John Todd wrote:
At 4:17 PM -0400 on 8/10/05, Jeremy Jackson wrote:
policy = "in ipsec esp/transport//require";   /* KAME libipsec policy spec */
buf = ipsec_set_policy(policy, strlen(policy)); /* returns a malloc'd buffer */
setsockopt(so, IPPROTO_IP, IP_IPSEC_POLICY, buf, ipsec_get_policylen(buf));
free(buf);
SRTP is negotiated in the SDP, instead of at the network layer like
IPSEC. Certain media streams to the same endpoint may or may not
require encryption. This is only one reason of _many_ why IPSEC is not
sufficient for SIP or media encryption on the Internet. Triggering
encryption at the network layer is inadequate, and does not allow for
easy communications between the application layer and the process that
is enacting the encryption.
That being said: IPSEC probably will work great in a VPN environment for
encapsulating VoIP, but that's a different layer of the security model.
Does RTP use separate UDP ports per media stream? I'm inclined to think
it does; gnomemeeting/H323 video calls do. If that's generally true,
then code like the above can trigger encryption per stream, *inside* the
application(s).
What might be some of the other issues? There's a fair bit of work to
implement SRTP, so I'd like to be convinced it's necessary.
--
Jeremy Jackson
Coplanar Networks
W: (519)489-4903
C: (519)897-1516
http://www.coplanar.net
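As an added example (not code from either poster), the per-stream decision John describes is only visible in the SDP: this Python parser reads a constructed offer carrying one RTP/SAVP audio stream with an a=crypto line and one plain RTP/AVP video stream to the same endpoint, reports which UDP port needs SRTP, and pairs each port with the kind of per-socket KAME policy string Jeremy quoted. The SDP text, key parameter and the use of "in none" as the no-IPsec policy are assumptions made for the example.

```python
import re

# Constructed SDP offer: audio negotiates SRTP (RTP/SAVP + a=crypto),
# video stays plain RTP/AVP; both go to the same host on separate ports.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/SAVP 0
a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PS1uQCVeeCFCanVmcjkpPywjNWhcYD0mXXtxaVBR|2^20|1:32
a=rtpmap:0 PCMU/8000
m=video 51372 RTP/AVP 31
a=rtpmap:31 H261/90000
"""

# KAME-style per-socket policy strings: the ESP one is the thread's example;
# "in none" (assumption) is the spec syntax for "no IPsec processing".
POLICY_SRTP = "in ipsec esp/transport//require"
POLICY_PLAIN = "in none"

def parse_media_streams(sdp):
    """Return one dict per m= section: port, transport profile, crypto suites."""
    streams = []
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            media, port, proto, *fmts = line[2:].split()
            streams.append({"media": media, "port": int(port), "profile": proto,
                            "secure": proto.startswith("RTP/SAVP"), "crypto": []})
        elif line.startswith("a=crypto:") and streams:
            # a=crypto:<tag> <suite> <key-params> ... belongs to the last m= line
            m = re.match(r"a=crypto:(\d+)\s+(\S+)\s+(\S+)", line)
            if m:
                streams[-1]["crypto"].append(m.group(2))
    # An RTP/SAVP stream with no a=crypto line has no keying: flag it as unkeyed
    for s in streams:
        s["unkeyed"] = s["secure"] and not s["crypto"]
    return streams

def policy_per_port(sdp):
    """Map each media port to the per-socket policy the application would need."""
    return {s["port"]: POLICY_SRTP if s["secure"] else POLICY_PLAIN
            for s in parse_media_streams(sdp)}
```

The point the output makes is that a network-layer policy keyed on host or port alone cannot see the RTP/SAVP vs RTP/AVP split; only the application, after parsing the SDP, knows which port carries the stream that requires protection.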
_______________________________________________
Asterisk-Security mailing list
http://lists.digium.com/mailman/listinfo/asterisk-security