[Asterisk-Security] SRTP vs IPSEC
John Todd
jtodd at loligo.com
Wed Aug 10 15:33:24 CDT 2005
At 4:17 PM -0400 on 8/10/05, Jeremy Jackson wrote:
>Olle E. Johansson wrote:
>>Jeremy Jackson wrote:
>>
>>>I've been playing with racooon/Linux IPSEC, and it seems quite simple to
>>>enable security on a per-socket basis:
>>>
>>> policy = "in ipsec esp/transport//require";
>>> buf = ipsec_set_policy(policy, strlen(policy));
>>> setsockopt(so, level, IP_IPSEC_POLICY, buf,ipsec_get_policylen(buf))
>>>
>>>I see there is also work being done on SRTP. It seems like SRTP would
>>>duplicate efforts, but maybe there are performance reasons that SRTP
>>>would be better?
>>>
>>>Comments?
>>
>>SRTP can be setup on a per-call basis.
>
>This may be my inexperience with per-socket IPSEC policy, but I
>believe that translates to being on a per-call basis as well.
>
>--
>Jeremy Jackson
>Coplanar Networks
>W: (519)489-4903
>C: (519)897-1516
>http://www.coplanar.net
SRTP is negotiated in the SDP, instead of at the network layer like
IPSEC. Certain media streams to the same endpoint may or may not
require encryption. This is only one reason of _many_ why IPSEC is
not sufficient for SIP or media encryption on the Internet.
Triggering encryption at the network layer is inadequate, and does
not allow for easy communications between the application layer and
the process that is enacting the encryption.
That being said: IPSEC probably will work great in a VPN environment
for encapsulating VoIP, but that's a different layer of the security
model.
JT
More information about the Asterisk-Security
mailing list