[Asterisk-Security] SRTP vs IPSEC

John Todd jtodd at loligo.com
Wed Aug 10 15:33:24 CDT 2005


At 4:17 PM -0400 on 8/10/05, Jeremy Jackson wrote:
>Olle E. Johansson wrote:
>>Jeremy Jackson wrote:
>>
>>>I've been playing with racoon/Linux IPSEC, and it seems quite simple to
>>>enable security on a per-socket basis:
>>>
>>>    policy = "in ipsec esp/transport//require";
>>>    buf = ipsec_set_policy(policy, strlen(policy));
>>>    setsockopt(so, level, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
>>>
>>>I see there is also work being done on SRTP. It seems like SRTP would
>>>duplicate efforts, but maybe there are performance reasons that SRTP
>>>would be better?
>>>
>>>Comments?
>>
>>SRTP can be set up on a per-call basis.
>
>This may be my inexperience with per-socket IPSEC policy, but I
>believe that translates to being on a per-call basis as well.
>
>--
>Jeremy Jackson
>Coplanar Networks
>W: (519)489-4903
>C: (519)897-1516
>http://www.coplanar.net

SRTP is negotiated in the SDP, instead of at the network layer like
IPSEC.  Certain media streams to the same endpoint may or may not
require encryption.  This is only one reason of _many_ why IPSEC is
not sufficient for SIP or media encryption on the Internet.
Triggering encryption at the network layer is inadequate, and does
not allow for easy communications between the application layer and
the process that is enacting the encryption.

That being said: IPSEC probably will work great in a VPN environment
for encapsulating VoIP, but that's a different layer of the security
model.

JT
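The per-stream granularity John describes (SRTP keying carried in the SDP, so one media line to an endpoint can be protected while another is not) is easiest to see in an actual offer. The following is an added example, not code from this thread or from Asterisk: a constructed SDP offer with an SRTP audio stream, a cleartext video stream, and a text stream that asks for RTP/SAVP without supplying any keying, plus a small checker that reports the security status of each m= section. The `a=crypto` attribute format follows RFC 4568 (sdescriptions); the key material in the sample is illustrative only.

```python
"""Inspect an SDP offer and report, per media stream, whether SRTP keying
(RTP/SAVP transport plus an a=crypto attribute, RFC 4568) is requested.
Added example for the thread above; the SDP is constructed, not captured."""

import re

# Constructed SDP offer: audio over SRTP, video in the clear, and a text
# stream that names a secure transport but carries no crypto attribute.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/AVP 31
a=rtpmap:31 H261/90000
m=text 52000 RTP/SAVP 98
a=rtpmap:98 t140/1000
"""

# a=crypto:<tag> <crypto-suite> <key-params> [session-params]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+(\S+)")

# Transports that signal SRTP (with or without RTCP feedback).
SECURE_TRANSPORTS = ("RTP/SAVP", "RTP/SAVPF")


def parse_media_security(sdp):
    """Return one dict per m= section: media type, port, transport, the
    crypto suites offered, and a verdict. Attributes before the first m=
    line are session-level and ignored, since sdescriptions keying is only
    meaningful at media level."""
    streams = []
    current = None
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            current = {
                "media": fields[0],
                "port": int(fields[1]),
                "transport": fields[2],
                "suites": [],
            }
            streams.append(current)
        elif current is not None:
            match = CRYPTO_RE.match(line)
            if match:
                current["suites"].append(match.group(2))

    for stream in streams:
        secure_transport = stream["transport"] in SECURE_TRANSPORTS
        if secure_transport and stream["suites"]:
            stream["verdict"] = "srtp"
        elif secure_transport:
            # Offer claims SRTP but gives the peer nothing to key with.
            stream["verdict"] = "srtp-missing-keying"
        else:
            stream["verdict"] = "cleartext"
    return streams


def cleartext_streams(sdp):
    """Media types in the offer that would flow unencrypted on the wire."""
    return [s["media"] for s in parse_media_security(sdp)
            if s["verdict"] == "cleartext"]


if __name__ == "__main__":
    for stream in parse_media_security(SAMPLE_SDP):
        print(f'{stream["media"]:<6} port {stream["port"]:<6} '
              f'{stream["transport"]:<10} {stream["verdict"]}')
```

The point the checker makes is that the decision is visible in the signalling itself: a B2BUA or SBC can read the offer and accept, reject or rewrite each stream's protection independently. A per-socket IPsec policy protects whatever traffic happens to leave that socket and is invisible to the SIP layer, which is the disconnect between application and network layer that the message above calls out.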
