Re: Re: [Asterisk-Users] How to encrypt SIP communications?
Thanks Steve

Now with the help of all of you the picture is getting more clear to present it, at least for me

Thanks for all your tips

On Sun, 21 Nov 2004 13:02:53 -0500, Steve Totaro <[EMAIL PROTECTED]> wrote:
> There has to be a router or switch to plug the phone into or the phone won't
> be of much use.
>
> You can pick up a cheap Linksys IPSec VPN endpoint for about $80 last I
> checked.
>
> > Hello Miguel
> >
> > Thanks for this suggestion, but if the user has only a Grandstream
> > SIP phone on the other end, no PC, nothing, just the SIP phone. Is
> > any encryption possible in this case?
> >
> > Fach
> >
> > On Sat, 20 Nov 2004 11:51:46 -0800 (PST), Miguel Ruiz Velasco Sobrino
> > <[EMAIL PROTECTED]> wrote:
> > > Hello Fach,
> > > I have used openvpn for a while and in the new release there is a
> > > feature called "server mode" that makes it possible to have a full
> > > network of vpn links besides a single TUN/TAP adaptor (a pure
> > > software NIC) in the server. I haven't used that feature, but I
> > > think this is what you need. Also openvpn runs on linux, *bsd,
> > > solaris, windows, and maybe in other OS.
> > >
> > > Miguel

--
John Fach
Linux Dominicana
Linux/LAMP/VoIP Consulting & Solutions
p: 1-786-380-4685 1-347-952-3288
w: http://www.linuxdominicana.com
e: [EMAIL PROTECTED]
___
Asterisk-Users mailing list
[EMAIL PROTECTED]
http://lists.digium.com/mailman/listinfo/asterisk-users
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: Re: [Asterisk-Users] How to encrypt SIP communications?
There has to be a router or switch to plug the phone into or the phone won't be of much use.

You can pick up a cheap Linksys IPSec VPN endpoint for about $80 last I checked.

> Hello Miguel
>
> Thanks for this suggestion, but if the user has only a Grandstream
> SIP phone on the other end, no PC, nothing, just the SIP phone. Is
> any encryption possible in this case?
>
> Fach
>
> On Sat, 20 Nov 2004 11:51:46 -0800 (PST), Miguel Ruiz Velasco Sobrino
> <[EMAIL PROTECTED]> wrote:
> > Hello Fach,
> > I have used openvpn for a while and in the new release there is a
> > feature called "server mode" that makes it possible to have a full
> > network of vpn links besides a single TUN/TAP adaptor (a pure
> > software NIC) in the server. I haven't used that feature, but I
> > think this is what you need. Also openvpn runs on linux, *bsd,
> > solaris, windows, and maybe in other OS.
> >
> > Miguel
Re: Re: [Asterisk-Users] How to encrypt SIP communications?
Hello Miguel

Thanks for this suggestion, but if the user has only a Grandstream SIP phone on the other end, no PC, nothing, just the SIP phone. Is any encryption possible in this case?

Fach

On Sat, 20 Nov 2004 11:51:46 -0800 (PST), Miguel Ruiz Velasco Sobrino <[EMAIL PROTECTED]> wrote:
> Hello Fach,
> I have used openvpn for a while and in the new release there is a
> feature called "server mode" that makes it possible to have a full
> network of vpn links besides a single TUN/TAP adaptor (a pure
> software NIC) in the server. I haven't used that feature, but I
> think this is what you need. Also openvpn runs on linux, *bsd,
> solaris, windows, and maybe in other OS.
>
> Miguel
Re: Re: [Asterisk-Users] How to encrypt SIP communications?
Hello Fach,

I have used openvpn for a while and in the new release there is a feature called "server mode" that makes it possible to have a full network of vpn links besides a single TUN/TAP adaptor (a pure software NIC) in the server. I haven't used that feature, but I think this is what you need. Also openvpn runs on linux, *bsd, solaris, windows, and maybe in other OS.

Miguel

> Hello Gregory
>
> Thanks for your tip, but this looks like a point to point encryption,
> but how about between extensions registered in an Asterisk server.
>
> Let's say I got a building 200 users registered and a given set of
> extensions, any of the users can be out of town or in another building
> in another city but for the matter of their job their communications
> have to be encrypted. I can do your suggestion, but if a group of users
> move from place to place then how would I do?
>
> I would appreciate to have a clear solutions for a more flexible
> scenario of encryption
>
> All suggestions are highly appreciated
>
> Bye
>
> Fach

Miguel Ruiz Velasco
Re: [Asterisk-Users] How to encrypt SIP communications?
On Saturday, 20 November 2004 18:48, Linux Dominicana wrote:
> Hello Gregory
>
> Thanks for your tip, but this looks like a point to point encryption,
> but how about between extensions registered in an Asterisk server.
>
> Let's say I got a building 200 users registered and a given set of
> extensions, any of the users can be out of town or in another building
> in another city but for the matter of their job their communications
> have to be encrypted. I can do your suggestion, but if a group of users
> move from place to place then how would I do?
>
> I would appreciate to have a clear solutions for a more flexible
> scenario of encryption
>
> All suggestions are highly appreciated

Hi all

I did some research on this topic a short time ago. Here is what's the status. Anyone correct me, if I'm wrong:

Encryption can be done on several OSI Layers

Layer 3: IPsec (Network Layer)
The network layer secures the connection. Unfortunately you have to use an up to date kernel and hard phones don't support it yet. This sounds pretty secure but can only be done in point to point so here we have our disadvantage for your case.

Layer 4: TLS (Transport Layer)
Hell I simply forgot what was wrong here. I think it was the NAT traversal. You can not secure at this layer, if you have a NAT between your boxes because the checksum has to be altered for changing IPs. I'm not quite sure about this as I said I simply forgot or I'm mismixing layers :-).

Layer 5/6: SRTP
Security at the application level. Well this is what we want. SRTP is defined in an rfc and it secures any stream. A reference implementation was created by a big company which does nothing more than wrap a security layer around the RTP protocol. This is unfortunately just the half lease because it only secures the audio stream. We would also want to secure the signaling protocol which we call SIP. This is called SIPS and is also defined in an rfc.

So now we know what we want but how do we want it?

There is symmetric encryption (same key used for encryption as for decryption) and there is asymmetric encryption (different keys for encryption and decryption). Symmetric ciphers are DES, AES, 3DES and so on. These are good for real-time applications such as voice audio as they are fast enough to en/decrypt lots of data in a short period of time. Well asymmetric encryption is mainly done via RSA-based ciphers which are quite hard to handle in large-scale environments for many reasons especially key exchange can get complex for software and hardware.

So some vendors sell phones that support AES encryption. SNOM claimed to support it but has removed this support for some reason from their data sheets. The Zip4x5 claims to have encryption and you can even download the software for linux for free if you are willing to give your name and email away.

Well and now we finally get to the problem: Asterisk is somehow ready to support encryption as AES libs are compiled in but there is no SRTP and SIPS protocol implementation as far as I could see. Someone on IRC told me that he thinks encryption will be done in about a half year but my personal estimation regarding the latest development of asterisk would be a bit longer as a lot of things have to be reworked from scratch. Due to the frequent patches and contributions to the code from many developers the code gets more and more messed up. I haven't checked the development version for quite a while so this might have changed in the meantime.

Anyone feel free to post it to the wiki if you like.

So far
Jens
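The split described in the message above (SRTP covers only the audio stream, SIPS covers the signaling) can be checked per call from a captured INVITE. The following is an added example, not part of the original thread: it reads the Request-URI scheme, the topmost Via transport and the SDP media profile, where RTP/SAVP is the SRTP profile from RFC 3711 and RTP/AVP is plain RTP. The function name, host names and sample messages are constructed for illustration.

```python
SRTP_PROFILES = {"RTP/SAVP", "RTP/SAVPF"}  # secure RTP profiles (RFC 3711, RFC 5124)


def audit_invite(message):
    """Report which halves of a call are protected: signaling and media."""
    head, _, sdp = message.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("not a SIP request line: %r" % lines[0])
    uri_scheme = parts[1].split(":", 1)[0].lower()

    # The topmost Via names the transport used on the hop that was captured.
    via_transport = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("via", "v") and value.strip():
            via_transport = value.split()[0].rsplit("/", 1)[-1].upper()
            break

    # SDP media lines have the form: m=<media> <port> <proto> <fmt> ...
    media = []
    for line in sdp.split("\n"):
        fields = line[2:].split()
        if line.startswith("m=") and len(fields) >= 3:
            media.append((fields[0], fields[2].upper()))

    return {
        "signaling_protected": uri_scheme == "sips" and via_transport == "TLS",
        "media_protected": bool(media) and all(p in SRTP_PROFILES for _, p in media),
        "media": media,
    }


# Constructed sample: SRTP audio offered over plain UDP signaling (half protected).
HALF = (
    "INVITE sip:200@pbx.example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060;branch=z9hG4bK-1\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "m=audio 49170 RTP/SAVP 0\r\n"
)
# Constructed variants: fully protected, and fully in the clear.
FULL = HALF.replace("sip:200", "sips:200").replace("/UDP", "/TLS")
PLAIN = HALF.replace("RTP/SAVP", "RTP/AVP")
```

A sips: URI with a TLS Via describes only the captured hop, so a protected result here says nothing about later hops or about how the SRTP keys were exchanged.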
Re: [Asterisk-Users] How to encrypt SIP communications?
Hello Gregory

Thanks for your tip, but this looks like a point to point encryption, but how about between extensions registered in an Asterisk server.

Let's say I got a building 200 users registered and a given set of extensions, any of the users can be out of town or in another building in another city but for the matter of their job their communications have to be encrypted. I can do your suggestion, but if a group of users move from place to place then how would I do?

I would appreciate to have a clear solutions for a more flexible scenario of encryption

All suggestions are highly appreciated

Bye

Fach

On Sat, 20 Nov 2004 00:39:28 -0500, Gregory Junker <[EMAIL PROTECTED]> wrote:
> Linux 2.6 kernel includes IPSec directly, and ipsec-tools can be used to
> create a secure point-to-point link. OpenSWAN makes use of the kernel
> IPSec in 2.6, and makes it available in 2.2 and 2.4 kernels. IPSec can
> use shared keys or x509 certificates within or without a PKI for
> authentication. OpenVPN has been mentioned as another option, and it
> uses SSL/TLS for the encryption, and also supports PKI and PSK for auth.
> Both provide perfect-forward secrecy (PFS) which is important if your
> client wants past and future communications to remain impossible to
> decrypt, even with a compromised or subpoenaed private key.
>
> Any of the above can be used to encrypt a point-to-point link such as
> the one you describe.
>
> http://www.openswan.org
> http://www.openvpn.org
>
> Greg
>
> Linux Dominicana wrote:
> > Hello everybody
> >
> > A given scenario:
> >
> > A client does want to have his own VoIP PBX with Asterisk running, but
> > he asks me. How secure can be the communication among all subscribers?
> > If there're sniffers on the middle or any other listening device on a
> > given network.
> >
> > The client is not fictitious, but its main requirement is encryption of
> > all point to point communications for given reasons.
> >
> > Any guidance, products, solutions implementation available and if
> > works is much better.
> >
> > Suggestions are welcome
> >
> > Regards
> >
> > John Fach

--
John Fach
Linux Dominicana
Linux/LAMP Technology Consulting & Solutions
p: 1-786-380-4685 1-347-952-3288
w: http://www.linuxdominicana.com
e: [EMAIL PROTECTED]
Re: [Asterisk-Users] How to encrypt SIP communications?
Linux Dominicana wrote:
> Hello everybody
>
> A given scenario:
>
> A client does want to have his own VoIP PBX with Asterisk running, but
> he asks me. How secure can be the communication among all subscribers?
> If there're sniffers on the middle or any other listening device on a
> given network.
>
> The client is not fictitious, but its main requirement is encryption of
> all point to point communications for given reasons.
>
> Any guidance, products, solutions implementation available and if
> works is much better.

There is SRTP: http://srtp.sourceforge.net/srtp.html

Doesn't look like anyone has submitted a feature request for its inclusion in *.

Regards,
--
Jason Becker
Director & CEO
Coalescent Systems Inc.
403.244.8089
www.coalescentsystems.ca
Re: [Asterisk-Users] How to encrypt SIP communications?
http://www.openvpn.org

sorry, this should have been http://openvpn.sourceforge.net
Re: [Asterisk-Users] How to encrypt SIP communications?
Linux 2.6 kernel includes IPSec directly, and ipsec-tools can be used to create a secure point-to-point link. OpenSWAN makes use of the kernel IPSec in 2.6, and makes it available in 2.2 and 2.4 kernels. IPSec can use shared keys or x509 certificates within or without a PKI for authentication. OpenVPN has been mentioned as another option, and it uses SSL/TLS for the encryption, and also supports PKI and PSK for auth. Both provide perfect-forward secrecy (PFS) which is important if your client wants past and future communications to remain impossible to decrypt, even with a compromised or subpoenaed private key.

Any of the above can be used to encrypt a point-to-point link such as the one you describe.

http://www.openswan.org
http://www.openvpn.org

Greg

Linux Dominicana wrote:
> Hello everybody
>
> A given scenario:
>
> A client does want to have his own VoIP PBX with Asterisk running, but
> he asks me. How secure can be the communication among all subscribers?
> If there're sniffers on the middle or any other listening device on a
> given network.
>
> The client is not fictitious, but its main requirement is encryption of
> all point to point communications for given reasons.
>
> Any guidance, products, solutions implementation available and if
> works is much better.
>
> Suggestions are welcome
>
> Regards
>
> John Fach