[Asterisk-Users] Encryption at RTP level (was: Zultys SIP phone)

John Todd jtodd at loligo.com
Sun Apr 6 12:34:35 MST 2003


I agree.  However, security is always a tradeoff, and there are some 
users who would be willing to make that tradeoff.  For example, if I 
was on the road and carried one of these phones with me, I'd be 
willing to turn on secure RTP for those calls, but not for my LAN 
calls, and I'd deal with the latency issues in exchange for the 
security.  On the server side, Moore's law is taking care of pushing 
that latency down as time progresses.

Plus, there are a lot of places that value security much more highly 
than the normal user, and despite their use of encrypted tunnels, 
rightly require that applications are encrypted end-to-end at the 
application layer.  I completely agree with this methodology. 
Firewalls and VPNs are for the protection of weak applications 
created by vendors who are slow and stupid (Asterisk is neither.) 
Don't let the crutch of external encryption limit the use of robust 
application encryption - the market will solve those problems quickly 
enough (faster processors, better encryption hashes, etc.)

I've tried suggesting Asterisk to a few people in the banking/finance 
industry, and they won't touch it with a ten-foot pole unless the RTP 
sessions are encrypted end to end.  Strangely (or not strangely) they 
don't care so much about the header information, and they were really 
jazzed about the Open Source idea.  But security is job #1 for those 
folks, and I couldn't make a case that Asterisk could solve their 
problems.  As many of you know, though, security is often loudly 
touted but poorly implemented, so maybe the claim of "absolute 
security is required" is simply a distraction to hide some other 
issue with which they were concerned...

JT


>The RTP encryption is going to add latency, so it would only be wise 
>for use on a LAN or low latency WAN.  At some point the latency 
>wouldn't be worth the encryption for ~normal~ use.  IMHO
>
>Jeremy McNamara
>
>John Todd wrote:
>
>>
>>Anyone had experience with this phone?  The interesting features 
>>that caught my eye were the RTP encryption, speaker "pager", and 
>>built in 4-port ethernet switch.  Of course, RTP encryption doesn't 
>>exist in * yet, but it might be interesting (I've had people ask 
>>about it, but I don't know how serious they are about needing it.)
>>
>>http://www.zip4x4.com/summary_ZIP4x4.htm
>>
>>
>>JT
>>_______________________________________________
>>Asterisk-Users mailing list
>>Asterisk-Users at lists.digium.com
>>http://lists.digium.com/mailman/listinfo/asterisk-users