[Asterisk-Users] Where is the cheapest place to buy grandstreamphones ?.

Robert Rozman rozman at fri.uni-lj.si
Wed Oct 13 04:21:32 MST 2004


Hi,

Is there any more info about securing IAX calls, or better said, remote IAX
extensions? I feel much more comfortable using IAX.

Regards,

Robert.

----- Original Message ----- 
From: "Benjamin on Asterisk Mailing Lists" <benjk.on.asterisk.ml at gmail.com>
To: "Asterisk Users Mailing List - Non-Commercial Discussion"
<asterisk-users at lists.digium.com>
Sent: Wednesday, October 13, 2004 12:26 PM
Subject: Re: [Asterisk-Users] Where is the cheapest place to buy
grandstreamphones ?.


> On Wed, 13 Oct 2004 10:48:39 +0200, hitete at free.fr <hitete at free.fr> wrote:
> > Where is the cheapest place to buy grandstream phones ?
>
> I have heard that SIPphones.com are about to sell them for $49 or $59
> a piece but that may be just a rumour or it may be an offer limited to
> those over the age of 80 attended by their parents, I don't know.
>
> > And the other day I posted questions about security for SIP, is the only
> > solution a VPN?
> > Isn't there SSL integrated in SIP?
>
> Do you actually know how SIP works?
>
> SIP is only HALF a protocol from the viewpoint of VoIP. SIP doesn't
> actually do any VoIP. SIP is only there for introducing two parties to
> each other. That's all SIP does. "1.2.3.4 meet 6.7.8.9 -- 6.7.8.9,
> this is 1.2.3.4". It is then up to those parties to arrange how they
> communicate with each other. SIP has nothing to do with that
> communication. SIP does not deal with voice. It only deals with
> introductions and the filing of divorce papers. That's it.
>
> The kind of SIP that is mostly used for establishing VoIP connections
> is using another protocol, called RTP, which from the viewpoint of
> VoIP has to be considered the OTHER HALF of what makes up the VoIP
> protocol. SIP makes the introduction, RTP carries the voice.
>
> So when you talk about a SIP phone call, what you really mean is an
> RTP phone call which has been arranged for by SIP.
>
> Since those two protocols are technically independent protocols only
> loosely taped together by SIP's introduction, there are three
> independent data streams involved, all using different ports, from the
> viewpoint of TCP/IP all independent connections that have nothing to
> do with each other. To make things worse still, the ports used for the
> voice traffic, are determined at random, one for each direction.
>
> So, if you wanted to wrap a SIP based IP phone call into SSL, then you
> would need to find a way how to get three independent data streams
> potentially going to two different destinations on three different
> ports, two of which are random, all together into one socket. Good
> luck with that.
>
> Of course you could wrap the three connections all individually, but
> that doesn't help you with NAT traversal. In fact it will make NAT
> traversal more difficult because some of the techniques that aid
> SIP/NAT traversal need to be able to read and understand the SIP
> messages to know which ports to open for the associated RTP traffic.
> If you encrypt the SIP stream individually, you will make it
> impossible for those techniques to work because they cannot read the
> SIP messages anymore.
>
> If you leave the SIP stream untouched and only encrypt the RTP
> traffic, then you will not increase your security in terms of
> potential break-in attacks. You will only protect yourself against
> eavesdropping on the audio channels.
>
> So, to get proper security, you would have to encapsulate both SIP and
> RTP streams into a single stream and send that off to a remote party
> that knows how to unbundle it again.
>
> This means you are looking at building a tunnel. Hence VPN.
>
>
> The moral of the story is this:
>
> Everybody doing VoIP has at some point run into the issue of SIP/NAT
> traversal and discovered how it is a pain to get working and how it is
> a serious security risk if you do get it working.
>
> We have all been there before you. We are all wearing the T-shirt that
> says "been there, done that" and we have earned that T-shirt with our
> own blood, sweat and tears.
>
> So, you have two choices: You can either just trust our advice. Or you
> can ignore it, bang your head against the wall like many of us did
> before and earn your own "been there, done that" T-shirt. Whatever you
> do, you are not going to find a solution other than what has been
> presented to you already. SIP is broken and it will remain that way
> because it is broken by design.
>
> Trust me on this, I myself have been one of those who didn't want to
> take the advice from the resident VoIP gurus at the time and I was
> banging my head against the wall in search of a solution that isn't
> there. Of course my stubbornness has given me a pretty good
> understanding of the problem, but I could have saved myself a lot of
> trouble if I had listened to the advice of those who told me that I
> was wasting my time.
>
> VPN or IAX it is.
>
> rgds
> benjk
>
> -- 
> Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya,
> Tokyo, Japan.
>
> NB: Spam filters in place. Messages unrelated to the * mailing lists
> may get trashed.
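
The quoted reply's point that NAT helpers must read the SIP messages to learn which RTP ports to open, shown as an added Python example that is not part of the original thread. The messages, port numbers and function names (`sip_msg`, `media_endpoints`, `pinholes`) are constructed for illustration, and a simple XOR stands in for real encryption only to make the signalling bytes opaque.

```python
import re

def sip_msg(start_line, host, rtp_port):
    """Build a minimal, constructed SIP message carrying an SDP body."""
    sdp = (f"v=0\r\no=- 1 1 IN IP4 {host}\r\ns=-\r\n"
           f"c=IN IP4 {host}\r\nt=0 0\r\nm=audio {rtp_port} RTP/AVP 0\r\n")
    return (f"{start_line}\r\nVia: SIP/2.0/UDP 1.2.3.4:5060\r\n"
            f"Content-Type: application/sdp\r\n"
            f"Content-Length: {len(sdp)}\r\n\r\n{sdp}")

def media_endpoints(message):
    """Return [(media, ip, port)] advertised in the SDP, as a NAT helper reads it."""
    if isinstance(message, bytes):
        message = message.decode("ascii", errors="replace")
    _, sep, body = message.partition("\r\n\r\n")
    if not sep:                      # no readable header/body boundary
        return []
    session_ip, current, found = None, None, []
    for line in body.splitlines():
        c = re.match(r"c=IN IP4 (\S+)", line)
        m = re.match(r"m=(\w+) (\d+)", line)
        if c and current is None:
            session_ip = c.group(1)  # session-level connection address
        elif c:
            current[1] = c.group(1)  # media-level address overrides it
        elif m:
            current = [m.group(1), session_ip, int(m.group(2))]
            found.append(current)
    # port 0 means the stream was declined, so nothing needs opening
    return [tuple(e) for e in found if e[1] and e[2]]

def pinholes(offer, answer):
    """UDP flows that must pass for audio to work in both directions."""
    eps = media_endpoints(offer) + media_endpoints(answer)
    return sorted({(ip, port) for _, ip, port in eps})

# Constructed sample exchange: signalling on 5060, media on two other ports.
INVITE = sip_msg("INVITE sip:bob@6.7.8.9 SIP/2.0", "1.2.3.4", 17342)
OK_200 = sip_msg("SIP/2.0 200 OK", "6.7.8.9", 28110)
# Stand-in for an encrypted signalling stream (XOR is NOT real encryption).
OPAQUE = bytes(b ^ 0x5A for b in INVITE.encode("ascii"))

if __name__ == "__main__":
    print("RTP flows to allow:", pinholes(INVITE, OK_200))
    print("Readable from opaque signalling:", media_endpoints(OPAQUE))
```

With readable signalling the helper finds one RTP port per direction; with opaque signalling it finds none, which is why encrypting only the SIP stream defeats this kind of NAT traversal aid.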



