Asterisk SRTP
Created by: cervajs, Last modification on Mon 01 of Jun, 2009 [09:27 UTC]
GENERAL
Info about SRTP: http://en.wikipedia.org/wiki/Secure_Real-time_Transport_Protocol
Ref.: http://bugs.digium.com/view.php?id=5413
Review board: http://reviewboard.digium.com/r/191/
Asterisk SRTP has dropped MIKEY support and is now focused on SDES support:
http://lists.digium.com/pipermail/asterisk-dev/2009-January/036029.html
PHONES COMPATIBILITY
| Phone1(CALLER) | FIRMWARE | ASTERISK VERSION | Phone2(CALLED) | FIRMWARE | works? | notes |
|---|---|---|---|---|---|---|
| Aastra 57i | 2.5.0.82 | SRTP branch | Grandstream | 1.1.6.44 | ? | example |
| Aastra 57i | 2.5.0.82 | SRTP branch | echo application | n/a | yes | |
| Grandstream GXP 2020 | 1.1.6.44 | SRTP branch | echo application | n/a | yes | srtp forced |
| Linksys SPA-922 | 6.1.5(a) | SRTP branch | echo application | n/a | yes | SIP -> srtp method: s-descriptor |
| Linksys SPA-941 | 5.1.8 | SRTP branch | echo application | n/a | no | SDES not supported |
| Siemens gigaset A580 | 021840000000 / 043.00 | SRTP branch | echo application | n/a | no | SRTP not supported |
| Snom 360 | 7.3.14 | SRTP branch | echo application | n/a | no | res_srtp.c:301 res_srtp_unprotect: SRTP unprotect: authentication failure |
| Eyebeam | 1.5.19.5 | SRTP branch | echo application | n/a | yes | |
| QuteCom | 2.2 | SRTP branch | echo application | n/a | no | SDES not supported but in roadmap http://trac.qutecom.org/roadmap |
| Twinkle | 1.4.2 | SRTP branch | echo application | n/a | no | srtp not announced |
| Kapanga | | SRTP branch | echo application | n/a | ? | |
| phonerlite | | SRTP branch | echo application | n/a | ? | |
wireshark dump
must look like this (for the G711 alaw codec):
15.963537 x.x.x.x -> y.y.y.y SRTP PT=ITU-T G.711 PCMA, SSRC=0x52B6274E, Seq=14198, Time=214264558
15.968667 y.y.y.y -> x.x.x.x SRTP PT=ITU-T G.711 PCMA, SSRC=0x3AAC8277, Seq=3195, Time=78560
INSTALL GUIDE
REQUIREMENTS
(centos5, fedora 10)
yum -y install gcc gcc-c++ pkgconfig zlib-devel openssl-devel ncurses-devel
yum -y install autoconf automake libtool
LIBSRTP
rpm -ivh http://qutecom.ipex.cz/RPMS/srtp-1.4.4-1.i386.rpm
(source is http://qutecom.ipex.cz/RPMS/srtp-1.4.4-1.src.rpm)
OR
download http://srtp.sourceforge.net/download.html
tar -xzf srtp-tarball
./configure --prefix=/usr
make
make runtest
make install
ASTERISK
svn co http://svn.digium.com/svn/asterisk/team/group/srtp asterisk-srtp
cd asterisk-srtp
./configure
make menuselect (check res_srtp in "resource modules")
make
make install
If your build fails with 'relocation R_X86_64_32 against `a local symbol' can not be used when making a shared object; recompile with -fPIC', go back to the libsrtp build and run configure again with -fPIC in CFLAGS, like 'CFLAGS="-Wall -O4 -fexpensive-optimizations -funroll-loops -fPIC" ./configure --prefix=/usr'. After make and make install, try to compile asterisk-srtp again.
CONFIG
sip.conf
srtpcapable=yes|no
dialplan functions:
SIPPEER()
If the value of SIPSRTP evaluates to false, encryption will not be offered; otherwise it will.
A quick example of how to offer SRTP only to devices that are capable would be something like:
[default]
exten => _600X,1,Set(_SIPSRTP=${SIPPEER(${EXTEN},srtpcapable)})
exten => _600X,n,Dial(SIP/${EXTEN})
extensions.conf
[main]
exten => 600,1,Playback(demo-echotest) ; Let them know what's going on
exten => 600,n,Echo ; Do the echo test
exten => 600,n,Playback(demo-echodone) ; Let them know it's over
exten => 600,n,hangup
sip.conf
[700]
type=friend
context=main
host=dynamic
secret=700
nat=yes
srtpcapable=yes
[701]
type=friend
context=main
host=dynamic
secret=701
nat=yes
srtpcapable=yes
Call 600.
Look at the ethereal dump on the Asterisk box, i.e. tethereal host <phone ip>
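When the dump shows plain RTP instead of SRTP, the SDP body of the INVITE or 200 OK usually tells why (compare the "srtp not announced" and "SDES not supported" notes in the compatibility table). The following is an added example, not code from this page or from Asterisk: it checks one SDP body for an SDES offer using the a=crypto syntax of RFC 4568; the function name check_sdes and the sample offer are assumptions constructed for illustration.

```python
import base64
import re

# key||salt length in bytes for the crypto suites defined in RFC 4568
SUITE_KEY_SALT_LEN = {
    "AES_CM_128_HMAC_SHA1_80": 30,
    "AES_CM_128_HMAC_SHA1_32": 30,
    "F8_128_HMAC_SHA1_80": 30,
}
CRYPTO_RE = re.compile(r"^a=crypto:(\d+)\s+(\S+)\s+inline:([A-Za-z0-9+/=]+)")

def check_sdes(sdp):
    """Classify the audio stream of one SDP body: (verdict, suites, problems)."""
    profile, suites, problems, in_audio = None, [], [], False
    for line in sdp.splitlines():
        line = line.strip()
        if line.startswith("m="):
            in_audio = line.startswith("m=audio ")
            if in_audio:  # m=audio <port> <proto> <fmt ...>
                profile = (line.split() + ["", ""])[2]
            continue
        m = CRYPTO_RE.match(line) if in_audio else None
        if not m:
            continue
        tag, suite, key_b64 = m.groups()
        want = SUITE_KEY_SALT_LEN.get(suite)
        try:
            got = len(base64.b64decode(key_b64, validate=True))
        except ValueError:  # binascii.Error is a ValueError: bad base64
            got = None
        if want is None:
            problems.append(f"tag {tag}: unknown suite {suite}")
        elif got != want:
            problems.append(f"tag {tag}: key||salt is {got} bytes, want {want}")
        else:
            suites.append(suite)
    if profile is None:
        return "no-audio", suites, problems
    if profile != "RTP/SAVP":
        return "plain-rtp", suites, problems  # SRTP not announced in m= line
    return ("srtp-sdes" if suites else "savp-no-usable-key"), suites, problems

# Constructed sample, not a real capture: key||salt is the bytes 0..29.
SAMPLE_KEY = base64.b64encode(bytes(range(30))).decode()
SAMPLE_OFFER = "\r\n".join([
    "v=0", "o=- 1 1 IN IP4 192.0.2.10", "s=-", "c=IN IP4 192.0.2.10", "t=0 0",
    "m=audio 30000 RTP/SAVP 8", "a=rtpmap:8 PCMA/8000",
    f"a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:{SAMPLE_KEY}|2^20",
])
```

With SDES the master key and salt sit in the a=crypto line of the SDP, so the media is only as confidential as the SIP signaling that carries it; keep captured SDP bodies out of tickets and logs for the same reason.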
Known issues
- MIKEY method doesn't support optional encryption.
- The callee can't force encryption or select method.
- The caller needs to hang up if it requires encryption and it isn't available.
OLD
MINISIP libraries (IT'S IMPORTANT TO KEEP THE FOLLOWING ORDER!)
(yum -y install subversion if it is not installed)
svn co -r3250 svn://svn.minisip.org/minisip/trunk minisip-trunk
cd minisip-trunk
Compiling and installing libmutil
First we run the bootstrap script to generate the configure script.
cd libmutil
libmutil$ ./bootstrap
Now we are ready to compile the source code of libmutil and install it:
libmutil$ ./configure --prefix=/usr
libmutil$ make
libmutil$ make install
Compiling and installing libmnetutil
Configuring, compiling and installing libmnetutil is done the same way as with libmutil:
cd ../libmnetutil
libmnetutil$ ./bootstrap
libmnetutil$ ./configure --prefix=/usr
libmnetutil$ make
libmnetutil$ make install
Compiling and installing libmcrypto
Configuring, compiling and installing libmcrypto is done the same way as with libmutil:
cd ../libmcrypto
libmcrypto$ ./bootstrap
libmcrypto$ ./configure --prefix=/usr
libmcrypto$ make
libmcrypto$ make install
Compiling and installing libmikey
Configuring, compiling and installing libmikey is done the same way as with libmutil:
cd ../libmikey
libmikey$ ./bootstrap
libmikey$ ./configure --prefix=/usr
libmikey$ make
libmikey$ make install
