login | register
Fri 09 of May, 2008 [14:07 UTC]

voip-info.org

Navigation
Today's Deals
Recently Visited Pages
Search with Google
Search this site with Google. Results may not include recent changes.
 
Google Ads
Last Changes
Shoutbox
  • Nick Barnes, Fri 09 of May, 2008 [11:36 UTC]: Christopher - yesterday I tried an Asterisk install on a CentOS 5.1 box with stock GUI and it all worked fine. Sorry I can't help.
  • aero, Fri 09 of May, 2008 [08:20 UTC]: can someone help me out on this, i tried to play some sound files on my asterisk box and this is the error message i got. WARNING[4429]: format_wav.c:169 check_header: Unexpected freqency 22050 May 8 11:17:39 WARNING[4433]: codec_gsm.c:194 gsmtolin_fra
  • Christopher Faust, Thu 08 of May, 2008 [14:15 UTC]: I beleive that I may have to change something in the xserver configuration. Please advise
  • Christopher Faust, Thu 08 of May, 2008 [14:14 UTC]: Everything was perfect. In the bios I have increased the memory allocated Still receive input not supported on my display.
  • Christopher Faust, Thu 08 of May, 2008 [14:13 UTC]: This would not be my main box. I am doing some testing to see if I can install zaptel and asterisk 1.4 on a full centos 5.1 box with development software Its bizzare, because before I went through the asterisk and zaptel installation everything was perfe
  • Nick Barnes, Thu 08 of May, 2008 [13:44 UTC]: Christopher - I can't see any way in which an Asterisk installation would muck your GUI, but remember that it is advised not to use a GUI on an Asterisk box anyway.
  • Christopher Faust, Wed 07 of May, 2008 [15:28 UTC]: When I try to startx I ge input not supported. Though before installing asterisk I had no video issue to start the GUI
  • Christopher Faust, Wed 07 of May, 2008 [15:26 UTC]: Hi Nick, I got centos 5.1 and asterisk up But now I cannot start startx I have set the depth from 24 to 16 for the video i810 driver for the i845 on my netvista machine but I cannot start GNOME. Please advise
  • Nick Barnes, Wed 07 of May, 2008 [10:01 UTC]: Howard - You'll need to provide a lot more information if you really want help.
  • Nick Barnes, Wed 07 of May, 2008 [10:00 UTC]: Christopher - Search the Wiki and you'll find a page I wrote detailing exactly what you have to do for Asterisk 1.4 + CentOS 5.1.
Server Stats
  • Execution time: 0.42s
  • Memory usage: 2.22MB
  • Database queries: 33
  • GZIP: Disabled
  • Server load: 1.07

IAX encryption

IAX encryption


As of asterisk version 1.2.4 (maybe before) there is a rather undocumented channel encryption feature included in chan_iax2. After successful authentication the whole channel including control data and voice data is encrypted with AES128. The encryption can be activated by adding the line

  encryption=aes128
or
  encryption=yes

respectively to your iax.conf. For the encryption to be functional you have to use MD5 authentication since one is based upon the other in this particular implementation!

Note: The calling/called numbers are still passed in the clear over encrypted IAX, so you are still vulnerable to traffic analysis.
If you also care about concealing the dialed number you can do it just fine. The simplest way is to have a single exten that takes all encrypted calls, then once the call is up, dial 'onwards' with DTMF, the DTMF frames would be encrypted.

The IAX encryption scheme is documented in the draft RFC at:
http://mirror.switch.ch/ftp/mirror/internet-drafts/draft-guy-iax-03.txt

Example

For example, consider the following scenario:
alice (192.168.25.10) <-----> bob (192.168.25.11)

iax.conf on alice:

 [bob-enc]
 type=friend
 host=192.168.25.11
 username=alice-enc
 auth=md5
 secret=foobar
 trunk=no
 notransfer=no
 encryption=aes128
 disallow=all
 allow=alaw


iax.conf on bob:

 [alice-enc]
 type=friend
 host=192.168.25.10
 username=bob-enc
 auth=md5
 secret=foobar
 trunk=no
 notransfer=no
 encryption=aes128
 disallow=all
 allow=alaw


Debugging

In order to verify the correct configuration you could use the following CLI command:

 bob*CLI> iax2 show peers
 Name/Username    Host                 Mask             Port          Status    
 alice-enc/bob-e  192.168.25.10   (S)  255.255.255.255  4569      (E) Unmonitored

The "(E)" indicates our encryption feature. Unfortunately the "(E)" also appears when using other authentication methods than MD5, however the actual encryption is NOT operational in this case.

