SIP Security in Yate
Revision as of 10:43, 16 November 2012
To protect the signaling messages against snooping or alteration, use TLS. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, or message forgery.
Using SRTP, which is a security profile for RTP, adds confidentiality, message authentication, and replay protection to the media stream.
How to configure secure SIP
Yate can bind on TLS. This is done using a listener, which is a specific section in ysipchan.conf.
The next steps configure Yate to bind on TLS and to use SRTP for the voice packets.
How to set a TLS listener
In ysipchan.conf:
  [general]
  type=tls
  addr=x.x.x.x
  port=5061
  sslcontext=server_context
Configure an SSL server context
In openssl.conf:
  [server_context]
  enable=yes
  certificate=name.crt
  key=name.key
The files name.crt and name.key have to be in the same place as the configuration file in this example.
Enable SRTP
Data security protocols such as SRTP rely upon a separate key management system to securely establish encryption and/or authentication keys. In this setup the SRTP keys travel in the SDP body of the SIP messages, so TLS is what protects them.
In ysipchan.conf the secure parameter is disabled by default; to use SRTP you have to enable it.
  [default]
  ; secure: bool: Generate and accept RFC 4568 security descriptors for SRTP
  secure=enable
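The three snippets above can be cross-checked against each other, since a listener that names a context missing from openssl.conf, or a forgotten secure=enable, silently leaves signaling or media unprotected. This is an added example, not code from the Yate project; it assumes both files are INI-style as shown and that Yate accepts the usual boolean spellings (yes, true, on, enable).

```python
"""Cross-check Yate's SIP TLS/SRTP settings across ysipchan.conf and openssl.conf."""
import configparser

# Constructed sample files mirroring the snippets above (not a live deployment).
YSIPCHAN_CONF = """
[general]
type=tls
addr=x.x.x.x
port=5061
sslcontext=server_context

[default]
; secure: bool: Generate and accept RFC 4568 security descriptors for SRTP
secure=enable
"""

OPENSSL_CONF = """
[server_context]
enable=yes
certificate=name.crt
key=name.key
"""

# Assumption: the spellings Yate treats as a true boolean parameter.
TRUE_VALUES = {"yes", "true", "on", "enable", "1", "t"}

def parse(text):
    # Yate config files are INI-like; ';' introduces a comment line.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def audit(ysipchan_text, openssl_text):
    """Return a list of findings; an empty list means TLS and SRTP are consistently set up."""
    sip, ssl = parse(ysipchan_text), parse(openssl_text)
    findings = []
    general = sip["general"] if sip.has_section("general") else {}
    if general.get("type", "").lower() != "tls":
        findings.append("listener is not type=tls: signaling can be sniffed or altered")
    ctx = general.get("sslcontext")
    if not ctx:
        findings.append("listener has no sslcontext, so no certificate can be served")
    elif not ssl.has_section(ctx):
        findings.append(f"sslcontext '{ctx}' is not defined in openssl.conf")
    else:
        if ssl[ctx].get("enable", "").lower() not in TRUE_VALUES:
            findings.append(f"[{ctx}] is not enabled")
        for key in ("certificate", "key"):
            if not ssl[ctx].get(key):
                findings.append(f"[{ctx}] is missing '{key}'")
    secure = sip["default"].get("secure", "") if sip.has_section("default") else ""
    if secure.lower() not in TRUE_VALUES:
        findings.append("secure is disabled in [default]: SRTP will not be offered or accepted")
    return findings
```

Run audit() over the real files' contents after each change; any finding points at the exact section and key to fix.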
Advantages
- SRTP is ideal for protecting Voice over IP traffic because it can be used in conjunction with header compression and has no effect on IP Quality of Service.
- SRTP provides significant advantages, especially for voice traffic using low-bitrate voice codecs such as G.729 and iLBC.
- SRTP confidentiality of RTP packets protects packet payloads from being read by entities without the secret encryption key.
- SRTP message authentication of RTP packets protects the integrity of a packet against forgery, alteration, or replacement.
- TLS provides privacy and data integrity between communicating applications.