Hello Daniel,

Yes, we found Kamailio very easy to use with TLS.  You have done a great job 
on this project!  Our phone client is connecting and working fine with 
Kamailio, using SIP over TLS.  We are using DTLS for end-to-end secure phone 
calls between the two handsets.  DTLS generates (RFC 5764) session keys which 
are then used to set up the SRTP tunnel.  I don't think we did anything special to make 
this work with Kamailio --- it took maybe a day to bring up.  

I'll give some thought to what sort of metrics we could provide you to help you 
evaluate the cost-benefit of adding DTLS support.  And certainly, it would be 
easy for us to support SIP over DTLS --- a simple API change.  

I'll hopefully make it out to one of these future Kamailio events; 
unfortunately, I'll be on the road that week.  I would really like to see 
SRTP-DTLS take off --- it's really a nice approach from a security perspective 
(handset-to-handset security).  At the last event, there were 0% SRTP-DTLS 
implementations at SipIt.  I am pinging a bit early to connect, and I would 
like to see that percentage eke up a little.  

Best,

James

-----Original Message-----
From: Daniel-Constantin Mierla [mailto:mico...@gmail.com] 
Sent: Tuesday, January 11, 2011 4:03 PM
To: James Blaisdell
Cc: sip-implementors@lists.cs.columbia.edu
Subject: Re: [Sip-implementors] SipIt Interop Testing: SIP/TLS & DTLS-SRTP?

Hello James,

On 1/12/11 12:27 AM, James Blaisdell wrote:
> Hello Daniel,
>
> We have working prototype phone app for various mobile platforms (e.g. 
> Android, iPhone, etc).  We're likely going to release sometime this summer, 
> but would be interested in betas, etc.  fyi, we should work fine with a 
> Kamailio + Asterisk configuration, but we haven't tested that configuration 
> yet.

TLS with Kamailio v3.1 is very simple, the default config comes with tls 
support in it, just install the tls module and then enable it in config 
by just defining WITH_TLS. I have been testing the TLS part quite extensively 
at the last SIPit in Europe, together with Olle Johansson; we set up a TLS 
testing framework -- several kamailio instances available all the time 
for everyone there, running various TLS-related configs.

I was interested in TLS vs DTLS performance since our tests with TLS 
scaled up to about 80 000 residential-like active connections on one 
server or approx 40 000 heavy-traffic active connections. Some figures 
about DTLS would have been interesting to estimate the eventual performance 
gain.
>
>
> Our DTLS code leverages our TLS code.  There shouldn't be much of a 
> performance delta for crypto algo line rate, since both protocols (1.2) at 
> that point are essentially the same.  i.e. Both use an explicit IV, etc.  We 
> have some real world TLS performance metrics for a low-end PowerQuicc III 
> processor on our website; http://www.mocana.com/benchmarks.html.  I would 
> imagine DTLS would be faster due to less memory copies per packet, than TLS 
> over TCP/IP (more complex header, RTT, etc).

Memory is an issue at least with libssl, the tests proved that the 
library uses quite a lot of memory per connection. Otherwise, managing 
many tcp/tls connections has improved a lot with the latest kernels and *poll APIs.

It is good to know that there is some interest for DTLS, though.

> Do you have a link to the Kamailio & SER meeting?  It might be something we 
> would be interested in participating in.

The one I mentioned is the developer team face-to-face meeting, it is 
usually once per year, located in Europe, the last one was at the beginning of 
summer 2010 in Berlin, probably the next one will be next summer. It is more of an 
administrative-like meeting for the project, but is open to anyone and 
announced on the project web site when the time and location are decided. If 
you referred to the next public one that is happening in Irvine, CA, some 
details are posted at:

http://www.kamailio.org/w/2011/01/social-networking-event-irvine-ca-usa-jan-25-2011/

This is just for networking purposes, to allow people from the project 
to connect and meet face to face in the area where we have other events. By 
its type and duration, it is not technically oriented, just discussions 
about the present and the future development.

Thanks,
Daniel

> Thank you,
>
> James
>
>
> -----Original Message-----
> From: Daniel-Constantin Mierla [mailto:mico...@gmail.com]
> Sent: Tuesday, January 11, 2011 3:01 PM
> To: James Blaisdell
> Cc: sip-implementors@lists.cs.columbia.edu
> Subject: Re: [Sip-implementors] SipIt Interop Testing: SIP/TLS & DTLS-SRTP?
>
> Hello,
>
> On 1/11/11 11:20 PM, James Blaisdell wrote:
>> Hello,
>>
>> A couple of us are planning to attend SipIt in April.  This is a little 
>> early, anyone interested in DTLS-SRTP (RFC 5764) interop testing?
>>
>> Our current config: handset running our client connected to SIP/TLS to 
>> Kamailio; with handset to handset using DTLS-SRTP.
> is the handset available on the market? At the latest Kamailio & SER
> developer meeting, DTLS was put on the agenda for next major release
> (for the current release we added asynchronous TLS support), but the
> interest decreased as we couldn't find client DTLS implementations.
>
> Btw, as you already did some work with DTLS, have you compared somehow
> DTLS vs TLS performance?
>
> Thanks,
> Daniel
>
>>     TLS and DTLS implementations support 1.2 and lower, plus ~60 cipher 
>> suites.  SRTP has good cipher and integrity algorithm coverage.  Safe TLS 
>> renegotiation (RFC 5746) is also implemented.  And codec coverage should be 
>> pretty good by April, but would love to hear what people are supporting for 
>> maximum interoperability.
>>
>> We're interested in testing with any available implementations; SIP side 
>> and/or handset-to-handset side.
>>
>> Thank you,
>>
>> James
>> Mocana Corp
>>

-- 
Daniel-Constantin Mierla
Kamailio (OpenSER) Advanced Training
Jan 24-26, 2011, Irvine, CA, USA
http://www.asipto.com


_______________________________________________
Sip-implementors mailing list
Sip-implementors@lists.cs.columbia.edu
https://lists.cs.columbia.edu/cucslists/listinfo/sip-implementors
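
The DTLS-SRTP key derivation mentioned in the thread (RFC 5764, section 4.2), as an added example that is not part of the original messages or of either party's implementation: the SRTP master keys and salts are exported from the DTLS handshake secrets with the label `EXTRACTOR-dtls_srtp` and split in a fixed order. It assumes DTLS 1.2 with a cipher suite whose PRF is based on SHA-256; the function names and the sample inputs are constructed for illustration.

```python
import hashlib
import hmac

# SRTP protection profiles from RFC 5764 section 4.1.2:
# name -> (master key length, master salt length) in bytes.
PROFILES = {
    "SRTP_AES128_CM_HMAC_SHA1_80": (16, 14),
    "SRTP_AES128_CM_HMAC_SHA1_32": (16, 14),
}
LABEL = b"EXTRACTOR-dtls_srtp"  # exporter label defined by RFC 5764


def p_sha256(secret, seed, length):
    """P_hash from RFC 5246 section 5, instantiated with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def export_keying_material(master_secret, client_random, server_random, length):
    """RFC 5705 exporter without a context value (assumed: SHA-256 PRF)."""
    return p_sha256(master_secret, LABEL + client_random + server_random, length)


def derive_srtp_keys(master_secret, client_random, server_random, profile):
    """Split the exported material in the order RFC 5764 section 4.2 fixes."""
    if len(master_secret) != 48:
        raise ValueError("(D)TLS master secret must be 48 bytes")
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("hello randoms must be 32 bytes each")
    k, s = PROFILES[profile]
    m = export_keying_material(master_secret, client_random, server_random,
                               2 * (k + s))
    return {
        "client_key": m[:k],               # DTLS client's outgoing SRTP
        "server_key": m[k:2 * k],          # DTLS server's outgoing SRTP
        "client_salt": m[2 * k:2 * k + s],
        "server_salt": m[2 * k + s:],
    }


if __name__ == "__main__":
    # Constructed sample handshake values, not taken from a real session.
    keys = derive_srtp_keys(bytes(range(48)), b"\x01" * 32, b"\x02" * 32,
                            "SRTP_AES128_CM_HMAC_SHA1_80")
    for name, value in keys.items():
        print(name, value.hex())
```

Because both endpoints derive these values from the handshake they ran with each other, the SIP proxy in the signalling path (Kamailio over SIP/TLS in the setup described) never holds the media keys.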
