At 4:17 PM -0400 on 8/10/05, Jeremy Jackson wrote:
Olle E. Johansson wrote:
Jeremy Jackson wrote:

I've been playing with racoon/Linux IPSEC, and it seems quite simple to
enable security on a per-socket basis:

   /* libipsec (ipsec-tools) per-socket policy on an IPv4 socket, so level is IPPROTO_IP */
   const char *policy = "in ipsec esp/transport//require";
   char *buf = ipsec_set_policy(policy, strlen(policy));   /* malloc'd buffer, NULL on parse error */
   if (buf == NULL) { fprintf(stderr, "%s\n", ipsec_strerror()); return -1; }
   setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
   free(buf);

I see there is also work being done on SRTP. It seems like SRTP would
duplicate efforts, but maybe there are performance reasons that SRTP
would be better?

Comments?

SRTP can be set up on a per-call basis.

This may be my inexperience with per-socket IPSEC policy, but I believe that translates to being on a per-call basis as well.

--
Jeremy Jackson
Coplanar Networks
W: (519)489-4903
C: (519)897-1516
http://www.coplanar.net

SRTP is negotiated in the SDP, instead of at the network layer like IPSEC. Certain media streams to the same endpoint may or may not require encryption. This is only one reason of _many_ why IPSEC is not sufficient for SIP or media encryption on the Internet. Triggering encryption at the network layer is inadequate, and does not allow for easy communications between the application layer and the process that is enacting the encryption.

That being said: IPSEC probably will work great in a VPN environment for encapsulating VoIP, but that's a different layer of the security model.

JT
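To make JT's point concrete, here is an added example (not from the thread, Asterisk or ipsec-tools) that walks a constructed SDP offer and reports, per media stream, whether SRTP was negotiated. Both streams target the same address, so a policy keyed on the destination endpoint, as a per-socket or per-host IPsec rule is, cannot express what the SDP says; the `a=crypto` lines follow the RFC 4568 SDES format and the key material is a placeholder.

```python
"""Per-stream SRTP negotiation in SDP. Constructed example, not from the original thread."""
import re

# Constructed SDP offer: one session-level c= address, but only the audio
# stream uses the secure profile (RTP/SAVP) and offers a=crypto suites.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0 8
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:WVNfX19zZW1jdGwgKCkgewkyMjA7fQp9CnVubGVz
m=video 51372 RTP/AVP 31
a=rtpmap:31 H261/90000
"""

SECURE_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}


def parse_media_security(sdp: str):
    """Return one dict per m= section: media, port, profile, destination
    address, whether SRTP is required and the offered a=crypto suites."""
    session_addr = None
    streams = []
    for line in sdp.splitlines():
        if len(line) < 2 or line[1] != "=":
            continue
        key, value = line[0], line[2:]
        if key == "c":
            # A c= line before any m= is session-level; inside a media section it overrides it.
            addr = value.split()[-1]
            if streams:
                streams[-1]["addr"] = addr
            else:
                session_addr = addr
        elif key == "m":
            media, port, profile, *_ = value.split()
            streams.append({"media": media, "port": int(port.split("/")[0]), "profile": profile,
                            "addr": session_addr, "srtp_required": profile in SECURE_PROFILES,
                            "crypto_suites": []})
        elif key == "a" and value.startswith("crypto:") and streams:
            m = re.match(r"crypto:(\d+)\s+(\S+)\s+(\S+)", value)  # a=crypto:<tag> <suite> <key-params>
            if m:
                streams[-1]["crypto_suites"].append(m.group(2))
    return streams


def same_endpoint_mixed_policy(streams) -> bool:
    """True when streams sharing one destination address disagree on SRTP, i.e. an
    address-level policy could not reproduce what the application negotiated."""
    by_addr = {}
    for s in streams:
        by_addr.setdefault(s["addr"], set()).add(s["srtp_required"])
    return any(len(v) > 1 for v in by_addr.values())
```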
_______________________________________________
Asterisk-Security mailing list
[email protected]
http://lists.digium.com/mailman/listinfo/asterisk-security
