[lug] IPsec (or other security) in Asterisk

Zan Lynx zlynx at acm.org
Fri Sep 14 10:34:24 MDT 2007


On Fri, 2007-09-14 at 10:05 -0600, Michael J. Hammel wrote:
> I'm doing a little research on a project that might involve Asterisk.
> One of the key issues is VoIP security.  It doesn't appear that IPsec is
> supported in Asterisk (based on their web site, at least).  And there
> don't appear to be any other transport layer or higher security features
> (ssh, tls, ssl, or similar).  
> 
> Anyone know if Asterisk supports or is intending to support security
> features for VoIP?  Does Asterisk (or any application for that matter)
> need to specifically support IPsec or is this a feature of the
> networking stack that is configured outside the realm of the
> application?   My limited understanding of IPsec is that it's the latter
> - outside the realm of the application.

Any application that uses IPv4 will use IPsec transparently, if IPsec is
configured on the route in question.  I haven't done it, but I believe
IKE (IPsec Key Exchange) daemons like Racoon can be set on the default
route, and then the daemon can attempt a secure certificate IPsec with
any destination that supports it (not many).

IPv6 allows application level control of IPsec, I believe.  IPsec is a
required part of the IPv6 standards.  It's supposed to integrate better
with things like MTU and MSS.

IPv4 can have performance problems with IPsec.  For example, an
application might think the MTU is 1500 and send UDP packets of 1500,
but they'll be fragmented since the IPsec tunneling adds a (40 byte?)
header.  

You also end up with *weird* problems with some QoS setups.  I used to
have SSH sessions over my home-to-work VPN that would freeze for
minutes, because my Linux QoS configuration would insist on dropping
some of the (encrypted) packet fragments and TCP didn't seem to realize
that resending the "lost" packet only created another batch of IPsec
fragments.
-- 
Zan Lynx <zlynx at acm.org>
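As an added illustration of the fragmentation point above (this is constructed example code, not part of the post): it models the on-wire size of an IPv4/UDP datagram after ESP tunnel-mode encapsulation and counts the IPv4 fragments needed on a 1500-byte link. The SA parameters (AES-CBC with a 16-byte IV, HMAC-SHA1-96 with a 12-byte ICV) are an assumption chosen as a typical IKE proposal; other ciphers change the overhead.

```python
# Constructed example: estimate ESP tunnel-mode overhead and resulting IPv4
# fragmentation, to show why a full-MTU UDP datagram no longer fits once IPsec
# is in the path. Assumed SA: AES-CBC (16-byte block and IV) + HMAC-SHA1-96
# (12-byte ICV). Sizes follow the ESP packet layout of RFC 4303.
import math

IPV4_HDR = 20
UDP_HDR = 8
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes in ESP tunnel mode."""
    # Payload + padding + trailer must end on a cipher block boundary.
    pad = (-(inner_len + ESP_TRAILER)) % block
    return IPV4_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len


def ipv4_fragments(total_len, mtu):
    """Number of IPv4 fragments needed to carry total_len bytes over an mtu-sized link."""
    if total_len <= mtu:
        return 1
    per_frag = (mtu - IPV4_HDR) // 8 * 8   # fragment offsets are in 8-byte units
    return math.ceil((total_len - IPV4_HDR) / per_frag)


def max_udp_payload(mtu, **sa):
    """Largest UDP payload whose encapsulated packet still fits in mtu unfragmented."""
    payload = mtu
    while esp_tunnel_size(IPV4_HDR + UDP_HDR + payload, **sa) > mtu:
        payload -= 1
    return payload


if __name__ == "__main__":
    mtu = 1500
    inner = IPV4_HDR + UDP_HDR + 1472        # the 1500-byte datagram from the post
    wire = esp_tunnel_size(inner)
    print(f"{inner}-byte datagram -> {wire} bytes after ESP, "
          f"{ipv4_fragments(wire, mtu)} fragment(s) on a {mtu}-byte link")
    print(f"largest UDP payload that avoids fragmentation: {max_udp_payload(mtu)} bytes")
```

A VoIP application that wants to avoid this would cap its datagrams at the reduced size (or the tunnel endpoint would clamp MSS/advertise a smaller MTU), which is the integration problem the post alludes to.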