[lug] IPsec (or other security) in Asterisk

Nate Duehr nate at natetech.com
Fri Sep 14 12:16:56 MDT 2007


Michael J. Hammel wrote:
> I'm doing a little research on a project that might involve Asterisk.
> One of the key issues is VoIP security.  It doesn't appear that IPsec is
> supported in Asterisk (based on their web site, at least).  And there
> don't appear to be any other transport layer or higher security features
> (ssh, tls, ssl, or similar).

There's an RFC for doing SIP (well, really RTP) over TLS.

It's called "SRTP".  Many phones support it.

I saw an internal note fly around that we support it now in our phones 
on some later level of firmware flash.

Disclaimer: I work for Polycom.  We make SIP phones.

> Anyone know if Asterisk supports or is intending to support security
> features for VoIP?  Does Asterisk (or any application for that matter)
> need to specifically support IPsec or is this a feature of the
> networking stack that is configured outside the realm of the
> application?   My limited understanding of IPsec is that it's the latter
> - outside the realm of the application.

Asterisk appears to not support it, since this bounty is still open:
http://www.voip-info.org/wiki-Asterisk+Bounty+SIP+encryption

But I don't really know.

Encrypting the whole network is an option, but difficult at the end-points.

Most companies I've seen with large SIP phone deployments seem to have 
them VLAN'ed off from the rest of the network traffic (for QoS purposes) 
onto a separate "phone" network.  I think some of our phones support 
VLAN tagging directly at the phone and even routing a second VLAN (your 
usual corporate VLAN) through the second RJ45 on the phone to your 
desktop PC... I think.  I honestly don't work with the VoIP phone 
products very much.

Most all companies doing SIP phones internally maintain physical 
control of their in-house networks (so folks aren't plugging sniffers in 
to listen to RTP traffic - easy to do with Wireshark, etc...); they only 
allow traffic for that one person's phone to go out any particular 
switch port, and typically they don't have encryption on their phones, 
yet...

Were you looking to encrypt from the phone on the desktop to the 
Asterisk server on-site, or something else?

Going off-site, a VPN connection bridging the Asterisk server or a whole 
network at the far side, to the local phone VLAN, seems the simplest way 
to go.  IPsec seems a bit overkill... but of course, anything can be done...

Nate
