[Asterisk-Security] SRTP vs IPSEC
John Todd
jtodd at loligo.com
Tue Aug 23 12:50:38 CDT 2005

At 3:05 PM +0800 on 8/22/05, Enzo Michelangeli wrote:
>Jeremy Jackson jerj at coplanar.net
>Wed Aug 10 16:15:01 CDT 2005
>[...]
>> Does RTP use separate UDP ports per media stream? I'm inclined to think
>> it does; gnomemeeting/H323 video calls do. If that's generally true,
>> then code like the above can trigger encryption per stream, *inside* the
>> application(s).
>>
>> What might be some of the other issues? There's a fair bit of work to
>> implement SRTP, so I'd like to be convinced it's necessary.
>
>There is a well documented GPL'd implementation of SRTP available from
>http://srtp.sourceforge.net/srtp.html . Integration with Asterisk
>shouldn't be hard; as usual, the hardest issue is key management.
>Solutions based on a shared secret may work between mutually-authenticated
>nodes; in other cases, a relatively simple way out is to use SIPS (SIP
>over TLS) to pass a randomly-generated session key in cleartext, but
>protected by the TLS layer. Unfortunately, I believe that, at this stage,
>Asterisk doesn't support SIPS (and not even SIP over TCP).
>
>Enzo

I've seen this also, and it looks like a very promising start. As
you indicate, key management is an issue, but I think that will get
sorted out in time.

I disagree that key management is the "hardest" issue. I think the
hardest issue is that this version of SRTP is GPL, which makes it
difficult to integrate into Asterisk.

JT