[Asterisk-Users] IAX encryption

Håkan Källberg hk at simulina.se
Thu Jun 2 13:29:18 MST 2005


> -----Original Message-----
> From: John Melody [mailto:john at sybernet.ie]
> Sent: Monday, May 30, 2005 2:37 AM
> 
> What encryption features are available to encrypt the IAX2 traffic between
> two asterisk servers. I have read that there is some encryption possible but
> has anyone been able to encrypt the entire payload of IAX traffic between
> two asterisk servers.

On Mon, May 30, 2005 at 09:26:42AM -0600, Colin Anderson wrote:
> I am using vtun without incident:
> 
> http://vtun.sourceforge.net/
> 
> this is a bolt-on and depending on the box's specs and the number of
> tunnels, it may negatively impact the server's performance. To address this,
> in my application, I use a separate box to aggregate all of the remote IAX
> servers' tunnels and marshal all of the traffic to my primary server. The
> separate box is a lowly P-II 400 and it works fine with 25 tunnels going
> into it. 

Well, so far I have seen Vtun and IP-Sec suggested. These aren't
exactly answers to the question, as John asked for encrypting
the payload, but anyway these are also possibilities, until
encryption is solidly built into the IAX2 (IAX3?) protocol,
or even SIP.

I would like to make yet another suggestion, one that has some
advantages. Take a look at: www.winton.org.uk/zebedee/

I'd call this a lightweight ssh - with the important addition
of being able to tunnel UDP over TCP - encrypted.

(Dis)advantages with the different solutions:

VTun - IP-Sec: 

These may need cooperation from the
(NAT)Gateways/Firewalls. This speaks against the spirit of IAX2.

Native IAX2 encryption:

This would be the technically most efficient solution, but the only
thing you'd hide would be the content of the phone call, not the fact
that you are placing a phone call.

Zebedee:

Tunneling UDP over TCP is NOT very efficient! But zebedee can,
as ssh, be run over NAT-gateways and requires only one open port
in the firewall, as IAX2 itself. An attacker might guess that
a phone call is going on, due to the shape of the data stream,
but it is not obvious, and you may mix the traffic with other
transfers to hide it better.

Håkan Källberg
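The point made above about zebedee (and any other tunnel that hides only the payload) is that an observer who sees nothing but packet timestamps and sizes can still guess that a call is in progress from the shape of the stream, and that mixing the call with other transfers blurs that shape. The following is an added example illustrating that, not code from the original post, from Asterisk, or from zebedee. It assumes (none of this is stated on the page) a G.711 call at 20 ms packetisation, that an IAX2 mini-frame plus IP/TCP/tunnel overhead yields a roughly constant on-wire size, and that the observer applies a naive constant-bitrate classifier; all packet traces are constructed synthetically inside the block.

```python
"""Traffic-shape analysis of an encrypted tunnel carrying an IAX2 call.

Added illustration, not from the original post, Asterisk or zebedee.
Assumptions (not from the page): the observer sees only (timestamp, size)
per tunnel packet; voice is G.711 at 20 ms packetisation; the cipher adds
only a few bytes of padding.  All traces below are constructed.
"""
import random
import statistics

VOICE_PPS = 50                    # 20 ms packetisation -> 50 packets/s (assumption)
VOICE_WIRE_BYTES = 160 + 4 + 52   # G.711 payload + IAX2 mini-frame + IP/TCP/tunnel (rough assumption)
BULK_MSS = 1460                   # typical Ethernet-sized TCP segment


def make_call(seconds=5, jitter_ms=2.0, seed=1):
    """Constructed trace of a tunnelled call: one ~216-byte packet every 20 ms, small jitter."""
    rng = random.Random(seed)
    pkts, t = [], 0.0
    for _ in range(seconds * VOICE_PPS):
        t += 1.0 / VOICE_PPS + rng.uniform(-jitter_ms, jitter_ms) / 1000.0
        pkts.append((t, VOICE_WIRE_BYTES + rng.randint(0, 2)))  # cipher padding varies slightly
    return sorted(pkts)


def make_bulk(seconds=5, seed=2):
    """Constructed trace of a bulk transfer: bursts of MSS-sized segments with idle gaps between."""
    rng = random.Random(seed)
    pkts, t = [], 0.0
    while t < seconds:
        for _ in range(rng.randint(5, 40)):
            t += rng.uniform(0.0002, 0.003)
            size = BULK_MSS if rng.random() < 0.9 else rng.randint(60, BULK_MSS)
            pkts.append((t, size))
        t += rng.uniform(0.05, 0.4)   # idle gap before the next burst
    return sorted(pkts)


def mix(*traces):
    """Interleave several traces as they would appear on one tunnel."""
    return sorted(p for tr in traces for p in tr)


def shape_stats(pkts):
    """Rate, mean size and coefficients of variation of size and inter-arrival time."""
    times = [t for t, _ in pkts]
    sizes = [s for _, s in pkts]
    iats = [b - a for a, b in zip(times, times[1:])]
    duration = times[-1] - times[0]

    def cv(xs):
        m = statistics.mean(xs)
        return statistics.pstdev(xs) / m if m else float("inf")

    return {
        "pps": len(pkts) / duration if duration else 0.0,
        "size_mean": statistics.mean(sizes),
        "size_cv": cv(sizes),
        "iat_cv": cv(iats),
    }


def looks_like_voice(pkts):
    """Naive observer heuristic: small, near-constant packets at a steady ~50/s."""
    s = shape_stats(pkts)
    return (30 <= s["pps"] <= 70 and s["size_mean"] < 400
            and s["size_cv"] < 0.05 and s["iat_cv"] < 0.25)


if __name__ == "__main__":
    for name, trace in (("call only", make_call()),
                        ("bulk only", make_bulk()),
                        ("call + bulk", mix(make_call(), make_bulk()))):
        print(name, shape_stats(trace), "voice?" , looks_like_voice(trace))
```

The call-only trace is flagged even though every byte of payload is encrypted, because its rate and size are almost constant; the same call interleaved with a bulk transfer on the same tunnel no longer matches, which is the "mix the traffic with other transfers" advice above. A real observer would use more than these four statistics, so treat the mixing as blurring the signal rather than removing it.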
