[Asterisk-Users] IAX/IAX2 encryption?

Brian D Heaton bdheaton at c4i2.com
Mon Nov 10 17:27:46 MST 2003


Brian,

	Mark was talking about it with JustinT at PN7.  I caught the end of the
conversation.  The question I asked then (and still ask now) is, (for
the IAX/IAX2 case at least) why load down the PBX with PBX-to-PBX
encryption?  

	If you look at the way most large organizations (military, government,
large multi-nationals) handle encrypted network communications you'll
find they separate site-site encryption from the data processing
machines.  You have a RED (cleartext) LAN segment connected to the RED
side of an encryption device.  The BLACK (encrypted) side of the
encryption device connects to remote sites via tunnels.  (Hint: google
for TACLANE) In addition to decreasing the complexity on the
workstations/servers you reduce the number of fingers in the crypto
device and the number of things running on it.  

	This is the same thing we do now with router-router VPN tunnels.  If
you have only a single tunnel between sites and a best effort black side
network then you do your QoS shaping on the red side and cross your
fingers.  If you've got QoS shaping on the black side then you can set up
more than one tunnel between sites and use policy routing either on the
encryption device or in front of it to get the data into the correct
tunnels.  If you can do both you're better off since it gives you more
granular control.

	You're already running a process ( * ) that needs to do quite a bit of
low-level bit manipulation and DSP on the PBX.  Why load it down with a
process that needs to do mucho math for encryption?  Even with the
hardware daughterboards I think you're going to at least greatly
increase your context switching overhead.

	Tune the Asterisk box (and consume its resources) for Asterisk and tune
the encryption/routing box for encryption/routing.  How about a Soekris
box with the hardware encryption daughterboard? You can get some pretty
nice performance in a small space.  I don't want to see * get loaded
down with a bunch of encryption hooks rather than more refined features
and bug fixes.

	The client case is a whole different matter.  Most of the discussion
between Mark and Justin centered on the IAXy.  That's a whole different
scenario and I think the best you're going to get there is some type of
symmetric cipher with shared secret.  I don't think you've got the code
space or spare cycles to do much more.  At the very least a DH key
exchange of session keys would eat up some call-setup time.

	Thoughts?????


			Other Brian....


PS - Mel says hi!
  


On Mon, 2003-11-10 at 15:26, Brian J. Schrock wrote:
> I second that, and I think I remember hearing Mark talking about it too. But.....
> 
> What type of encryption can you do that does not introduce latency? 
> 
> That said, I would like it to support hardware encryption cards.
> 
> I have done work with FreeS/WAN and it works, and yes it adds about 30-100ms of latency depending on what else is going on. I think it has something to do with keying.
> 
> 
> On Mon, Nov 10, 2003 at 02:06:33PM -0600, Brian West wrote:
> > I wonder if anyone else on the list has expressed any interest in having
> > some type of native support for encryption for IAX?  I hear IPSEC adds
> > some latency... I would like to side step that for something simpler to
> > set up.
> > 
> > bkw
> > _______________________________________________
> > Asterisk-Users mailing list
> > Asterisk-Users at lists.digium.com
> > http://lists.digium.com/mailman/listinfo/asterisk-users