If you would like to see the encryption in action, try the debug output in "logger.conf" and issue the following CLI commands:

 bob*CLI> set debug 1
 Core debug is at least 1
 bob*CLI> iax2 debug
 IAX2 Debugging Enabled


the debug output of our control data looks like this:

 TE-Frame Retry000 — OSeqno: 009 ISeqno: 009 Type: IAX     Subclass: LAGRP  
    Timestamp: 20004ms  SCall: 00001  DCall: 00004 192.168.25.10:4569
 Feb 15 14:09:22 DEBUG17937: chan_iax2.c:3875 encrypt_frame: Encoding full frame 6/12 with length 12
 Feb 15 14:09:22 DEBUG17937: chan_iax2.c:3883 encrypt_frame: Encoding full frame 6/12 with length 12 + 24 padding (15=28)
 Tx-Frame Retry000 — OSeqno: 017 ISeqno: 002 Type: (168?) Subclass: 141
    Timestamp: 3945693623ms  SCall: 00001  DCall: 00004 192.168.25.10:4569
 Rx-Frame Retry No — OSeqno: 133 ISeqno: 235 Type: (132?) Subclass: 101
    Timestamp: 43813863ms  SCall: 00004  DCall: 00001 192.168.25.10:4569
 Feb 15 14:09:22 DEBUG17937: chan_iax2.c:3836 decode_frame: Decoding full frame with length 36 (padding = 24) (15=d8)
 RD-Frame Retry No — OSeqno: 008 ISeqno: 009 Type: IAX     Subclass: ACK    
    Timestamp: 20001ms  SCall: 00004  DCall: 00001 192.168.25.10:4569


... and the voice data:

Feb 15 14:09:23 DEBUG18288: chan_iax2.c:3891 encrypt_frame: Encoding mini frame with length 164
Feb 15 14:09:23 DEBUG17937: chan_iax2.c:3851 decode_frame: Decoding mini with length 194


See also


Created by Ben Fuhrmannek, Last modification by JustRumours on Thu 07 of Feb, 2008 [15:58 UTC]

Comments

Comments Filter

VoIP Security Solutions

by jenniferhan on Thursday 27 of December, 2007 [07:06:10 UTC]
SpeedVoIP is a professional VoIP Security and VoIP anti blocking solutions provider.
The core solution for VoIP Security and VoIP anti-blocking is VGCP (VoiceGuard Control Protocol).
It can work with any 3rd-party Softphone / ATA / Gateway / IP Phone / IADs and SIP proxy or server.
It can work in the way similar to that of SOHO router, but it only encrypts and decrypts SIP and RTP packets on link layer, not to handup these packets to IP stack for forwarding while bypassing other data packets originating from SIP terminals. In this scenario, peak throughput and minimal CPU overhead can be easily achieved.

VoiceGuard can real-time incorporate light-weight traffic for puzzling and bypassing VoIP blocking system without consuming more bandwidth and compromising voice quality. Even in some circumstance, VoiceGuard can simulate traffic behavior of universal data networking protocol such as OICQ, MSN and so on.

For more information, please refer to: http://www.speed-voip.com/index-36.html

Andy
xd.wong@speed-voip.com
andywong-01@hotmail.com

Any Updates on IAX encrytption

by idnihus on Thursday 05 of July, 2007 [12:33:03 UTC]
The last post here is more than one year old, and I cannot find any other details about IAX encryption. Is it still available? Is it an active part of Asterisk, or still a "pipe dream"?

beware, this is only alpha stage encryption

by Ben Fuhrmannek on Friday 17 of March, 2006 [15:35:48 UTC]
I've been using this feature since before this article came out and I consider it highly unstable and not too efficient. Just have a look at the source code and you'll know instantly what i mean. Packets with "decrypt failed" and lost connections occur occasionally. If it works for you, keep your fingers crossed that it keeps running.

For the time being neither IAX2 nor this encryption feature is part of any standard which makes both rather unpredictable to sudden changes. And also the following issues are yet to be solved:
- transferring the call and keeping the encryption up and running
- a key challenge based on RSA
- user-based encryption, not just host-based
- signalisation of a secure channel, maybe by setting a variable
- more encryption algorithms
- ... probably more things to do

Besides,... an issue has been raised on the developers mailing list on the security of this particular implementation of channel encryption.

Again, this feature is really nice to have, yet unfinished. There is neither reliability nor security proven. This will probably change in the near future. Until then i suggest to use alternative methods of encryption like IPSec, PPTP, OpenVPN, ... you name it.

Link2VoIP supports the new AES128 encryption

by stevenlee on Thursday 02 of March, 2006 [09:19:13 UTC]
Hello,

Link2VoIP.com supports the new AES128 encryption on IAX2 channels, when you signup they ask you if you want the option enabled. I have been using it for 2 days now, and it is working. No more sharking my VoIP traffic! :D

Peace!

Link2VoIP supports the new AES128 encryption

by stevenlee on Thursday 02 of March, 2006 [09:18:53 UTC]
Hello,

Link2VoIP.com supports the new AES128 encryption on IAX2 channels, when you signup they ask you if you want the option enabled. I have been using it for 2 days now, and it is working. No more sharking my VoIP traffic! :D

Peace!

Getting service providers to implement this is next

by Chip Schweiss on Wednesday 15 of February, 2006 [18:30:12 UTC]
Now all we need to do is get VoIP providers to implement this feature and Asterisk has a big jump over the SIP world when it comes to security concerns about sending voice with out encryption across the net.

Why this wasn't big news, I have no idea.

Please update this page with new information, just login and click on the "Edit" or "Add Comment" button above. Get a free login here: Register Thanks! - support@voip-info.org

Page Changes | Comments

Sponsored by:
Terms of Service Privacy Policy
© 2003-2008 VOIP-Info.org LLC

Powered by bitweaver