AsteriskSRTP

From e164.org wiki

Setting up Asterisk for SRTP

What is SRTP

Normally voice packets cross the internet unencrypted inside RTP packets, which can be reconstructed and played back by anyone able to intercept them. There are a number of solutions to this problem; this document only covers the SRTP branch of Asterisk, which sends out encryption hints in the SIP packets when negotiating the RTP connection between parties.

While this solution is far from perfect, it does solve the problem of casual interception. This means law enforcement agencies actually have to do their jobs and selectively monitor those who should be monitored, rather than mass-monitoring every conversation taking place over the internet, which is a huge leap forward in terms of privacy.

So how do I setup Asterisk with SRTP?

At the time of writing there is an SRTP branch of Asterisk, so you will need to grab this from the SVN server. You will need to install libSRTP before trying to build Asterisk, or you won't get very far.

Building and Installing libSRTP

Go to [1] and grab the latest and greatest.

Then on your server decompress it:

tar xzvf srtp-x.y.z.tgz
cd srtp
./configure
make
make install

Building and Installing Asterisk with SRTP

You will need to make sure you have the Subversion tools installed; how you do this will vary based on your distribution.


svn checkout http://svn.digium.com/svn/asterisk/team/oej/securertp-trunk
cd securertp-trunk
wget "http://bugs.digium.com/file_download.php?file_id=10773&type=bug" -O ast_srtp_depend.patch
patch -p0 < ast_srtp_depend.patch
autoconf
./configure
make menuselect


You can navigate the menus by right arrow to enter a submenu, left arrow to go back to the main menu, right arrow or space to select or deselect items and 'x' to quit and save or 'q' to quit without saving.

When you look in "8. Resource Modules", make sure res_srtp is selectable and has an '*' next to it; otherwise you will need to check for errors from when you ran ./configure.

You can then go through and select or deselect apps and other Asterisk modules as you like. Unlike make menuconfig for Linux, the config menu for Asterisk lacks inter-module sanity checking, and it's best to leave most or all res_* modules activated; otherwise you can run into issues with other modules that don't seem to have any connection to them.

Once you finish selecting, hit 'x' to quit and save, and then run:


make
make install


Post-Installation

Now it's time to set up and test your shiny new install. If you already have a working Asterisk installation you only need to make one small change to your dialplan; for those new to this, I suggest you now go to:

http://www.asterisk.net.au/tutorial/4/

and follow at least steps 4 to 7. This should give you a working Asterisk install with a basic menu you can use for testing.

Dialplan change needed

At this point you need to alter your dialplan, but it's only a minor change. Put Set(_SIP_SRTP_SDES=optional) somewhere in your dialplan before you call Dial(). This allows for opportunistic encryption, at least between Asterisk servers running the SRTP module, though there are also some hard and soft phones that support SRTP.

For more information on this topic, see the bug report:

http://bugs.digium.com/view.php?id=5413

End Result

If you run tethereal to inspect packets, you should see something like the following as a result of SRTP being used.


non-encrypted link
0.000000 192.168.1.2 -> 192.168.1.1 SIP/SDP Request: INVITE sip:s@192.168.1.1, with session description
0.110996 192.168.1.1 -> 192.168.1.2 SIP Status: 100 Trying
1.118002 192.168.1.1 -> 192.168.1.2 SIP/SDP Status: 200 OK, with session description
1.118230 192.168.1.2 -> 192.168.1.1 SIP Request: ACK sip:s@192.168.1.1
1.147868 192.168.1.1 -> 192.168.1.2 RTP Payload type=iLBC, SSRC=784617568, Seq=38449, Time=240
1.163311 192.168.1.2 -> 192.168.1.1 RTP Payload type=iLBC, SSRC=188867920, Seq=55923, Time=106278296
etc
encrypted link
0.000000 192.168.1.2 -> 192.168.1.1 SIP/SDP Request: INVITE sip:s@192.168.1.1, with session description
0.112056 192.168.1.1 -> 192.168.1.2 SIP Status: 100 Trying
1.114716 192.168.1.1 -> 192.168.1.2 SIP/SDP Status: 200 OK, with session description
1.114984 192.168.1.2 -> 192.168.1.1 SIP Request: ACK sip:s@192.168.1.1
1.145070 192.168.1.1 -> 192.168.1.2 UDP Source port: 10076  Destination port: 10070
1.159458 192.168.1.2 -> 192.168.1.1 UDP Source port: 10070  Destination port: 10076
etc


Notes

ENUMLOOKUP Changes

If you are moving from a 1.2.x version of Asterisk to this version, there have been some changes to functions, including ENUMLOOKUP. There needs to be an extra comma in any ENUMLOOKUP calls, e.g.:


If you have this in 1.2: ${ENUMLOOKUP(${EXTEN},sip,1,e164.org)}
then you need this in 1.4: ${ENUMLOOKUP(${EXTEN},sip,,1,e164.org)}


Note the extra comma after "sip"...

More...


Incidentally, if the parameter c were used, as in:
${ENUMLOOKUP(+13015611020,ALL,c,e164.org)}
(from doc/README.enum in the 1.2 branch)

it would become:
${ENUMLOOKUP(+13015611020,ALL,c,,e164.org)}
in the new syntax.


Standard

SRTP is specified in RFC 3711.

Gotchas

Please be aware that while this is a good start, SRTP itself lacks a key exchange. There are a number of schemes to overcome this, such as MIKEY and S/MIME, but neither seems to be widely in use. For example, Sipura devices use MIKEY for the key exchange together with SRTP.
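As an added example (not code from this page, the Asterisk SRTP branch or libSRTP), the Python below pulls the SDES crypto attributes (RFC 4568, the format SIP_SRTP_SDES negotiates) out of an SDP body, checks the suite and key length, and exposes the master key, which travels in the signalling itself, so the gotcha above bites unless the SIP leg is protected by TLS. The SDP body and its key bytes are constructed for the example.

```python
"""Inspect the SDES crypto hints (RFC 4568) that SIP_SRTP_SDES adds to SDP.
Added example, not code from the Asterisk SRTP branch or libSRTP; the SDP
body is constructed and its key material is filler, not a real key."""
import base64
import re

# Master key (128 bit) + master salt (112 bit) for the RFC 4568 suites.
SUITE_KEY_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}
# a=crypto:<tag> <suite> inline:<base64 key||salt>[|lifetime][|MKI:len]
CRYPTO_RE = re.compile(r"^a=crypto:(\d+) (\S+) inline:([A-Za-z0-9+/=]+)(\|\S+)?$")
MEDIA_RE = re.compile(r"^m=\w+ \d+ (RTP/S?AVP)\b")


def parse_sdp_security(sdp: str) -> dict:
    """Return the media profile and one record per a=crypto attribute."""
    result = {"profile": None, "offers": []}
    for raw in sdp.splitlines():
        line = raw.strip()
        m = MEDIA_RE.match(line)
        if m:  # RTP/SAVP = SRTP required; RTP/AVP = peer may fall back to cleartext
            result["profile"] = m.group(1)
            continue
        m = CRYPTO_RE.match(line)
        if not m:
            continue
        tag, suite, b64, _params = m.groups()
        key_salt = base64.b64decode(b64)
        result["offers"].append({
            "tag": int(tag),
            "suite": suite,
            "known_suite": suite in SUITE_KEY_LEN,
            "key_len_ok": SUITE_KEY_LEN.get(suite) == len(key_salt),
            # The master key rides in the SDP itself: whoever can read the SIP
            # signalling (no TLS) has it, which is the key-exchange gotcha.
            "master_key": key_salt[:16],
        })
    return result


# Constructed SDP: one well-formed offer and one whose key is too short.
GOOD_KEY = base64.b64encode(b"constructed_demo_key_30bytes!!").decode()
SAMPLE_SDP = "\n".join([
    "v=0",
    "m=audio 10070 RTP/SAVP 97",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{GOOD_KEY}",
    "a=crypto:2 AES_CM_128_HMAC_SHA1_32 inline:c2hvcnQ=|2^20",
])
```

Run the same parser over the 200 OK answer as well as the INVITE: with SIP_SRTP_SDES=optional a peer that does not support SDES simply answers without an a=crypto line and the media falls back to cleartext RTP.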
