Hi, is there any more info about securing IAX calls or, better said, remote IAX extensions? I feel much more comfortable using IAX.
Regards,
Robert.

----- Original Message -----
From: "Benjamin on Asterisk Mailing Lists" <[EMAIL PROTECTED]>
To: "Asterisk Users Mailing List - Non-Commercial Discussion" <[EMAIL PROTECTED]>
Sent: Wednesday, October 13, 2004 12:26 PM
Subject: Re: [Asterisk-Users] Where is the cheapest place to buy grandstreamphones ?.

> On Wed, 13 Oct 2004 10:48:39 +0200, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > Where is the cheapest place to buy grandstream phones?
>
> I have heard that SIPphones.com are about to sell them for $49 or $59
> a piece but that may be just a rumour or it may be an offer limited to
> those over the age of 80 attended by their parents, I don't know.
>
> > And the other day I posted questions about security for SIP, is the only
> > solution a VPN?
> > Isn't there SSL integrated in SIP?
>
> Do you actually know how SIP works?
>
> SIP is only HALF a protocol from the viewpoint of VoIP. SIP doesn't
> actually do any VoIP. SIP is only there for introducing two parties to
> each other. That's all SIP does. "1.2.3.4 meet 6.7.8.9 -- 6.7.8.9,
> this is 1.2.3.4". It is then up to those parties to arrange how they
> communicate with each other. SIP has nothing to do with that
> communication. SIP does not deal with voice. It only deals with
> introductions and the filing of divorce papers. That's it.
>
> The kind of SIP that is mostly used for establishing VoIP connections
> is using another protocol, called RTP, which from the viewpoint of
> VoIP has to be considered the OTHER HALF of what makes up the VoIP
> protocol. SIP makes the introduction, RTP carries the voice.
>
> So when you talk about a SIP phone call, what you really mean is an
> RTP phone call which has been arranged for by SIP.
>
> Since those two protocols are technically independent protocols only
> loosely taped together by SIP's introduction, there are three
> independent data streams involved, all using different ports, from the
> viewpoint of TCP/IP all independent connections that have nothing to
> do with each other. To make things worse still, the ports used for the
> voice traffic are determined at random, one for each direction.
>
> So, if you wanted to wrap a SIP based IP phone call into SSL, then you
> would need to find a way how to get three independent data streams
> potentially going to two different destinations on three different
> ports, two of which are random, all together into one socket. Good
> luck with that.
>
> Of course you could wrap the three connections all individually, but
> that doesn't help you with NAT traversal. In fact it will make NAT
> traversal more difficult because some of the techniques that aid
> SIP/NAT traversal need to be able to read and understand the SIP
> messages to know which ports to open for the associated RTP traffic.
> If you encrypt the SIP stream individually, you will make it
> impossible for those techniques to work because they cannot read the
> SIP messages anymore.
>
> If you leave the SIP stream untouched and only encrypt the RTP
> traffic, then you will not increase your security in terms of
> potential break-in attacks. You will only protect yourself against
> eavesdropping on the audio channels.
>
> So, to get proper security, you would have to encapsulate both SIP and
> RTP streams into a single stream and send that off to a remote party
> that knows how to unbundle it again.
>
> This means you are looking at building a tunnel. Hence VPN.
>
>
> The moral of the story is this:
>
> Everybody doing VoIP has at some point run into the issue of SIP/NAT
> traversal and discovered how it is a pain to get working and how it is
> a serious security risk if you do get it working.
>
> We have all been there before you. We are all wearing the T-shirt that
> says "been there, done that" and we have earned that T-shirt with our
> own blood, sweat and tears.
>
> So, you have two choices: You can either just trust our advice. Or you
> can ignore it, bang your head against the wall like many of us did
> before and earn your own "been there, done that" T-shirt. Whatever you
> do, you are not going to find a solution other than what has been
> presented to you already. SIP is broken and it will remain that way
> because it is broken by design.
>
> Trust me on this, I myself have been one of those who didn't want to
> take the advice from the resident VoIP gurus at the time and I was
> banging my head against the wall in search of a solution that isn't
> there. Of course my stubbornness has given me a pretty good
> understanding of the problem, but I could have saved myself a lot of
> trouble if I had listened to the advice of those who told me that I
> was wasting my time.
>
> VPN or IAX it is.
>
> rgds
> benjk
>
> --
> Sunrise Telephone Systems, 9F Shibuya Daikyo Bldg., 1-13-5 Shibuya,
> Tokyo, Japan.
>
> NB: Spam filters in place. Messages unrelated to the * mailing lists
> may get trashed.
> _______________________________________________
> Asterisk-Users mailing list
> [EMAIL PROTECTED]
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
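
An added illustration, not part of the original thread: the quoted reply notes that NAT traversal helpers must read the SIP messages to learn which ports to open for RTP. The sketch below parses the SDP body of a constructed INVITE the way such a helper would, and shows that it learns nothing once the signalling is opaque; the function name `rtp_pinholes`, the sample message and the XOR stand-in for encryption are assumptions made for this example.

```python
# Constructed sample INVITE (documentation addresses from 192.0.2.0/24).
SAMPLE_INVITE = (
    b"INVITE sip:bob@example.com SIP/2.0\r\n"
    b"Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    b"Call-ID: constructed-1@192.0.2.10\r\n"
    b"CSeq: 1 INVITE\r\n"
    b"Content-Type: application/sdp\r\n"
    b"\r\n"
    b"v=0\r\n"
    b"o=alice 1 1 IN IP4 192.0.2.10\r\n"
    b"s=call\r\n"
    b"c=IN IP4 192.0.2.10\r\n"
    b"t=0 0\r\n"
    b"m=audio 17432 RTP/AVP 0 8\r\n"
    b"a=rtpmap:0 PCMU/8000\r\n"
)


def rtp_pinholes(sip_message: bytes):
    """Return [(media, address, port)] announced in the SDP body, [] if unreadable."""
    text = sip_message.decode("utf-8", errors="replace")
    head, sep, body = text.partition("\r\n\r\n")
    if not sep or "application/sdp" not in head.lower():
        return []  # no readable SIP headers or SDP body: nothing to open
    session_addr, current, streams = None, None, []
    for line in body.splitlines():
        if line.startswith("c="):  # c=<nettype> <addrtype> <address>
            parts = line[2:].split()
            if len(parts) != 3:
                continue
            if current is None:
                session_addr = parts[2]  # session-level default
            else:
                current[1] = parts[2]  # media-level override
        elif line.startswith("m="):  # m=<media> <port> <proto> <fmt> ...
            fields = line[2:].split()
            port = fields[1].split("/")[0] if len(fields) >= 3 else ""
            if port.isdigit():
                current = [fields[0], session_addr, int(port)]
                streams.append(current)
    return [tuple(s) for s in streams]


if __name__ == "__main__":
    print(rtp_pinholes(SAMPLE_INVITE))
    # Constructed stand-in for an encrypted signalling stream (XOR, not real crypto).
    opaque = bytes(b ^ 0xA5 for b in SAMPLE_INVITE)
    print(rtp_pinholes(opaque))
```

The INVITE announces only the caller's receive port; the port for the other direction arrives in the SDP answer, so a helper has to read both messages.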
