisk.org/r/2113/diff
> 
> 
> Testing
> -------
> 
> Tested various configurations between two Asterisk instances. Rekeying, verification, etc. all appear to work. Unfortunately there are very few DTLS-SRTP implementations in the wild so testing against another implementation has not yet occurred.
> 
> 
> Thanks,
> 
> Joshua
> 
>
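An added illustration, written for this archive page and not taken from the review or from the Asterisk patch, of two checks that sit behind the "verification" and "keying material extracted from that negotiation" the summary describes: matching the SDP a=fingerprint attribute against the certificate the peer presents in the DTLS handshake (RFC 4572 and RFC 5763), and splitting the output of the TLS keying-material exporter, label "EXTRACTOR-dtls_srtp", into the SRTP master keys and salts in the order RFC 5764 section 4.2 specifies. The exporter call itself (OpenSSL's SSL_export_keying_material) needs a live DTLS session and is not shown; the certificate bytes and the 60-byte exporter output below are constructed placeholders, and all function names are this example's own.

```python
"""Two DTLS-SRTP checks, shown as a stand-alone illustration (not Asterisk code).

1. The SDP a=fingerprint attribute must match the hash of the certificate the
   peer presents in the DTLS handshake; otherwise the media path is not bound
   to the signalled call.
2. After the handshake, the SRTP master keys and salts come from the TLS
   keying-material exporter (label "EXTRACTOR-dtls_srtp", no context), laid
   out as client key, server key, client salt, server salt (RFC 5764 4.2).
"""
import hashlib
import hmac

# Exporter label from RFC 5764; the exporter is invoked with no context value.
DTLS_SRTP_EXPORTER_LABEL = b"EXTRACTOR-dtls_srtp"

# Master key and master salt lengths in bytes for the RFC 5764 profiles.
SRTP_PROFILES = {
    "SRTP_AES128_CM_HMAC_SHA1_80": (16, 14),
    "SRTP_AES128_CM_HMAC_SHA1_32": (16, 14),
}

# Hash names as written in SDP, mapped to hashlib names.
FINGERPRINT_HASHES = {
    "sha-1": "sha1",
    "sha-256": "sha256",
    "sha-384": "sha384",
    "sha-512": "sha512",
}


def sdp_fingerprint(cert_der: bytes, hash_name: str = "sha-256") -> str:
    """Return the a=fingerprint value for a DER-encoded certificate:
    colon-separated, upper-case hex of the digest over the DER bytes."""
    digest = hashlib.new(FINGERPRINT_HASHES[hash_name.lower()], cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def fingerprint_matches(sdp_line: str, cert_der: bytes) -> bool:
    """Check one 'a=fingerprint:<hash> <hex>' SDP line against the certificate
    received in the DTLS handshake. Malformed lines, unknown hash names and
    non-ASCII values are rejected rather than accepted by default."""
    attr, sep, rest = sdp_line.strip().partition(":")
    if attr != "a=fingerprint" or not sep:
        return False
    hash_name, _, value = rest.strip().partition(" ")
    value = value.strip()
    if hash_name.lower() not in FINGERPRINT_HASHES or not value.isascii():
        return False
    expected = sdp_fingerprint(cert_der, hash_name)
    # Constant-time comparison; SDP producers may write the hex in lower case.
    return hmac.compare_digest(expected, value.upper())


def split_srtp_keying_material(exported: bytes, profile: str) -> dict:
    """Split exporter output into the four SRTP parameters of RFC 5764 4.2.
    `exported` is what the TLS exporter returned for DTLS_SRTP_EXPORTER_LABEL
    with a requested length of 2 * (key_len + salt_len)."""
    key_len, salt_len = SRTP_PROFILES[profile]
    needed = 2 * (key_len + salt_len)
    if len(exported) != needed:
        raise ValueError(f"expected {needed} bytes of keying material, got {len(exported)}")
    client_key = exported[0:key_len]
    server_key = exported[key_len:2 * key_len]
    client_salt = exported[2 * key_len:2 * key_len + salt_len]
    server_salt = exported[2 * key_len + salt_len:needed]
    # The DTLS client protects its outgoing SRTP with client_write and the DTLS
    # server with server_write; each side uses the other set to unprotect.
    return {
        "client_write": (client_key, client_salt),
        "server_write": (server_key, server_salt),
    }


if __name__ == "__main__":
    # Constructed placeholder: real code hashes the peer's actual DER certificate.
    fake_cert_der = b"CONSTRUCTED PLACEHOLDER, NOT A REAL DER CERTIFICATE"
    line = "a=fingerprint:sha-256 " + sdp_fingerprint(fake_cert_der).lower()
    print("fingerprint ok:", fingerprint_matches(line, fake_cert_der))
    # Constructed placeholder standing in for 60 bytes of exporter output.
    fake_exported = bytes(range(60))
    keys = split_srtp_keying_material(fake_exported, "SRTP_AES128_CM_HMAC_SHA1_80")
    print("client key/salt lengths:", [len(x) for x in keys["client_write"]])
```

The fingerprint check is the step that ties the DTLS handshake to the signalling path: a handshake whose certificate does not hash to the signalled value should be torn down, not tolerated, since the SRTP keys would then belong to whoever answered on the media path rather than the party that sent the SDP.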
