[Asterisk-Security] SRTP vs IPSEC
Jeremy Jackson
jerj at coplanar.net
Wed Aug 10 16:15:01 CDT 2005
John Todd wrote:
> At 4:17 PM -0400 on 8/10/05, Jeremy Jackson wrote:
>>>>
>>>> /* KAME/libipsec: per-socket policy requiring ESP in transport mode for inbound traffic */
>>>> policy = "in ipsec esp/transport//require";
>>>> buf = ipsec_set_policy(policy, strlen(policy));   /* returns NULL on a bad policy string */
>>>> if (buf == NULL) { perror("ipsec_set_policy"); exit(1); }
>>>> /* IPPROTO_IP for an IPv4 socket (IPPROTO_IPV6 / IPV6_IPSEC_POLICY for IPv6) */
>>>> setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
>>>> free(buf);
>>>>
>
> SRTP is negotiated in the SDP, instead of at the network layer like
> IPSEC. Certain media streams to the same endpoint may or may not
> require encryption. This is only one reason of _many_ why IPSEC is not
> sufficient for SIP or media encryption on the Internet. Triggering
> encryption at the network layer is inadequate, and does not allow for
> easy communications between the application layer and the process that
> is enacting the encryption.
>
> That being said: IPSEC probably will work great in a VPN environment for
> encapsulating VoIP, but that's a different layer of the security model.
Does RTP use separate UDP ports per media stream? I'm inclined to think
it does; gnomemeeting/H323 video calls do. If that's generally true,
then code like the above can trigger encryption per stream, *inside* the
application(s).
What might be some of the other issues? There's a fair bit of work to
implement SRTP, so I'd like to be convinced it's necessary.
--
Jeremy Jackson
Coplanar Networks
W: (519)489-4903
C: (519)897-1516
http://www.coplanar.net
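The per-stream negotiation John describes (SRTP is signalled in the SDP, and streams to the same endpoint may differ) and the one-UDP-port-per-stream layout Jeremy asks about can both be seen in a small SDP walk. The following is an added Python example, not code from this thread or from Asterisk. It parses a constructed SDP offer, records the UDP port and transport profile of each `m=` line, and decides per stream whether SRTP keying (RFC 4568 `a=crypto`) is present and well-formed. The SDP text, the dummy base64 key and the function names `parse_sdp` / `stream_policies` are all assumptions made for the example.

```python
"""Per-stream SRTP decision from an SDP offer (added example, not from the thread)."""
import base64
import binascii
from dataclasses import dataclass, field
from typing import List, Optional

# Master key + master salt sizes in bytes for the SDES crypto-suites of RFC 4568.
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 16 + 14,
    "AES_CM_128_HMAC_SHA1_32": 16 + 14,
    "F8_128_HMAC_SHA1_80": 16 + 14,
}

# Constructed sample offer: three streams, each on its own UDP port.
# Stream 1: secure profile with a (dummy, all-digits) 30-byte key -> SRTP.
# Stream 2: plain RTP/AVP video -> no encryption negotiated for this stream.
# Stream 3: secure profile but no a=crypto line -> nothing to key with.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTIzNDU2Nzg5
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/AVP 31
a=rtpmap:31 H261/90000
m=audio 53000 RTP/SAVP 0
a=rtpmap:0 PCMU/8000
"""


@dataclass
class CryptoAttr:
    tag: int
    suite: str
    key_ok: bool  # known suite and a key of exactly the expected length


@dataclass
class MediaStream:
    kind: str
    port: int
    proto: str
    crypto: List[CryptoAttr] = field(default_factory=list)

    def policy(self) -> str:
        """Return 'srtp', 'rtp' or 'reject' for this one stream."""
        secure = self.proto.upper() in ("RTP/SAVP", "RTP/SAVPF")
        usable = [c for c in self.crypto if c.key_ok]
        if secure and usable:
            return "srtp"
        if not secure and not self.crypto:
            return "rtp"
        # Secure profile without usable keying, or keys offered on a plain
        # profile: fail closed instead of silently running unencrypted.
        return "reject"


def _parse_crypto(value: str) -> CryptoAttr:
    """Parse the text after 'a=crypto:': '<tag> <suite> inline:<b64>[|...][;...]'."""
    parts = value.split()
    tag, suite = int(parts[0]), parts[1]
    key_params = parts[2] if len(parts) > 2 else ""
    expected = SUITE_KEY_LEN.get(suite)
    key_ok = False
    for kp in key_params.split(";"):
        if not kp.startswith("inline:"):
            continue
        b64 = kp[len("inline:"):].split("|")[0]  # drop lifetime / MKI fields
        try:
            raw = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            continue
        if expected is not None and len(raw) == expected:
            key_ok = True
    return CryptoAttr(tag, suite, key_ok)


def parse_sdp(sdp: str) -> List[MediaStream]:
    """Collect every m= section with its port, profile and crypto attributes."""
    streams: List[MediaStream] = []
    current: Optional[MediaStream] = None
    for line in sdp.splitlines():
        line = line.strip()
        if len(line) < 2 or line[1] != "=":
            continue
        typ, value = line[0], line[2:]
        if typ == "m":
            fields = value.split()
            # 'm=<media> <port>[/<count>] <proto> <fmt...>'
            current = MediaStream(fields[0], int(fields[1].split("/")[0]), fields[2])
            streams.append(current)
        elif typ == "a" and current is not None and value.startswith("crypto:"):
            current.crypto.append(_parse_crypto(value[len("crypto:"):]))
    return streams


def stream_policies(sdp: str):
    """(kind, udp port, profile, decision) for each stream in the offer."""
    return [(s.kind, s.port, s.proto, s.policy()) for s in parse_sdp(sdp)]


if __name__ == "__main__":
    for kind, port, proto, decision in stream_policies(SAMPLE_SDP):
        print(f"{kind:5s} udp/{port:<5d} {proto:9s} -> {decision}")
```

Each `m=` line carries its own UDP port, which is exactly the granularity a per-socket IPsec policy would key on; but the decision of *whether* a given stream is encrypted, and with what key, lives in the signalling, so the application has to read it from the SDP either way. The third stream shows the failure mode worth handling: a secure profile with no usable keying material is rejected rather than quietly demoted to plain RTP.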