[asterisk-dev] pjsip asterisk 13.24: sips / srtp and Deutsche Telekom doesn't work because of missing mediasec parameters

Michael Maier m1278468 at mailbox.org
Sun Feb 3 03:40:33 CST 2019


On 15.01.19 at 20:27 Joshua C. Colp wrote:
> 
> 
> On Tue, Jan 15, 2019, at 3:23 PM, Michael Maier wrote:
>> Hello!
>>
>> Deutsche Telekom introduced sips and srtp. I tested it and it works 
>> partly. Partly means: sips is working - but not srtp. srtp doesn't 
>> work, because of missing additional
>> headers in the REGISTER and INVITE packages (according to an enhancement 
>> of RFC 3329).
>>
>>
>> Example:
>>
>> UAC                                            Registrar
>> |                                               |
>> |----(1) REGISTER------------------------------>|
>> |        Security-Client: sdes-srtp;mediasec    |
>> |        Proxy-Require: mediasec                |
>> |        Require: mediasec                      |
>> |                                               |
>> |<---(2) 401------------------------------------|
>> |        Security-Server: msrp-tls;mediasec     |
>> |        Security-Server: sdes-srtp;mediasec    |
>> |        Security-Server: dtls-srtp;mediasec    |
>> |                                               |
>> |----(3) REGISTER(with Authorization Header)--->|
>> |        Security-Client: sdes-srtp;mediasec    |
>> |        Proxy-Require: mediasec                |
>> |        Require: mediasec                      |
>> |        Security-Verify: msrp-tls;mediasec     |
>> |        Security-Verify: sdes-srtp;mediasec    |
>> |        Security-Verify: dtls-srtp;mediasec    |
>> |                                               |
>> |<---(4) 200 OK---------------------------------|
>> |                                               |
>> |                                               |
>> |----(5) INVITE-------------------------------->|
>> |        Security-Verify: msrp-tls;mediasec     |
>> |        Security-Verify: sdes-srtp;mediasec    |
>> |        Security-Verify: dtls-srtp;mediasec    |
>> |        a=3ge2ae:requested                     |
>> |        a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:EpcgtOdT5qd...
>> |                                               |
>> |<---(8) 200 OK---------------------------------|
>> |        a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:lnfakjh2sd1..
>>
>>
>>
>> You can find a complete description here (English language):
>> https://www.telekom.de/hilfe/downloads/1tr114.pdf
>> The example can be found on page 115.
>>
>> They need those mediasec parameters because of their compatibility with 
>> the 3GPP standards
>> (http://www.qtc.jp/3GPP/Specs/33328-920.pdf) which would require an 
>> additional signaling of the media plane security.
>>
>>
>> Is this already implemented or did I miss something else?
> 
> This is not implemented and I know of no one working on such a thing.


If I wanted to try it myself - what would be the correct places to
implement it?

It shouldn't be that complicated, because it seems mostly to be done by
adding some additional headers during different states and checking for
them in the answers. The rest should be mostly the same as used for
existing SRTP.

In which function should the headers be added?
- for outgoing initial REGISTER?
- for outgoing REGISTER with authorization header?
- for outgoing INVITE?

To add an additional header, I found the function ast_sip_add_header.
Would this be the correct function to be used? Can I use this function
to add more than one header with the same header name?


Thanks,
Michael
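
Added example, not part of the original post and not Asterisk or pjsip code: steps (2) and (3) of the quoted diagram in plain C, collecting every Security-Server value from the 401 and echoing each one unchanged as Security-Verify in the authenticated REGISTER. The function names, buffer sizes and the sample 401 are assumptions made for this illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum { MAX_MECHS = 8, MECH_LEN = 64 };
/* Constructed sample of the 401 in step (2); not a captured message. */
static const char SAMPLE_401[] =
    "SIP/2.0 401 Unauthorized\r\n"
    "Security-Server: msrp-tls;mediasec\r\n"
    "security-server: sdes-srtp;mediasec\r\n"
    "Security-Server: dtls-srtp;mediasec\r\n\r\n";

/* Copy each Security-Server value (name is case-insensitive) into out[], in order. */
int collect_security_server(const char *msg, char out[][MECH_LEN], int max)
{
    static const char name[] = "Security-Server:";
    int n = 0;
    for (const char *line = msg, *eol = NULL;
         n < max && (eol = strstr(line, "\r\n")) != NULL; line = eol + 2) {
        if (eol == line) break;                    /* blank line ends the headers */
        if (strncasecmp(line, name, sizeof(name) - 1) != 0) continue;
        const char *v = line + sizeof(name) - 1;
        while (v < eol && (*v == ' ' || *v == '\t')) v++;
        size_t vlen = (size_t)(eol - v);
        if (vlen == 0 || vlen >= MECH_LEN) continue;
        memcpy(out[n], v, vlen);
        out[n++][vlen] = '\0';
    }
    return n;
}

/* Step (3) headers: client offer plus one unmodified Security-Verify per value; -1 if buf too small. */
int build_register_headers(const char *offer, char mechs[][MECH_LEN], int n, char *buf, size_t cap)
{
    int off = snprintf(buf, cap, "Security-Client: %s\r\nProxy-Require: mediasec\r\n"
                                 "Require: mediasec\r\n", offer);
    for (int i = 0; i < n && off >= 0 && (size_t)off < cap; i++) {
        int w = snprintf(buf + off, cap - (size_t)off, "Security-Verify: %s\r\n", mechs[i]);
        off = w < 0 ? -1 : off + w;
    }
    return (off < 0 || (size_t)off >= cap) ? -1 : off;
}

const char *demo_step3_headers(void)
{
    static char buf[512];                          /* result returned to the caller */
    char mechs[MAX_MECHS][MECH_LEN];
    int n = collect_security_server(SAMPLE_401, mechs, MAX_MECHS);
    return build_register_headers("sdes-srtp;mediasec", mechs, n, buf, sizeof(buf)) < 0 ? "" : buf;
}
int main(void) { fputs(demo_step3_headers(), stdout); return 0; }
```

The three Security-Verify lines come out as separate headers with the same name, which is the shape the diagram shows for steps (3) and (5).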


